Categories: CyberCrimeSecurity

Hackers Are Now Demolishing, Breaking and Hijacking Apple’s iOS

Security firm FireEye has disclosed details of two new ways in which hackers can secretly switch your legitimate iOS apps with dangerous, fake ones.

Apple has patched numerous vulnerabilities in its recent release of iOS 8.4, including flaws that allow attackers to deploy these new kinds of attacks.

Malicious apps

These specific types of attacks are dubbed Masque Attacks by FireEye – attacks that allow malicious apps to replace existing, legitimate ones on an iOS device via SMS, email, or web browsing.

The new Masque Attacks are being called Manifest Masque and Extension Masque.

Manifest Masque gives an attacker the ability to replace the built-in apps on iOS (such as Apple Pay, Apple Watch, FaceTime) as well as App Store apps. Extension Masque, which allows for attackers to gain access to the data of other app which are containerised for security.

In a recent blog, FireEye has also disclosed the details of a previously fixed, but undisclosed, masque vulnerability: Plugin Masque, which bypasses iOS entitlement enforcement and hijacks VPN traffic.

An investigation conducted by FireEye has found that around one third of iOS devices still have not updated to versions 8.1.3 or above, even 5 months after the release of 8.1.3, and these devices are still vulnerable to all the Masque Attacks. To date, FireEye has disclosed details of five kinds of Masque Attacks.

FireEye’s blog stated: “Although Apple has fixed or partially fixed the original Masque Attack on iOS 8.1.3, there are still other attack surfaces to exploit vulnerabilities in the installation process on iOS.

It added: “Moreover, around one third of iOS devices that we monitored are still vulnerable to all the Masque Attacks because they have not been upgraded. We suggest that all iOS users keep their devices up-to-date.”

How much do you know about mobile apps? Take our quiz!

Duncan Macrae

Duncan MacRae is former editor and now a contributor to TechWeekEurope. He previously edited Computer Business Review's print/digital magazines and CBR Online, as well as Arabian Computer News in the UAE.

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago