'Masque Attack' Vulnerability Allows Malicious Third-Party iOS Apps to Masquerade as Legitimate Apps

Just a week after new WireLurker iOS malware surfaced, there's yet another vulnerability in iOS that can potentially be used to install malicious third-party apps. Called Masque Attack for its ability to emulate and replace existing legitimate apps, the flaw was discovered by security research company FireEye.

Masque Attack works by luring users into installing an app from outside the iOS App Store, for instance by clicking a phishing link in a text message or email. In FireEye's demo video, an SMS message carrying such a link read: "Hey, check this out, the New Flappy Bird."

Once clicked, the link directs to a website, which prompts the user to install an app. The app in the video isn't Flappy Bird, but a malicious version of Gmail that installs directly over the legitimate version of Gmail downloaded from the App Store, making it virtually undetectable.

Masque Attack can be used to install fake versions of apps over legitimate App Store versions using iOS enterprise provision profiles, which are used for beta testing or by companies to distribute apps to employees without the need for the official App Store.

As explained in a blog post, as long as both the existing App Store app and the malicious imposter app use the same bundle identifier (a unique identifying number), the fake version will replace the actual app in a way that's very difficult for the user to detect. The hidden malicious app is able to upload email messages, SMS messages, phone calls, and more, which is possible because "iOS doesn't enforce matching certificates for apps with the same bundle identifier."

While the attack cannot replace stock Apple apps like Safari and Mail, it is able to affect apps that have been installed via the App Store, and has the potential to be much more dangerous than other vulnerabilities like WireLurker.

Masque Attacks can pose much bigger threats than WireLurker. Masque Attacks can replace authentic apps, such as banking and email apps, using the attacker's malware through the Internet. That means the attacker can steal the user's banking credentials by replacing an authentic banking app with malware that has an identical UI. Surprisingly, the malware can even access the original app's local data, which wasn't removed when the original app was replaced. This data may contain cached emails, or even login tokens which the malware can use to log into the user's account directly.

FireEye has gotten the attack to work on iOS 7.1.1, 7.1.2, 8.0, 8.1, and the 8.1.1 beta. The company notified Apple about the vulnerability on July 26. In the meantime, iOS users can protect themselves by not installing apps from any source other than the official App Store, by not tapping "Install" prompts in SMS messages or on third-party websites, and by not opening (and uninstalling) any app that triggers an "Untrusted App Developer" alert.

iOS 7 users can check to see if they've been the victim of an attack by going to Settings --> General --> Profiles to see what provisioning profiles are installed. iOS 8 devices do not show installed provisioning profiles, making it more difficult to detect an attack.
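The two mechanisms the article describes, an installer that keys only on the bundle identifier (so an enterprise-signed binary can take over an App Store app and inherit its local data) and the defender's check of which provisioning-profile apps are present, can be made concrete with a small model. The following Python is an added illustration written for this page; it is not FireEye's code and not iOS internals. The bundle identifiers, team names and token value are constructed placeholders, and `Device`, `SignedApp`, `masque_scenario` and `audit_collisions` are hypothetical names. The "weak" policy mirrors the quoted behaviour ("iOS doesn't enforce matching certificates for apps with the same bundle identifier"); the "hardened" policy, which refuses a different signer for an existing bundle id, is the fix one would expect, not something the article states Apple shipped.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SignedApp:
    """A signed app bundle as the model sees it (constructed, not real iOS data)."""
    bundle_id: str   # e.g. "com.example.mail" (constructed placeholder)
    signer: str      # identity behind the signing certificate / team
    source: str      # "app_store" or "enterprise" (provisioning profile)


class Device:
    """Toy model of an app installer.

    enforce_matching_signer=False reproduces the weakness the article quotes:
    only the bundle identifier is compared when an install replaces an app.
    """

    def __init__(self, enforce_matching_signer):
        self.enforce_matching_signer = enforce_matching_signer
        self.apps = {}   # bundle_id -> SignedApp currently installed
        self.data = {}   # bundle_id -> local data container (survives replacement)

    def install(self, app):
        existing = self.apps.get(app.bundle_id)
        if (existing is not None and self.enforce_matching_signer
                and existing.signer != app.signer):
            # Hardened policy: a different signer may not take over a bundle id.
            return False
        self.apps[app.bundle_id] = app
        # The data container is keyed only by bundle id, so it is not wiped
        # when a replacement binary lands under the same identifier.
        self.data.setdefault(app.bundle_id, {})
        return True

    def save(self, bundle_id, key, value):
        self.data[bundle_id][key] = value

    def read(self, bundle_id):
        # Whoever currently owns the bundle id can read its container.
        return dict(self.data[bundle_id])


def masque_scenario(enforce_matching_signer):
    """Genuine App Store app stores a token, then an enterprise-signed binary
    with the same bundle id is installed over it. Returns what happened."""
    device = Device(enforce_matching_signer)
    genuine = SignedApp("com.example.mail", "TEAM_GENUINE", "app_store")
    device.install(genuine)
    device.save("com.example.mail", "login_token", "tok-constructed-123")

    impostor = SignedApp("com.example.mail", "TEAM_ENTERPRISE_X", "enterprise")
    replaced = device.install(impostor)
    return {
        "device": device,
        "replaced": replaced,
        "installed_signer": device.apps["com.example.mail"].signer,
        "token_visible_to_current_app":
            device.read("com.example.mail").get("login_token"),
    }


def audit_collisions(device, store_catalog):
    """Defender check, the analogue of reviewing Settings > General > Profiles:
    bundle ids now served by an enterprise-signed binary although the same id
    is in the App Store catalogue the device is expected to use."""
    return sorted(
        bid for bid, app in device.apps.items()
        if app.source == "enterprise" and bid in store_catalog
    )


if __name__ == "__main__":
    catalog = {"com.example.mail"}
    for enforce in (False, True):
        r = masque_scenario(enforce)
        print("enforce signer:", enforce,
              "| replaced:", r["replaced"],
              "| signer now:", r["installed_signer"],
              "| token readable:", r["token_visible_to_current_app"],
              "| suspicious bundle ids:", audit_collisions(r["device"], catalog))
```

With the weak policy the impostor binary replaces the genuine one and immediately reads the cached login token, which is exactly the "access the original app's local data" point in FireEye's description; with the hardened policy the install is refused and the token stays with the genuine app. The audit helper is what a fleet administrator would run against an inventory export: any bundle id that is both in the store catalogue and currently backed by an enterprise profile deserves a look.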

Top Rated Comments

Tumbleweed666
79 months ago
Once clicked, the link directs to a website, which prompts the user to install an app. The app in the video isn't Flappy Bird, but a malicious version of Gmail that installs directly over the legitimate version of Gmail downloaded from the App Store, making it virtually undetectable.
------------

Any user who downloads an app from an unknown website mentioned in an email wouldn't detect it if the app was called "I steal your banking data"
Score: 42 Votes
mercuryjones
79 months ago
So, I have to click a link to install an "app" in an SMS from someone I don't know that takes me to a place that isn't the app store? And, this is considered a huge vulnerability? I mean, I guess that you'll get a few people that will say "Yay! New Flappy Bird! And I didn't have to check the app store for it."
That said, hopefully, Apple will fix this pretty quickly. Maybe in 8.1.1.
Score: 37 Votes
Shlooky
79 months ago
Moral to the story, never side load :)
Score: 36 Votes
wxman2003
79 months ago
So this basically affects stupid people who click on links to sideload apps.
Score: 24 Votes
centauratlas
79 months ago
...the vulnerability on July 26...
------------

That is a very long time to not have a fix released.
Score: 17 Votes
TheBuffather
79 months ago
This is a pretty legit vulnerability. Cunning.
Score: 15 Votes
