'Masque Attack' Vulnerability Allows Malicious Third-Party iOS Apps to Masquerade as Legitimate Apps

Just a week after new WireLurker iOS malware surfaced, there's yet another vulnerability in iOS that can potentially be used to install malicious third-party apps. Called Masque Attack for its ability to emulate and replace existing legitimate apps, the flaw was discovered by security research company FireEye.

Masque Attack works by luring users to install an app outside of the iOS App Store, by clicking a phishing link in a text message or email. For example, in a demo video, an SMS message with a link attached was sent with the following text "Hey, check this out, the New Flappy Bird."

Once clicked, the link directs to a website, which prompts the user to install an app. The app in the video isn't Flappy Bird, but a malicious version of Gmail that installs directly over the legitimate version of Gmail downloaded from the App Store, making it virtually undetectable.


Masque Attack can be used to install fake versions of apps over legitimate App Store versions using iOS enterprise provision profiles, which are used for beta testing or by companies to distribute apps to employees without the need for the official App Store.

As explained in a blog post, as long as both the existing App Store app and the malicious imposter app use the same bundle identifier (a unique identifying number), the fake version will replace the actual app in a way that's very difficult for the user to detect. The hidden malicious app is able to upload email messages, SMS messages, phone calls, and more, which is possible because "iOS doesn't enforce matching certificates for apps with the same bundle identifier."

While the attack cannot replace stock Apple apps like Safari and Mail, it is able to affect apps that have been installed via the App Store, and has the potential to be much more dangerous than other vulnerabilities like WireLurker.

Masque Attacks can pose much bigger threats than WireLurker. Masque Attacks can replace authentic apps,such as banking and email apps, using attacker's malware through the Internet. That means the attacker can steal user's banking credentials by replacing an authentic banking app with an malware that has identical UI. Surprisingly, the malware can even access the original app's local data, which wasn't removed when the original app was replaced. These data may contain cached emails, or even login-tokens which the malware can use to log into the user's account directly.

FireEye has gotten the attack to work on iOS 7.1.1, 7.1.2, 8.0, 8.1, and the 8.1.1 beta. The company notified Apple about the vulnerability on July 26, but iOS users can protect themselves by not installing apps from third-party sources other than the official App Store, avoiding clicking on "install" popups in SMS messages or third-party websites, and avoiding apps/uninstalling apps that give an "Untrusted App Developer" alert.

iOS 7 users can check to see if they've been the victim of an attack by going to Settings --> General --> Profiles to see what provisioning profiles are installed. iOS 8 devices do not show installed provisioning profiles, making it more difficult to detect an attack.

Top Rated Comments

Tumbleweed666 Avatar
98 months ago
Once clicked, the link directs to a website, which prompts the user to install an app. The app in the video isn't Flappy Bird, but a malicious version of Gmail that installs directly over the legitimate version of Gmail downloaded from the App Store, making it virtually undetectable.
------------

Any user who downloads an app from an unknown website mentioned in an email, wouldn't detect it if the app was called "I steal your banking data"
Score: 42 Votes (Like | Disagree)
mercuryjones Avatar
98 months ago
So, I have to click a link to install an "app" in an SMS from someone I don't know that takes me to a place that isn't the app store? And, this is considered a huge vulnerability? I mean, I guess that you'll get a few people that will say "Yay! New Flappy Bird! And I didn't have to check the app store for it."
That said, hopefully, Apple will fix this pretty quickly. Maybe in 8.1.1.
Score: 37 Votes (Like | Disagree)
Shlooky Avatar
98 months ago
Moral to the story, never side load :)
Score: 36 Votes (Like | Disagree)
wxman2003 Avatar
98 months ago
So this basically affects stupid people who click on links to sideload apps.
Score: 24 Votes (Like | Disagree)
centauratlas Avatar
98 months ago
...the vulnerability on July 26...

That is a very long time to not have a fix released.
Score: 17 Votes (Like | Disagree)
TheBuffather Avatar
98 months ago
This is a pretty legit vulnerability. Cunning.
Score: 15 Votes (Like | Disagree)

Popular Stories

apple ar headset concept 1

Apple's Headset Said to Feature 14 Cameras Enabling Lifelike Avatars, Jony Ive Has Remained Involved With Design

Friday May 20, 2022 6:50 am PDT by
Earlier this week, The Information's Wayne Ma outlined struggles that Apple has faced during the development of its long-rumored AR/VR headset. Now, in a follow-up report, he has shared several additional details about the wearable device. Apple headset render created by Ian Zelbo based on The Information reporting For starters, one of the headset's marquee features is said to be lifelike...
anker 563 dock ports

Anker's Latest USB-C Docking Station Brings Triple-Display Support to M1 Macs

Wednesday May 18, 2022 7:06 am PDT by
While Apple's early M1-based Macs can only officially support a single external display, there are ways around the limitation. Anker is launching a new 10-in-1 USB-C docking station today which delivers just that. The Anker 563 USB-C dock includes two HDMI ports and a DisplayPort port, and it leverages DisplayLink to carry multiple video signals over a single connection. Given that this hub...
apple data auction iphone privacy ad

Apple Highlights iPhone's Latest Privacy Features in New 'Data Auction' Ad

Wednesday May 18, 2022 9:00 am PDT by
Apple today shared a new ad highlighting iPhone privacy features like App Tracking Transparency and Mail Privacy Protection that are designed to give users more transparency and control when it comes to their personal data being collected. The ad revolves around a young woman named Ellie who discovers that her personal data is being sold at an auction house, with bids being placed on her...
Prosser Series 8 3

Apple Watch Series 8 Rumored to Feature New Design With Flat Display

Wednesday May 18, 2022 6:21 am PDT by
The Apple Watch Series 8 could feature an all-new design with a flat display, according to the leaker known as "ShrimpApplePro." In his latest video on the YouTube channel Front Page Tech, Jon Prosser highlighted information from ShrimpApplePro that suggests the Apple Watch Series 8 could feature a flat display in what seems to be a design originally rumored for the Apple Watch Series 7. ...
sony headphones 1

Sony's New WH-1000XM5 Headphones vs. Apple's AirPods Max

Friday May 20, 2022 12:18 pm PDT by
Sony this week came out with an updated version of its popular over-ear noise canceling headphones, so we picked up a pair to compare them to the AirPods Max to see which headphones are better and whether it's worth buying the $400 WH-1000XM5 from Sony over Apple's $549 AirPods Max. Subscribe to the MacRumors YouTube channel for more videos. First of all, the AirPods Max win out when it comes ...
iPhone 14 Purple Lineup Feature

Will the iPhone 14 Be a Disappointment?

Saturday May 21, 2022 9:00 am PDT by
With around four months to go before Apple is expected to unveil the iPhone 14 lineup, the overwhelming majority of rumors related to the new devices so far have focused on the iPhone 14 Pro, rather than the standard iPhone 14 – leading to questions about how different the iPhone 14 will actually be from its predecessor, the iPhone 13. The iPhone 14 Pro and iPhone 14 Pro Max are expected...
apple ar headset concept 2

Apple's AR/VR Headset Nearing Completion as Board Gets Demo

Thursday May 19, 2022 9:52 am PDT by
Apple last week demonstrated its upcoming AR/VR headset to Apple board members, indicating that the device is in an advanced stage of development and could see a debut in the not too distant future, reports Bloomberg. Apple has also ramped up development of the software that runs on the headset, with that software expected to be called "RealityOS," or rOS for short. Render via designer Ian ...