iOS Security Flaw Lets Attackers Replace Your Real Apps With Malware

iOS Security Flaw Lets Attackers Replace Your Real Apps With Malware

Posted by · 16666 views · Translate

FireEye mobile security researchers have discovered an iOS security flaw that lets attackers replace your real apps with malware.

The vulnerability was discovered in July 2014. FireEye found that when installing an app using enterprise/ad-hock provisioning, it could replace a genuine app if it had the same bundle identifier. The app could display any title it wanted during installation, ie. "New Flappy Bird", but once installed it can replace any app except Apple's default preinstalled ones. This means that it could replace your banking apps or your email app, stealing personal information.

FireEye says they verified this vulnerability on iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta, for both jailbroken and non-jailbroken devices. The attack works through wireless networks and USB and has been named “Masque Attack."

iOS Security Flaw Lets Attackers Replace Your Real Apps With Malware

The company says they notified Apple of the vulnerability on July 26th. Since then the WireLurker threat has utilized a limited form of Masque Attacks to attack iOS devices through USB.

Masque Attacks can pose much bigger threats than WireLurker. Masque Attacks can replace authentic apps,such as banking and email apps, using attacker's malware through the Internet. That means the attacker can steal user's banking credentials by replacing an authentic banking app with an malware that has identical UI. Surprisingly, the malware can even access the original app's local data, which wasn't removed when the original app was replaced. These data may contain cached emails, or even login-tokens which the malware can use to log into the user's account directly.

FireEye has come forward with details on the security flaw because "we consider it urgent to let the public know, since there could be existing attacks that haven’t been found by security vendors."

Masque Attack has severe security consequences:
● Attackers could mimic the original app’s login interface to steal the victim’s login credentials. We have confirmed this through multiple email and banking apps, where the malware uses a UI identical to the original app to trick the user into entering real login credentials and upload them to a remote server.
● We also found that data under the original app’s directory, such as local data caches, remained in the malware local directory after the original app was replaced. The malware can steal these sensitive data. We have confirmed this attack with email apps where the malware can steal local caches of important emails and upload them to remote server.
● The MDM interface couldn’t distinguish the malware from the original app, because they used the same bundle identifier. Currently there is no MDM API to get the certificate information for each app. Thus, it is difficult for MDM to detect such attacks.
● As mentioned in our Virus Bulletin 2014 paper “Apple without a shell - iOS under targeted attack”, apps distributed using enterprise provisioning profiles (which we call “EnPublic apps”) aren’t subjected to Apple’s review process. Therefore, the attacker can leverage iOS private APIs for powerful attacks such as background monitoring (CVE-2014-1276) and mimic iCloud’s UI to steal the user’s Apple ID and password.
● The attacker can also use Masque Attacks to bypass the normal app sandbox and then get root privileges by attacking known iOS vulnerabilities, such as the ones used by the Pangu team.

Apple has yet to address the report, please follow iClarified on Twitter, Facebook, Google+, or RSS for updates. You can also take a look at a video demo below...

Read More

Blorf - February 19, 2015 at 1:02am
mr.humann - November 11, 2014 at 6:33pm
omg! iOS has virus! huge security hole! it's the same as windows! oh, wait, you have to install your apps from "some website" instead of the App Store. I wonder who would do that besides Android users who're used to installing stuff from sites ending in .ru.
SimonSays - November 11, 2014 at 3:25am
WoppeeDoo - November 11, 2014 at 1:59am
This old news, they been doing this since the first Android was release. Why the sudden interest in IOS?
iProService - November 11, 2014 at 8:02am
Because iOS users typically have more money to steal than android users. Thieves go where the money is. Same reason they target pc's because banks and corporations use them over macs. They go where the money is.
18 More Comments