Is Apple Doing Enough to Counter the Masque Attack Threat?
Is Apple downplaying a major threat to its users? Earlier this month, researchers at cyber-security firm FireEye alerted Apple users about a new threat called “Masque Attack.” According to the researchers, Masque Attack exploits a vulnerability in iOS 8 that allows any app other than a preinstalled one to be surreptitiously replaced with a malicious app. Masque Attack “can replace authentic apps, such as banking and email apps, using attacker’s malware through the Internet,” wrote FireEye researchers.
While FireEye researchers characterized Masque Attack as an urgent security flaw that “can pose much bigger threats than WireLurker,” Apple took a different perspective. “We designed OS X and iOS with built-in security safeguards to help protect customers and warn them before installing potentially malicious software,” said Apple in a statement given to iMore. “We’re not aware of any customers that have actually been affected by this attack. We encourage customers to only download from trusted sources like the App Store and to pay attention to any warnings as they download apps. Enterprise users installing custom apps should install apps from their company’s secure website.”
Apple appeared to be highlighting the fact that a Masque Attack does require some action from the user. As explained by FireEye researchers, an attacker must first trick a user into installing what they think is a well-known game or other popular app on their iPhone or iPad. In their demonstration, the FireEye researchers sent a hypothetical victim an app titled “New Flappy Bird.”
The malware then infects the iOS device with an app that uses the same bundle identifier as a genuine app, such as Google’s Gmail app. Besides allowing attackers to insert an app that is indistinguishable from the genuine one, Masque Attack also has the capability to access the original app’s local data, which can include everything from cached emails to login tokens. Per FireEye researchers, this data could potentially let the attacker gain access to a user’s account.
Although FireEye alerted Apple about Masque Attack in July, the cybersecurity firm decided to go public with its concerns after WireLurker and similar threats began to circulate earlier this month. According to FireEye researchers, Masque Attack is a greater threat than WireLurker because WireLurker was just “a limited form of Masque Attacks to attack iOS devices through USB.”
Soon after WireLurker was discovered, Apple told The Wall Street Journal that it had “blocked the identified apps to prevent them from launching.” According to iOS forensic expert Jonathan Zdziarski, Apple appears to have blocked the apps by revoking the enterprise provisioning profile that allowed WireLurker apps to be downloaded. However, he warned that this was not a long-term solution, since “additional certificates could be substituted and new copies of the software inserted.”
WireLurker appeared to have originated from the Maiyadi App Store, a third-party Mac application store in China, said researchers at Palo Alto Networks. In other words, people who had their iOS devices infected with WireLurker were most likely downloading pirated software that had been trojanized. Unfortunately, that association with piracy might make it less likely that someone who encounters WireLurker or Masque Attack would report it to Apple, which might explain why the company doesn’t know about customers who may have been affected by Masque Attack.
On the other hand, Apple doesn’t exactly have the best track record when it comes to disclosing the extent of problems with its products. When reports that the new iPhone 6 Plus was susceptible to being easily bent emerged earlier this year, Apple told The Wall Street Journal that only nine customers had contacted the company over the “bendgate” issue. Some iPhone 6 Plus owners apparently had an issue with Apple’s numbers and launched a site called “One of the Nine” last month. So far, the site has documented 448 bent iPhones.
While it remains to be seen if a similar grassroots movement will erupt over Masque Attack, it should be noted that the researchers at FireEye believe that the current security measures used in iOS 8 could stand to be improved. “This vulnerability exists because iOS doesn’t enforce matching certificates for apps with the same bundle identifier,” wrote the researchers. “Because all the existing standard protections or interfaces by Apple cannot prevent such an attack, we are asking Apple to provide more powerful interfaces to professional security vendors to protect enterprise users from these and other advanced attacks.”
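To make the missing check concrete, here is an added model (not Apple’s code and not FireEye’s) of the install-time decision the researchers describe: a policy that compares only bundle identifiers lets a differently signed package replace an installed app, whereas a policy that also requires a matching signing identity does not. The bundle identifiers and team identifiers are constructed placeholders, and the inventory audit at the end is the kind of check an enterprise MDM administrator could run over installed-app records.

```python
"""Model of the Masque Attack condition: same bundle identifier, different signer.

Constructed example data; the identifiers below are placeholders, not real apps.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AppPackage:
    bundle_id: str  # identifier shared by the genuine app and the impostor
    team_id: str    # signing identity (developer or enterprise team), constructed
    source: str     # "app_store" or "enterprise_profile"


def bundle_only_policy(installed: AppPackage, incoming: AppPackage) -> bool:
    """Replacement allowed whenever bundle identifiers match.

    This is the behaviour FireEye described: the certificate of the
    incoming package is never compared with that of the installed app.
    """
    return installed.bundle_id == incoming.bundle_id


def matching_signer_policy(installed: AppPackage, incoming: AppPackage) -> bool:
    """Replacement allowed only when bundle identifier AND signer match."""
    return (installed.bundle_id == incoming.bundle_id
            and installed.team_id == incoming.team_id)


def audit_inventory(installed: list[AppPackage],
                    expected_team: dict[str, str]) -> list[str]:
    """Return bundle identifiers whose installed signer differs from the
    signer the organisation expects for that identifier.

    A hit means an app with a known bundle identifier is present but was
    signed by someone else, which is exactly the Masque Attack condition.
    """
    return [app.bundle_id for app in installed
            if app.bundle_id in expected_team
            and expected_team[app.bundle_id] != app.team_id]


if __name__ == "__main__":
    genuine = AppPackage("com.example.mail", "TEAM_GENUINE_0001", "app_store")
    impostor = AppPackage("com.example.mail", "TEAM_ENTERPRISE_9999",
                          "enterprise_profile")
    print("bundle-only policy allows replacement:",
          bundle_only_policy(genuine, impostor))       # True
    print("matching-signer policy allows replacement:",
          matching_signer_policy(genuine, impostor))   # False
```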
Follow Nathanael on Twitter @ArnoldEtan_WSCS