Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

iOS Security Issue Allows Attackers to Swap Good Apps for Bad Ones: FireEye

Researchers at FireEye identified a new attack that can be used by attackers to replace a genuine app with another.

Researchers at FireEye identified a new attack that can be used by attackers to replace a genuine app with another.

The researchers have dubbed it the ‘Masque Attack‘. In July, the FireEye mobile security team discovered that an iOS app installed using enterprise or ad-hoc provisioning could replace another genuine app installed through the App Store if both applications used the same bundle identifier. The vulnerability exists because iOS doesn’t enforce matching certificates for apps with the same bundle identifier, according to the firm.

Once the victim is enticed into installing the malicious app, FireEye researchers explained, the illegitimate application will replace the genuine one. The only apps that appear to be unaffected by the issue are pre-installed applications such as Mobile Safari. According to FireEye, the attacker can leverage this issue both wirelessly and through USB.  

“After looking into WireLurker, we found that it started to utilize a limited form of Masque Attacks to attack iOS devices through USB,” the FireEye researchers blogged. “Masque Attacks can pose much bigger threats than WireLurker. Masque Attacks can replace authentic apps,such as banking and email apps, using attacker’s malware through the Internet. That means the attacker can steal user’s banking credentials by replacing an authentic banking app with an malware that has identical UI. Surprisingly, the malware can even access the original app’s local data, which wasn’t removed when the original app was replaced. These data may contain cached emails, or even login-tokens which the malware can use to log into the user’s account directly.”

The vulnerability has been verified by FireEye on iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta on both jailbroken and non-jailbroken devices. Researchers stated that they notified Apple July 26, and added that they have seen proof the issue is starting to circulate. Apple did not respond immediately to a SecurityWeek request for comment.

Among other actions, an attacker could mimic the original app’s login interface and steal a victim’s credentials. The researchers also found that because data under the original app’s directory remained in the malware local directory after the original app was replaced, the malware can steal sensitive data. In addition, the attacker can also use Masque Attacks to bypass the app sandbox and get root privileges by attacking known iOS vulnerabilities.

“We disclosed this vulnerability to Apple in July,” according to FireEye. “Because all the existing standard protections or interfaces by Apple cannot prevent such an attack, we are asking Apple to provide more powerful interfaces to professional security vendors to protect enterprise users from these and other advanced attacks.”

The firm recommends users don’t install apps from third-party sources other than Apple’s official App store or the user’s organization. Also, avoid clicking install on a pop-up from a third-party webpage, and be wary of any app that triggers a ‘Untrusted App Developer’ alert from iOS.

Advertisement. Scroll to continue reading.

“To check whether there are apps already installed through Masque Attacks, iOS 7 users can check the enterprise provisioning profiles installed on their iOS devices, which indicate the signing identities of possible malware delivered by Masque Attacks, by checking “Settings – > General -> Profiles” for “PROVISIONING PROFILES”,” according to FireEye. “iOS 7 users can report suspicious provisioning profiles to their security department. Deleting a provisioning profile will prevent enterprise signed apps which rely on that specific profile from running. However, iOS 8 devices don’t show provisioning profiles already installed on the devices and we suggest taking extra caution when installing apps.”

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Hear from experts as they explore the latest trends, challenges and innovations in Attack Surface Management.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Cloud networking firm Aviatrix has named John Qian as CISO.

CrowdStrike has appointed Kartik Shahani as vice president of India and SAARC.

Jill Popelka has been appointed CEO at Darktrace, after serving as COO for three months.

More People On The Move

Expert Insights