Less than a week after WireLurker shocked the iOS community, a new malware threat has been discovered that could be even more dangerous.
The FireEye mobile security research team announced today that they’ve discovered a new iOS malware threat called Masque Attack that mimics and replaces the legitimate apps on your iPhone with decoy apps that steal your personal information.
Masque Attacks are so lethal that they can replace your banking and email apps without you realizing it. The attack works by prompting you to install a fake update to a popular app like Flappy Bird, while secretly replacing your Gmail or banking app with a trojan horse masquerading as the real deal, only it’s designed to suck away all the personal data you feed it.
Here’s a video demo of how the attack works:
https://youtu.be/v9MNuQv0gPQ
The new vulnerability comes on the heels of WireLurker, which quickly spread through non-jailbroken iPhones in China last week. Apple quickly killed WireLurker by blocking the enterprise certificates it used to install malicious apps, but Masque Attack uses bundle identifiers to sneak its rotten apps onto your device.
Researchers discovered that Masque Attack works on iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta, on both jailbroken and non-jailbroken devices. The attack can be delivered over WiFi or USB, and can replace any iOS app other than the stock apps.
The Masque Attack is dangerous for a number of reasons. First, it mimics original apps to steal your login information. It can even read the data from the original app’s directory and steal any other sensitive data. Attackers can also leverage Masque Attack with the private APIs in iOS to monitor you in the background or steal your Apple ID and password.
FireEye notes that the vulnerability could be used to bypass the normal app sandbox to then get root privileges on your device by attacking known iOS vulnerabilities. We’ve reached out to Apple for a comment but haven’t heard back at this time.
To keep yourself protected from Masque Attack, iOS users should not install any apps unless they’re coming directly from the App Store. Do not tap “Install” if a pop-up from a website appears on your iPhone, no matter what it says. And if you open an app and iOS displays an alert that it’s from an “Untrusted App Developer”, you should tap Don’t Trust and uninstall it immediately.
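The bundle-identifier trick described above leaves a trace an administrator can look for: an app that carries the bundle identifier of an App Store app but was installed through an enterprise provisioning profile and signed by a different team. The following is an added example, not code from the article or from FireEye, that checks a constructed MDM-style app inventory for exactly that pattern; the inventory format, field names, bundle identifiers and team identifiers are all assumptions made for the example.

```python
import json

# Constructed sample inventory (not real device data). Each record mimics what a
# device-inventory export might carry per app: the bundle identifier, where the
# app was installed from, and the signing team identifier. All values invented.
SAMPLE_INVENTORY = json.dumps([
    {"bundle_id": "com.example.mail", "source": "app_store", "team_id": "TEAM-MAIL"},
    {"bundle_id": "com.example.bank", "source": "enterprise_profile", "team_id": "TEAM-UNKNOWN-1"},
    {"bundle_id": "com.example.flappygame", "source": "enterprise_profile", "team_id": "TEAM-UNKNOWN-1"},
    {"bundle_id": "com.acme.internal-tools", "source": "enterprise_profile", "team_id": "TEAM-ACME"},
])

# Baseline: bundle identifiers the organisation expects to come from the App Store,
# mapped to the team identifier each should be signed by (constructed values).
APP_STORE_BASELINE = {
    "com.example.mail": "TEAM-MAIL",
    "com.example.bank": "TEAM-BANK",
}

# Enterprise team identifiers the organisation itself uses for in-house apps.
TRUSTED_ENTERPRISE_TEAMS = {"TEAM-ACME"}


def find_masqueraded_apps(inventory_json, baseline, trusted_teams):
    """Return findings for apps that look like Masque-style replacements.

    A replacement keeps the victim's bundle identifier but arrives outside the
    App Store and is signed by a different team. In-house apps signed by a
    trusted enterprise team are not flagged; neither are App Store installs.
    """
    findings = []
    for app in json.loads(inventory_json):
        bid = app["bundle_id"]
        if app["source"] == "app_store":
            continue  # installed through the store: not the Masque vector
        if app["team_id"] in trusted_teams:
            continue  # known in-house enterprise app
        expected_team = baseline.get(bid)
        if expected_team is not None and expected_team != app["team_id"]:
            reason = "bundle id collides with an App Store app"
        else:
            reason = "sideloaded app from an unknown enterprise team"
        findings.append({"bundle_id": bid, "team_id": app["team_id"], "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in find_masqueraded_apps(SAMPLE_INVENTORY, APP_STORE_BASELINE, TRUSTED_ENTERPRISE_TEAMS):
        print(finding)
```

On the sample inventory the bank app is reported as a bundle-identifier collision and the game as an unknown sideloaded app, while the in-house tool and the App Store mail app pass.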
Source: FireEye
13 responses to “iOS ‘Masque Attack’ vulnerability could be more dangerous than WireLurker”
Ummm… If non-jail broken iOS devices can only download approved apps through the App Store, how is it possible to get one of these masquerading apps on an iOS device that’s not jailbroken?
The method seems to be similar to the one that let you install a GBA emulator by visiting a web page before Apple fixed the “date trick”.
I was thinking that too, but it says 8.1 is vulnerable. I thought Apple patched that.
Enterprise provision is a “legal” approach approved by Apple, not some vulnerability. It’s an important feature for enterprise IT managers to deploy proprietary Apps outside of iTunes App Store within enterprise.
Is this an enterprise provision install? I didn’t see him accept the provision, or did he accept it before he started the video? I have never messed with enterprise provisions so I don’t know if they can be accepted that long before you install the app.
A provisioning profile can’t bypass user confirmation. When you launch the app and it asks you to trust the identity, the provisioning profile will be installed if you approve it.
One may argue that Apple should ramp up the security level while installing such Apps, but it’s not a security exploit.
One thing that is missing in the article is how people can know if an app has already been replaced. Does the App Store stop showing updates or something?
If the app has metadata the AppStore will show an update.
If someday your legitimate app asks you to trust an untrusted certification, you’ll know.
It would be useful if iOS shows you what the app does when asking you to install.
(like what it accesses, modifies, connects to…etc)
So we have another malware that will utilize Apple-approved technical approaches to install a fake Gmail app, which will first humbly ask you to allow it to download and install on your device, and then humbly ask you to trust an untrusted certification, so that it can finally do something bad.
Wow the world is coming to an end.
I got worried until I saw the video. Some people click on anything they get, but if you are a bit wise you won’t get infected. I thought somehow the update was through the App Store.
A couple of points I’d like to make here. One, yes, this is sideloading or working with the provisioning profile which, as others have mentioned, you can’t bypass user authentication with, so it’s not like you’re just clicking on a link and sadly it looks like you’ve been taken to the App Store. First you have to accept the provisioning profile and then click on another link to begin the download of this app that suddenly installs these fake apps. This is not a simple malware attack.
Secondly, I’m kind of disappointed in Cult of Mac for the way the article is both written and promoted; it’s link bait and a fear tactic to spread. They’re usually much more balanced about this type of thing, and not only that, they typically post about how to prevent it or what you should look for to avoid it… not just posting a simple video on how it’s accomplished. Shame on you, Cult of Mac editors.