Over 40,000 iOS Apps Found Exploiting Private Entitlements, Zimperium

A new report from Zimperium is alerting users about growing threats facing iOS devices, particularly those tied to unvetted and sideloaded mobile apps. While iPhones are often viewed as secure by design, the company’s analysis reveals how certain apps can quietly bypass Apple’s protections, leaving users and enterprises exposed.
The report, which draws from real-world incidents and active threat research, outlines how attackers are increasingly targeting iOS through methods like privilege escalation, the misuse of private APIs, and sideloading exploits that bypass Apple’s app review process entirely.
Mobile devices have become central to business operations. However, as Zimperium points out, most organizations still overlook one of the most common weak spots: third-party apps, especially those not sourced from the official App Store.
Even apps that appear harmless can abuse permissions or carry hidden malicious code. A flashlight app requesting access to your contacts or microphone might not raise immediate suspicion, but Zimperium stresses that these kinds of requests can lead to sensitive data exfiltration or system compromise.
Third-party app stores and sideloaded apps are an even greater risk. These apps bypass Apple’s security checks and may exploit undocumented features or embed harmful components that can silently track users or access corporate systems.
Zimperium’s report highlights a series of real-world examples where threat actors have successfully exploited iOS flaws.
TrollStore, for instance, uses known vulnerabilities in Apple’s CoreTrust and AMFI modules to sideload apps with modified entitlements. These entitlements, normally restricted to system-level functions, can allow an app to bypass sandboxing or spy on users without detection.
Apps distributed through TrollStore are often disguised as harmless tools but may secretly access system logs, record audio, or connect to external servers. This opens the door for full-device compromise.
One such framework that builds on this technique is SeaShell, a publicly available post-exploitation tool that gives attackers remote control of compromised iPhones. SeaShell lets threat actors extract data, persist on the device, and manipulate files using a secure connection. Zimperium has already observed live malware samples based on SeaShell being shared through unofficial channels.
Another case, MacDirtyCow (CVE-2022-46689), involves a race condition in the iOS kernel that allows temporary changes to protected system files. Although the changes don’t survive a reboot, they’re long enough to tamper with iOS permissions or bypass restrictions. A newer vulnerability, known as KFD, targets updated iOS versions using similar methods.
Together, these exploits show how attackers can escalate access far beyond what the user has granted, often without leaving clear traces.
The stakes are high. Data breaches caused by app-based attacks can result in financial losses, regulatory penalties, and long-term damage to reputation. Industries governed by strict compliance rules, such as healthcare or finance, are particularly at risk.
Zimperium reports that it has identified over 40,000 apps using private entitlements and more than 800 relying on private APIs. While some of these may be legitimate in-house tools, many are not. Without proper vetting, it becomes nearly impossible to separate safe apps from dangerous ones.
Zimperium recommends organizations take a multi-layered approach:
- Implement strict app vetting before allowing apps on corporate devices. This includes static and dynamic analysis to catch suspicious behaviours like privilege abuse, API misuse, or sandbox evasion.
- Monitor permissions and reject apps that request excessive access not justified by their function.
- Detect sideloaded apps and third-party store use, which are common pathways for malware.
- Analyze developer credentials to validate the source of the app and identify reputational risks.
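One concrete static check behind the first recommendation, as an added example rather than Zimperium's own tooling: parse an app's entitlements plist and flag keys that only Apple's platform binaries should carry. The public allowlist, private denylist and both sample plists are constructed for illustration and are not a complete baseline.

```python
import plistlib
from typing import Dict, List

# Entitlement keys Apple grants to ordinary third-party apps (an assumed allowlist
# for this example; a real vetting baseline would be larger and versioned).
PUBLIC_PREFIXES = ("com.apple.developer.", "com.apple.security.")
PUBLIC_KEYS = {"application-identifier", "keychain-access-groups",
               "aps-environment", "get-task-allow"}
# Entitlements normally reserved for Apple's own platform binaries; seeing them in
# a sideloaded app is exactly the signal the report describes.
PRIVATE_KEYS = {"platform-application", "task_for_pid-allow"}
PRIVATE_PREFIX = "com.apple.private."

def classify_entitlements(entitlements_plist: bytes) -> Dict[str, List[str]]:
    """Bucket an app's entitlement keys into public / private / unknown.
    Input is the XML plist that e.g. `codesign -d --entitlements` prints on macOS."""
    ents = plistlib.loads(entitlements_plist)
    buckets: Dict[str, List[str]] = {"public": [], "private": [], "unknown": []}
    for key in sorted(ents):
        if key in PRIVATE_KEYS or key.startswith(PRIVATE_PREFIX):
            buckets["private"].append(key)
        elif key in PUBLIC_KEYS or key.startswith(PUBLIC_PREFIXES):
            buckets["public"].append(key)
        else:
            buckets["unknown"].append(key)  # not in baseline: needs a human look
    return buckets

def vetting_verdict(entitlements_plist: bytes) -> str:
    """'reject' on any private entitlement, 'review' on unknown keys, else 'allow'."""
    buckets = classify_entitlements(entitlements_plist)
    if buckets["private"]:
        return "reject"
    return "review" if buckets["unknown"] else "allow"

# Constructed samples (not real apps): a normal App Store style app, and a
# "flashlight" app whose entitlements were modified to escape the sandbox.
BENIGN = b"""<plist version="1.0"><dict>
<key>application-identifier</key><string>TEAMID.com.example.notes</string>
<key>aps-environment</key><string>production</string>
<key>com.apple.developer.team-identifier</key><string>TEAMID</string>
</dict></plist>"""
SUSPICIOUS = b"""<plist version="1.0"><dict>
<key>application-identifier</key><string>TEAMID.com.example.flashlight</string>
<key>platform-application</key><true/>
<key>com.apple.private.security.no-sandbox</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, vetting_verdict(blob), classify_entitlements(blob)["private"])
```

Feed it the entitlements extracted from each IPA in your vetting pipeline; the "unknown" bucket is where a reviewer learns which new entitlements the baseline is missing.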
In addition, Zimperium’s Mobile Threat Defense (MTD) platform offers automated detection for sideloaded apps, system compromise, and behavioural anomalies. These tools help identify threats early and block malicious activity before it spreads.
As attackers continue to find new ways to bypass mobile security, organizations must shift their focus from reactive controls to preemptive analysis. App vetting is no longer optional; it is a key part of securing mobile endpoints.
With active threats like TrollStore and SeaShell in circulation, and exploits like MacDirtyCow and KFD still being abused, mobile security teams have little room for error. The message from Zimperium is clear: don’t trust an app just because it runs on iOS. Know what it does, where it comes from, and how it behaves.
For more technical insights, visit Zimperium’s blog post.
HackRead