Siri Shortcuts, Apple’s recently introduced native feature for iOS 12, can potentially be abused by threat actors to deliver malware to unsuspecting mobile device users, researchers are warning.
The tool allows users to quickly execute and automate multiple-step tasks with just a single tap or voice command. Device owners who download the Siri Shortcuts app from the Apple Store can customize the feature to create their own personal shortcuts, while third-party developers can also incorporate this functionality into their own apps, allowing them to push shortcut suggestions to users’ lock screens.
However, attackers could easily trick users into opening malicious shortcuts designed to extort individuals and spread like worms to other device owners, according to a Jan. 31 company blog post from IBM.
For instance, a malicious shortcut could arrive in the form of a threat designed to make recipients believe that a remote attacker has stolen their data and is demanding payment for its safe return.
“Using native shortcut functionality, a script could be created to speak the ransom demands to the device’s owner by using Siri’s voice,” explains the blog post, authored by John Kuhn, senior threat researcher at IBM. “To lend more credibility to the scheme, attackers can automate data collection from the device and have it send back the user’s current physical address, IP address, contents of the clipboard, stored pictures/videos, contact information and more. This data can be displayed to the user to convince them that an attacker can make use of it unless they pay a ransom.”
The shortcut could even automatically access the Internet and pull up a URL instructing victims how to pay with cryptocurrency wallets, Kuhn adds.
In an attempt to further amplify the damage, attackers could also configure the shortcut to propagate itself across multiple devices by sending messages to victims’ contact lists, likely prompting several more device owners to download the malicious shortcut.
Through an IBM spokesperson, Kuhn told SC Media that “Apple collaborated with IBM on the Siri Shortcut findings and validated the recommendations we provided in the blog post.” SC Media has also reached out to Apple for comment.
To help mobile device users avoid such schemes, IBM recommends they only install shortcuts from trusted sources, review shortcut permissions for suspicious requests, and use the “show actions” button before installing a shortcut to better understand its underlying behavior.