Researchers at the security firm FireEye recently uncovered a nasty little iOS vulnerability they're calling a "Masque Attack". Once a malicious app is in place, an attacker can steal banking credentials, dig into email and more. But don't panic, because it takes quite a bit of cooperation from the victim to actually pull off.
Essentially, a Masque Attack requires the victim to download and install a decoy app from a website outside the App Store, signed with an enterprise (or ad-hoc) provisioning profile rather than reviewed by Apple. Because the decoy uses the same bundle identifier as a genuine app already on the phone, iOS lets it replace that app in place. Inside the decoy is whatever malware the attacker wants to ship, keyloggers included. Here's what FireEye has to say about what it can do:
- Attackers could mimic the original app's login interface to steal the victim's login credentials. We have confirmed this through multiple email and banking apps, where the malware uses a UI identical to the original app to trick the user into entering real login credentials and upload them to a remote server.
- We also found that data under the original app's directory, such as local data caches, remained in the malware's local directory after the original app was replaced. The malware can steal this sensitive data. We have confirmed this attack with email apps where the malware can steal local caches of important emails and upload them to a remote server.
- The MDM interface couldn't distinguish the malware from the original app, because they used the same bundle identifier. Currently there is no MDM API to get the certificate information for each app. Thus, it is difficult for MDM to detect such attacks.
- As mentioned in our Virus Bulletin 2014 paper "Apple without a shell - iOS under targeted attack", apps distributed using enterprise provisioning profiles (which we call "EnPublic apps") aren't subjected to Apple's review process. Therefore, the attacker can leverage iOS private APIs for powerful attacks such as background monitoring (CVE-2014-1276) and mimic iCloud's UI to steal the user's Apple ID and password.
- The attacker can also use Masque Attacks to bypass the normal app sandbox and then get root privileges by attacking known iOS vulnerabilities, such as the ones used by the Pangu team.
Sounds freaky, right? The good news is that it's incredibly easy to avoid it. iMore explains:
To avoid Masque and similar attacks, all that's required is to avoid downloading any apps from outside Apple's official App Store, and denying permission for any untrusted app to install.
That's it. Masque needs several things to go right for the attacker. First, the hacker needs to build an app that carries the same bundle identifier as a popular app you already have installed, and dress it up as something you'd want to install. Second, the hacker needs you to download that app from a site outside the App Store. Finally, you need to tap through iOS's warning and agree to install an app from an untrusted source. If all those conditions are met, they're in. But that's a lot of prompts to click through, even for the least tech-savvy amongst us.
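The thing that makes the rogue app win is the shared bundle identifier, and the thing that lets it onto the phone is an enterprise or ad-hoc provisioning profile. If you pull an IPA from a suspicious link, those are the two facts to check first. The script below is an added example, not FireEye's or iMore's code: it opens an IPA, reads the bundle identifier from `Info.plist`, slices the XML plist out of `embedded.mobileprovision` (App Store builds carry no such file; enterprise profiles set `ProvisionsAllDevices`), and flags any non-store build whose bundle id collides with a watch-list. The watch-list, bundle ids, team names and the in-memory IPAs it triages are all constructed for the example.

```python
import io
import plistlib
import re
import zipfile

# Constructed watch-list for this example: bundle identifiers of apps an
# analyst would not want silently replaced. A real list would be built from
# the app inventory of the devices you manage.
WATCHLIST = {"com.example.bank", "com.example.mail"}

# A .mobileprovision is a CMS (PKCS#7) blob whose signed payload is an XML
# plist stored as plain bytes inside the DER, so triage tools usually just
# slice it out between <?xml and </plist>. (This reads the payload; it does
# not verify the CMS signature.)
PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)


def inspect_ipa(ipa_bytes):
    """Return (bundle_id, profile_dict_or_None) for the .app inside an IPA."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        names = z.namelist()
        info_path = next(n for n in names
                         if re.fullmatch(r"Payload/[^/]+\.app/Info\.plist", n))
        info = plistlib.loads(z.read(info_path))
        app_dir = info_path.rsplit("/", 1)[0]
        prov_path = app_dir + "/embedded.mobileprovision"
        profile = None
        if prov_path in names:
            match = PLIST_RE.search(z.read(prov_path))
            if match:
                profile = plistlib.loads(match.group(0))
    return info.get("CFBundleIdentifier"), profile


def classify(ipa_bytes, watchlist=WATCHLIST):
    """Label an IPA by how it was provisioned and whether its bundle id
    collides with a watch-listed app. App Store builds ship no embedded
    profile; enterprise profiles set ProvisionsAllDevices; ad-hoc and
    development profiles list ProvisionedDevices instead."""
    bundle_id, profile = inspect_ipa(ipa_bytes)
    if profile is None:
        distribution = "app-store"
    elif profile.get("ProvisionsAllDevices"):
        distribution = "enterprise"
    else:
        distribution = "ad-hoc"
    collides = bundle_id in watchlist and distribution != "app-store"
    return {
        "bundle_id": bundle_id,
        "distribution": distribution,
        "team": profile.get("TeamName") if profile else None,
        "verdict": "masque-candidate" if collides else "ok",
    }


def build_ipa(bundle_id, app_name="Demo", profile=None):
    """Construct a minimal IPA in memory (sample input, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        info = {"CFBundleIdentifier": bundle_id, "CFBundleName": app_name}
        z.writestr(f"Payload/{app_name}.app/Info.plist", plistlib.dumps(info))
        if profile is not None:
            # Stand-in for the CMS wrapper: opaque bytes around the XML plist.
            blob = b"\x30\x82\x01\x00" + plistlib.dumps(profile) + b"\x00" * 16
            z.writestr(f"Payload/{app_name}.app/embedded.mobileprovision", blob)
    return buf.getvalue()


# Constructed profiles: an enterprise ("in-house") profile and an ad-hoc one.
ENTERPRISE_PROFILE = {
    "Name": "Acme In-House", "TeamName": "Acme Corp",
    "ProvisionsAllDevices": True,
    "Entitlements": {"application-identifier": "ACME123.com.example.bank"},
}
ADHOC_PROFILE = {"Name": "Dev", "TeamName": "Indie Dev",
                 "ProvisionedDevices": ["00008030-000000000000000E"]}

# The cases a triage run should keep apart (all constructed).
SAMPLES = {
    # Lure named like a game, but carrying the bank's bundle id: Masque-style.
    "rogue_bank": build_ipa("com.example.bank", "FlappyClone", ENTERPRISE_PROFILE),
    # Same bundle id, store-style build with no embedded profile.
    "store_bank": build_ipa("com.example.bank", "Bank"),
    # Enterprise-signed app with an unremarkable bundle id.
    "inhouse_tool": build_ipa("com.example.expenses", "Expenses", ENTERPRISE_PROFILE),
    # Ad-hoc build colliding with the mail app: still a replacement risk.
    "dev_build": build_ipa("com.example.mail", "Mail", ADHOC_PROFILE),
}

if __name__ == "__main__":
    for label, ipa in SAMPLES.items():
        print(label, classify(ipa))
```

Two caveats match FireEye's own notes above: the check only helps if you know which bundle identifiers matter to your users, and it only applies to an IPA you have in hand, since MDM cannot see the signing certificate of an installed app. Apple's App Store signature cannot be forged by an attacker, so a genuine store update never trips this; the decoy always has to come with its own profile.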
While it's pretty tough to actually pull off a Masque Attack, it's good to know how it works so you don't accidentally fall victim to it. Don't install apps from links outside the App Store, don't tap "Install" on a prompt you weren't expecting, and make sure your friends and family don't either.