The U.S. Department of Homeland Security on Thursday issued an alert warning iOS users about the recent “Masque Attack” security flaw that can affect both non-jailbroken and jailbroken iPhone, iPad and iPod touch devices. The United States Computer Emergency Readiness Team outlines how the technique works and offers solutions on how iOS users can protect themselves.
Mobile security research team FireEye claimed last week that Masque Attacks allow an attacker to replace a legitimate app with a malicious version under a limited set of circumstances. To fall victim to the attack, an iPhone, iPad or iPod touch user must be lured into installing an app from outside the App Store, either through enterprise provisioning systems or through a phishing link.
FireEye explained the technical intricacies of the security flaw in more detail last week:
“Masque Attacks can replace authentic apps, such as banking and email apps, using attacker’s malware through the Internet,” claims FireEye. “That means the attacker can steal user’s banking credentials by replacing an authentic banking app with a malware that has identical UI. Surprisingly, the malware can even access the original app’s local data, which wasn’t removed when the original app was replaced. These data may contain cached emails, or even login-tokens which the malware can use to log into the user’s account directly.”
The government organization says that iOS users can protect themselves by not installing apps from sources other than the App Store or their own organization, by not tapping “Install” on a third-party prompt when viewing a web page, and by tapping “Don’t Trust” and uninstalling any app that displays an “Untrusted App Developer” alert when opened.
Masque Attacks can affect users running iOS 7.1.1 through iOS 8.1.1 beta.
ROTFL!!! How to avoid this attack? Just don’t be a stupid dipshit that clicks on every single freaking thing you get from every unsolicited message! Problem solved!
While Apple definitely needs to fix the flaw allowing this, NO ONE can fix the stupidity of the average Joe that actually enables this…
True. Just be considerate before you click something and it’s fine :)
Also iOS users can protect themselves by… Updating to iOS 8.2!
and in what world does that version even exist?
in this world, but not yet :) I meant 8.1 :)
I find it awful that The Verge hasn’t reported on this yet. They really can’t say too many bad things about Apple. And 24 hours later, they move the Nexus 6 review off the front page and off the video player. I used to love The Verge. Now I despise them.