I learned mine years ago, just before I became technically literate. I was on my old HP Compaq and went to dictionary.com in IE 6 or something and got a pop-up that looked like a Vista notification. I selected it and got a virus installed on my system.

Since that day I vowed to be technologically proficient. Now, years later, I'm the tech support guy in my family with multiple computers and OSes. :cool:

My, how times have changed. That's when I decided to give OS X a shot and found I preferred it over W7 and especially Vista. I like W8.1, but I still prefer OS X.

Unfortunately I still have Windows 7 for business, all Mac OSX/iOS at home & personal.:apple::cool:
 
In fact, it has a name called "Jailbreaking". How it gets installed is as important as it CAN be installed. Do it at your own risk. The moment an iPhone can't be jailbroken is the moment when all of these problems vanish.

Non-jailbroken iToys are also vulnerable to this.
 
In fact, it has a name called "Jailbreaking". How it gets installed is as important as it CAN be installed. Do it at your own risk. The moment an iPhone can't be jailbroken is the moment when all of these problems vanish.
Jailbreaking has nothing to do with this...
 
Yeah, the video fails to show that part. It only shows the phone after the certificate has been enrolled. Which leads me to believe they are either just getting this out to the enterprise community or, more likely than not, looking for attention. How can you leave out the biggest picture of all...you need to approve provisioning, with your passcode (if present). It's a very obvious (and ominous) process.

----------




...not to mention you need to also install a matching certificate on your device, prior to installing the app.

I am confused, did you by chance use the word "ominous" when you wanted to use "onerous"?
 
This is a scam too???

Waveapp.im

Got an email with a link that downloads the Wave email app to iOS that then requires Google Mail login. Was too suspicious, so didn't give my login.
Supposedly a new app by the creators of Seedmail

Email had my name and was offering a beta test place as a previous seed mail user, which I was.
 
ok, who left the door open .....

We're seeing an unusual wave of successful attacks in iOS recently, that shouldn't have happened....

WireLurker (like the name, don't play the game)

And now this one..

So just like the Mac, iOS is now becoming a target, we Apple fans were always high and mighty.

But it's also dumb to even fall for scams in the first place... Posing as "Gmail" and/or update or new "Flappy birds" I bet would bite hundreds of users, since they've never learnt the ways of the force :cool:

Just don't turn to the darker side, and all should be fine.

Unfortunately, a lot of people do, and Apple kind of put us there. Since iOS is easy to use, Apple takes care of the security, anyone can use an iPhone and know they're safe, because Apple protects us... Users do not learn on their own. Why would they need to?

And now we have this ...... See the mistake?

Security aside, users who buy iPhones should learn to protect themselves, it's no different than protecting your Windows/Mac (now we have some).

It's bad, ya, but if users open every SMS without knowing if they know that person physically, then they're on the road to hell.

WireLurker has been shut down in less than one week.

----------

My instincts are telling me that they will find a way, but I hope you are right at least for now.

Good luck trying to break Apple's own 256 bit encryptograms and cryptograms all over the SoC board, guarded by other locked down areas on the SoC board that is unreadable to anyone.

----------

Bye, bye malware and virus free Apple world. What the haters have now against Windows, the beloved "intuitive UI" or that "it just works" ? It does not.

It is a pretty much malware free and virus free iOS world ;) There is essentially no chance at all of getting malware on your iOS device if you are careful and semi technologically literate and understanding. First of all, I would never download or open anything from a fishy random SMS, and two, I wouldn't download anything or "allow trust to anything" randomly that pops up on my screen if I didn't plug my device into something via USB, or from the Apple App store.
 
This is further shown in Apple's own documentation at https://developer.apple.com/library...html#//apple_ref/doc/uid/TP40012582-CH30-SW31 where the following is mentioned:

"Note: You rarely install a provisioning profile yourself because when you launch an app on a device, iOS and OS X automatically install the embedded provisioning profile in the app’s bundle on the device."
I can confirm this. I recently re-installed a proprietary app from my employer after upgrading to iOS 8 and was not prompted to install a provisioning profile. Also, the profile that was installed is not visible in the settings, so there is no way for an end user to tell if they have one or not (short of using Xcode).

Besides installing a malicious app over an existing app and accessing all its private data, there are other risks involved, because enterprise apps don't go through Apple's review process. This means they have a lot more freedoms than app store apps, e.g. using private APIs and abusing various design flaws and exploits that Apple could otherwise detect in the vetting process. The same company that reported about the masquerading exploit reported about this earlier. They described methods that e.g. allowed the app to intercept incoming texts and monitor user input even in other apps (some of the exploits have been fixed since):

https://www.virusbtn.com/virusbulletin/archive/2014/11/vb201411-Apple-without-shell
 
You want a secure mobile OS or new gradient colors for icons? Can have both of them, guess which one Jony & Craig picked …

Sad
 
lol all these Apple fans dismissing this hack as minor, would be ripping on MS if it happened to them.

Most Windows infections start this way. Some noob clicks on some link and installs something they shouldn't

You have to accept 4 things from an untrusted source for this to work. Even as malware it's quite a stretch that someone would install this on a whim since no other Apple app requires the same.
 
Jailbreaking has nothing to do with this...

The most common way third-party apps can be installed on your iPhone is that your phone must be jailbroken in the first place.

:rolleyes:
 
I can confirm this. I recently re-installed a proprietary app from my employer after upgrading to iOS 8 and was not prompted to install a provisioning profile. Also, the profile that was installed is not visible in the settings, so there is no way for an end user to tell if they have one or not (short of using Xcode).

Besides installing a malicious app over an existing app and accessing all its private data, there are other risks involved, because enterprise apps don't go through Apple's review process. This means they have a lot more freedoms than app store apps, e.g. using private APIs and abusing various design flaws and exploits that Apple could otherwise detect in the vetting process. The same company that reported about the masquerading exploit reported about this earlier. They described methods that e.g. allowed the app to intercept incoming texts and monitor user input even in other apps (some of the exploits have been fixed since):

https://www.virusbtn.com/virusbulletin/archive/2014/11/vb201411-Apple-without-shell

Didn't someone on this thread just confirm the profiles were visible? So, why would yours not be visible?
 
ok, who left the door open .....

We're seeing an unusual wave of successful attacks in iOS recently, that shouldn't have happened....

WireLurker (like the name, don't play the game)

And now this one..

So just like the Mac, iOS is now becoming a target, we Apple fans were always high and mighty.

But it's also dumb to even fall for scams in the first place... Posing as "Gmail" and/or update or new "Flappy birds" I bet would bite hundreds of users, since they've never learnt the ways of the force :cool:

Just don't turn to the darker side, and all should be fine.

Unfortunately, a lot of people do, and Apple kind of put us there. Since iOS is easy to use, Apple takes care of the security, anyone can use an iPhone and know they're safe, because Apple protects us... Users do not learn on their own. Why would they need to?

And now we have this ...... See the mistake?

Security aside, users who buy iPhones should learn to protect themselves, it's no different than protecting your Windows/Mac (now we have some).

It's bad, ya, but if users open every SMS without knowing if they know that person physically, then they're on the road to hell.

You didn't do your homework on those things. Go back to google.
 
This is a phishing type vulnerability. The vulnerability is more in the total idiocy of the people receiving those things.

It probably needs a fix, but one that will keep the original delivery channel they're using mostly intact.

Restricting this too tightly will create side problems since they are using a legitimate way to get in.

People authorizing malware installation on their desktops are the same.

And I thought the cool part about iPhones was that even my grandma and her parrot could use one? Obviously there's people who'll fall for phishing.

However, this is not a reason to have issues like "installing an application named X will replace an application named Y" (in this case "New Flappy Bird" replacing "Gmail". I know, it's most likely because the bundle name is different) or "A new application can access the local storage of the previous one without more".
 
The most common way third-party apps can be installed on your iPhone is that your phone must be jailbroken in the first place.

:rolleyes:
Sure...but none of that has to do with anything that is being discussed here. Do people even actually read the article and the thread they are participating in? :rolleyes:

----------

7.0.6 is off the hook? Great.
Seems like it simply wasn't included in the testing, doesn't really mean it's off the hook or anything in particular (and most likely it's affected as well given the issue).
 
It's one of the answers there that I was linking to, basically the one that says the following:

"Apple views the exposure of the provisioning profile to users not using the dev tools as an unnecessary exposure. iOS should take care of provisioning automatically for the everyday user - removing them when expired, untrusting developers when their last app is uninstalled, etc. Any flow that requires a normal user to deal with provisioning profiles is now viewed as flawed. Provisioning profiles can still be managed by dev tools like Xcode or by device management systems like MDM. This philosophy is mentioned in WWDC 2014's talk on Managing Apple Devices around ~42 minutes in."

This is further shown in Apple's own documentation at https://developer.apple.com/library...html#//apple_ref/doc/uid/TP40012582-CH30-SW31 where the following is mentioned:

"Note: You rarely install a provisioning profile yourself because when you launch an app on a device, iOS and OS X automatically install the embedded provisioning profile in the app’s bundle on the device."

Don't get me wrong, I sincerely appreciate what you're saying. But the first block you mention, is referring to why they removed the ability to view profiles on iOS. The second block, is referring to the use of Xcode, which I suppose you mean as an attack vector. But those management actions are executed while connected to USB, which is how WireLurker functions. This is a very different method than what the video purports, utilizing a single SMS with a web link - and poof the app is installed.

----------

I am confused, did you by chance use the word "ominous" when you wanted to use "onerous"?
LoL, actually, I meant what I said. But "onerous" works quite well. :D

----------

I can confirm this. I recently re-installed a proprietary app from my employer after upgrading to iOS 8 and was not prompted to install a provisioning profile. Also, the profile that was installed is not visible in the settings, so there is no way for an end user to tell if they have one or not (short of using Xcode).

Besides installing a malicious app over an existing app and accessing all its private data, there are other risks involved, because enterprise apps don't go through Apple's review process. This means they have a lot more freedoms than app store apps, e.g. using private APIs and abusing various design flaws and exploits that Apple could otherwise detect in the vetting process. The same company that reported about the masquerading exploit reported about this earlier. They described methods that e.g. allowed the app to intercept incoming texts and monitor user input even in other apps (some of the exploits have been fixed since):

https://www.virusbtn.com/virusbulletin/archive/2014/11/vb201411-Apple-without-shell

Did you wipe the device, and install a clean iOS install, and NOT restore from backup, or an OTA?
 
What happens if you delete the Gmail app and download it again from the Apple Store? Is the malware gone?
I have never seen a prompt to update an app on the home screen. I only see the available updates when I launch the App Store and click the update tab and click the update button.
 
What happens if you delete the Gmail app and download it again from the Apple Store? Is the malware gone?
I have never seen a prompt to update an app on the home screen. I only see the available updates when I launch the App Store and click the update tab and click the update button.

It depends on the malware's payload (what the bad guys put into the code). In this proof of concept, yes they can just delete it and install the original Gmail app from the AppStore.
 
Don't get me wrong, I sincerely appreciate what you're saying. But the first block you mention, is referring to why they removed the ability to view profiles on iOS. The second block, is referring to the use of Xcode, which I suppose you mean as an attack vector. But those management actions are executed while connected to USB, which is how WireLurker functions. This is a very different method than what the video purports, utilizing a single SMS with a web link - and poof the app is installed.

----------


LoL, actually, I meant what I said. But "onerous" works quite well. :D

----------



Did you wipe the device, and install a clean iOS install, and NOT restore from backup, or an OTA?
The first block also talks about them being installed on their own as well without interaction with the user or even any notification to the user, just as it talks about the user not having a way to see them or manage them (short of using Xcode). It talks about all aspects of profiles, not just removal/management, but also installation.

The second part from Apple talks about Xcode, but the part that's important there which is called out separately on its own, as I mentioned, is that profiles can be installed simply with the app as it gets installed (basically without any user interaction or even knowledge necessarily).

And, again, as I mentioned earlier, I have had personal experience with this just a week ago (which is how I came across these various articles/discussions about it)--with no profiles of any sort on my iOS 8.1 device I was able to install a beta application from a link in an email that installed the app with no prompts or references to any profiles or anything like that and then I was able to see the installed profiles (two of them got installed for that particular app) via Xcode as there was no way to do it on the device itself. So, that part of it all is definitely quite real.
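
Added example, not written by any poster in this thread: because the embedded profile is installed with the app and is not shown on the device, one place to check it is the .ipa itself before it is distributed or trusted. The Python below reads `Info.plist` and `embedded.mobileprovision`, reports whether the profile is an enterprise one (`ProvisionsAllDevices`), and flags a bundle identifier that collides with an app already installed. The function names, bundle IDs and the sample IPA are constructed for illustration.

```python
import io
import plistlib
import zipfile

def _read_app_file(ipa, filename):
    """Return bytes of Payload/<name>.app/<filename>, or None if absent."""
    for name in ipa.namelist():
        parts = name.split("/")
        if (len(parts) == 3 and parts[0] == "Payload"
                and parts[1].endswith(".app") and parts[2] == filename):
            return ipa.read(name)
    return None

def audit_ipa(ipa_bytes, installed_bundle_ids):
    """Report signing type and whether the bundle ID matches an installed app."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as ipa:
        info_raw = _read_app_file(ipa, "Info.plist")
        prof_raw = _read_app_file(ipa, "embedded.mobileprovision")
    if info_raw is None:
        raise ValueError("not an IPA: no Payload/*.app/Info.plist")
    info = plistlib.loads(info_raw)  # handles XML and binary plists
    profile = {}
    if prof_raw is not None:
        # The profile is a CMS (PKCS#7) envelope around an XML plist. Slicing
        # the plist out lets us inspect it; it does NOT verify the signature.
        start, end = prof_raw.find(b"<?xml"), prof_raw.find(b"</plist>")
        if start != -1 and end != -1:
            profile = plistlib.loads(prof_raw[start:end + len(b"</plist>")])
    bundle_id = info.get("CFBundleIdentifier", "")
    enterprise = bool(profile.get("ProvisionsAllDevices", False))
    collides = bundle_id in installed_bundle_ids
    return {
        "display_name": info.get("CFBundleDisplayName") or info.get("CFBundleName"),
        "bundle_id": bundle_id,
        "enterprise_signed": enterprise,
        "team_name": profile.get("TeamName"),
        "replaces_installed_app": collides,
        "flag": enterprise and collides,  # enterprise build over an existing app
    }

def build_sample_ipa(bundle_id, display_name, enterprise):
    """Constructed sample: minimal in-memory IPA with fake CMS padding bytes."""
    info = plistlib.dumps({"CFBundleIdentifier": bundle_id, "CFBundleDisplayName": display_name})
    prof = {"TeamName": "Example Corp (constructed)", "ProvisionsAllDevices": enterprise}
    blob = b"\x30\x82\x00\x00" + plistlib.dumps(prof) + b"\x00\x01\x02"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Sample.app/Info.plist", info)
        z.writestr("Payload/Sample.app/embedded.mobileprovision", blob)
    return buf.getvalue()
```

The list of installed bundle IDs would come from an MDM inventory or similar source; the display name is reported separately because it can differ from the app being replaced.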
 