Yesterday, cybersecurity firm FireEye published a blog post detailing its ‘Masque Attack’ exploit against iOS. The exploit dupes users into installing what appears to be a legitimate app update, but in fact replaces the original app and starts stealing user data immediately. FireEye says it first notified Apple Inc. about the threat back in July.
FireEye goes into some detail with an example showing an app update titled “New Flappy Bird”. The step-by-step example shows how the fake app actually replaces the Gmail app on the phone, giving the attacker the ability to upload the user’s email to a remote server. The user interface is identical, so an unsuspecting user will be none the wiser. (See the full demo below.)
How it works
According to the blog post, the exploit works on iOS 7 and iOS 8 devices and takes advantage of the fact that iOS does not enforce matching certificates for apps using the same bundle identifier. Those certificates are, of course, what is used to sign software updates and verify that they come from a valid source. An app’s bundle identifier is easy to find within the app itself and can be reused for the fake app.
The exploit cannot replace native iOS apps such as Safari and Mail, but apps installed via the App Store are open to attack. The blog post goes on to state that “Masque Attacks can replace authentic apps, such as banking and email apps, using attacker’s malware through the Internet. That means the attacker can steal user’s banking credentials by replacing an authentic banking app with malware that has identical UI.”
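The missing check described above, modelled as an added example (this is not FireEye’s or Apple’s code; the bundle identifiers, signer team IDs and the “expected signer” inventory are constructed placeholders). It contrasts the permissive replace-on-bundle-id behaviour with a strict policy that also compares the signing identity, and adds an inventory audit a defender could run against MDM data:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class App:
    bundle_id: str   # easy to read out of any installed app, so not a secret
    signer: str      # identity of the code-signing certificate (constructed IDs)
    source: str      # "appstore" or "enterprise" (provisioning-profile install)


def install_permissive(installed: dict, update: App) -> bool:
    """Behaviour the article describes for iOS 7/8: an app whose bundle
    identifier matches an installed one replaces it, signer not compared."""
    installed[update.bundle_id] = update
    return True


def install_strict(installed: dict, update: App) -> bool:
    """Hardened policy: an existing bundle identifier may only be updated by
    an app signed with the same identity; anything else is rejected."""
    current = installed.get(update.bundle_id)
    if current is not None and current.signer != update.signer:
        return False
    installed[update.bundle_id] = update
    return True


def audit(installed: dict, expected: dict) -> list:
    """Defender-side check over an inventory: report bundle identifiers whose
    signer or install source no longer matches the recorded App Store app."""
    findings = []
    for bundle_id, app in installed.items():
        record = expected.get(bundle_id)
        if record is None:
            continue
        if app.signer != record["signer"] or app.source != record["source"]:
            findings.append(bundle_id)
    return sorted(findings)


# Constructed sample data; team identifiers and bundle id are placeholders.
GENUINE_MAIL = App("com.example.mailapp", "TEAMID-VENDOR", "appstore")
MASQUE_UPDATE = App("com.example.mailapp", "TEAMID-UNKNOWN", "enterprise")
EXPECTED = {"com.example.mailapp": {"signer": "TEAMID-VENDOR", "source": "appstore"}}


def run_scenario():
    weak = {GENUINE_MAIL.bundle_id: GENUINE_MAIL}
    install_permissive(weak, MASQUE_UPDATE)        # silently replaced
    strong = {GENUINE_MAIL.bundle_id: GENUINE_MAIL}
    rejected = not install_strict(strong, MASQUE_UPDATE)
    return audit(weak, EXPECTED), rejected, strong[GENUINE_MAIL.bundle_id].signer
```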
Protect yourself
FireEye suggests that users follow these three steps to protect themselves from Masque Attacks:
- Don’t install apps from third-party sources other than Apple’s official App Store or the user’s own organization
- Don’t click “Install” on a pop-up from a third-party web page, as shown in Figure 1(c), no matter what the pop-up says about the app. The pop-up can show attractive app titles crafted by the attacker
- When opening an app, if iOS shows an alert with “Untrusted App Developer”, as shown in Figure 3, click on “Don’t Trust” and uninstall the app immediately
This is the second attack on iOS users in as many weeks. Just last week, Palo Alto Networks reported on WireLurker, which attacks iOS devices via a USB connection to a Mac.