'Masque Attack' Vulnerability Allows Malicious Third-Party iOS Apps to Masquerade as Legitimate Apps

Just a week after new WireLurker iOS malware surfaced, there's yet another vulnerability in iOS that can potentially be used to install malicious third-party apps. Called Masque Attack for its ability to emulate and replace existing legitimate apps, the flaw was discovered by security research company FireEye.

Masque Attack works by luring users into installing an app from outside the iOS App Store by clicking a phishing link in a text message or email. For example, in a demo video, an SMS message with a link attached was sent with the following text: "Hey, check this out, the New Flappy Bird."

Once clicked, the link directs to a website, which prompts the user to install an app. The app in the video isn't Flappy Bird, but a malicious version of Gmail that installs directly over the legitimate version of Gmail downloaded from the App Store, making it virtually undetectable.


Masque Attack can be used to install fake versions of apps over legitimate App Store versions using iOS enterprise provisioning profiles, which are used for beta testing or by companies to distribute apps to employees without the need for the official App Store.

As explained in a blog post, as long as both the existing App Store app and the malicious imposter app use the same bundle identifier (a unique identifying number), the fake version will replace the actual app in a way that's very difficult for the user to detect. The hidden malicious app is able to upload email messages, SMS messages, phone calls, and more, which is possible because "iOS doesn't enforce matching certificates for apps with the same bundle identifier."

While the attack cannot replace stock Apple apps like Safari and Mail, it is able to affect apps that have been installed via the App Store, and has the potential to be much more dangerous than other vulnerabilities like WireLurker.

"Masque Attacks can pose much bigger threats than WireLurker. Masque Attacks can replace authentic apps, such as banking and email apps, using attacker's malware through the Internet. That means the attacker can steal user's banking credentials by replacing an authentic banking app with malware that has identical UI. Surprisingly, the malware can even access the original app's local data, which wasn't removed when the original app was replaced. These data may contain cached emails, or even login-tokens which the malware can use to log into the user's account directly."

FireEye has gotten the attack to work on iOS 7.1.1, 7.1.2, 8.0, 8.1, and the 8.1.1 beta. The company notified Apple about the vulnerability on July 26, but iOS users can protect themselves by not installing apps from third-party sources other than the official App Store, avoiding clicking on "install" popups in SMS messages or third-party websites, and avoiding or uninstalling apps that give an "Untrusted App Developer" alert.
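The missing check quoted above ("iOS doesn't enforce matching certificates for apps with the same bundle identifier") can be modelled in a few lines. The following is an added example, not code from FireEye or Apple: it contrasts an install decision keyed only on the bundle identifier with one that also compares the signer, and adds a defender-side audit of an app inventory against a known-good baseline. The `App` fields, signer strings and bundle identifiers are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class App:
    bundle_id: str       # constructed identifiers, not real apps
    signer: str          # signing identity; this field name is an assumption
    stock: bool = False  # preinstalled Apple app


def install_decision(installed, incoming, enforce_signer):
    """Return (action, reason) for installing `incoming` over `installed`.

    enforce_signer=False models the behaviour the article describes;
    enforce_signer=True adds the signer comparison the quote says is missing.
    """
    current = installed.get(incoming.bundle_id)
    if current is None:
        return ("install", "new bundle identifier")
    if current.stock:
        return ("reject", "stock apps cannot be replaced")
    if enforce_signer and current.signer != incoming.signer:
        return ("reject", "signer differs from the installed app")
    return ("replace", "same bundle identifier, existing app data kept")


def signer_changes(baseline, inventory):
    """Defender-side audit: bundle IDs whose signer differs from a baseline."""
    return sorted(
        bid for bid, app in inventory.items()
        if bid in baseline and baseline[bid].signer != app.signer
    )


# Constructed sample inventory for one device.
DEVICE = {
    "com.example.mail": App("com.example.mail", "store:ExampleCorp"),
    "com.example.browser": App("com.example.browser", "apple", stock=True),
}
IMPOSTER = App("com.example.mail", "enterprise:UnknownOrg")

if __name__ == "__main__":
    print(install_decision(DEVICE, IMPOSTER, enforce_signer=False))
    print(install_decision(DEVICE, IMPOSTER, enforce_signer=True))
    after = {**DEVICE, IMPOSTER.bundle_id: IMPOSTER}
    print(signer_changes(DEVICE, after))
```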

iOS 7 users can check to see if they've been the victim of an attack by going to Settings --> General --> Profiles to see what provisioning profiles are installed. iOS 8 devices do not show installed provisioning profiles, making it more difficult to detect an attack.


Top Rated Comments


27 months ago
Once clicked, the link directs to a website, which prompts the user to install an app. The app in the video isn't Flappy Bird, but a malicious version of Gmail that installs directly over the legitimate version of Gmail downloaded from the App Store, making it virtually undetectable.
------------

Any user who downloads an app from an unknown website mentioned in an email, wouldn't detect it if the app was called "I steal your banking data"
Rating: 42 Votes
27 months ago
So, I have to click a link to install an "app" in an SMS from someone I don't know that takes me to a place that isn't the app store? And, this is considered a huge vulnerability? I mean, I guess that you'll get a few people that will say "Yay! New Flappy Bird! And I didn't have to check the app store for it."
That said, hopefully, Apple will fix this pretty quickly. Maybe in 8.1.1.
Rating: 37 Votes
27 months ago
Moral to the story, never side load :)
Rating: 36 Votes
27 months ago
So this basically affects stupid people who click on links to sideload apps.
Rating: 24 Votes
27 months ago

...the vulnerability on July 26...


That is a very long time to not have a fix released.
Rating: 17 Votes
27 months ago
This is a pretty legit vulnerability. Cunning.
Rating: 15 Votes
27 months ago

That is a very long time to not have a fix released.


No kidding. Too busy with Sapphire Furnaces. :mad:
Rating: 12 Votes
27 months ago
This isn't some big security hole. Quit acting like it's a huge deal other than for those that are too stupid for their own good. If you're an idiot and install unconfirmed profiles, that's your own fault. It's no different than asking you for your computer password and then being surprised when someone installs what they want with the password you've just given them. You've been able to do this on iOS for years.

This is also how you can install any apps you want. Been utilizing it for years. This is how many companies load their own internal apps on to their employee devices without having to have them approved by the App Store.
Rating: 12 Votes
27 months ago
I'll repeat this - the bigger issue is that this security hole exists and that apps can be overwritten.

Some people need to stop focusing on whether or not old people, stupid people or whatnot would click on some random link.
Rating: 10 Votes
27 months ago
Hello Android Problems, Welcome to Apple Land.
Rating: 9 Votes
