In the market for an iPhone? Here's a breakdown of all the currently shipping iPhones from Apple.
'Masque Attack' Vulnerability Allows Malicious Third-Party iOS Apps to Masquerade as Legitimate Apps
Just a week after new WireLurker iOS malware surfaced, there's yet another vulnerability in iOS that can potentially be used to install malicious third-party apps. Called Masque Attack for its ability to emulate and replace existing legitimate apps, the flaw was discovered by security research company FireEye.
Masque Attack works by luring users to install an app outside of the iOS App Store, by clicking a phishing link in a text message or email. For example, in a demo video, an SMS message with a link attached was sent with the following text "Hey, check this out, the New Flappy Bird."
Once clicked, the link directs to a website, which prompts the user to install an app. The app in the video isn't Flappy Bird, but a malicious version of Gmail that installs directly over the legitimate version of Gmail downloaded from the App Store, making it virtually undetectable.
Masque Attack can be used to install fake versions of apps over legitimate App Store versions using iOS enterprise provision profiles, which are used for beta testing or by companies to distribute apps to employees without the need for the official App Store.
As explained in a blog post, as long as both the existing App Store app and the malicious imposter app use the same bundle identifier (a unique identifying number), the fake version will replace the actual app in a way that's very difficult for the user to detect. The hidden malicious app is able to upload email messages, SMS messages, phone calls, and more, which is possible because "iOS doesn't enforce matching certificates for apps with the same bundle identifier."
While the attack cannot replace stock Apple apps like Safari and Mail, it is able to affect apps that have been installed via the App Store, and has the potential to be much more dangerous than other vulnerabilities like WireLurker.
iOS 7 users can check to see if they've been the victim of an attack by going to Settings --> General --> Profiles to see what provisioning profiles are installed. iOS 8 devices do not show installed provisioning profiles, making it more difficult to detect an attack.
Masque Attack works by luring users to install an app outside of the iOS App Store, by clicking a phishing link in a text message or email. For example, in a demo video, an SMS message with a link attached was sent with the following text "Hey, check this out, the New Flappy Bird."
Once clicked, the link directs to a website, which prompts the user to install an app. The app in the video isn't Flappy Bird, but a malicious version of Gmail that installs directly over the legitimate version of Gmail downloaded from the App Store, making it virtually undetectable.
Masque Attack can be used to install fake versions of apps over legitimate App Store versions using iOS enterprise provision profiles, which are used for beta testing or by companies to distribute apps to employees without the need for the official App Store.
As explained in a blog post, as long as both the existing App Store app and the malicious imposter app use the same bundle identifier (a unique identifying number), the fake version will replace the actual app in a way that's very difficult for the user to detect. The hidden malicious app is able to upload email messages, SMS messages, phone calls, and more, which is possible because "iOS doesn't enforce matching certificates for apps with the same bundle identifier."
While the attack cannot replace stock Apple apps like Safari and Mail, it is able to affect apps that have been installed via the App Store, and has the potential to be much more dangerous than other vulnerabilities like WireLurker.
Masque Attacks can pose much bigger threats than WireLurker. Masque Attacks can replace authentic apps,such as banking and email apps, using attacker's malware through the Internet. That means the attacker can steal user's banking credentials by replacing an authentic banking app with an malware that has identical UI. Surprisingly, the malware can even access the original app's local data, which wasn't removed when the original app was replaced. These data may contain cached emails, or even login-tokens which the malware can use to log into the user's account directly.FireEye has gotten the attack to work on iOS 7.1.1, 7.1.2, 8.0, 8.1, and the 8.1.1 beta. The company notified Apple about the vulnerability on July 26, but iOS users can protect themselves by not installing apps from third-party sources other than the official App Store, avoiding clicking on "install" popups in SMS messages or third-party websites, and avoiding apps/uninstalling apps that give an "Untrusted App Developer" alert.
iOS 7 users can check to see if they've been the victim of an attack by going to Settings --> General --> Profiles to see what provisioning profiles are installed. iOS 8 devices do not show installed provisioning profiles, making it more difficult to detect an attack.
[ 360 comments ]
Top Rated Comments
(View all)
68 months ago
Once clicked, the link directs to a website, which prompts the user to install an app. The app in the video isn't Flappy Bird, but a malicious version of Gmail that installs directly over the legitimate version of Gmail downloaded from the App Store, making it virtually undetectable.
------------
Any user who downloads an app from an unknown website mentioned in an email, wouldn't detect it if the app was called "I steal your banking data"
------------
Any user who downloads an app from an unknown website mentioned in an email, wouldn't detect it if the app was called "I steal your banking data"
68 months ago
So, I have to click a link to install an "app" in an SMS from someone I don't know that takes me to a place that isn't the app store? And, this is considered a huge vulnerability? I mean, I guess that you'll get a few people that will say "Yay! New Flappy Bird! And I didn't have to check the app store for it."
That said, hopefully, Apple will fix this pretty quickly. Maybe in 8.1.1.
That said, hopefully, Apple will fix this pretty quickly. Maybe in 8.1.1.
68 months ago
So this basically affects stupid people who click on links to sideload apps.
68 months ago
...the vulnerability on July 26...
That is a very long time to not have a fix released.
68 months ago
This isn't some big security hole. Quit acting like it's a huge deal other than for those that are too stupid for their own good. If you're an idiot and install unconfirmed profiles, that's your own fault. It's no different than asking you for your computer password and then being surprised when someone installs what they want with the password you've just given them. You've been able to do this on iOS for years.
This is also how you can install any apps you want. Been utilizing it for years. This is how many companies load their own internal apps on to their employee devices without having to have them approved by the App Store.
This is also how you can install any apps you want. Been utilizing it for years. This is how many companies load their own internal apps on to their employee devices without having to have them approved by the App Store.
68 months ago
That is a very long time to not have a fix released.
No kidding. Too busy with Sapphire Furnaces. :mad:
68 months ago
I'll repeat this - the bigger issue is that this security hole exists and that apps can be overwritten.
Some people need to stop focusing on whether or not old people, stupid people or whatnot would click on some random link.
Some people need to stop focusing on whether or not old people, stupid people or whatnot would click on some random link.
[ Read All Comments ]
Samsung at CES unveiled the T7 Touch SSD, a follow-up to its super popular T5 SSD. The T7 Touch is now available for purchase, and Samsung sent us a 500GB model for review purposes.
Design wise,...
Apple plans to make its HomePod speaker available in India in the near future, according to an updated HomePod section on the Apple India website.
The news of the HomePod's upcoming launch...
In a notable standalone sale that appeared this morning, MacMall is offering the Space Gray 11-inch 64GB iPad Pro with cellular support at $799.00, down from $949.00. MacMall offers free...
Best Buy has a new 24-hour flash sale that began this morning, with prices matching the lowest-ever deals on AirPods, iPad, and more. This sale will end tonight, January 29 at 11:59 p.m. CT, and the...
Further cementing its status as Nintendo's most successful mobile game to date, Fire Emblem Heroes has led Nintendo's race to the billion-dollar revenue mark on mobile (via Sensor Tower). The...
Apple will be opening an online Apple Store in India to start official online sales of iPhones, iPads, Macs, and more in the country starting in the third quarter of 2020, reports TechCrunch.
...
During the question and answer section of today's earnings call for the first fiscal quarter of 2020, Apple CEO Tim Cook was asked when he felt that people would feel the first impact of AR on...
Apple's services category, which includes iTunes, the App Store, the Mac App Store, Apple Music, Apple Pay, AppleCare, Apple TV+, Apple Arcade, and more, has become a significant revenue driver...
