Vietnamese Banking Apps Caught Using Private iOS APIs to Spy on Users
2025-03-31

Two popular Vietnamese banking apps, BIDV SmartBanking and Agribank Plus, have been found to use hidden private iOS APIs to detect other apps installed on users' iPhones. Security researchers discovered that the apps, developed by VNPay, combine commercial mobile app protection software with custom code called "VNPay Runtime Protection." This code exploits a side-channel vulnerability in a private iOS API to identify installed apps, and it uses weak XOR encryption to hide the API strings. Doing so violates Apple's App Store policies and puts the apps at risk of removal, affecting millions of users. The incident is unrelated to BShield, a mobile security solution.