'Masque Attack' Vulnerability Allows Malicious Third-Party iOS Apps to Masquerade as Legitimate Apps

Just a week after new WireLurker iOS malware surfaced, there's yet another vulnerability in iOS that can potentially be used to install malicious third-party apps. Called Masque Attack for its ability to emulate and replace existing legitimate apps, the flaw was discovered by security research company FireEye.

Masque Attack works by luring users to install an app outside of the iOS App Store, by clicking a phishing link in a text message or email. For example, in a demo video, an SMS message with a link attached was sent with the following text "Hey, check this out, the New Flappy Bird."

Once clicked, the link directs to a website, which prompts the user to install an app. The app in the video isn't Flappy Bird, but a malicious version of Gmail that installs directly over the legitimate version of Gmail downloaded from the App Store, making it virtually undetectable.


Masque Attack can be used to install fake versions of apps over legitimate App Store versions using iOS enterprise provision profiles, which are used for beta testing or by companies to distribute apps to employees without the need for the official App Store.

As explained in a blog post, as long as both the existing App Store app and the malicious imposter app use the same bundle identifier (a unique identifying number), the fake version will replace the actual app in a way that's very difficult for the user to detect. The hidden malicious app is able to upload email messages, SMS messages, phone calls, and more, which is possible because "iOS doesn't enforce matching certificates for apps with the same bundle identifier."

While the attack cannot replace stock Apple apps like Safari and Mail, it is able to affect apps that have been installed via the App Store, and has the potential to be much more dangerous than other vulnerabilities like WireLurker.

Masque Attacks can pose much bigger threats than WireLurker. Masque Attacks can replace authentic apps,such as banking and email apps, using attacker's malware through the Internet. That means the attacker can steal user's banking credentials by replacing an authentic banking app with an malware that has identical UI. Surprisingly, the malware can even access the original app's local data, which wasn't removed when the original app was replaced. These data may contain cached emails, or even login-tokens which the malware can use to log into the user's account directly.

FireEye has gotten the attack to work on iOS 7.1.1, 7.1.2, 8.0, 8.1, and the 8.1.1 beta. The company notified Apple about the vulnerability on July 26, but iOS users can protect themselves by not installing apps from third-party sources other than the official App Store, avoiding clicking on "install" popups in SMS messages or third-party websites, and avoiding apps/uninstalling apps that give an "Untrusted App Developer" alert.

iOS 7 users can check to see if they've been the victim of an attack by going to Settings --> General --> Profiles to see what provisioning profiles are installed. iOS 8 devices do not show installed provisioning profiles, making it more difficult to detect an attack.

Top Rated Comments

Tumbleweed666 Avatar
103 months ago
Once clicked, the link directs to a website, which prompts the user to install an app. The app in the video isn't Flappy Bird, but a malicious version of Gmail that installs directly over the legitimate version of Gmail downloaded from the App Store, making it virtually undetectable.
------------

Any user who downloads an app from an unknown website mentioned in an email, wouldn't detect it if the app was called "I steal your banking data"
Score: 42 Votes (Like | Disagree)
mercuryjones Avatar
103 months ago
So, I have to click a link to install an "app" in an SMS from someone I don't know that takes me to a place that isn't the app store? And, this is considered a huge vulnerability? I mean, I guess that you'll get a few people that will say "Yay! New Flappy Bird! And I didn't have to check the app store for it."
That said, hopefully, Apple will fix this pretty quickly. Maybe in 8.1.1.
Score: 37 Votes (Like | Disagree)
Shlooky Avatar
103 months ago
Moral to the story, never side load :)
Score: 36 Votes (Like | Disagree)
wxman2003 Avatar
103 months ago
So this basically affects stupid people who click on links to sideload apps.
Score: 24 Votes (Like | Disagree)
centauratlas Avatar
103 months ago
...the vulnerability on July 26...

That is a very long time to not have a fix released.
Score: 17 Votes (Like | Disagree)
TheBuffather Avatar
103 months ago
This is a pretty legit vulnerability. Cunning.
Score: 15 Votes (Like | Disagree)

Popular Stories

iphone 14 pro max vs 13 max 2

Camera Comparison: iPhone 14 Pro Max vs. iPhone 13 Pro Max

Thursday September 29, 2022 7:44 am PDT by
The iPhone 14 Pro and Pro Max introduce some major improvements in camera technology, adding a 48-megapixel lens and low-light improvements across all lenses with the new Photonic Engine. We've spent the last week working on an in-depth comparison that pits the new iPhone 14 Pro Max against the prior-generation iPhone 13 Pro Max to see just how much better the iPhone 14 Pro Max can be. Subscrib ...
maxresdefault

Apple Responds to Video Testing Crash Detection Feature With Junkyard Vehicles

Friday September 30, 2022 9:11 am PDT by
The Wall Street Journal's Joanna Stern recently traveled to Michigan to test Apple's new crash detection feature on the iPhone 14 and Apple Watch Ultra. In response, Apple provided some additional information about how the feature works. Stern recruited Michael Barabe to crash his demolition derby car with a heavy-duty steel frame into two unoccupied vehicles parked in a junkyard — a 2003...
iphone 14 iphone 14 plus in hand feature

iPhone 14 Is Secretly Hiding a Beloved Mac Feature

Friday September 30, 2022 3:24 am PDT by
The iPhone 14 and iPhone 14 Pro models bring over a longstanding Mac feature, but the setting to enable it is off by default. The feature, which is actually a new accessibility option, allows the iPhone to play a startup chime like the Mac. When enabled, the sound comes alongside a new shutdown chime. The Mac has featured a startup chime since 1987's Macintosh II, and the iconic "bong"...
adaptive transparency airpods pro

iOS 16.1 Beta Brings Adaptive Transparency to Original AirPods Pro

Thursday September 29, 2022 1:08 pm PDT by
The third beta of iOS 16.1 that was released earlier this week expands the Adaptive Transparency feature introduced with the second-generation AirPods Pro to the original AirPods Pro. As noted on Reddit, first-generation AirPods Pro owners who also have the AirPods beta software will now see an "Adaptive Transparency" toggle in the AirPods section of the Settings app. The 5A304A beta...
iOS 16 Wallpaper Spectrum Feature

Five Wallpaper Apps to Check Out for iOS 16's New Lock Screen Depth Effect

Thursday September 29, 2022 9:08 am PDT by
One of the biggest new features in iOS 16 is a completely redesigned iPhone Lock Screen. The new Lock Screen is entirely customizable, letting you change the colors and fonts, add widgets and new wallpapers, and more to make your iPhone uniquely yours. Of course, even before iOS 16, you could customize your Lock Screen with a wallpaper of your choice. iOS 16 takes the Lock Screen wallpaper...
tony blevins car

Apple Procurement VP Departs Company After Vulgar TikTok Comment

Thursday September 29, 2022 12:38 pm PDT by
Tony Blevins, Apple's vice president of procurement, is set to depart the company after he made a crude comment about his profession in a recent TikTok video, reports Bloomberg. Blevins was in a video by TikTok creator Daniel Mac, who was doing a series on the jobs of people he spotted with expensive cars. After seeing Blevins in an expensive Mercedes-Benz SLR McLaren, Mac asked Blevins what ...
tim cook malala

Tim Cook: Not Too Long From Now, You'll Wonder How You Led Your Life Without AR

Thursday September 29, 2022 7:26 am PDT by
Speaking at Università Degli Studi di Napoli Federico II in Naples, Italy, Apple CEO Tim Cook said that not too long from today, people will wonder how they led a life without augmented reality, stressing the "profound" impact it will have on the not so distant future. At the university, Cook was awarded an Honorary Degree in Innovation and International Management and also sat down for a...
Hero0005

Best Apple Deals of the Week: M2 MacBook Air Hits New All-Time Low Price at $1,049, Plus Sales on AirPods Pro and More

Friday September 30, 2022 9:05 am PDT by
This week's best Apple deals focus on the AirPods Pro, AirPods Pro 2, and M2 MacBook Air, including numerous all-time low prices on these devices. You'll also find up to 50 percent off discounts on Anker and Eufy accessories on Amazon. Note: MacRumors is an affiliate partner with some of these vendors. When you click a link and make a purchase, we may receive a small payment, which helps us...
zuckerberg metaverse

Apple CEO Tim Cook: 'I'm Not Really Sure the Average Person Can Tell You What the Metaverse Is'

Friday September 30, 2022 12:51 pm PDT by
Apple CEO Tim Cook has been touring Europe this week, sitting down for interviews with various media publications. Augmented reality has been a running theme in Cook's discussions, and it is a topic he brought up again in an interview with Dutch publication Bright, which is part of RTL News. "I think AR is a profound technology that will affect everything," Cook said, echoing comments from...
ipad pro m1 feature

Gurman: Apple Event This October Remains Unlikely, No Touch ID for iPhone 15

Sunday October 2, 2022 6:41 am PDT by
Apple is developing new iPad Pro, Mac, and Apple TV models, and at least some of these products will be released in October, according to Bloomberg's Mark Gurman. However, Gurman continues to believe that Apple is unlikely to hold an event this month. In the latest edition of his Power On newsletter, Gurman said "the big iPhone 14 unveiling last month was probably it for Apple in 2022 in...