Last week, it was reported that Mac and iOS users in China were the target of new malware called WireLurker that resulted in Apple confirming the security issue and blocking the affected malware apps. Just days later, mobile security research firm FireEye reports it has uncovered a major iOS security flaw that it claims poses a much bigger threat to Apple users than WireLurker.
According to FireEye, the new so-called “Masque Attack” security flaw was uncovered in July and exists because iOS does not enforce matching certificates for apps with the same bundle identifier. As such, an attacker could lure an iPhone, iPad or iPod touch user to install an app with a deceiving name such as “New Flappy Bird” or “Angry Bird Update” that, unbeknownst to the user, is actually malicious. Only preinstalled apps like Mobile Safari are said to be unaffected.
“Masque Attacks can replace authentic apps, such as banking and email apps, using attacker’s malware through the Internet,” claims FireEye. “That means the attacker can steal user’s banking credentials by replacing an authentic banking app with an malware that has identical UI. Surprisingly, the malware can even access the original app’s local data, which wasn’t removed when the original app was replaced. These data may contain cached emails, or even login-tokens which the malware can use to log into the user’s account directly.”
FireEye claims that it notified Apple about this vulnerability, which affects both non-jailbroken and jailbroken devices running iOS 7.1.1 through iOS 8.1.1 beta, on July 26th. The mobile security research firm claims that Masque Attack has severe security consequences, including the ability for attackers to “mimic the original app’s login interface to steal the victim’s login credentials” and “use Masque Attacks to bypass the normal app sandbox and then get root privileges by attacking known iOS vulnerabilities, such as the ones used by the Pangu team.”
Pangu is the Chinese team behind the iOS 8 untethered jailbreak for iPhone, iPad and iPod touch released last month.
FireEye provided an example of this security vulnerability based on the set of screenshots above, showing that a genuine copy of the Gmail app (Figure A and B) was able to be replaced with a malicious version (Figure D, E and F) by luring the user to install a “New Flappy Bird” update through enterprise/ad-hoc provisioning (Figure C). For demonstrative purposes, FireEye placed the words “yes, you are pwned” at the top of the malicious Gmail app (Figure F) and proved that they were able to upload all local cached emails to a remote server.
As a general rule of thumb, it is recommended that iOS users avoid installing apps outside of the App Store as a precautionary measure — especially from untrusted developers.
We have reached out to Apple for comment and will update this post if we hear back.
There's a reason Apple patched the Date & Time trick, to stop potential security threats like this from happening http://t.co/lqZecw4d33— Riles 🤷♂️ (@rileytestut) November 11, 2014