Mobile security researchers at FireEye say they have discovered an iOS security hole that allows attackers to replace your real apps with malware.
The vulnerability was discovered in July 2014. FireEye found that when installing an app using enterprise/ad-hock provisioning, it could replace a genuine app if it had the same bundle identifier. The app could display any title it wanted during installation, ie. “New Flappy Bird”, but once installed it can replace any app except Apple’s default preinstalled ones. This means that it could replace your banking apps or your email app, stealing personal information.
FireEye researchers say they’ve verified the vulnerability on iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta, for both jailbroken and non-jailbroken devices. The attack works via either wireless networks or USB and has been named “Masque Attack.”
FireEye says it notified Apple of the vulnerability on July 26th. In the meantime, the recently discovered “WireLurker” malware has used a limited for of the Masque Attack to infect iOS devices via USB.
The video below demonstrates how the malicious code can be installed on a user’s iPhone.
Security Impacts of The Masque Attack
An attacker can lure a victim to install an app with a deceiving name crafted by the attacker (like “New Angry Bird”), and the iOS system will use it to replace a legitimate app with the same bundle identifier. While Masque Attack can’t replace Apple’s own built-in apps such as Safari, it can replace apps installed from app store.
Masque Attack has severe security consequences:
- Attackers could mimic the original app’s login interface to steal the victim’s login credentials.
- Data under the original app’s directory, such as local data caches, remains in the malware local directory after the original app is replaced. The malware can steal this sensitive data. FireEye has confirmed this attack with email apps where the malware can steal local caches of important emails and upload them to a remote server.
- The MDM interface couldn’t distinguish the malware from the original app, because they used the same bundle identifier. Currently there is no MDM API to get the certificate information for each app. Thus, it is difficult for MDM to detect such attacks.
- Apps distributed using enterprise provisioning profiles (which FireEye calls “EnPublic apps”) aren’t subjected to Apple’s review process. Therefore, the attacker can leverage iOS private APIs for powerful attacks such as background monitoring, and mimic iCloud’s UI to steal the user’s Apple ID and password.
- The attacker can also use Masque Attacks to bypass the normal app sandbox and then get root privileges by attacking known iOS vulnerabilities, such as the ones used by the Pangu team.
iOS users can protect themselves from Masque Attacks by following three steps:
- Don’t install apps from third-party sources other than Apple’s official App Store or the user’s own organization
- Don’t click “Install” on a pop-up from a third-party web page, no matter what the pop-up says about the app. The pop-up can show attractive app titles crafted by the attacker
- When opening an app, if iOS shows an alert with “Untrusted App Developer”, click on “Don’t Trust” and uninstall the app immediately
To check whether there are apps already installed through Masque Attacks, FireEye says iOS 7 users can check the enterprise provisioning profiles installed on their iOS devices, which indicate the signing identities of possible malware delivered by Masque Attacks, by checking “Settings” -> “General” -> “Profiles” for “PROVISIONING PROFILES”.
iOS 7 users can report suspicious provisioning profiles to their security department. Deleting a provisioning profile will prevent enterprise signed apps which rely on that specific profile from running. However, iOS 8 devices don’t show provisioning profiles already installed on the devices and FireEye suggests taking extra caution when installing apps.
Apple has yet to address the FireEye report, we’ll keep you posted on developments.
