According to security research firm FireEye, a new flaw it calls Masque Attack installs malicious apps that replace official third-party apps on iOS devices and could be used to mine those devices for private information.
The attack could start with an innocent-looking text message that lures users to install an app. In its demo of the attack, the phishing text message offers a new version of Flappy Bird. But instead of a game, the malicious app installs itself over a currently installed app. For example, it could replace the Google Mail app. When it does this, it retains and uploads the data inside the original app. By recreating the UI of the original app, the malicious app can continue to mine the iPhone for data without the user's knowledge.
The attack utilizes iOS’s enterprise provisioning profiles. The profiles allow IT departments to develop and deploy apps without using Apple’s App Store. Developers also use the provisioning profiles to deploy betas of apps to users.
In addition to using the provisioning profiles to gain access to the device, the attack uses the same “bundle identifiers” to replace apps. The bundle identifier is the unique string that identifies an app to a device. By using the same string in a malicious app, the device is unable to tell that the original app has been replaced.
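A defender-side check for the two conditions described above, written as an added example (not code from FireEye or Apple): it reads an app package's Info.plist and embedded.mobileprovision and flags an enterprise profile or a known bundle identifier signed by an unexpected team. The baseline table, team IDs, bundle identifiers and sample files are constructed placeholders, and the check assumes the package under review ships an embedded.mobileprovision file.

```python
import plistlib

# Assumed baseline: bundle identifier -> team ID of the legitimate publisher.
# Both values are constructed placeholders, not real identifiers.
BASELINE = {"com.example.mail": "TEAMGOOD01"}


def profile_plist(blob: bytes) -> dict:
    """Extract the XML plist embedded in a CMS-wrapped embedded.mobileprovision."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist found in provisioning profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def audit(info_plist: bytes, provision: bytes, baseline=BASELINE) -> list:
    """Return reasons an app package deserves review before installation."""
    bundle_id = plistlib.loads(info_plist).get("CFBundleIdentifier", "")
    profile = profile_plist(provision)
    teams = profile.get("TeamIdentifier", [])
    findings = []
    # Enterprise (in-house) profiles set ProvisionsAllDevices to true.
    if profile.get("ProvisionsAllDevices"):
        findings.append("enterprise (in-house) provisioning profile")
    # Same bundle identifier as a known app, but a different signing team.
    expected = baseline.get(bundle_id)
    if expected and expected not in teams:
        findings.append(f"{bundle_id} signed by {teams}, expected {expected}")
    return findings


def make_sample(bundle_id: str, team: str, enterprise: bool):
    """Build a constructed Info.plist and profile pair for the demo."""
    info = plistlib.dumps({"CFBundleIdentifier": bundle_id})
    body = {"TeamIdentifier": [team], "ProvisionsAllDevices": enterprise}
    # Surround the plist with filler bytes to mimic the CMS signature wrapper.
    return info, b"\x30\x82CMS" + plistlib.dumps(body) + b"\x00SIG"


if __name__ == "__main__":
    for args in [("com.example.mail", "TEAMGOOD01", False),
                 ("com.example.mail", "TEAMOTHER9", True)]:
        print(args, "->", audit(*make_sample(*args)))
```
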
The attack is unable to replace and spoof default apps that ship with iOS like Safari, Mail and Stocks, so hackers will use it to target third-party apps.
According to FireEye, even after restart, the malicious app continues to operate.
FireEye has been able to reproduce the attack on iOS versions 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta. The company says it informed Apple of the vulnerability in July.
FireEye has posted ways to protect yourself and your data from the attack:
Don’t install apps from third-party sources other than Apple’s official App Store or the user’s own organization
Don’t click “Install” on a pop-up from a third-party web page, as shown in Figure 1(c), no matter what the pop-up says about the app. The pop-up can show attractive app titles crafted by the attacker
When opening an app, if iOS shows an alert with “Untrusted App Developer”, as shown in Figure 3, click on “Don’t Trust” and uninstall the app immediately
Update: Apple responds.
➤ Masque Attack: All Your iOS Apps Belong to Us [FireEye]