Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

iOS Security Issue Allows Attackers to Swap Good Apps for Bad Ones: FireEye

Researchers at FireEye identified a new attack that can be used by attackers to replace a genuine app with another.

Researchers at FireEye identified a new attack that can be used by attackers to replace a genuine app with another.

The researchers have dubbed it the ‘Masque Attack‘. In July, the FireEye mobile security team discovered that an iOS app installed using enterprise or ad-hoc provisioning could replace another genuine app installed through the App Store if both applications used the same bundle identifier. The vulnerability exists because iOS doesn’t enforce matching certificates for apps with the same bundle identifier, according to the firm.

Once the victim is enticed into installing the malicious app, FireEye researchers explained, the illegitimate application will replace the genuine one. The only apps that appear to be unaffected by the issue are pre-installed applications such as Mobile Safari. According to FireEye, the attacker can leverage this issue both wirelessly and through USB.  

“After looking into WireLurker, we found that it started to utilize a limited form of Masque Attacks to attack iOS devices through USB,” the FireEye researchers blogged. “Masque Attacks can pose much bigger threats than WireLurker. Masque Attacks can replace authentic apps,such as banking and email apps, using attacker’s malware through the Internet. That means the attacker can steal user’s banking credentials by replacing an authentic banking app with an malware that has identical UI. Surprisingly, the malware can even access the original app’s local data, which wasn’t removed when the original app was replaced. These data may contain cached emails, or even login-tokens which the malware can use to log into the user’s account directly.”

The vulnerability has been verified by FireEye on iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta on both jailbroken and non-jailbroken devices. Researchers stated that they notified Apple July 26, and added that they have seen proof the issue is starting to circulate. Apple did not respond immediately to a SecurityWeek request for comment.

Among other actions, an attacker could mimic the original app’s login interface and steal a victim’s credentials. The researchers also found that because data under the original app’s directory remained in the malware local directory after the original app was replaced, the malware can steal sensitive data. In addition, the attacker can also use Masque Attacks to bypass the app sandbox and get root privileges by attacking known iOS vulnerabilities.

“We disclosed this vulnerability to Apple in July,” according to FireEye. “Because all the existing standard protections or interfaces by Apple cannot prevent such an attack, we are asking Apple to provide more powerful interfaces to professional security vendors to protect enterprise users from these and other advanced attacks.”

The firm recommends users don’t install apps from third-party sources other than Apple’s official App store or the user’s organization. Also, avoid clicking install on a pop-up from a third-party webpage, and be wary of any app that triggers a ‘Untrusted App Developer’ alert from iOS.

“To check whether there are apps already installed through Masque Attacks, iOS 7 users can check the enterprise provisioning profiles installed on their iOS devices, which indicate the signing identities of possible malware delivered by Masque Attacks, by checking “Settings – > General -> Profiles” for “PROVISIONING PROFILES”,” according to FireEye. “iOS 7 users can report suspicious provisioning profiles to their security department. Deleting a provisioning profile will prevent enterprise signed apps which rely on that specific profile from running. However, iOS 8 devices don’t show provisioning profiles already installed on the devices and we suggest taking extra caution when installing apps.”

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Cyberwarfare

Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.