In the wake of the discovery of an iOS security hole dubbed Masque Attack, which can replace existing legitimate apps with malicious clones, Apple officially commented on the issue on Thursday in a statement to iMore:
“We designed OS X and iOS with built-in security safeguards to help protect customers and warn them before installing potentially malicious software,” an Apple spokesperson told iMore. “We’re not aware of any customers that have actually been affected by this attack. We encourage customers to only download from trusted sources like the App Store and to pay attention to any warnings as they download apps. Enterprise users installing custom apps should install apps from their company’s secure website.”
The Masque Attack works by convincing a user to install an app from outside of the iOS App Store by clicking a link in an email or text message. The user is then taken to a website where they’re prompted to download the app, which then installs the malicious app over the legitimate one. The malware uses iOS enterprise provisioning profiles, making it virtually undetectable.
United States Government Warns Users of Masque Attack
Also on Thursday, the United States government issued a warning about Masque Attack, informing iOS users of the vulnerability.
The bulletin, sent by the National Cybersecurity and Communications Integration Center and the U.S. Computer Emergency Readiness Team, outlined how Masque Attack spreads and what a malicious app is capable of doing on a user’s device.
An app installed on an iOS device using this technique may:
- Mimic the original app’s login interface to steal the victim’s login credentials.
- Access sensitive data from local data caches.
- Perform background monitoring of the user’s device.
- Gain root privileges to the iOS device.
- Be indistinguishable from a genuine app.
The Masque Attack was discovered just a week after another vulnerability, “WireLurker,” surfaced. WireLurker can infect an iOS device via OS X through a USB cable.
The average user can easily avoid both vulnerabilities by not installing suspicious apps and by only installing apps from the official iOS and Mac App Stores.