Masque Attack II: another major flaw has been found in Apple iOS that can lead to data theft from enterprise users.
In November 2014, researchers at FireEye identified a "Masque Attack" that let attackers replace a genuine app with a malware-laden one delivered via SMS, email or web browsing. Apple appears to have fixed that issue in iOS 8.1.3. Now FireEye researchers have discovered a new bug that can be at least as dangerous as the original. Aptly named Masque Attack II by the FireEye researchers, it can, they warn, be exploited to compromise iPhones and iPads.
Masque Attack II: URL scheme hijacking
FireEye researchers note that Masque Attack II consists of two parts:
a) a bypass of the trust prompt, and
b) URL scheme hijacking.
Hui Xue and his team state that iOS 8.1.3 is protected against the trust prompt bypass but is still vulnerable to iOS URL scheme hijacking.
We will try to understand this in simple terms.
1) Trust prompt bypass: When a user taps a link in an SMS, an email, or an app such as Google Inbox, iOS launches the target enterprise-signed app without asking the user's permission. Normally, the first time an enterprise-signed app (one installed outside the App Store under an enterprise provisioning profile) is opened, iOS shows a prompt asking the user to "Trust" or "Don't Trust" the developer. When the app is opened through its URL scheme, that prompt is skipped and the app runs directly.
In the cases FireEye studied, even where the user had previously answered "Don't Trust" for the app in question, iOS ignored that choice and launched the app anyway. FireEye brought this issue to Apple's attention.
According to FireEye's article: "An attacker can leverage this issue to launch an app containing a Masque Attack. Hijackers can distribute an enterprise-signed malware that registers app URL schemes identical to the ones used by legitimate popular apps and thus hijack legitimate apps' URL schemes and mimic their UI to carry out phishing attacks, e.g. stealing the login credentials". iOS offers the user no protection here, because the safeguard being bypassed is the trust prompt itself.
2) URL scheme hijacking: This is more a design issue than a malware bug. iOS allows apps from different developers to register the same URL schemes. Again, per the researchers at FireEye: "Attackers can either publish an "aggressive" app into the App Store, or craft and distribute an enterprise-signed/ad-hoc malware that registers app URL schemes identical to the ones of legitimate popular apps. Through this, attackers can mimic a legitimate app's UI to carry out phishing attacks to steal login credentials or gather data intended to be shared between two trusted apps." In simpler terms, a link meant for a legitimate app may instead open a malicious app that has registered the same scheme; that app can then present a lookalike interface and steal the iPhone/iPad user's personal and financial information, or intercept data the user expected to pass between two trusted apps.
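The collision that makes URL scheme hijacking possible is visible in each app's Info.plist: the schemes an app claims are listed under CFBundleURLTypes / CFBundleURLSchemes, and nothing stops two bundles from listing the same one. The script below is an added example, not code from FireEye or from the article; it parses a set of Info.plist files (constructed inline here, with hypothetical bundle identifiers and a hypothetical "examplebank" scheme) and reports every scheme claimed by more than one bundle, which is the check an enterprise app-vetting or MDM pipeline would want to run over the apps it distributes.

```python
"""Added example (not from the FireEye report): detect iOS URL scheme
collisions by parsing the Info.plist of each app in a fleet.

iOS lets apps from different developers register the same entry in
CFBundleURLSchemes, which is what Masque Attack II's URL scheme hijacking
abuses. An MDM or app-vetting pipeline can pull each app's Info.plist and
flag schemes claimed by more than one bundle identifier.
"""
import plistlib
from collections import defaultdict

# Constructed sample plists. The bundle identifiers and the "examplebank"
# scheme are hypothetical; they are not taken from the FireEye report.
LEGIT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.bank</string>
  <key>CFBundleURLTypes</key>
  <array>
    <dict>
      <key>CFBundleURLName</key>
      <string>com.example.bank</string>
      <key>CFBundleURLSchemes</key>
      <array>
        <string>examplebank</string>
      </array>
    </dict>
  </array>
</dict>
</plist>
"""

# An enterprise-signed app claiming the same scheme (in different case)
# alongside one of its own.
HIJACKER_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.attacker.masque</string>
  <key>CFBundleURLTypes</key>
  <array>
    <dict>
      <key>CFBundleURLSchemes</key>
      <array>
        <string>ExampleBank</string>
        <string>attackertool</string>
      </array>
    </dict>
  </array>
</dict>
</plist>
"""

# An app that registers no URL schemes at all.
PLAIN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.notes</string>
</dict>
</plist>
"""


def url_schemes(plist_bytes):
    """Return (bundle_id, set of schemes) declared in an Info.plist."""
    info = plistlib.loads(plist_bytes)
    bundle_id = info.get("CFBundleIdentifier", "<unknown>")
    schemes = set()
    for url_type in info.get("CFBundleURLTypes", []):
        for scheme in url_type.get("CFBundleURLSchemes", []):
            # URL schemes are case-insensitive (RFC 3986), so normalise
            # before comparing: "ExampleBank" collides with "examplebank".
            schemes.add(scheme.lower())
    return bundle_id, schemes


def find_collisions(plists):
    """Map each URL scheme claimed by more than one app to its claimants."""
    owners = defaultdict(set)
    for blob in plists:
        bundle_id, schemes = url_schemes(blob)
        for scheme in schemes:
            owners[scheme].add(bundle_id)
    return {scheme: sorted(ids) for scheme, ids in owners.items() if len(ids) > 1}


if __name__ == "__main__":
    for scheme, apps in find_collisions([LEGIT_PLIST, HIJACKER_PLIST, PLAIN_PLIST]).items():
        print(f"scheme '{scheme}://' is claimed by: {', '.join(apps)}")
```

Run against the three sample plists it reports that "examplebank" is claimed by both com.attacker.masque and com.example.bank. Which of the two iOS actually hands the URL to is decided by the system, not by either developer, so the useful output of this check is the collision itself: a scheme shared by an app you trust and one you did not expect should be treated as a hijack attempt until proven otherwise. The check only covers apps whose Info.plist you can inspect (enterprise or ad-hoc builds you distribute); a colliding app published to the App Store, which the article also mentions, is outside its reach.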
According to the FireEye team (Hui Xue, Zhaofeng Chen, Song Jin, Yulong Zhang and Tao Wei), iPhone and iPad users need to be especially careful, because the URL scheme hijacking part of Masque Attack II has not yet been mitigated.
Precautions suggested for Apple iOS users:
- Update the device to iOS 8.1.3 as soon as possible; this closes the trust prompt bypass.
- Treat links received via SMS, email or websites with caution, as they may launch or install malware.
FireEye says it disclosed the vulnerability publicly because Apple did not act on its private disclosure. The proof-of-concept video can be seen below: