Researchers at FireEye identified a new attack that can be used by attackers to replace a genuine app with another.
The researchers have dubbed it the ‘Masque Attack‘. In July, the FireEye mobile security team discovered that an iOS app installed using enterprise or ad-hoc provisioning could replace another genuine app installed through the App Store if both applications used the same bundle identifier. The vulnerability exists because iOS doesn’t enforce matching certificates for apps with the same bundle identifier, according to the firm.
Once the victim is enticed into installing the malicious app, FireEye researchers explained, the illegitimate application will replace the genuine one. The only apps that appear to be unaffected by the issue are pre-installed applications such as Mobile Safari. According to FireEye, the attacker can leverage this issue both wirelessly and through USB.
“After looking into WireLurker, we found that it started to utilize a limited form of Masque Attacks to attack iOS devices through USB,” the FireEye researchers blogged. “Masque Attacks can pose much bigger threats than WireLurker. Masque Attacks can replace authentic apps,such as banking and email apps, using attacker’s malware through the Internet. That means the attacker can steal user’s banking credentials by replacing an authentic banking app with an malware that has identical UI. Surprisingly, the malware can even access the original app’s local data, which wasn’t removed when the original app was replaced. These data may contain cached emails, or even login-tokens which the malware can use to log into the user’s account directly.”
The vulnerability has been verified by FireEye on iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta on both jailbroken and non-jailbroken devices. Researchers stated that they notified Apple July 26, and added that they have seen proof the issue is starting to circulate. Apple did not respond immediately to a SecurityWeek request for comment.
Among other actions, an attacker could mimic the original app’s login interface and steal a victim’s credentials. The researchers also found that because data under the original app’s directory remained in the malware local directory after the original app was replaced, the malware can steal sensitive data. In addition, the attacker can also use Masque Attacks to bypass the app sandbox and get root privileges by attacking known iOS vulnerabilities.
“We disclosed this vulnerability to Apple in July,” according to FireEye. “Because all the existing standard protections or interfaces by Apple cannot prevent such an attack, we are asking Apple to provide more powerful interfaces to professional security vendors to protect enterprise users from these and other advanced attacks.”
The firm recommends users don’t install apps from third-party sources other than Apple’s official App store or the user’s organization. Also, avoid clicking install on a pop-up from a third-party webpage, and be wary of any app that triggers a ‘Untrusted App Developer’ alert from iOS.
“To check whether there are apps already installed through Masque Attacks, iOS 7 users can check the enterprise provisioning profiles installed on their iOS devices, which indicate the signing identities of possible malware delivered by Masque Attacks, by checking “Settings – > General -> Profiles” for “PROVISIONING PROFILES”,” according to FireEye. “iOS 7 users can report suspicious provisioning profiles to their security department. Deleting a provisioning profile will prevent enterprise signed apps which rely on that specific profile from running. However, iOS 8 devices don’t show provisioning profiles already installed on the devices and we suggest taking extra caution when installing apps.”
