December 22, 2024
iOS Security Flaw Lets Attackers Replace Your Real Apps With Malware

Posted November 10, 2014 at 5:57pm by iClarified
FireEye mobile security researchers have discovered an iOS security flaw that lets attackers replace your real apps with malware.

FireEye discovered the vulnerability in July 2014. When an app is installed through enterprise or ad hoc provisioning, iOS lets it replace an already installed app that carries the same bundle identifier, without checking that the two apps were signed by the same developer certificate. The installation prompt shows whatever title the attacker chooses, e.g. "New Flappy Bird", but once installed the app overwrites any existing app except Apple's own preinstalled ones. That means it could replace your banking app or your email app and steal personal information.

FireEye says it verified the vulnerability on iOS 7.1.1, 7.1.2, 8.0, 8.1 and the 8.1.1 beta, on both jailbroken and non-jailbroken devices. The malicious app can be delivered over a wireless network or over USB, and the technique has been named "Masque Attack."



The company says it notified Apple of the vulnerability on July 26th. Since then, the WireLurker malware has used a limited form of Masque Attack to infect iOS devices over USB.

Masque Attacks can pose a much bigger threat than WireLurker. A Masque Attack can replace authentic apps, such as banking and email apps, with attacker-controlled malware delivered over the Internet. An attacker can therefore steal a user's banking credentials by replacing the genuine banking app with malware that presents an identical UI. More surprisingly, the malware can also access the original app's local data, which is not removed when the app is replaced. That data may contain cached emails or even login tokens that the malware can use to log into the user's account directly.

FireEye has come forward with details on the security flaw because "we consider it urgent to let the public know, since there could be existing attacks that haven’t been found by security vendors."


In FireEye's words, Masque Attack has severe security consequences:
● Attackers could mimic the original app’s login interface to steal the victim’s login credentials. We have confirmed this through multiple email and banking apps, where the malware uses a UI identical to the original app to trick the user into entering real login credentials and upload them to a remote server.
● We also found that data under the original app's directory, such as local data caches, remained in the malware's local directory after the original app was replaced. The malware can steal this sensitive data. We have confirmed this attack with email apps, where the malware can steal local caches of important emails and upload them to a remote server.
● The MDM interface couldn’t distinguish the malware from the original app, because they used the same bundle identifier. Currently there is no MDM API to get the certificate information for each app. Thus, it is difficult for MDM to detect such attacks.
● As mentioned in our Virus Bulletin 2014 paper “Apple without a shell - iOS under targeted attack”, apps distributed using enterprise provisioning profiles (which we call “EnPublic apps”) aren’t subjected to Apple’s review process. Therefore, the attacker can leverage iOS private APIs for powerful attacks such as background monitoring (CVE-2014-1276) and mimic iCloud’s UI to steal the user’s Apple ID and password.
● The attacker can also use Masque Attacks to bypass the normal app sandbox and then get root privileges by attacking known iOS vulnerabilities, such as the ones used by the Pangu team.
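The two facts above that matter most to a defender are that the only thing iOS compares at install time is the bundle identifier, and that MDM cannot see which certificate signed an installed app. What an enterprise can still do is inspect packages before they reach a device. The following script is an added example, not code from FireEye, iClarified or Apple: it opens an .ipa, reads CFBundleIdentifier from Info.plist and the signing Team ID from the embedded provisioning profile, and flags an enterprise or ad hoc signed package that claims a bundle identifier we already know belongs to another publisher. The KNOWN_PUBLISHERS table, the Team IDs and the sample packages are constructed for the example; a real embedded.mobileprovision is a CMS-signed blob, and the script only pulls the plist out of it without validating the signature (on macOS, `security cms -D -i embedded.mobileprovision` does the verified extraction).

```python
"""Pre-deployment check for Masque-style replacement packages.

Added example, not FireEye's or Apple's code.  An .ipa is a zip that holds
Payload/<Name>.app/Info.plist (CFBundleIdentifier) and
Payload/<Name>.app/embedded.mobileprovision (a CMS-signed blob that wraps an
XML plist with TeamIdentifier, ApplicationIdentifierPrefix and entitlements).
"""
import io
import plistlib
import zipfile

# Bundle identifiers we already trust, mapped to the publisher's Team ID.
# Constructed sample data: bundle ids and Team IDs are made up.
KNOWN_PUBLISHERS = {
    "com.examplebank.mobile": "BANK0TEAM1",
    "com.examplemail.client": "MAIL0TEAM2",
}


def extract_profile_plist(blob: bytes) -> dict:
    """Pull the XML plist out of a mobileprovision blob without verifying CMS."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < 0 or end < start:
        raise ValueError("no plist payload in provisioning profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def profile_kind(profile: dict) -> str:
    """Enterprise profiles provision all devices; ad hoc ones list UDIDs."""
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"
    if profile.get("ProvisionedDevices"):
        return "ad-hoc"
    return "app-store"


def check_package(bundle_id: str, profile: dict, known_publishers: dict) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    kind = profile_kind(profile)
    team_ids = set(profile.get("TeamIdentifier", []))
    prefixes = set(profile.get("ApplicationIdentifierPrefix", []))
    app_id = profile.get("Entitlements", {}).get("application-identifier", "")
    prefix, _, pattern = app_id.partition(".")

    # Internal consistency of the profile itself.
    if prefix not in prefixes:
        findings.append(f"entitlement prefix {prefix!r} not in ApplicationIdentifierPrefix")
    if pattern != "*" and pattern != bundle_id:
        findings.append(f"application-identifier {app_id!r} does not cover {bundle_id!r}")

    # The Masque check: a known bundle id signed by a team that does not own it.
    owner = known_publishers.get(bundle_id)
    if owner is not None and owner not in team_ids:
        findings.append(
            f"{kind} profile for team(s) {sorted(team_ids)} claims {bundle_id!r}, "
            f"which belongs to team {owner}: Masque-style replacement candidate"
        )
    return findings


def check_ipa(ipa_bytes: bytes, known_publishers: dict) -> tuple:
    """Locate Info.plist and embedded.mobileprovision in the .ipa, then check."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        info_name = next(
            n for n in z.namelist()
            if n.startswith("Payload/") and n.endswith(".app/Info.plist") and n.count("/") == 2
        )
        app_dir = info_name[: -len("Info.plist")]
        info = plistlib.loads(z.read(info_name))
        profile = extract_profile_plist(z.read(app_dir + "embedded.mobileprovision"))
    bundle_id = info["CFBundleIdentifier"]
    return bundle_id, check_package(bundle_id, profile, known_publishers)


def build_sample_ipa(bundle_id: str, display_name: str, team_id: str, enterprise: bool) -> bytes:
    """Constructed fixture: a minimal .ipa with a fake CMS wrapper around the profile."""
    info = {"CFBundleIdentifier": bundle_id, "CFBundleDisplayName": display_name}
    profile = {
        "Name": "Sample profile",
        "TeamIdentifier": [team_id],
        "ApplicationIdentifierPrefix": [team_id],
        "Entitlements": {"application-identifier": f"{team_id}.*"},
    }
    if enterprise:
        profile["ProvisionsAllDevices"] = True
    else:
        profile["ProvisionedDevices"] = ["00000000000000000000000000000000deadbeef"]
    # Real profiles are DER-encoded CMS; opaque bytes stand in for the wrapper here.
    wrapped = b"\x30\x82\x00\x00fake-cms-header" + plistlib.dumps(profile) + b"fake-signature"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Sample.app/Info.plist", plistlib.dumps(info))
        z.writestr("Payload/Sample.app/embedded.mobileprovision", wrapped)
    return buf.getvalue()


if __name__ == "__main__":
    # Shows "New Flappy Bird" at install time but carries the bank's bundle id.
    rogue = build_sample_ipa("com.examplebank.mobile", "New Flappy Bird", "EVIL0TEAM9", True)
    print(check_ipa(rogue, KNOWN_PUBLISHERS))
    genuine = build_sample_ipa("com.examplebank.mobile", "Example Bank", "BANK0TEAM1", False)
    print(check_ipa(genuine, KNOWN_PUBLISHERS))
```

The check keys on the Team ID rather than the display name because, as the article notes, the name shown during installation is under the attacker's control while the bundle identifier is what iOS uses to decide which app gets replaced. It is a gate for packages you distribute yourself; it does nothing for an app the user sideloads from an attacker's link, which is why the real fix had to come from Apple.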

Apple has yet to address the report. Follow iClarified on Twitter, Facebook, or RSS for updates. You can also take a look at the video demo below...

Comments (16)
SimonSays - November 11, 2014 at 3:25am
Poop!!!!!!!
tng - November 11, 2014 at 1:59am
This is old news; they've been doing this since the first Android was released. Why the sudden interest in iOS?
iProService - November 11, 2014 at 8:02am
Because iOS users typically have more money to steal than Android users. Thieves go where the money is. Same reason they target PCs: banks and corporations use them over Macs. They go where the money is.
gamerscul9870 - November 10, 2014 at 11:43pm
No OS is secure, due to jailbreaking, which can be done anytime. Thanks, Sherlock!
hamood_d10 - November 10, 2014 at 10:02pm
I've been using Apple products from the iPhone 3GS to the iPhone 6; I guess Apple's days are numbered if they didn't really update.
gamerscul9870 - November 10, 2014 at 11:42pm
Your memory life span is limited. You must be negligent to forget to update.
iBent - November 10, 2014 at 9:29pm
Now this is the world's most secure OS, which nobody can hack; that's what they say.
gamerscul9870 - November 10, 2014 at 11:40pm
You don't have one nearly as secure as iOS, even if iOS is 99% now. What's your excuse?
pubsacer - November 10, 2014 at 9:03pm
I agree, they are being proactive and giving something iOS doesn't have: BUGS
lepaka - November 10, 2014 at 7:14pm
Do as I do: reject company phones, no way. The company can give me their SIM card, but will never control me. It has been working perfectly for 15 years: SIM card from the company, phone is my choice, and no company apps at all :)
Headbanger - November 10, 2014 at 6:59pm
So Tim Cook announces he's gay and this is what happens next.
Ynona - November 10, 2014 at 6:42pm
Solution: use your work phone for work and your personal phone for your personal stuff. Install apps only on your non-ad hoc networks. Google 'Ad Hoc Network'. Remember that nothing is totally secure regardless of the security implemented; just do your best.
nameila - November 10, 2014 at 6:37pm
These would be more scary if a user didn't have to keep clicking 'Yes, I trust this computer', 'Yes, I will type my PIN in', 'Yes, please install this random Flappy Bird app that I didn't click on', versus built-in vulnerabilities taken advantage of behind the scenes (i.e. Android/Windows/etc.).
Kornmehl - November 10, 2014 at 6:26pm
OMG. They can turn an iPhone into an Android phone.
Bill - November 10, 2014 at 6:05pm
This is huge; why no comments yet?
Henry1 - November 10, 2014 at 6:09pm
Most people probably don't understand this.