Apple iOS Malware: Why Masque Attack Is Even Worse Than WireLurker
Just when users thought it was safe to use their iPhones and iPads again, security researchers have exposed yet another malicious software program directed at Apple’s iOS. Earlier this month, researchers at Palo Alto Networks uncovered a malware program found in hundreds of apps from a Chinese app store aimed at Mac users. The researchers dubbed the malware “WireLurker” for its ability to infect iOS-based devices through a Mac’s OS X via a USB connection.
As noted by Palo Alto Networks, WireLurker was considered an especially dire threat due to its scale and its ability to infect non-jailbroken iOS devices. Since the iOS software on jailbroken Apple devices has been altered to allow unauthorized apps to be downloaded, those devices are typically more susceptible to malware. Soon after WireLurker was uncovered, Apple blocked the malicious apps, as reported by The Wall Street Journal.
Unfortunately, now an even greater threat known as “Masque Attack” has been revealed by researchers at cybersecurity firm FireEye. As noted by researchers Hui Xue, Tao Wei and Yulong Zhang on the FireEye blog, WireLurker was actually a “limited form of Masque Attacks to attack iOS devices through USB.”
While WireLurker could steal information from a mobile device it had infected, Masque Attack “can replace authentic apps, such as banking and email apps, using attacker’s malware through the Internet,” wrote FireEye researchers. On the bright side, although genuine App Store apps can be replaced via a Masque Attack, preinstalled iOS apps, such as Mobile Safari, cannot be replaced. As explained by FireEye researchers, Masque Attack exploits a vulnerability in Apple’s iOS that allows a legitimate app to be replaced by a malicious app as long as it uses the same bundle identifier. Non-jailbroken and jailbroken Apple devices are equally vulnerable to Masque Attacks.
In a video demo, the security researchers showed how a user could be tricked into downloading a malware program with a link sent through a text message. In their example, it was a program that replaced an authorized Gmail app on an iPhone with a malicious app that is virtually identical to the original app. By mimicking the legitimate app’s login interface, the attackers could easily steal a victim’s username and password. Besides being indistinguishable from an authorized app, a Masque Attack app can also access the original app’s local data, which can include everything from cached emails to login tokens. This data could potentially allow an attacker to directly log in to a user’s account, noted FireEye researchers.
Although FireEye researchers didn’t publicly reveal Masque Attack until November 10, they have long been aware of the vulnerability and informed Apple about it on July 26, in the hopes that the iPhone maker would quickly issue a fix. However, following the emergence of WireLurker and after having seen evidence that these types of attacks are starting to circulate, FireEye decided to share this information with the public.
Fortunately, since the malware requires some action from the user in order to be installed on a device, there are some simple steps that users can take to protect themselves against Masque Attack, as explained by FireEye. First, avoid downloading apps that don’t originate from the official Apple App Store. Second, don’t click “Install” on any popup windows that show up on third-party websites. According to FireEye researchers, attackers will try to make these popups as appealing as possible in order to trick users into clicking on them. In their example, the researchers used a link titled “New Flappy Bird” after the popular mobile game that is no longer available.
Finally, if you ever see an “Untrusted App Developer” popup, make sure you click the “Don’t Trust” button and uninstall the app. If you are concerned that your device may have already been compromised, you can also check your device’s enterprise provisioning profiles found under “Settings” and remove any suspicious profiles.
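For administrators of managed devices, the same two signals (a reused bundle identifier and an install that did not come from the App Store) can be checked across a fleet. The sketch below is an added example, not code from FireEye or from this article; it assumes an MDM-style inventory export that records each app's signing team and install source, and every field name, bundle identifier and team ID in it is a constructed placeholder.

```python
from dataclasses import dataclass

# Constructed baseline: bundle identifier -> team ID that signs the genuine app.
# All identifiers here are placeholders, not real apps or developers.
KNOWN_GOOD = {
    "com.example.mail": "TEAMAAAA01",
    "com.example.bank": "TEAMBBBB02",
}

@dataclass(frozen=True)
class InstalledApp:
    device: str
    bundle_id: str
    team_id: str   # signer recorded by the inventory (hypothetical field)
    source: str    # "app_store" or "enterprise" (hypothetical field)

# Constructed sample inventory, as an MDM export might report it.
SAMPLE_INVENTORY = [
    InstalledApp("phone-01", "com.example.mail", "TEAMAAAA01", "app_store"),
    InstalledApp("phone-02", "com.example.mail", "TEAMZZZZ99", "enterprise"),
    InstalledApp("phone-03", "com.example.bank", "TEAMBBBB02", "enterprise"),
    InstalledApp("phone-03", "com.example.game", "TEAMZZZZ99", "enterprise"),
]

def find_masque_candidates(inventory, known_good=KNOWN_GOOD):
    """Return (device, bundle_id, reasons) for apps that reuse a known
    bundle identifier but differ in signer or install source."""
    findings = []
    for app in inventory:
        expected_team = known_good.get(app.bundle_id)
        if expected_team is None:
            continue  # no baseline held for this bundle identifier
        reasons = []
        if app.team_id != expected_team:
            reasons.append("signer differs from baseline")
        if app.source != "app_store":
            reasons.append("installed outside the App Store")
        if reasons:
            findings.append((app.device, app.bundle_id, reasons))
    return findings

if __name__ == "__main__":
    for device, bundle_id, reasons in find_masque_candidates(SAMPLE_INVENTORY):
        print(f"{device}: {bundle_id}: {'; '.join(reasons)}")
```

An app with a baseline bundle identifier, the expected signer and an enterprise install source is still reported, since a side-loaded copy of a store app deserves a second look even when the signer field matches.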
Follow Nathanael on Twitter @ArnoldEtan_WSCS