Preventing Malicious Mobile Apps from Taking Over iOS through App Vetting

Introduction

Mobile devices, particularly those running iOS, are widely assumed to have robust security and privacy features. However, no operating system is foolproof, and one of the most significant vulnerabilities arises not from the system itself but from the apps users install. Most organizations fail to recognize that the non-work related apps on corporate devices may inadvertently open the door to attackers to steal sensitive data, including corporate credentials.

Malicious mobile apps can exploit permissions, introduce malware, or exfiltrate sensitive data, often without users realizing the extent of their access. While Apple’s App Store has good review processes, sideloaded apps or apps from less reputable sources pose a particularly high risk. In an era where mobile devices are integral to business operations, neglecting app vetting can lead to severe consequences, including data breaches, compliance failures, and reputational harm.

Organizations can significantly reduce these risks by focusing on proactive app vetting and establishing clear policies for app usage. This blog post explores the importance of app vetting and provides actionable steps to help organizations safeguard their mobile ecosystems.

The Business Impact of Neglecting App Vetting

Failing to ensure that apps are secure can have far-reaching consequences for organizations, particularly in industries where data security and compliance are critical. Below are some of the most common risks organizations face:

1. Data Leakage: Unvetted apps may request and misuse permissions to access sensitive data such as emails, customer records, or intellectual property. Once the app gains access, it can exfiltrate this data to unauthorized third parties, leading to financial loss, legal exposure, and reputational damage. This was covered in previous blogs. 
2. Malware Infections: Apps that users have downloaded from outside of the official app store (known as sideloaded) may carry malware designed to execute malicious functions like stealing login credentials or 2FA codes. This can cripple operations and incur significant remediation costs.
3. Regulatory Non-Compliance: Many industries require organizations to safeguard customer and business data under GDPR, HIPAA, or CCPA regulations. Data leaks or breaches caused by unvetted apps may result in hefty fines and legal action, further compounding the financial and reputational damage.
4. Loss of Trust: Breaches caused by unvetted apps can undermine trust and brand reputation among customers, investors, and partners. Rebuilding this trust can take years and require significant investment.

In the modern workplace, where mobile devices play a critical role in business operations, permitting unvetted apps on corporate devices significantly elevates the risk level, as organizations inadvertently expose themselves to malware, privilege escalation attacks, and data breaches.

The consequences are clear: businesses that fail to implement and enforce app vetting processes risk compromising their operations, their data, and, finally, their reputation. To mitigate these risks, it is essential to establish strict policies around app installations, restrict sideloading where possible, and adopt a proactive approach to identifying and addressing vulnerabilities in the apps employees use.

The Origin of Risky App Installation on iOS

Depending on the source of an app — whether it comes from Apple’s App Store or through third-party app stores and sideloading — different types of risks emerge, each requiring specific considerations during the vetting process.

In the case of the official AppleApp Store, the primary concern lies in apps exploiting permission fatigue. These apps often request excessive or overly broad permissions that extend far beyond their stated functionality. For example, a simple flashlight app might request access to location services, contacts, or even the camera, raising red flags about potential misuse. While Apple’s review process helps mitigate some of these issues, no system is infallible, and subtle manipulations can slip through.

In contrast, apps from third-party app stores and sideloading pose an even more severe threat. These distribution channels bypass Apple’s review process entirely, allowing malicious actors to embed malware, spyware, or exploitative functionality into apps. Such apps might exfiltrate sensitive company data, create backdoors, or exploit undocumented APIs to bypass system protections, escalating their capabilities far beyond what users initially perceive.

The Threats of Third-Party App Stores and Sideloading

Apps distributed via third-party app stores or sideloaded using developer tools often lack transparency and proper security oversight. These apps are fertile ground for malicious actors to embed malware, spyware, or exploitative code. This hidden functionality can range from exfiltrating sensitive company data to creating backdoors for further attacks.

For example, a sideloaded app might exploit undocumented iOS APIs or escalate its privileges to bypass system protections, allowing unauthorized access to sensitive resources. Similarly, apps from third-party stores often request excessive permissions, enabling actions far beyond their stated purpose, such as tracking user activity or accessing corporate networks.

The absence of standardized app vetting makes it easy for attackers to disguise malicious functionality, creating a false sense of security for users and organizations alike.

Preparing for the Next Line of Defense

Effectively mitigating the risks caused by unvetted apps requires a thorough understanding of how these risks can evolve into larger threats. Issues such as excessive permissions, misuse of private APIs and malicious code represent forms of privilege escalation and are not just isolated problems — they often serve as entry points for more significant compromises. Addressing these risks lays the groundwork for tackling more advanced threats, ensuring that organizations can proactively defend against potential escalations and safeguard their mobile ecosystems.

The following part of this blogpost delves into how privilege escalation attacks work, their potential impact on organizations, and how a thorough, standardized app vetting process can act as a crucial defense against these threats.

Privilege Escalation on iOS

Privilege escalation occurs when an attacker gains higher permissions or capabilities than originally intended (either through the usage of an app or via other means), enabling unauthorized access to sensitive system functions or data. On iOS this typically involves exploiting weaknesses in how the system enforces app permissions and sandboxing. These attacks allow malicious actors to bypass iOS’ssecurity model, designed to isolate apps from each other and limit their access to system resources. Once an attacker successfully escalates privileges, they can execute harmful actions that would otherwise be blocked, such as accessing restricted files, injecting malicious code, or installing persistent malware.

There are three primary techniques used to achieve privilege escalation on iOS:

• Abusing Permissions: Permissions define what an app can do, such as accessing the camera, microphone, or location data. Malicious actors often request excessive permissions under the guise of legitimate functionality, tricking users into granting access to sensitive data or capabilities.
• Abusing Entitlements: Entitlements are special privileges that are part of the app’s signature and can be used to access system-level features, such as network extensions or file system operations. While legitimate apps use these entitlements for authorized purposes, attackers can embed private entitlements into malicious apps to gain unauthorized capabilities.
• System Exploits for Privilege Escalation: iOS apps operate within a "sandbox," a secure, isolated environment that prevents them from interfering with other apps or the operating system. However, attackers may exploit vulnerabilities in iOS to escape the sandbox and interact with other processes or system components. This allows malicious apps to leverage the capabilities of trusted processes to execute their payloads. During 2024, 34 CVEs that could be used for this purpose were disclosed. In 2025, this number is, so far, 16 CVEs. 

To illustrate how privilege escalation vulnerabilities manifest in real-world scenarios, let’s examine two notable case studies: TrollStore and SeaShell Malware, and MacDirtyCow.

These examples highlight the diverse techniques attackers use to exploit permissions, entitlements, and sandbox vulnerabilities, underscoring the critical need for thorough app vetting and proactive security measures. Each case demonstrates how seemingly secure environments can be compromised, revealing the importance of identifying and addressing these risks early.

Case Study – TrollStore and SeaShell Malware

TrollStore

TrollStore is a powerful tool that has gained attention for its ability to sideload apps permanently onto iOS devices, bypassing the restrictions imposed by Apple’s App Store and standard security frameworks. By leveraging two memory corruption vulnerabilities — CVE-2022-26766 and CVE-2021-30937 — in the Apple Mobile File Integrity (AMFI) and CoreTrust components, TrollStore enables users to resign apps with arbitrary entitlements. This capability is significant because private entitlements, normally reserved for iOS system components, can grant apps access to sensitive system features and functionalities not intended for third-party use. TrollStore affects iOS versions 14.0 through 16.6.1, as well as version 17.0, highlighting its broad reach and the ongoing relevance of this sideloading technique in the evolving iOS security landscape.

The ability of TrollStore to resign apps with arbitrary private entitlements introduces significant risks, particularly when it comes to modified applications downloaded from third-party app stores. These modified apps often attract users by offering enhanced features or bypassing in-app purchases, but they can also harbor hidden dangers. Malicious actors can embed private entitlements into these apps, granting them access to sensitive system functionalities without the user’s knowledge. For example, a modified messaging app (widely installed through TrollStore) silently gains the ability to access device logs, record audio, or bypass network restrictions — capabilities never disclosed to or expected by the user. These hidden entitlements can turn a seemingly harmless app into an effective tool for surveillance, data exfiltration, or privilege escalation, posing significant risks to both individual users and organizations.

SeaShell Malware: A Post-Exploitation Framework

Building on the capabilities of TrollStore, the SeaShell Malware represents a sophisticated open-source post-privilege escalation framework designed to take control of iOS devices remotely.

The capabilities of the SeaShell Framework are both powerful and concerning. SeaShell enables attackers to generate a malicious IPA file that, once installed via TrollStore, establishes an encrypted connection with the attacker’s server. This interactive session grants attackers full control over the compromised device, allowing them to extract sensitive data, manipulate system files, and execute privileged commands.

At its core, SeaShell relies on a payload called Pwny, a sophisticated implant that supports a wide array of post-exploitation features:

• Remote Access: Once the malicious IPA file is installed and opened, SeaShell establishes a secure connection to a remote attacker-controlled server.
• Data Exfiltration: Through interactive shell commands, attackers can extract sensitive information, such as Safari history, SMS data, and even address book contacts.
• Persistence via Hooking: The framework allows payloads to persist by injecting them into legitimate app bundles. When the host app is launched, a new remote connection is established automatically.
• Extensibility: The framework supports custom post-exploitation plugins, enabling attackers to tailor attacks to specific targets.

The potential for abuse with SeaShell is significant, particularly given its public availability and ease of deployment. While the framework was created to raise awareness about iOS security vulnerabilities, malicious actors have already adapted it for nefarious purposes. Live samples of malware leveraging the SeaShell Framework have been detected in the wild, often distributed via third-party app stores.

The combination of tools like TrollStore and frameworks like SeaShell underscores the importance of rigorous app vetting and proactive security measures. Apps modified or distributed outside the official App Store pose an outsized risk to users and organizations, especially when vulnerabilities like CoreTrust remain a factor. Organizations must scrutinize IPA files for suspicious executables, unexpected Info.plist entries, or signs of tampering. These proactive measures can help prevent the installation of malicious software and protect devices from privilege escalation attacks.

Case Study – MacDirtyCow

MacDirtyCow (CVE-2022-46689) is a critical security vulnerability in iOS versions 14.0 to 16.1.2 (excluding 15.7.2) that allows attackers to temporarily overwrite files in memory, even on the protected system volume. This vulnerability arises from a race condition in how iOS's XNU kernel handles copy-on-write (COW) operations for memory pages.

When a memory page is marked as both read-only and copy-on-write, the kernel creates a new copy of the page during a write operation to maintain the integrity of the original. However, MacDirtyCow exploits a small window of time between the read-only check and the creation of the new page, enabling an attacker to inject malicious changes into the page in memory. While these changes are temporary and do not persist after a reboot, they offer a powerful mechanism for privilege escalation and tampering with sensitive system data.

Risks Associated with MacDirtyCow

The risks posed by MacDirtyCow extend far beyond its technical complexity, as it allows attackers to manipulate critical system files temporarily. One of the most concerning attack vectors involves tampering with the Transparency, Consent, and Control (TCC) database, a critical component of iOS that governs app permissions.

Through MacDirtyCow, attackers can:

1. Modify TCC Permissions: Malicious actors can alter entries in the TCC database, granting unauthorized apps access to sensitive resources like the camera, microphone, or location services without user consent.
2. Bypass App Restrictions: Attackers can override system-enforced restrictions, enabling apps to perform actions outside their designated sandbox.
3. Facilitate Further Exploits: By injecting malicious data into system processes, MacDirtyCow can serve as a stepping stone for more severe privilege escalation attacks or system compromise.

While MacDirtyCow demonstrates how vulnerabilities can trigger unauthorized system modifications, another related vulnerability, known as KFD (CVE-2023-23536, CVE-2023-41974, CVE-2023-32434), extends this risk to newer iOS versions, further complicating the security landscape.

KFD affects iOS versions up to 16.5 and allows attackers to achieve the same level of access as MacDirtyCow, enabling unauthorized file manipulation and system tampering. While the techniques behind KFD differ from those used in MacDirtyCow, the outcome is similar. Notably, KFD and MacDirtyCow are often used in conjunction to target different versions and devices, ensuring a broader attack surface. By leveraging these vulnerabilities together, attackers can exploit a wider range of iOS environments, further amplifying the risks and emphasizing the necessity for robust security measures and app vetting processes.

At Zimperium, we have identified hundreds of live samples in third-party app stores leveraging the MacDirtyCow and KFD vulnerabilities. These apps exploit the vulnerabilities to alter system-level settings, enabling behaviors that are typically restricted by iOS. While some of these apps present themselves as harmless customization tools, their underlying use of MacDirtyCow and KFD poses significant security risks.

These apps have been observed tampering with critical system files to bypass permissions or enable unauthorized actions. Their presence in third-party app stores highlights the risks posed by unvetted apps and the urgent need for stringent app vetting practices to prevent the exploitation of such vulnerabilities.

Zimperium’s advanced app vetting capabilities are specifically designed to detect and flag such exploits. By identifying apps that leverage vulnerabilities like MacDirtyCow and KFD, we help organizations stay ahead of these evolving threats, ensuring the integrity and security of their mobile ecosystems.

The Role of Vetting in Detecting Privilege Escalation Attempts

A robust app vetting process is essential to detect and thwart escalation attempts. Vetting must go beyond basic checks to include comprehensive analysis methods:

1. Static Analysis: This involves examining the app’s binary to identify known vulnerabilities, hidden exploits, or malicious patterns. Static analysis helps uncover potential misuse of private APIs, improper implementation of entitlements, or embedded backdoors.
2. Dynamic Analysis: Observing an app’s behavior during runtime is critical to identifying hidden actions that may not be apparent in the results of the static analysis. This includes detecting unauthorized file modifications, abnormal network activity, or sandbox escape attempts.
3. Permission Analysis: Ensuring requested permissions align with the app’s functionality helps prevent permission misuse or overreach. For example, apps requesting access to system-level features or sensitive data without justification should raise red flags. In addition, identifying permissions that are both dangerous and not usually asked by other apps in the same category helps identify red flags.
4. Vendor Validation: Verifying the credibility of the app developer or source adds another layer of assurance. Developers with a history of producing secure, trustworthy software are less likely to introduce vulnerabilities.

Such a rigorous vetting framework helps to uncover concealed threats and ensures that only safe, compliant, and trustworthy apps are deployed on your organization’s mobile devices.

The next sections delve deeper into the key indicators of potential escalation attempts, including unusual behavior, private API usage, and permission misuse. These factors demonstrate how comprehensive vetting can protect against the risks highlighted in the case studies.

Unusual Behavior

Unusual behavior refers to patterns of app activity that deviate from what is expected based on the app’s stated functionality. Detecting such behavior involves a combination of static analysis and dynamic analysis, which are crucial for identifying privilege escalation attempts and other security risks. For instance, an app exhibiting capabilities beyond its stated functionality — such as attempting to escape the iOS sandbox or modify system-level files — can be flagged early. 

At Zimperium, dynamic analysis techniques have successfully identified numerous apps with hidden behaviors indicative of privilege escalation, enabling organizations to mitigate risks before deployment.

Private API/Entitlement Usage

Detecting the use of private APIs or private entitlements is a critical component of app vetting. Private APIs are undocumented or restricted APIs not intended for third-party use, while private entitlements are system-level privileges reserved for Apple or specific trusted applications. As we have seen in the previous case studies the misuse of these resources can enable apps to bypass security controls, gain unauthorized access to sensitive data, or escalate privileges.

• Detection of Private API Usage: This involves identifying function calls to restricted system resources during both static and dynamic analysis.
• Detection of Private Entitlement Usage: This entails analyzing app signatures and configuration files for the presence of unauthorized entitlements.

The importance of detecting private API and entitlement usage is underscored by the prevalence of this behavior. At Zimperium, we have identified over 40,000 apps leveraging private entitlements, with more than 800 apps making use of private APIs. While some of these cases are legitimate for in-house apps, many represent clear violations of security policies.

Permission Misuse

Permission misuse occurs when apps request permissions that are too broad or unnecessary for their functionality, violating the principle of least privilege. Examples include a flashlight app requesting access to location services or a password manager requiring access to the microphone. This behavior not only raises privacy concerns but also increases the risk of privilege escalation attacks if permissions are exploited maliciously.

• Detection of Permission Misuse: Through permission analysis, requested permissions are compared against the app’s stated functionality. Permissions that appear unnecessary or overly broad are flagged for further review.
• Risk-Based Recommendations: At Zimperium, we closely analyze permissions requested by apps and provide actionable recommendations to help organizations assess their risk levels. Apps that demand excessive or unwarranted permissions are flagged as potentially dangerous, enabling businesses to make informed decisions about their deployment. In addition, Zimperium highlights the commonality of the permissions requested by an app compared to other apps in the same category in the store.

Permission analysis has proven invaluable in preventing privilege escalation attempts. By identifying apps that overreach in their permission requests, organizations can minimize their exposure to potential attacks and ensure compliance with security best practices. Zimperium’s continuous focus on permission vetting helps businesses protect sensitive data and maintain the integrity of their mobile ecosystems.

Conclusion

iOS devices are trusted for their strong security features, but threats arising from permission misuse, private API exploitation, or malicious app behavior can expose organizations to significant risks, including privilege escalation attacks, data breaches, and regulatory non-compliance. As demonstrated in the case studies of TrollStore, SeaShell, MacDirtyCow, and KFD, attackers continually devise new ways to exploit these risks and compromise security.

App vetting serves as a critical defense against these threats by identifying and mitigating risks before they impact users or organizations. Through static analysis, dynamic analysis, and permission evaluation, Zimperium’s advanced technology helps uncover hidden exploits, detect suspicious activity, and ensure that only safe and compliant apps are deployed.

Moreover, Zimperium’s MTD can mitigate these risks further by: 

• Third-party app stores detection: third party stores are the main source of malicious apps due to the lack of vetting. 
• Sideloaded applications detection: identifying apps that are manually installed outside official channels. 
• System compromise detection: monitoring for anomalous behaviours and indicators of compromises that evidence that the system was exploited. 

With over 40,000 apps leveraging private entitlements and hundreds of live samples exploiting vulnerabilities like MacDirtyCow and KFD, the importance of proactive app vetting cannot be overstated. Zimperium’s expertise and cutting-edge solutions enable organizations to safeguard their mobile ecosystems, reduce their attack surface, and maintain the trust of their users. By partnering with Zimperium, businesses can stay ahead of evolving threats and ensure the integrity of their mobile operations.