Masque Attack, Replacing Genuine iOS Apps With Malware Apps.
Security firm FireEye has revealed that a security flaw in iOS leaves most iDevices vulnerable to cyber attacks. The flaw allows hackers to replace genuine apps on the devices with malicious apps.
The flaw, discovered by FireEye in July 2014, allows an iOS app installed using enterprise/ad-hoc provisioning to replace another genuine app installed through the App Store, as long as both apps use the same bundle identifier.
The third-party app may display an arbitrary title, such as a catchy name that is familiar to users. After installation, however, it can replace a genuine app; every app on an iOS device can be replaced this way except the iOS preinstalled apps. The FireEye team has named the method Masque Attack.
"This vulnerability exists because iOS doesn't enforce matching certificates for apps with the same bundle identifier. We verified this vulnerability on iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta, for both jailbroken and non-jailbroken devices. An attacker can leverage this vulnerability both through wireless networks and USB. We named this attack “Masque Attack,”" said the FireEye team. They demonstrate the attack in the video below.
iOS users can protect themselves from Masque Attacks by following three steps:
- Don’t install apps from third-party sources other than Apple’s official App Store or the user’s own organization.
- Don’t click “Install” on a pop-up from a third-party web page, as shown in Figure 1(c), no matter what the pop-up says about the app. The pop-up can show attractive app titles crafted by the attacker.
- When opening an app, if iOS shows an alert with “Untrusted App Developer”, as shown in Figure 3, click on “Don’t Trust” and uninstall the app immediately.
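The missing check FireEye describes (matching certificates for apps that share a bundle identifier) can be modelled in a few lines, together with an inventory audit a device-management team could run. This is an added example, not code from FireEye or Apple; the `App` record, the signer labels, the function names and the sample bundle identifiers are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class App:
    bundle_id: str  # the app's bundle identifier
    signer: str     # constructed label standing in for the signing certificate
    source: str     # "appstore", "enterprise" or "preinstalled"

def install_decision(installed: dict[str, App], incoming: App, enforce_signer: bool) -> str:
    """Return 'install', 'replace' or 'reject' for an incoming app."""
    current = installed.get(incoming.bundle_id)
    if current is None:
        return "install"              # no app with this bundle identifier yet
    if current.source == "preinstalled":
        return "reject"               # preinstalled iOS apps cannot be replaced
    if enforce_signer and current.signer != incoming.signer:
        return "reject"               # same bundle id, different certificate
    return "replace"                  # treated as an update of the existing app

def audit(baseline: dict[str, str], inventory: list[App]) -> list[App]:
    """Flag apps whose bundle id is in the baseline but whose signer differs."""
    return [a for a in inventory
            if a.bundle_id in baseline and baseline[a.bundle_id] != a.signer]

# Constructed sample data (not taken from the article).
INSTALLED = {
    "com.example.bank": App("com.example.bank", "store-signer-A", "appstore"),
    "com.apple.mobilesafari": App("com.apple.mobilesafari", "apple", "preinstalled"),
}
LOOKALIKE = App("com.example.bank", "enterprise-signer-X", "enterprise")
GENUINE_UPDATE = App("com.example.bank", "store-signer-A", "appstore")
BASELINE = {"com.example.bank": "store-signer-A"}  # expected signer per bundle id

if __name__ == "__main__":
    # Bundle id match alone (the behaviour the article describes) vs. enforced check.
    print(install_decision(INSTALLED, LOOKALIKE, enforce_signer=False))
    print(install_decision(INSTALLED, LOOKALIKE, enforce_signer=True))
    print(install_decision(INSTALLED, GENUINE_UPDATE, enforce_signer=True))
    print([a.bundle_id for a in audit(BASELINE, [LOOKALIKE, GENUINE_UPDATE])])
```
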