A new attack can replace a genuine iOS app with one with malicious intent.
The ‘Masque Attack’ is an iOS app installed using enterprise or ad-hoc provisioning that could replace another genuine app installed through the App Store if both applications used the same bundle identifier, said researchers at FireEye.
The vulnerability exists because iOS doesn’t enforce matching certificates for apps with the same bundle identifier, FireEye researchers said in a blog post.
Once the victim installs the malicious app, the illegitimate application will replace the genuine one, the researchers said. The only apps that appear unaffected by the issue are pre-installed applications such as Mobile Safari. The attacker can leverage this issue both wirelessly and through USB, researchers said.
“After looking into WireLurker, we found that it started to utilize a limited form of Masque Attacks to attack iOS devices through USB,” FireEye researchers said.
“Masque Attacks can pose much bigger threats than WireLurker. Masque Attacks can replace authentic apps, such as banking and email apps, using attacker’s malware through the Internet. That means the attacker can steal user’s banking credentials by replacing an authentic banking app with an malware that has identical UI. Surprisingly, the malware can even access the original app’s local data, which wasn’t removed when the original app was replaced. These data may contain cached emails, or even login-tokens which the malware can use to log into the user’s account directly.”
The vulnerability has been verified by FireEye on iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta on both jailbroken and non-jailbroken devices. Researchers said they notified Apple July 26. They also said they have seen proof the issue is starting to circulate.
Among other actions, an attacker could mimic the original app’s login interface and steal a victim’s credentials. The researchers also found because data under the original app’s directory remained in the malware local directory after the original app ended up replaced, the malware can steal sensitive data. In addition, the attacker can also use Masque Attacks to bypass the app sandbox and get root privileges by attacking known iOS vulnerabilities.
“We disclosed this vulnerability to Apple in July,” FireEye researchers said in the blog. “Because all the existing standard protections or interfaces by Apple cannot prevent such an attack, we are asking Apple to provide more powerful interfaces to professional security vendors to protect enterprise users from these and other advanced attacks.”
The firm recommends users don’t install apps from third-party sources other than Apple’s official App store or the user’s organization. Also, avoid clicking install on a pop-up from a third-party webpage, and be wary of any app that triggers an ‘Untrusted App Developer’ alert from iOS.
“To check whether there are apps already installed through Masque Attacks, iOS 7 users can check the enterprise provisioning profiles installed on their iOS devices, which indicate the signing identities of possible malware delivered by Masque Attacks, by checking “Settings – > General -> Profiles” for “PROVISIONING PROFILES”,” FireEye researchers said. “iOS 7 users can report suspicious provisioning profiles to their security department. Deleting a provisioning profile will prevent enterprise signed apps which rely on that specific profile from running. However, iOS 8 devices don’t show provisioning profiles already installed on the devices and we suggest taking extra caution when installing apps.”