iOS Security Flaw Lets Attackers Replace Your Real Apps With Malware
Posted November 10, 2014 at 5:57pm by iClarified
FireEye mobile security researchers have discovered an iOS security flaw that lets attackers replace your real apps with malware.
The vulnerability was discovered in July 2014. FireEye found that when installing an app using enterprise/ad-hock provisioning, it could replace a genuine app if it had the same bundle identifier. The app could display any title it wanted during installation, ie. "New Flappy Bird", but once installed it can replace any app except Apple's default preinstalled ones. This means that it could replace your banking apps or your email app, stealing personal information.
FireEye says they verified this vulnerability on iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta, for both jailbroken and non-jailbroken devices. The attack works through wireless networks and USB and has been named “Masque Attack."
The company says they notified Apple of the vulnerability on July 26th. Since then the WireLurker threat has utilized a limited form of Masque Attacks to attack iOS devices through USB.
Masque Attacks can pose much bigger threats than WireLurker. Masque Attacks can replace authentic apps,such as banking and email apps, using attacker's malware through the Internet. That means the attacker can steal user's banking credentials by replacing an authentic banking app with an malware that has identical UI. Surprisingly, the malware can even access the original app's local data, which wasn't removed when the original app was replaced. These data may contain cached emails, or even login-tokens which the malware can use to log into the user's account directly.
FireEye has come forward with details on the security flaw because "we consider it urgent to let the public know, since there could be existing attacks that haven’t been found by security vendors."
Masque Attack has severe security consequences:
● Attackers could mimic the original app’s login interface to steal the victim’s login credentials. We have confirmed this through multiple email and banking apps, where the malware uses a UI identical to the original app to trick the user into entering real login credentials and upload them to a remote server.
● We also found that data under the original app’s directory, such as local data caches, remained in the malware local directory after the original app was replaced. The malware can steal these sensitive data. We have confirmed this attack with email apps where the malware can steal local caches of important emails and upload them to remote server.
● The MDM interface couldn’t distinguish the malware from the original app, because they used the same bundle identifier. Currently there is no MDM API to get the certificate information for each app. Thus, it is difficult for MDM to detect such attacks.
● As mentioned in our Virus Bulletin 2014 paper “Apple without a shell - iOS under targeted attack”, apps distributed using enterprise provisioning profiles (which we call “EnPublic apps”) aren’t subjected to Apple’s review process. Therefore, the attacker can leverage iOS private APIs for powerful attacks such as background monitoring (CVE-2014-1276) and mimic iCloud’s UI to steal the user’s Apple ID and password.
● The attacker can also use Masque Attacks to bypass the normal app sandbox and then get root privileges by attacking known iOS vulnerabilities, such as the ones used by the Pangu team.
Apple has yet to address the report, please follow iClarified on Twitter, Facebook, or RSS for updates. You can also take a look at a video demo below...
Read More
The vulnerability was discovered in July 2014. FireEye found that when installing an app using enterprise/ad-hock provisioning, it could replace a genuine app if it had the same bundle identifier. The app could display any title it wanted during installation, ie. "New Flappy Bird", but once installed it can replace any app except Apple's default preinstalled ones. This means that it could replace your banking apps or your email app, stealing personal information.
FireEye says they verified this vulnerability on iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta, for both jailbroken and non-jailbroken devices. The attack works through wireless networks and USB and has been named “Masque Attack."
The company says they notified Apple of the vulnerability on July 26th. Since then the WireLurker threat has utilized a limited form of Masque Attacks to attack iOS devices through USB.
Masque Attacks can pose much bigger threats than WireLurker. Masque Attacks can replace authentic apps,such as banking and email apps, using attacker's malware through the Internet. That means the attacker can steal user's banking credentials by replacing an authentic banking app with an malware that has identical UI. Surprisingly, the malware can even access the original app's local data, which wasn't removed when the original app was replaced. These data may contain cached emails, or even login-tokens which the malware can use to log into the user's account directly.
FireEye has come forward with details on the security flaw because "we consider it urgent to let the public know, since there could be existing attacks that haven’t been found by security vendors."
Masque Attack has severe security consequences:
● Attackers could mimic the original app’s login interface to steal the victim’s login credentials. We have confirmed this through multiple email and banking apps, where the malware uses a UI identical to the original app to trick the user into entering real login credentials and upload them to a remote server.
● We also found that data under the original app’s directory, such as local data caches, remained in the malware local directory after the original app was replaced. The malware can steal these sensitive data. We have confirmed this attack with email apps where the malware can steal local caches of important emails and upload them to remote server.
● The MDM interface couldn’t distinguish the malware from the original app, because they used the same bundle identifier. Currently there is no MDM API to get the certificate information for each app. Thus, it is difficult for MDM to detect such attacks.
● As mentioned in our Virus Bulletin 2014 paper “Apple without a shell - iOS under targeted attack”, apps distributed using enterprise provisioning profiles (which we call “EnPublic apps”) aren’t subjected to Apple’s review process. Therefore, the attacker can leverage iOS private APIs for powerful attacks such as background monitoring (CVE-2014-1276) and mimic iCloud’s UI to steal the user’s Apple ID and password.
● The attacker can also use Masque Attacks to bypass the normal app sandbox and then get root privileges by attacking known iOS vulnerabilities, such as the ones used by the Pangu team.
Apple has yet to address the report, please follow iClarified on Twitter, Facebook, or RSS for updates. You can also take a look at a video demo below...
Read More