iOS ‘Masque Attack’ vulnerability could be more dangerous than WireLurker

Thought WireLurker was bad? Wait till you meet Masque Attack. Photo: Jim Merithew/Cult of Mac

Less than a week after WireLurker shocked the iOS community, a new malware threat has been discovered that could be even more dangerous.

The FireEye mobile security research team announced today that they’ve discovered a new iOS malware threat called Masque Attack that mimics and replaces the legitimate apps on your iPhone with decoy apps that steal your personal information.

Masque Attacks are so lethal that they can replace your banking and email apps without you realizing it. The attack works by prompting you to install a fake update to a popular app like Flappy Bird, while secretly replacing your Gmail or banking app with a trojan horse masquerading as the real deal, only it’s designed to suck away all the personal data you feed it.

Here’s a video demo of how the attack works:


The new vulnerability comes on the heels of WireLurker, which quickly spread through non-jailbroken iPhones in China last week. Apple quickly killed WireLurker by blocking the enterprise certificates it used to install malicious apps, but Masque Attack uses bundle identifiers to sneak its rotten apps onto your device.

Researchers discovered that Masque Attack works on iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta, on both jailbroken and non-jailbroken devices. The attack can be delivered over Wi-Fi or USB, and can replace any iOS app other than the stock apps.
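As an added illustration (not from the original article or from FireEye), the check below shows how a device-inventory script could flag the condition Masque Attack relies on: an app occupying a bundle identifier that should come from the App Store but is instead signed by a different team or installed via an enterprise provisioning profile. The app names, team identifiers and inventory records are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class InstalledApp:
    bundle_id: str      # CFBundleIdentifier reported by the device
    team_id: str        # signing team from the app's code signature
    provisioning: str   # "appstore" or "enterprise" (constructed labels)

# Constructed baseline: bundle IDs of sensitive apps and the team expected
# to sign them when they come from the App Store.
EXPECTED_TEAM = {
    "com.example.bank": "BANKTEAM01",
    "com.example.mail": "MAILTEAM01",
}

# Constructed inventory: one genuine app, one replaced by an enterprise build.
SAMPLE_INVENTORY = [
    InstalledApp("com.example.bank", "BANKTEAM01", "appstore"),
    InstalledApp("com.example.mail", "EVILTEAM99", "enterprise"),
    InstalledApp("com.example.game", "GAMETEAM42", "enterprise"),
]

def find_masqueraded_apps(inventory, expected_team=EXPECTED_TEAM):
    """Return (bundle_id, team_id, provisioning) for every monitored bundle ID
    that is not signed by its expected team or was not installed from the
    App Store. Unmonitored bundle IDs are ignored."""
    findings = []
    for app in inventory:
        expected = expected_team.get(app.bundle_id)
        if expected is None:
            continue  # not a bundle ID we track
        if app.provisioning != "appstore" or app.team_id != expected:
            findings.append((app.bundle_id, app.team_id, app.provisioning))
    return findings

if __name__ == "__main__":
    for bundle_id, team_id, prov in find_masqueraded_apps(SAMPLE_INVENTORY):
        print(f"suspect: {bundle_id} signed by {team_id} via {prov}")
```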

The Masque Attack is dangerous for a number of reasons. First, it mimics original apps to steal your login information. It can even read the data from the original app’s directory and steal any other sensitive data. Attackers can also leverage Masque Attack with the private APIs in iOS to monitor you in the background or steal your Apple ID and password.

FireEye notes that the vulnerability could be used to bypass the normal app sandbox to then get root privileges on your device by attacking known iOS vulnerabilities. We’ve reached out to Apple for a comment but haven’t heard back at this time.

To keep yourself protected from Masque Attack, iOS users should not install any apps unless they come directly from the App Store. Do not tap “Install” if a pop-up from a website appears on your iPhone, no matter what it says. And if you open an app and iOS displays an alert that it’s from an “Untrusted App Developer,” you should tap Don’t Trust and uninstall it immediately.

Source: FireEye