
A newly disclosed vulnerability in Apple’s mobile operating system lets attackers trick unsuspecting users into installing malicious iPhone and iPad apps disguised as new versions of popular apps and games such as Gmail and Angry Birds.

Instances of malicious apps with deceptive names such as “New Angry Bird” and “New Flappy Bird” were described Monday in a report by mobile security research firm FireEye, which calls the technique Masque Attack.

The attack begins with a phishing SMS that entices the victim to install an attractively titled app or game. Once installed, the malicious app can send SMS messages, place phone calls, email your contacts and more. It is able to take the place of a legitimate app in the first place because, as FireEye puts it, “iOS doesn’t enforce matching certificates for apps with the same bundle identifier.”

The issue stems from an oversight in the design of iOS: an application installed through enterprise or ad-hoc provisioning can replace a genuine app installed from the App Store as long as both apps use the same bundle identifier. iOS checks only that the identifiers match, not that the replacement was signed by the same developer as the app it overwrites.

Fortunately, the flaw does not allow attackers to replace Apple’s stock apps like Mail or Safari. That’s of little consolation, because any third-party app installed from the App Store can be replaced once a less technical user is tricked into installing the rogue version.

The exploit could have dire consequences.

For example, a Masque Attack could replace your banking and email apps with attacker-controlled malware delivered over the Internet. The attacker could then “steal your banking credentials by replacing an authentic banking app with malware that has identical UI,” FireEye claims.

Worse, the malware can access the original app’s local data, which remains on the device after the replacement and may contain anything from cached emails to login tokens that the malicious app could use to log into your online account directly.
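To make the missing check concrete, here is an added example (not code from this page or from FireEye) that models an iOS-style install policy in Python. It assumes a simplified signer model in which every app carries the identity that signed it and the App Store’s signing identity is represented by a constant; the bundle identifier, app names and cached data are constructed values. The vulnerable policy accepts any app whose bundle identifier matches, which is what the quoted FireEye sentence describes; the hardened policy additionally requires the same signer. Both policies key the app’s data container on the bundle identifier alone, which is why the rogue app inherits the cached mail.

```python
from dataclasses import dataclass

APP_STORE_SIGNER = "APPLE_APP_STORE"   # stand-in for Apple's App Store signing identity (assumption)


@dataclass(frozen=True)
class SignedApp:
    bundle_id: str      # e.g. "com.google.Gmail" (hypothetical value)
    display_name: str   # what the user sees on the home screen
    signer: str         # team/certificate identity that signed the app
    source: str         # "appstore", "enterprise" or "adhoc"


class Device:
    """Minimal model of app installation: an app table plus per-app data containers."""

    def __init__(self, enforce_signer_match: bool):
        self.enforce_signer_match = enforce_signer_match
        self.apps = {}        # bundle_id -> SignedApp
        self.containers = {}  # bundle_id -> dict of app data (keyed on bundle_id only)

    def install(self, app: SignedApp) -> bool:
        existing = self.apps.get(app.bundle_id)
        if existing is not None and self.enforce_signer_match and existing.signer != app.signer:
            # Hardened policy: a same-bundle-ID app from a different signer is refused.
            return False
        # Vulnerable policy (or same signer): replace in place. The data container is
        # looked up by bundle_id, so whatever the previous app stored stays readable.
        self.apps[app.bundle_id] = app
        self.containers.setdefault(app.bundle_id, {})
        return True

    def write(self, bundle_id: str, key: str, value: str) -> None:
        self.containers[bundle_id][key] = value

    def read(self, bundle_id: str) -> dict:
        return dict(self.containers.get(bundle_id, {}))


def simulate(enforce_signer_match: bool) -> dict:
    """Install a genuine mail app, cache a message, then try a rogue same-bundle-ID app."""
    device = Device(enforce_signer_match)
    genuine = SignedApp("com.google.Gmail", "Gmail", APP_STORE_SIGNER, "appstore")
    device.install(genuine)
    # Constructed sample data standing in for the clear-text SQLite mail cache.
    device.write("com.google.Gmail", "inbox_cache", "Your statement is ready")

    # Rogue app: enterprise-signed, attractive name, but Gmail's bundle ID.
    rogue = SignedApp("com.google.Gmail", "New Flappy Bird", "ROGUE_ENTERPRISE_TEAM", "enterprise")
    replaced = device.install(rogue)
    now_installed = device.apps["com.google.Gmail"]
    return {
        "replaced": replaced,
        "installed_name": now_installed.display_name,
        "installed_source": now_installed.source,
        "data_visible_to_installed_app": device.read("com.google.Gmail"),
    }


if __name__ == "__main__":
    for enforce in (False, True):
        print("enforce_signer_match =", enforce, "->", simulate(enforce))
```

The point of the model is that an app’s identity has to be the pair (bundle identifier, signer), not the bundle identifier alone; under the vulnerable policy the rogue app does not break out of a sandbox to read the mail cache, it simply becomes the owner of the same sandbox.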

Seen below: a FireEye-provided example of a genuine Gmail app (Figures A and B) being replaced with a malicious version (Figures D, E and F) because the user chose to install a “New Flappy Bird” update through ad-hoc provisioning (Figure C).

Upon installing the rogue app, FireEye researchers were able to exfiltrate all locally cached emails (stored in clear text in a SQLite3 database) to a remote server.

Masque Attack (image 001)


Here are the five security implications FireEye singled out:

  1. Attackers could mimic the original app’s login interface to steal the victim’s login credentials. We have confirmed this through multiple email and banking apps, where the malware uses a UI identical to the original app to trick the user into entering real login credentials and upload them to a remote server.
  2. We also found that data under the original app’s directory, such as local data caches, remained in the malware local directory after the original app was replaced. The malware can steal these sensitive data. We have confirmed this attack with email apps where the malware can steal local caches of important emails and upload them to a remote server.
  3. The MDM interface couldn’t distinguish the malware from the original app, because they used the same bundle identifier. Currently there is no MDM API to get the certificate information for each app. Thus, it is difficult for MDM to detect such attacks.
  4. As mentioned in our Virus Bulletin 2014 paper “Apple without a shell – iOS under targeted attack”, apps distributed using enterprise provisioning profiles (which we call “EnPublic apps”) aren’t subjected to Apple’s review process. Therefore, the attacker can leverage iOS private APIs for powerful attacks such as background monitoring (CVE-2014-1276) and mimic iCloud’s UI to steal the user’s Apple ID and password.
  5. The attacker can also use Masque Attacks to bypass the normal app sandbox and then get root privileges by attacking known iOS vulnerabilities, such as the ones used by the Pangu team.
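Implication 3 above says an MDM cannot tell the rogue app from the original because both report the same bundle identifier. The inspection can still be done on the package before it is installed. Here is an added Python triage script (not code from this page or from FireEye) that opens an .ipa, reads CFBundleIdentifier from Info.plist, pulls the plist out of embedded.mobileprovision, and reports whether the package is enterprise- or ad-hoc-provisioned and whether its bundle identifier collides with an app already installed from the App Store. The sample IPAs, bundle identifiers, team identifiers and installed-app inventory are constructed inside the script. It extracts the profile plist by locating the XML inside the CMS envelope and does not verify the CMS signature; on a Mac, `security cms -D -i embedded.mobileprovision` decodes a real profile and `codesign -dvvv Some.app` prints the signing authority.

```python
import io
import plistlib
import re
import zipfile

# embedded.mobileprovision is a CMS (PKCS#7) signed blob whose payload is an XML plist.
# Pulling the plist out by its XML markers is a common triage shortcut; it does NOT
# validate the signature, so treat the result as untrusted metadata.
PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)


def read_ipa(ipa_bytes: bytes) -> tuple:
    """Return (Info.plist dict, provisioning-profile dict) for the app inside an .ipa."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        info_path = next(n for n in z.namelist()
                         if n.startswith("Payload/") and n.endswith(".app/Info.plist"))
        app_dir = info_path.rsplit("/", 1)[0]
        info = plistlib.loads(z.read(info_path))
        try:
            raw_profile = z.read(app_dir + "/embedded.mobileprovision")
        except KeyError:          # App Store builds ship without an embedded profile
            return info, {}
    match = PLIST_RE.search(raw_profile)
    return info, (plistlib.loads(match.group(0)) if match else {})


def assess(ipa_bytes: bytes, installed_store_apps: dict) -> dict:
    """Flag provisioning type and bundle-ID collisions against an App Store inventory."""
    info, profile = read_ipa(ipa_bytes)
    bundle_id = info.get("CFBundleIdentifier", "")
    team = (profile.get("TeamIdentifier") or [""])[0]
    findings = []
    if profile.get("ProvisionsAllDevices"):
        findings.append("enterprise (in-house) profile: no App Store review, installs on any device")
    elif profile.get("ProvisionedDevices"):
        findings.append("ad-hoc profile: no App Store review, limited to listed devices")
    if bundle_id in installed_store_apps:
        findings.append(f"bundle ID {bundle_id} collides with installed App Store app "
                        f"'{installed_store_apps[bundle_id]}': would replace it in place")
    app_id = profile.get("Entitlements", {}).get("application-identifier", "")
    if team and app_id not in (f"{team}.{bundle_id}", f"{team}.*"):
        findings.append("application-identifier entitlement does not cover CFBundleIdentifier")
    return {"bundle_id": bundle_id, "display_name": info.get("CFBundleDisplayName", ""),
            "team": team, "findings": findings}


def build_sample_ipa(bundle_id: str, display_name: str, profile: dict) -> bytes:
    """Constructed fixture: a minimal .ipa with an Info.plist and a fake profile envelope."""
    info = {"CFBundleIdentifier": bundle_id, "CFBundleDisplayName": display_name,
            "CFBundleShortVersionString": "2.0"}
    # Junk bytes stand in for the CMS header and signature around the plist payload.
    envelope = b"\x30\x82\x0a\x00fake-cms-header" + plistlib.dumps(profile) + b"fake-cms-signature"
    app_dir = f"Payload/{display_name.replace(' ', '')}.app"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(f"{app_dir}/Info.plist", plistlib.dumps(info))
        z.writestr(f"{app_dir}/embedded.mobileprovision", envelope)
    return buf.getvalue()


# Constructed inventory of App Store apps on the device; bundle IDs are hypothetical.
INSTALLED_STORE_APPS = {"com.google.Gmail": "Gmail", "com.rovio.angrybirds": "Angry Birds"}

# Rogue package: "New Flappy Bird" on the home screen, Gmail's bundle ID, enterprise profile.
ROGUE_IPA = build_sample_ipa("com.google.Gmail", "New Flappy Bird", {
    "Name": "Attacker In-House Profile", "TeamIdentifier": ["ABCDE12345"],
    "ProvisionsAllDevices": True,
    "Entitlements": {"application-identifier": "ABCDE12345.com.google.Gmail",
                     "get-task-allow": False}})

# Benign ad-hoc beta with its own bundle ID, for comparison.
BETA_IPA = build_sample_ipa("com.example.betaapp", "Beta App", {
    "Name": "Example Ad Hoc Profile", "TeamIdentifier": ["FGHIJ67890"],
    "ProvisionedDevices": ["00000000-0000000000000001"],
    "Entitlements": {"application-identifier": "FGHIJ67890.com.example.betaapp"}})

if __name__ == "__main__":
    for ipa in (ROGUE_IPA, BETA_IPA):
        print(assess(ipa, INSTALLED_STORE_APPS))
```

The decisive signal is the second finding on the rogue package: a display name that has nothing to do with the bundle identifier, combined with a non-App-Store profile, is exactly the shape of package the report describes, and it is visible before the user ever taps Install.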

To protect yourself from Masque Attacks, never install or side-load apps from sources other than the App Store, and don’t tap the “Install” button a malicious web page may put up, no matter how attractive the app title looks.

And crucially, if you see an alert warning you of an “Untrusted App Developer” when opening an iPhone or iPad app, as shown below, tap “Don’t Trust” and uninstall the app immediately.

Masque Attack (image 002)

FireEye informed Apple of the vulnerability back in July 2014.

To check whether apps have already been installed on your device through a Masque Attack, review the enterprise provisioning profiles installed on an iOS 7 device (Settings > General > Profiles) and look at their signing identities for anything you don’t recognize.

Here’s Masque Attack in action.

Because iOS 8 devices don’t show provisioning profiles already installed on the devices, the FireEye team suggests “taking extra caution when installing apps.”

Earlier this month, security researchers at Palo Alto Networks discovered new malware, dubbed WireLurker, that had managed to infect more than 400 apps in the Maiyadi App Store, a third-party Mac app store in China, before Apple blocked the identified apps from launching.

Apple generally does not disclose, discuss or confirm security issues until a full investigation is complete and any necessary patches or releases are available, for the sake of “protection of our customers,” according to the Apple Product Security webpage.

[FireEye]

  • Niko

    It’s a scary world out there.

    • Manjot Singh

      it is

    • David Gitman

      Tell me about it /:

  • ‘Ariff

    “And crucially, if you see an alert warning you of “Untrusted App Developer” when opening an iPhone or iPad app, as shown below, never tap on “Don’t Trust” and uninstall the app immediately.”

    So.. we should tap on “Trust” instead?

    • Marvin

      yes it’s safe … haha

    • No, it’s an error, you should tap on Don’t Trust. Thanks for the heads-up, already fixed.

      • Jeffrey

        Hey Christian, I recently installed a WhatsApp beta and MovieBox on my iPhone 6 via pgyer (dot) com. You wouldn’t know if that site is trustworthy would you?

      • Anmol Malhotra

        First of all tell me whats new in Whatsapp 2.11.13? 😀
        Something other than iPhone 6 support?

      • Jeffrey

        I have no idea what version I’m using but another new feature besides iPhone 6/6 Plus support is WiFi calling via WhatsApp itself.

      • Anmol Malhotra

        What? :O VOIP in whatsapp beta? You got to be kidding me.. Whatsapp said it will come in 1st quarter 2015.. So indirectly you are telling iPhone 6 Support will come next year? :O -.- Damn you whatsapp!

      • Jeffrey

        Hahah no probably not but yeah, it’s in there but it doesn’t work yet.

      • Tim

        I have the beta too, version 2.11.14.224 (build 11). I like the wifi calling, new animations, debug menu, file browser and the fact that when you are using upscale tweak the UI actually scales up. Looks very nice

      • Jeffrey

        Yeah. Where did you download it? Online from a Chinese site too or from the official WhatsApp site?

      • Tim

        from that pyger Chinese site, has me a bit worried about this new security flaw. Let me check if I can get an official beta

    • spacewalk1

      I will never tap on Don’t Trust! I guess I will have to tap Trust by force lol

  • Martin

    “And crucially, if you see an alert warning you of “Untrusted App Developer” when opening an iPhone or iPad app, as shown below, never tap on “Don’t Trust” and uninstall the app immediately.”
    Trust or Don’t Trust? I think never click on Trust

  • Warmachine69

    I saw a free version of ios 1password on the internet I wonder what that’s all aboot lol

    • Jailbrkr21

      1password is now free on the app store, to get full features requires an in-app purchase

      • Warmachine69

        This was back when it was like 20$
        It was a free one from this random site. I wonder what they would do with all my passwords lol

      • Jailbrkr21

        you sound like you wouldn’t trust it.

      • Warmachine69

        I trust the legit one but not some random one of a fake site!

      • Jailbrkr21

        you need to be more trustworthy and try it out, I promise to not use your passwords to steal from you.

  • Lagax

    In other words: dumb users could be fooled into installing malware if they’re dumb enough not to realize that they shouldn’t install anything from the web. I think the users being so dumb that they would do this are too scared of breaking their system to do this. This shouldn’t harm anyone seriously…

  • rockdude094

    Soooo iOS isn’t safe? I’m just gonna use my Nokia 3310 from now.

    • Anmol Malhotra

      Good for you!
      And btw you should at least read the whole article before writing dumb comments.

      • rockdude094

        Relax dude, chill. If you don’t like it, don’t read it. Don’t be such a stuck-up lol

  • iPodDroid

    And People claim “iOS is Perfect”… Hahahaha.. LIES

    • iBanks

      Compared to others…. Well, it is Perfect.

      • iPodDroid

        If you compare it to other OS’s it’s still not perfect… I would suggest taking off those fancy Fanboy glasses sir. Nothing in this world is perfect especially a Mobile Operating System.

      • Guest

        Jennifer Lopez booty = Perfect,

      • iBanks

        Jennifer Lopez Booty = Perfect
        Halle Berry’s face = Perfect
        Kim Kardashians sex tape = Far from perfect
        iOS = Perfect
        Some things are actually perfect in this world.

      • iPodDroid

        iBanks = Perfect Fanboy

        My bad! You’re right, some things in this world are “perfect”. SMFH

    • Kyle McNulty – Mclovin341

      Far superior to any OS out there to date.

    • isitjustme

      Still perfect when downloading from Apple’s App Store.

      Can’t say the same for Google Play.

  • DJMannyD

    Hopefully a developer will make a tweak that patches this for us that are jailbroken and can not update to 8.1.1. Thanks for the heads up iDB.

  • singhay559

    Funny how iOS 7 came with the “trust / don’t trust” feature and coincidence that Apple is finding more malware. More ways for Apple to gain users’ trust and pocket more $. Recommending to only use the App Store.

  • The Secret

    And of course the biggest weakness of this method is the ease by which Apple can rescind the Enterprise Provisioning Cert…. So really this is a stupid user problem

  • Jailbrkr21

    This has been known for months, that’s how we got MovieBox (and other stuff) on devices such as iPhone 6 before the jailbreak was available. Why is it a story now?

  • Keith S.

    I think it’s worth adding to the recommendations that jailbreak users should be especially wary of installing apps from untrusted repositories. This is one of those exploits that can hit jailbreakers even worse, and I don’t get the impression you could apply a patch via a Cydia app, either.

    I’m surprised the authors of the original article (which I read on their blog) didn’t mention another telltale sign, which is evident from their screenshots: the maliciously replaced app still shows the blue “recently updated” dot.

    So, if you think you are installing an app like “New Flappy Bird”, and you do NOT see an icon for it, but DO see a blue dot next to A DIFFERENT app that you did not recently update, then that’s probably what got replaced. You should delete that app immediately (without opening it) and re-download from your cloud. Some damage may have already been done, but you can at least limit it from that point onward.

    • Shane

      what if it actually replaces the app it claims to be aka “Flappy Bird” 😉

      • Keith S.

        Then it serves you right for using your bank passwords in Flappy Bird. 🙂

        Obviously, this is not a tip to prevent all occurrences. Just ones where you think you are replacing a benign app with one that carries far greater risk, like your Bank of America app or something like that. Which I *seriously* hope nobody is going to download from some unknown source, but you never know.

      • Shane

        you realize angry/flappy birds was just used as an example :), besides who said the app had only access to its own content.
        also, what if your eg “flappy birds” was installed/replaced and so was your “boa” app (replaced), two what you call “blue dots”, but you don’t notice it then.
        it’s easy to trick people when they are not expecting it 🙂

      • Keith S.

        Yes, I realize that. I was using the same example. Was that not clear?

        Apps are always sandboxed; by definition, they do not have access to other applications’ data. That’s the point of this vulnerability – you masquerade as one app (by title, like Flappy Bird) but use another app’s UID to install over that app (like Gmail). The vulnerability does not allow an app to install as something like Flappy Bird but still access another application’s data.

        I strongly recommend reading the original vulnerability report.

        And yes, it’s quite possible that many apps will have been updated recently. Users that set their apps to automatically update in the background won’t be able to use this tip, unless they have another reason to be suspicious, in which case they can look in App Store to see what has been updated recently. If it’s not listed, the blue dot is bogus. I was giving ONE EXAMPLE of how users may be able to detect a malicious attack. I never said it would always work. If such a detection existed, the vulnerability wouldn’t be as big a deal.

  • Keith S.

    On the bright side, maybe Apple will delay iOS 8.1.1 to include a fix for this, and give would-be jailbreakers a little extra time to get their device. Damn you, AT&T, what’s taking you so long?! 🙂

    • Shane

      or facilitate it to get the fix out. hopefully not…

  • Bugs Bunnay

    time for apple to fix another security hole.

  • Here we go, the iOS platform is becoming more and more attractive to malware authors…who would have guessed that gaining a significant market share would attract the attention of the bad guys…

  • Lourie

    My MovieBox doesn’t work but I didn’t even update my iPad mini to iOS 8.1.1, can someone help me?