Security researchers have uncovered an attack affecting most iOS devices that could allow a malicious mobile application to disguise itself as legitimate software in order to steal security details or other data.
Researchers at FireEye said the “Masque Attack” relies on a shortcoming in the enterprise/ad hoc provisioning feature in iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta, for both jailbroken and non-jailbroken devices, meaning it works on about 95 percent of all iOS devices.
Enterprise provisioning profiles allow developers to create software that can be installed on any iOS device without going through the official Apple App Store, and are typically used by organisations creating in-house apps for their users.
FireEye said that iOS doesn’t ensure that apps using the same enterprise bundle identifier use matching security certificates. This means that, for instance, a malicious app using the bundle identifier com.google.Gmail, but signed using a non-Google enterprise certificate, can replace the genuine Gmail app, and iOS would not be able to distinguish the replacement from the original.
“An iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier,” researchers said.
The malicious app can use a user interface identical to the original, allowing it to steal data such as login credentials when the user tries to sign into a bank account or other service. It can also access the original app’s local data, which may include cached emails or login tokens.
In a video, FireEye demonstrated a user installing an in-house app called “New Flappy Bird” on an iPhone; when installed, the app replaced Gmail and automatically uploaded cached emails and attachments to a remote server. When launched, the replacement app automatically logged into Gmail, giving it access to the user’s future communications.
“Masque Attacks can replace authentic apps,such as banking and email apps, using attacker’s malware through the Internet,” FireEye said. “That means the attacker can steal user’s banking credentials by replacing an authentic banking app with an malware that has identical UI.”
Masque attacks can be carried out over either Wi-Fi or USB. Aside from the issues already mentioned, malicious apps, once installed, can exploit other vulnerabilities to gain access to data stored on the device..The attack depends upon a user installing an app from an unknown source, but malicious apps may use attractive titles to encourage people to install.
The issue was discovered in July, and FireEye said it contacted Apple at the time, and believes Apple is working on a fix.
More recently, the security firm said it has seen indications the issue is starting to be used in targeted attacks, and may spread more broadly in the near future.
“In this situation, we consider it urgent to let the public know, since there could be existing attacks that haven’t been found by security vendors,” it said.
FireEye added users can protect themselves by installing apps only from the Apple Store or from their own organisation. iOS 7 users can review the enterprise provisioning profiles of the software installed on their devices to spot what might be phony apps, but iOS 8 doesn’t display profiles for software already installed.
“Because all the existing standard protections or interfaces by Apple cannot prevent such an attack, we are asking Apple to provide more powerful interfaces to professional security vendors to protect enterprise users from these and other advanced attacks.”
Earlier this month Palo Alto Networks reported discovering malware called WireLurker that is actively targeting users in China. The malware is unusual in that, like the Masque Attack, it can affect non-jailbroken handsets.
The issues arise as Apple is pushing to increase its presence in the enterprise, having recently agreed a deal with IBM targeting corporate sales of iPhones and iPads.
Are you a security pro? Try our quiz!
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…