The New iOS Security Hole Is Worth Your Attention, But Don't Panic

Researchers from the security firm FireEye recently uncovered a nasty little iOS vulnerability they're calling a "Masque Attack". Once it's in place, an attacker can steal banking credentials, dig into email and more. But don't panic, because it's hard to actually pull off.

Essentially, a Masque Attack requires a malicious app, signed with an enterprise provisioning profile and carrying the same bundle identifier as an app you already have installed, to be downloaded and installed from a website outside the App Store. Because the bundle identifiers match, iOS replaces the genuine app with the impostor. Inside that app is whatever malware the attacker wants to put there, keyloggers included, so a Masque Attack can do all types of nasty things. Here's what FireEye has to say about it:

  1. Attackers could mimic the original app's login interface to steal the victim's login credentials. We have confirmed this through multiple email and banking apps, where the malware uses a UI identical to the original app to trick the user into entering real login credentials and upload them to a remote server.
  2. We also found that data under the original app's directory, such as local data caches, remained in the malware's local directory after the original app was replaced. The malware can steal this sensitive data. We have confirmed this attack with email apps, where the malware can steal local caches of important emails and upload them to a remote server.
  3. The MDM interface couldn't distinguish the malware from the original app, because they used the same bundle identifier. Currently there is no MDM API to get the certificate information for each app. Thus, it is difficult for MDM to detect such attacks.
  4. As mentioned in our Virus Bulletin 2014 paper "Apple without a shell - iOS under targeted attack", apps distributed using enterprise provisioning profiles (which we call "EnPublic apps") aren't subjected to Apple's review process. Therefore, the attacker can leverage iOS private APIs for powerful attacks such as background monitoring (CVE-2014-1276) and mimic iCloud's UI to steal the user's Apple ID and password.
  5. The attacker can also use Masque Attacks to bypass the normal app sandbox and then get root privileges by attacking known iOS vulnerabilities, such as the ones used by the Pangu team.

Sounds freaky, right? The good news is that it's incredibly easy to avoid it. iMore explains:

To avoid Masque and similar attacks, all that's required is to avoid downloading any apps from outside Apple's official App Store, and denying permission for any untrusted app to install.

That's it. Masque requires a whole lot of things to line up. First off, the attacker needs to build an app that uses the same bundle identifier as, and looks like, a popular app you already have installed on your phone, and sign it with an enterprise provisioning profile so it can install without going through the App Store. Second, the attacker needs you to open a link that downloads the app to your phone from a site outside the App Store. Finally, you need to tap through iOS's prompt and agree to install that app from an untrusted developer. If all those conditions are met, they're in. But that's a pretty tall order, even for the least tech-savvy among us.
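As an added example (not FireEye's, Apple's or the article's code), here is a Python triage script that checks an .ipa for the two things the attack turns on, per FireEye's points 3 and 4 above and the conditions just listed: an enterprise or ad hoc provisioning profile (so the app installs outside the App Store), and a bundle identifier that collides with an app already installed from the App Store. The KNOWN_APPSTORE_BUNDLE_IDS set, the team name and the sample IPA are constructed for the demo; the script also extracts the profile's plist by delimiter search and does not verify its CMS signature.

```python
"""Triage an iOS .ipa for Masque-style indicators.

Added example, not FireEye's, Apple's or the article's code. Assumed or
hypothetical: KNOWN_APPSTORE_BUNDLE_IDS stands in for an MDM inventory
export, and the sample IPA is constructed in memory.
"""
import io
import plistlib
import re
import zipfile

# Hypothetical inventory of bundle IDs installed from the App Store; an
# MDM export would supply the real list.
KNOWN_APPSTORE_BUNDLE_IDS = {"com.example.bank", "com.example.mail"}

# The plist inside a CMS-wrapped provisioning profile sits between these markers.
PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)
INFO_PLIST_RE = re.compile(r"Payload/[^/]+\.app/Info\.plist")


def provisioning_plist(blob: bytes) -> dict:
    """Extract the XML plist from embedded.mobileprovision.

    The file is a CMS (PKCS#7) signed message whose payload is a plist. This
    pulls the plist out by delimiter search and does NOT verify the CMS
    signature, so the fields are attacker-controlled metadata: fine for
    triage, not for a trust decision.
    """
    match = PLIST_RE.search(blob)
    if match is None:
        raise ValueError("no plist found in provisioning profile")
    return plistlib.loads(match.group(0))


def profile_kind(profile: dict) -> str:
    """Classify a provisioning profile by its device scope."""
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"   # in-house distribution: installs on any device
    if profile.get("ProvisionedDevices"):
        return "ad-hoc"       # limited to the listed UDIDs (also development)
    return "app-store"        # no device list and not all-devices


def triage_ipa(ipa_bytes: bytes, known_ids=frozenset(KNOWN_APPSTORE_BUNDLE_IDS)) -> dict:
    """Return the bundle ID, profile type and Masque indicators for one IPA."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        names = z.namelist()
        info_name = next(n for n in names if INFO_PLIST_RE.fullmatch(n))
        info = plistlib.loads(z.read(info_name))
        prov_name = info_name.rsplit("/", 1)[0] + "/embedded.mobileprovision"
        profile = provisioning_plist(z.read(prov_name)) if prov_name in names else {}

    bundle_id = info.get("CFBundleIdentifier", "")
    kind = profile_kind(profile) if profile else "none"
    app_id = profile.get("Entitlements", {}).get("application-identifier", "")
    sideloadable = kind in ("enterprise", "ad-hoc")
    collision = bundle_id in known_ids

    findings = []
    if sideloadable:
        findings.append(f"installable outside the App Store ({kind} profile, "
                        f"team {profile.get('TeamName', '?')})")
    if app_id.endswith(".*"):
        findings.append("wildcard application-identifier: profile can sign any bundle ID")
    if sideloadable and collision:
        findings.append(f"bundle ID {bundle_id} matches an App Store app; "
                        "iOS would replace the genuine app on install")

    return {
        "bundle_id": bundle_id,
        "profile": kind,
        "findings": findings,
        # Masque needs both: sideloadable signing AND a bundle ID collision.
        "masque_suspect": sideloadable and collision,
    }


def build_sample_ipa(bundle_id: str, all_devices: bool = True) -> bytes:
    """Constructed sample for the demo, not a real IPA: no Mach-O binary, and
    the CMS envelope is simulated with junk bytes on either side of the plist."""
    info = plistlib.dumps({"CFBundleIdentifier": bundle_id, "CFBundleName": "Bank"})
    profile = {"TeamName": "Example Corp",
               "Entitlements": {"application-identifier": "ABCDE12345.*"}}
    if all_devices:
        profile["ProvisionsAllDevices"] = True
    else:
        profile["ProvisionedDevices"] = ["00008030-000000000000002E"]  # made-up UDID
    prov = b"\x30\x82\x0b\x1c\x06\x09" + plistlib.dumps(profile) + b"\x00" * 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Bank.app/Info.plist", info)
        z.writestr("Payload/Bank.app/embedded.mobileprovision", prov)
    return buf.getvalue()


if __name__ == "__main__":
    # An impostor reusing the bank's bundle ID under an enterprise profile.
    for line in triage_ipa(build_sample_ipa("com.example.bank"))["findings"]:
        print("-", line)
```

The useful signal is the combination: an enterprise or ad hoc profile on its own is just how in-house apps ship, and a bundle ID alone is what the MDM already sees and cannot act on. Only an IPA that is both sideloadable and reuses an App Store app's bundle ID is flagged as a Masque suspect.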

While it's pretty tough to actually pull off a Masque Attack, it's good to know how it works so you don't accidentally fall victim to it. Don't download random apps from the internet, say no if iOS asks whether you want to install an app from an untrusted developer, and make sure your friends and family do the same.

Masque Attack: All Your iOS Apps Belong to Us [FireEye]


    Installation of a non-trusted app will be as simple as displaying an ad with:

    "You have (1) New Facebook Message!!!"
    "There are (7) hot singles in [YOUR TOWN NAME]"
    "Click here to extend your battery life 200%"
    "She got a breast enlargement, what happens next will leave you salivating!"
    "Hey dude, click on this link LOL"

    Never assume that people are always wary of clicking strange links, especially if they contain the name of an existing app. Like the Flappy Bird mentioned in the video -- if you search for the name of an existing app and see some good reviews, you're more likely to trust the strange link you received as an ad or SMS.

      Only if your phone is jailbroken. So for most users it's not an issue. Hopefully those who jailbreak are a bit more sophisticated and won't click on these links.

        According to the source, this attack works even if your iPhone is not jailbroken, as it relies on Provisioning Profiles to allow the installation of apps outside App Store.

    Actually, it's not just jail-broken phones that are vulnerable. This is exploiting a "feature" for developers to distribute apps internally for testing before public release on the app store.

    Also, those who jail-break are not necessarily the "more-sophisticated" of the bunch. There are many who think they know a lot, but in the end just want "free apps". Jail-breaking is easy enough for a 5 year old to do - doesn't mean they understand the security implications.

    Jail-breaking is inherently dangerous as it modifies the security of the operating system and "most" (use this very loosely) jail-break users wouldn't understand the implications of that change. If you do, or if you take some precautions with what you install and where you get your sources from, then it's reasonably safe.
