According to reporting by Joseph Cox of 404 Media, attackers are abusing podcast applications, specifically Apple Podcasts, as an attack vector. The behavior allows the Podcasts app to be opened, with attacker-chosen content, without the user asking for it; the report does not demonstrate anything beyond that unsolicited launch, so any further compromise remains a concern rather than an observed result.
Over several months, the Apple Podcasts app on both an iPhone and a Mac exhibited unusual behavior: podcasts, predominantly religious in nature, opened on their own without any prompt or subscription from the user. The metadata attached to these unsolicited podcasts contained suspicious elements, including personal email addresses, faith-related phrases in several languages, and strings that resembled code.
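Podcast feeds are ordinary RSS documents, so the indicators described above can be checked for before a feed is trusted. The following Python script is an added example, not code from the 404 Media report or from Wardle: it parses a feed and flags episodes whose title or description contains an email address or a code-like fragment. The feed is constructed for illustration, and the list of code markers is an assumption about what should never appear in human-readable episode text; it does not attempt to detect the multilingual phrasing the report mentions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample feed (not a real podcast). One item is ordinary; the
# other carries the kinds of metadata described in the report: an email
# address and a code-like fragment smuggled into the description.
SAMPLE_FEED = """<rss version="2.0">
  <channel>
    <title>Example Show</title>
    <item>
      <title>Episode 1: A normal episode</title>
      <description>Discussion of the week's news.</description>
    </item>
    <item>
      <title>Gebet / Prayer / Oracion</title>
      <description>Contact someone@example.net &lt;script&gt;location.href=x&lt;/script&gt;</description>
    </item>
  </channel>
</rss>"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Assumed markers: none of these belong in a title or show notes.
CODE_MARKERS = ("<script", "javascript:", "eval(", "location.href", "document.")


def scan_item(title, description):
    """Return the list of indicator names found in one episode's metadata."""
    text = f"{title}\n{description}"
    hits = []
    if EMAIL_RE.search(text):
        hits.append("email_address")
    lowered = text.lower()
    if any(marker in lowered for marker in CODE_MARKERS):
        hits.append("code_like_fragment")
    return hits


def scan_feed(xml_text):
    """Parse an RSS feed and return (title, indicators) for each flagged item.

    ElementTree unescapes entities, so a description that was stored as
    &lt;script&gt; is inspected as the literal <script> it would render as.
    """
    root = ET.fromstring(xml_text)
    flagged = []
    for item in root.iter("item"):
        title = (item.findtext("title") or "").strip()
        description = (item.findtext("description") or "").strip()
        hits = scan_item(title, description)
        if hits:
            flagged.append((title, hits))
    return flagged


if __name__ == "__main__":
    for title, hits in scan_feed(SAMPLE_FEED):
        print(f"{title!r}: {', '.join(hits)}")
```

Run against a real feed, the script would report the second item and stay silent on the first; a hit is a reason to inspect the feed by hand, not proof of malice, since legitimate show notes do sometimes include a contact address.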
Patrick Wardle, a macOS security expert and founder of Objective-See, stated, “The most concerning behavior is that the app can be launched automatically with a podcast of an attacker’s choosing. I have replicated similar behavior, albeit via a website: simply visiting a website is enough to trigger Podcasts to open (and load a podcast of the attacker’s choosing), and unlike other external app launches on macOS (e.g., Zoom), no prompt or user approval is required.”
The security-relevant point is the missing consent step. On macOS, a website that opens another application normally triggers a confirmation prompt, as it does for Zoom; Wardle found that Podcasts opened with no such prompt. The Podcasts app is not itself what would switch on a camera or microphone, so the worry is not that a podcast can activate a webcam directly, but that an application which does control those peripherals could be launched in the same prompt-free way if it had a similar flaw, giving a website a route to them without the user noticing. Users who want to avoid the behavior can switch to an alternative podcast client such as Pocket Casts.





