Apple iOS 'Masque Attack' Vulnerability Leaves Apps Open For Exploit

Are you sure that app on your iPhone is legitimate? If you've been careful not to fall for phishing scams, then chances are you're right. However, there's a new malware targeting iOS that's capable of spoofing and even overwriting legitimate apps you've downloaded from Apple's App Store, such as Gmail, for example.

Hot on the heels of the nasty WireLurker malware that's been infesting iOS devices, mobile security researchers at FireEye say they've discovered that an iOS app installed using enterprise/ad-hoc provisioning can replace genuine apps installed on your phone, so long as both apps use the same bundle identifier. Any app can be replaced except those that come pre-installed in iOS, like iMessage and FaceTime.

[Image: the "Untrusted App Developer" alert] If you see this message, click on Don't Trust and uninstall the app right away.

According to FireEye, the vulnerability exists because iOS doesn't enforce matching certificates for apps that share a bundle identifier. It's been verified in iOS versions 7.1 up through 8.1.1 beta, and it applies to both jailbroken and non-jailbroken devices. And unlike WireLurker, which needed a USB connection, attackers can deliver it over wireless networks as well as over USB.

Dubbed "Masque Attack," the attack starts with the attacker tricking an iPhone user into installing an app with a deceptive name. For example, you receive a link via text message or email to install "New Flappy Bird." The app behind that link is up to no good and can replace any app you've installed from the App Store. Even worse, the sensitive data in the original (and legitimate) app's local directory is left in place, so the malicious replacement inherits it.
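The flaw FireEye describes is the absence of one check: an app arriving with a known bundle identifier is accepted even when its signing certificate differs from the original's. The following added example (not FireEye's code or the article's) expresses that missing check as an inventory audit a defender could run over a device's app list; the app names, bundle identifiers and team IDs are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class InstalledApp:
    name: str
    bundle_id: str
    team_id: str       # signing team taken from the code-signing certificate
    provisioning: str  # "app-store", "enterprise" or "ad-hoc"


# Constructed baseline: bundle identifier -> signing team recorded when each
# app was first installed from the App Store (hypothetical team IDs).
TRUSTED_BASELINE = {
    "com.example.mail": "TEAMMAIL01",
    "com.example.bank": "TEAMBANK01",
}


def audit(apps, baseline=TRUSTED_BASELINE):
    """Flag apps that reuse a baseline bundle identifier but do not match it.

    This is the check the article says iOS 7.1-8.1.1 did not perform: an app
    with a known bundle id must be signed by the same team as the original and
    must not have arrived through enterprise/ad-hoc provisioning.
    Returns a list of (bundle_id, name, reasons) tuples.
    """
    findings = []
    for app in apps:
        expected_team = baseline.get(app.bundle_id)
        if expected_team is None:
            continue  # does not collide with a known App Store bundle id
        reasons = []
        if app.team_id != expected_team:
            reasons.append(f"signing team {app.team_id} != {expected_team}")
        if app.provisioning != "app-store":
            reasons.append(f"installed via {app.provisioning} provisioning")
        if reasons:
            findings.append((app.bundle_id, app.name, "; ".join(reasons)))
    return findings


# Constructed inventory after a replacement: "Mail" still looks like the
# original, but it is now enterprise-provisioned and signed by another team.
# "Internal Tools" is enterprise-provisioned too, yet collides with nothing.
SAMPLE_INVENTORY = [
    InstalledApp("Mail", "com.example.mail", "TEAMEVIL99", "enterprise"),
    InstalledApp("Bank", "com.example.bank", "TEAMBANK01", "app-store"),
    InstalledApp("Internal Tools", "com.corp.tools", "TEAMCORP01", "enterprise"),
]

if __name__ == "__main__":
    for bundle_id, name, why in audit(SAMPLE_INVENTORY):
        print(f"{bundle_id} ({name}): {why}")
```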

Since everything looks the same on the user's end, firing up a previously safe app like Gmail or a banking app is suddenly a security risk: the attacker can harvest the user's login credentials and other information. Pretty nasty stuff.

The good news is the Masque Attack malware hasn't infiltrated the App Store, at least not that we know of. That makes it a bit easier to protect yourself -- avoid installing apps from third-party sources outside Apple's App Store, don't click "Install" on a pop-up from a third-party webpage, and when opening an app, if iOS shows an alert with "Untrusted App Developer," click on "Don't Trust" and uninstall it right away.

Via:  FireEye