Seriously? Another iOS vulnerability?



A security flaw in Apple’s mobile iOS operating system has made most iPhones and iPads vulnerable to cyber attacks by hackers seeking access to sensitive data and control of their devices.

MasqueAttack

The details about this new vulnerability was published by FireEye on its blog on Monday:

[…] an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier. This in-house app may display an arbitrary title (like “New Flappy Bird”) that lures the user to install it, but the app can replace another genuine app after installation. All apps can be replaced except iOS preinstalled apps, such as Mobile Safari. This vulnerability exists because iOS doesn’t enforce matching certificates for apps with the same bundle identifier. We verified this vulnerability on iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta, for both jailbroken and non-jailbroken devices.

The flaw allows hackers to access devices by fooling users to download and install malicious iOS applications on their iPhone or iPad via text messages, emails and Web links.

The Masque Attack technique is the same used by “WireLurker”, but this malware is reportedly a “much bigger threat” than Wirelurker:

Masque Attacks can pose much bigger threats than WireLurker. Masque Attacks can replace authentic apps,such as banking and email apps, using attacker’s malware through the Internet. That means the attacker can steal user’s banking credentials by replacing an authentic banking app with an malware that has identical UI.

Here’s a short video demo:

How to protect yourself?

FireEye recommends:

  1. Don’t install apps from third-party sources other than Apple’s official App Store or the user’s own organization
  2. Don’t click “Install” on a pop-up from a third-party web page, no matter what the pop-up says about the app. The pop-up can show attractive app titles crafted by the attacker
  3. When opening an app, if iOS shows an alert with “Untrusted App Developer” click on “Don’t Trust” and uninstall the app immediately

Published: November 11 2014