"In a blog post late Monday, network security firm FireEye claims to have discovered a new iOS ‘flaw’ that allows a nefarious app to log touch events and button presses in the background, then send the data off to a remote server.
FireEye’s background monitoring proof-of-concept. | Source: FireEye
First spotted by ArsTechnica, the post describes a proof-of-concept that FireEye researchers say can collect and transmit potentially sensitive information while running in the background.
From what can be gleaned from FireEye’s blog, the supposed ‘flaw’ takes advantage of iOS’ built-in multitasking components, suggesting the attacking app must first be vetted and installed on an affected device to access legitimate APIs. Barring the side-loading of an app with private APIs, such as those certified for internal distribution through Apple’s remote management solution, the app would have to successfully sneak by the App Store review process in order to work."