
MacRumors

macrumors bot
Original poster
Apr 12, 2001
63,543
30,851



Just a week after new WireLurker iOS malware surfaced, there's yet another vulnerability in iOS that can potentially be used to install malicious third-party apps. Called Masque Attack for its ability to emulate and replace existing legitimate apps, the flaw was discovered by security research company FireEye.

Masque Attack works by luring users to install an app outside of the iOS App Store, by clicking a phishing link in a text message or email. For example, in a demo video, an SMS message with a link attached was sent with the following text "Hey, check this out, the New Flappy Bird."

Once clicked, the link directs to a website, which prompts the user to install an app. The app in the video isn't Flappy Bird, but a malicious version of Gmail that installs directly over the legitimate version of Gmail downloaded from the App Store, making it virtually undetectable.

Masque Attack can be used to install fake versions of apps over legitimate App Store versions using iOS enterprise provision profiles, which are used for beta testing or by companies to distribute apps to employees without the need for the official App Store.

As explained in a blog post, as long as both the existing App Store app and the malicious imposter app use the same bundle identifier (a unique identifying number), the fake version will replace the actual app in a way that's very difficult for the user to detect. The hidden malicious app is able to upload email messages, SMS messages, phone calls, and more, which is possible because "iOS doesn't enforce matching certificates for apps with the same bundle identifier."

While the attack cannot replace stock Apple apps like Safari and Mail, it is able to affect apps that have been installed via the App Store, and has the potential to be much more dangerous than other vulnerabilities like WireLurker.

Masque Attacks can pose much bigger threats than WireLurker. Masque Attacks can replace authentic apps, such as banking and email apps, using attacker's malware through the Internet. That means the attacker can steal user's banking credentials by replacing an authentic banking app with malware that has identical UI. Surprisingly, the malware can even access the original app's local data, which wasn't removed when the original app was replaced. These data may contain cached emails, or even login-tokens which the malware can use to log into the user's account directly.

FireEye has gotten the attack to work on iOS 7.1.1, 7.1.2, 8.0, 8.1, and the 8.1.1 beta. The company notified Apple about the vulnerability on July 26, but iOS users can protect themselves by not installing apps from third-party sources other than the official App Store, avoiding clicking on "install" popups in SMS messages or third-party websites, and avoiding apps/uninstalling apps that give an "Untrusted App Developer" alert.

iOS 7 users can check to see if they've been the victim of an attack by going to Settings --> General --> Profiles to see what provisioning profiles are installed. iOS 8 devices do not show installed provisioning profiles, making it more difficult to detect an attack.

Article Link: 'Masque Attack' Vulnerability Allows Malicious Third-Party iOS Apps to Masquerade as Legitimate Apps
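
A defender-side check for the condition the article describes (same bundle identifier, different signing certificate), as an added example that is not from the article or from FireEye. It assumes two app-inventory snapshots per device, for instance exported from an MDM; the record fields, bundle IDs and signer labels are hypothetical and constructed.

```python
from typing import NamedTuple


class App(NamedTuple):
    bundle_id: str  # constructed examples, e.g. "com.example.mail"
    signer: str     # signing team/certificate identity (constructed label)
    source: str     # "app_store" or "enterprise" (assumed inventory field)


def signer_changes(before, after):
    """Flag bundle IDs present in both snapshots whose signer changed.

    An in-place replacement keeps the bundle ID (and the app's local data)
    but arrives under a different certificate, so the signer is the field
    that moves. Newly installed bundle IDs are not flagged: they replace
    nothing, which is the normal case for in-house enterprise apps.
    """
    old = {a.bundle_id: a for a in before}
    findings = []
    for app in after:
        prev = old.get(app.bundle_id)
        if prev is None or prev.signer == app.signer:
            continue
        findings.append({
            "bundle_id": app.bundle_id,
            "old_signer": prev.signer,
            "new_signer": app.signer,
            # App Store build overwritten by an enterprise-provisioned build
            "high_risk": prev.source == "app_store"
                         and app.source == "enterprise",
        })
    return findings


# Constructed sample snapshots for one device.
BEFORE = [
    App("com.example.mail", "TEAM-MAILVENDOR", "app_store"),
    App("com.example.bank", "TEAM-BANK", "app_store"),
    App("com.corp.timesheet", "TEAM-CORP", "enterprise"),
]
AFTER = [
    App("com.example.mail", "TEAM-UNKNOWN", "enterprise"),   # signer changed
    App("com.example.bank", "TEAM-BANK", "app_store"),
    App("com.corp.timesheet", "TEAM-CORP", "enterprise"),
    App("com.corp.expenses", "TEAM-CORP", "enterprise"),     # new in-house app
]

if __name__ == "__main__":
    for finding in signer_changes(BEFORE, AFTER):
        print(finding)
```
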
 

LordQ

Suspended
Sep 22, 2012
3,582
5,653
I like when these vulnerabilities get discovered when we know Apple is nearing an iOS update (8.1.1 this time) because we get more fixes :)
 

mercuryjones

macrumors 6502a
May 31, 2005
786
0
College Station, TX
So, I have to click a link to install an "app" in an SMS from someone I don't know that takes me to a place that isn't the app store? And, this is considered a huge vulnerability? I mean, I guess that you'll get a few people that will say "Yay! New Flappy Bird! And I didn't have to check the app store for it."
That said, hopefully, Apple will fix this pretty quickly. Maybe in 8.1.1.
 

Tumbleweed666

macrumors 68000
Mar 20, 2009
1,761
141
Near London, UK.
Once clicked, the link directs to a website, which prompts the user to install an app. The app in the video isn't Flappy Bird, but a malicious version of Gmail that installs directly over the legitimate version of Gmail downloaded from the App Store, making it virtually undetectable.
------------

Any user who downloads an app from an unknown website mentioned in an email, wouldn't detect it if the app was called "I steal your banking data"
 

OldSchoolMacGuy

Suspended
Jul 10, 2008
4,197
9,050
This isn't some big security hole. Quit acting like it's a huge deal other than for those that are too stupid for their own good. If you're an idiot and install unconfirmed profiles, that's your own fault. It's no different than asking you for your computer password and then being surprised when someone installs what they want with the password you've just given them. You've been able to do this on iOS for years.

This is also how you can install any apps you want. Been utilizing it for years. This is how many companies load their own internal apps on to their employee devices without having to have them approved by the App Store.
 

57004

Cancelled
Aug 18, 2005
1,022
341
Yeah I'd already noticed the profiles list was gone on iOS 8 :( I wonder why Apple removed this?? It certainly doesn't make it any more secure.
 

ChazSch

macrumors 6502
May 7, 2014
411
440
Rancho Santa Margarita, CA
The company notified Apple about the vulnerability on July 26, but iOS users can protect themselves by not installing apps from third-party sources other than the official App Store,


uh.....duh!!
 

X-X

macrumors 6502
Aug 22, 2014
401
9
And Apple couldn't fix that GIANT hole in almost half a year?

Wow. Slackers.
 

Traverse

macrumors 604
Mar 11, 2013
7,688
4,400
Here
Hmmm, these malicious users are crafty and must really have time on their hands to come up with these workarounds.

Still, I delete spam messages, don't open strange emails, and never click ads on any webpage so I'll roll the dice and keep using my iOS devices. ;)
 

Alenore

macrumors 6502
Apr 7, 2013
423
426
So, I have to click a link to install an "app" in an SMS from someone I don't know that takes me to a place that isn't the app store? And, this is considered a huge vulnerability? I mean, I guess that you'll get a few people that will say "Yay! New Flappy Bird! And I didn't have to check the app store for it."
That said, hopefully, Apple will fix this pretty quickly. Maybe in 8.1.1.

An SMS or something else. It wouldn't be too hard, if you targeted someone specific, to send a well-made email to that person showing his friend, boss, ... address or something, or even hide behind an address like it@company.com requesting all users to update an app.
A "huge" vulnerability doesn't mean it can affect absolutely everyone.


So this basically affects stupid people who click on links to sideload apps.

Which is how a few apps in the business world are installed, like from private app stores. And this isn't being stupid, this is doing what your company requests you to do :rolleyes:
 

JoEw

macrumors 68000
Nov 29, 2009
1,583
1,291
No doubt it is a huge vulnerability, but I think if you are not smart enough to install your apps from the app store... sucks for you :cool:
But really Apple needs to get this fixed ASAP, also July 26? I suppose Apple sees this as low priority.
 