Researchers at FireEye on Monday made public the existence of the Masque Attack, which threatens iOS and Mac OS X operating systems.
Their report comes one week after Palo Alto Networks reported its discovery of WireLurker.
Masque Attack exploits a flaw in Apple’s OSes that allows the replacement of one app by another so long as both apps use the same bundle identifier.
All apps, except those preinstalled on iOS, such as Mobile Safari, can be replaced. The fake apps can access the original app’s local data, including log-in tokens.
Among other things, they let attackers log into and loot victims’ bank accounts.
The attacks work because iOS does not enforce matching certificates for apps with the same bundle identifier.
FireEye researchers verified the vulnerability on both jailbroken and regular iOS devices on iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta.
Attackers can leverage the vulnerability through wireless networks or USB ports.
“Because all the existing standard protections or interfaces by Apple cannot prevent such an attack, we are asking Apple to provide more powerful interfaces to professional security vendors to protect enterprise users from these and other advanced attacks,” said FireEye researchers Hui Xue, Tao Wei and Yulong Zhang in a blog post.
The Masque Attack tricks victims into installing malicious apps that have attractive names such as “New Angry Bird.”
Users are exposed when they download apps from third-party app stores or corporate app stores, ignore the “Untrusted App” warning that pops up when such an app is opened, jailbreak their iOS devices — or set the “Gatekeeping” feature on their Macs to “Anywhere,” nullifying its protection.
WireLurker uses a limited form of the Masque Attack to hit iOS devices through their USB ports, FireEye’s researchers said.
“For WireLurker to deliver its payload, the user must install untrusted applications on a Mac; for Masque, an iOS user must install an enterprise provisioning profile,” said Joe Abbey, director of software engineering at Arxan.
“In both cases, the user may be incentivized to trust the malware,” he told TechNewsWorld. “Either they are offered free pirated software or otherwise misled to accept a certificate.”
The Masque of the BYOD Death
Masque is especially dangerous in enterprises that have BYOD policies; IT cannot distinguish fake apps from original ones because both use the same bundle identifier.
Further, attackers can use Masque Attacks to bypass the app sandbox and get root privileges by attacking known iOS vulnerabilities, FireEye warned.
“The most disconcerting part of this attack vector is the insider risk,” Arxan’s Abbey said, adding that insiders can install malicious apps unknown to the end user.
Owners of BYOD devices should “strongly consider the option of disabling provisioning profiles until Apple can address this risk,” he recommended.
A Brief History of the Masque Attack
The FIreEye researchers discovered the Masque Attack in July and notified Apple about the vulnerability July 26, they said.
Apple has yet to respond, they claimed.
WireLurker and the Masque Attack “are another example of the sophistication and automation of attacks that are growing inexorably into the future,” Steve Hultquist, chief evangelist at RedSeal, told TechNewsWorld. This highlights the need for automated proactive prevention.
To avoid malware such as WireLurker or the Masque Attack, users have to refrain from installing apps from sources other than the official App Store or their own organization’s app store. They should not install apps from third-party Web pages. Further, they should click on “Don’t Trust” and uninstall an app immediately if they see the iOS “Untrusted App Developer” alert.
Users can check the enterprise provisioning profiles on their iOS 7 devices to see whether apps have been installed through Masque Attacks. However, iOS 8 devices don’t show provisioning profiles of apps already installed, so users need to take extra precautions.