"Hey Siri" support and possibly wireless charging case alongside AirPower charging mat.
'Masque Attack' Vulnerability Allows Malicious Third-Party iOS Apps to Masquerade as Legitimate Apps
Just a week after new WireLurker iOS malware surfaced, there's yet another vulnerability in iOS that can potentially be used to install malicious third-party apps. Called Masque Attack for its ability to emulate and replace existing legitimate apps, the flaw was discovered by security research company FireEye.
Masque Attack works by luring users to install an app outside of the iOS App Store, by clicking a phishing link in a text message or email. For example, in a demo video, an SMS message with a link attached was sent with the following text "Hey, check this out, the New Flappy Bird."
Once clicked, the link directs to a website, which prompts the user to install an app. The app in the video isn't Flappy Bird, but a malicious version of Gmail that installs directly over the legitimate version of Gmail downloaded from the App Store, making it virtually undetectable.
Masque Attack can be used to install fake versions of apps over legitimate App Store versions using iOS enterprise provision profiles, which are used for beta testing or by companies to distribute apps to employees without the need for the official App Store.
As explained in a blog post, as long as both the existing App Store app and the malicious imposter app use the same bundle identifier (a unique identifying number), the fake version will replace the actual app in a way that's very difficult for the user to detect. The hidden malicious app is able to upload email messages, SMS messages, phone calls, and more, which is possible because "iOS doesn't enforce matching certificates for apps with the same bundle identifier."
While the attack cannot replace stock Apple apps like Safari and Mail, it is able to affect apps that have been installed via the App Store, and has the potential to be much more dangerous than other vulnerabilities like WireLurker.
iOS 7 users can check to see if they've been the victim of an attack by going to Settings --> General --> Profiles to see what provisioning profiles are installed. iOS 8 devices do not show installed provisioning profiles, making it more difficult to detect an attack.
Masque Attack works by luring users to install an app outside of the iOS App Store, by clicking a phishing link in a text message or email. For example, in a demo video, an SMS message with a link attached was sent with the following text "Hey, check this out, the New Flappy Bird."
Once clicked, the link directs to a website, which prompts the user to install an app. The app in the video isn't Flappy Bird, but a malicious version of Gmail that installs directly over the legitimate version of Gmail downloaded from the App Store, making it virtually undetectable.
Masque Attack can be used to install fake versions of apps over legitimate App Store versions using iOS enterprise provision profiles, which are used for beta testing or by companies to distribute apps to employees without the need for the official App Store.
As explained in a blog post, as long as both the existing App Store app and the malicious imposter app use the same bundle identifier (a unique identifying number), the fake version will replace the actual app in a way that's very difficult for the user to detect. The hidden malicious app is able to upload email messages, SMS messages, phone calls, and more, which is possible because "iOS doesn't enforce matching certificates for apps with the same bundle identifier."
While the attack cannot replace stock Apple apps like Safari and Mail, it is able to affect apps that have been installed via the App Store, and has the potential to be much more dangerous than other vulnerabilities like WireLurker.
Masque Attacks can pose much bigger threats than WireLurker. Masque Attacks can replace authentic apps,such as banking and email apps, using attacker's malware through the Internet. That means the attacker can steal user's banking credentials by replacing an authentic banking app with an malware that has identical UI. Surprisingly, the malware can even access the original app's local data, which wasn't removed when the original app was replaced. These data may contain cached emails, or even login-tokens which the malware can use to log into the user's account directly.FireEye has gotten the attack to work on iOS 7.1.1, 7.1.2, 8.0, 8.1, and the 8.1.1 beta. The company notified Apple about the vulnerability on July 26, but iOS users can protect themselves by not installing apps from third-party sources other than the official App Store, avoiding clicking on "install" popups in SMS messages or third-party websites, and avoiding apps/uninstalling apps that give an "Untrusted App Developer" alert.
iOS 7 users can check to see if they've been the victim of an attack by going to Settings --> General --> Profiles to see what provisioning profiles are installed. iOS 8 devices do not show installed provisioning profiles, making it more difficult to detect an attack.
[ 360 comments ]
Top Rated Comments
(View all)
55 months ago
Once clicked, the link directs to a website, which prompts the user to install an app. The app in the video isn't Flappy Bird, but a malicious version of Gmail that installs directly over the legitimate version of Gmail downloaded from the App Store, making it virtually undetectable.
------------
Any user who downloads an app from an unknown website mentioned in an email, wouldn't detect it if the app was called "I steal your banking data"
------------
Any user who downloads an app from an unknown website mentioned in an email, wouldn't detect it if the app was called "I steal your banking data"
55 months ago
So, I have to click a link to install an "app" in an SMS from someone I don't know that takes me to a place that isn't the app store? And, this is considered a huge vulnerability? I mean, I guess that you'll get a few people that will say "Yay! New Flappy Bird! And I didn't have to check the app store for it."
That said, hopefully, Apple will fix this pretty quickly. Maybe in 8.1.1.
That said, hopefully, Apple will fix this pretty quickly. Maybe in 8.1.1.
55 months ago
So this basically affects stupid people who click on links to sideload apps.
55 months ago
...the vulnerability on July 26...
That is a very long time to not have a fix released.
55 months ago
That is a very long time to not have a fix released.
No kidding. Too busy with Sapphire Furnaces. :mad:
55 months ago
This isn't some big security hole. Quit acting like it's a huge deal other than for those that are too stupid for their own good. If you're an idiot and install unconfirmed profiles, that's your own fault. It's no different than asking you for your computer password and then being surprised when someone installs what they want with the password you've just given them. You've been able to do this on iOS for years.
This is also how you can install any apps you want. Been utilizing it for years. This is how many companies load their own internal apps on to their employee devices without having to have them approved by the App Store.
This is also how you can install any apps you want. Been utilizing it for years. This is how many companies load their own internal apps on to their employee devices without having to have them approved by the App Store.
55 months ago
I'll repeat this - the bigger issue is that this security hole exists and that apps can be overwritten.
Some people need to stop focusing on whether or not old people, stupid people or whatnot would click on some random link.
Some people need to stop focusing on whether or not old people, stupid people or whatnot would click on some random link.
[ Read All Comments ]
Amazon and Best Buy today kicked off new discounts for the 2017 10.5-inch iPad Pro, which include a new low price for the 64GB version at $499.99, down from $649.99. You can find every iPad...
California-based company Lexani Motorcars today unveiled its latest vehicle conversion, the 2019 Cadillac Escalade Viceroy Edition.
The hyper-luxury vehicle is equipped with a wide variety of...
Like it did last year, Apple in February will host an internal activity challenge for its employees around the world, tasking them with closing all three Apple Watch Activity rings every day for the...
Spotify will soon launch a "don't play this artist" feature in its iOS app, which will allow subscribers to block an entire artist from playing across the app (via The Verge). This means...
Apple today announced that its Everyone Can Create curriculum is now available in German, French, Spanish, and Italian on Apple Books. The free creative guides will also be available in Swedish and...
Google is currently rolling out support for road speed limits and speed traps in its navigation app, Google Maps.
When drivers are using the app, the speed limit feature shows the speed limit of...
When an over-the-air iOS update starts downloading on your iPhone or iPad, you can monitor its progress in the Settings app via General -> Software Update.
The lack of a cancel option on...
Apple doesn't have an official method for individually locking sensitive apps like Photos with a passcode, but luckily there's a workaround that was introduced in iOS 12 with Screen Time.
...
