An iOS security flaw can reportedly replace apps and open iPhones to data theft

Author

Roberto Baldwin

November 12, 2014

This article originally appeared on The Next Web

On the heels of the WireLurker malware, a new iOS vulnerability has potentially emerged and this one could share all your private information with hackers.

According to security research firm FireEye, a new flaw it calls Masque Attack installs malicious apps that replace official third-party apps on iOS devices and could be used to mine those devices for private information.

The attack could start with an innocent looking text message that lures users to install an app. In its demo of the attack, the phishing text message offers a new version of Flappy Bird. But instead of a game, the malicious app installs itself over a currently installed app. For example, it could replace the Google Mail app. When it does this, it retains and uploads the data inside the original app. By recreating the UI of the original app, the malicious app can continue to mine the iPhone for data without the users knowledge.

Here is a video demo of the Masque Attack in action:

iOS Masque Attack Demo (Video)

The attack utilizes iOS’s enterprise provision profiles. The profiles allow IT departments to develop and deploy apps without using Apple’s App Store. Developers also using the provision profiles to deploy betas of apps to users.

In additional to using the provisioning profiles to gain access to the device, the attack uses the same “bundle identifiers” to replace apps. The bundle identifier is the unique string that identifies an app to a device. By using the same string in a malicious app, the device is unable to tell that the original app has been replaced.

The attack is unable to replace and spoof default apps that ship with iOS like Safari, Mail and Stocks, so hackers will use it to target third-party apps.

According to FireEye, even after restart, the malicious app continues to operate.

FireEye has been able to reproduce the attack on iOS versions 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta. The company says it informed Apple of the vulnerability in July.

FireEye has posted ways to protect yourself and your data from the attack:

Don’t install apps from third-party sources other than Apple’s official App Store or the user’s own organization

Don’t click “Install” on a pop-up from a third-party web page, as shown in Figure 1(c), no matter what the pop-up says about the app. The pop-up can show attractive app titles crafted by the attacker

When opening an app, if iOS shows an alert with “Untrusted App Developer”, as shown in Figure 3, click on “Don’t Trust” and uninstall the app immediately

We have reached out to Apple concerning Masque Attack and will update this article when it replies.

Developing

➤ Masque Attack: All Your iOS Apps Belong to Us [FireEye]

Great ! Thanks for your subscription !

You will soon receive the first Content Loop Newsletter