Masque Attack : Your iPhone Apps may actually be malwares

Researchers at FireEye identified a new attack that can be used by attackers to replace a genuine App with another malware laden one. The FireEye researchers have named this new attack as ‘Masque Attack’.

In July, the FireEye mobile security team discovered that an iOS app installed using enterprise or ad-hoc provisioning could replace another genuine app installed through the App Store if both applications used the same bundle identifier. The vulnerability exists because iOS doesn’t enforce matching certificates for apps with the same bundle identifier, according to the firm.

In an example of how an attack would work, FireEye sent a link to a test case user inviting them to download a new Flappy Bird update. When the person clicked the link, they unknowingly downloaded a hacked update to the legitimate Gmail app.
The hacked Gmail app could look identical to the real thing but can send a copy of the users confidential email to a third party without users knowledge.

FireEye says the same technique could be used to dupe people into uploading malicious versions of banking apps, that forward financial details including passwords to the hacker.

How does Masque work?

Once the victim is enticed into installing the malicious app, FireEye researchers explained, the illegitimate application will replace the genuine one. FireEye says the only pre-install apps like Mobile Safari are unaffected by this issue. According to FireEye, the attacker can leverage this issue both wirelessly and through USB.

“After looking into WireLurker, we found that it started to utilize a limited form of Masque Attacks to attack iOS devices through USB,” the FireEye researchers blogged. “Masque Attacks can pose much bigger threats than WireLurker. Masque Attacks can replace authentic apps,such as banking and email apps, using attacker’s malware through the Internet. That means the attacker can steal user’s banking credentials by replacing an authentic banking app with an malware that has identical UI. Surprisingly, the malware can even access the original app’s local data, which wasn’t removed when the original app was replaced. These data may contain cached emails, or even login-tokens which the malware can use to log into the user’s account directly.”

All Apple iOS devices affected

The vulnerability has been verified by FireEye on iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta on both jailbroken and non-jailbroken devices. FireEye said they had notified Apple on July 26 2014 but Apple had not responded immediately. FireEye said that they had seen the Masque being exploited in the wild.

“Because all the existing standard protections or interfaces by Apple cannot prevent such an attack, we are asking Apple to provide more powerful interfaces to professional security vendors to protect enterprise users from these and other advanced attacks.”

Precautions against Masque attack

To avoid the threat, FireEye says there are three rules every iPhone and iPad users should follow:

  1. Don’t install apps from third-party sources other than Apple’s official App Store or the user’s own organisation.
  2. Don’t click “Install” on a pop-up from a third-party web page.
  3. When opening an app, if iOS shows an alert with “Untrusted App Developer”, click on “Don’t Trust” and uninstall the app immediately.

While the whole internet is going gaga over the masque attack, Apple has so far neither accepted nor denied the vulnerability.


Please enter your comment!
Please enter your name here