Masque Attack

Apple tonight broke its silence regarding Masque Attack, a recently discovered vulnerability in iOS. In a statement to iMore, the company says it encourages customers to only download apps from trusted sources and that it’s not currently aware of any users affected by the exploit.

Security research firm FireEye announced its discovery of Masque Attack on Monday. The malware installs itself through a phishing link disguised as a new app or game, and then masquerades as a legitimate app. Once installed, it can access login credentials, credit card info and more.

Here’s Apple’s full statement:

“We designed OS X and iOS with built-in security safeguards to help protect customers and warn them before installing potentially malicious software,” an Apple spokesperson told iMore. “We’re not aware of any customers that have actually been affected by this attack. We encourage customers to only download from trusted sources like the App Store and to pay attention to any warnings as they download apps. Enterprise users installing custom apps should install apps from their company’s secure website.”

Apple’s comment comes just a few hours after the United States government issued a warning to iOS users regarding Masque Attack. Earlier today, the National Cybersecurity and Communications Integration Center issued a bulletin describing the vulnerability and how it can be avoided.

Thanks to its oft-criticized “walled garden” approach to application installs, iOS has earned a reputation for being fairly secure. Masque Attack, however, takes advantage of a provisioning flaw in the operating system, which we are expecting to be patched in the upcoming iOS 8.1.1 release.

[iMore]

  • Jeep204

    Classic Apple. Just deny any exploits or faults in iOS

    • Keir Dicus

      Apple didn’t deny anything. They simply told users how to avoid the attacks.

      • Shane

        they just release a countable number as early as possible like “0” known infected (similar to 9 bended iphones) and without further statements, the number sticks to the story, people can only refer to that statement 😉

      • Pretty much, it’s the classic “sweep it under the rug” tactic…

    • Ian Leon

      The formula to obtain the actual number of affected users:
      (what Apple says +3000)*10^infinity

      • Tyler Smith

        First off… No..

      • Cody

        Yeah. Keep defending Apple.

      • Tyler Smith

        I will. Because I’m sorry this only affects people who think they know what they are doing but don’t. So it’s really probably like 10 people who are like you.

      • “Because I’m sorry this only affects people who think they know what they are doing but don’t”

        Hahaha, that pretty much sums up EVERY user who got their PC infected…you’re really underestimating there.

      • Tyler Smith

        I don’t know if you are agreeing or…

    • Jason Baroni

      Classic hater, always finding a way to blame Apple for something that really didn’t happen.

  • Guest

    Classic Apple. Just denying any faults or exploits in iOS

  • Bia

    There is clearly a prompt when you are installing an app that is not from the appstore. “Trust” or “Do not Trust”. You make the decision

    • Maxim∑

      same thing on Android, yet it doesn’t make the news.

      • Come on, don’t tell me you’ve already forgotten about this (http://bit ly/1pXXniF), this (http://bit ly/1sLOOlm), this (http://bit ly/1sLPuaw), and this (http://bit ly/1sLPeIJ), have you? iOS just took the spotlight this time…

      • FCBKris

        Look how ugly the user interface is. How can you defend something like that?!

      • Android can be what you want to make it like cydia can do for our iOS devices

      • Tyler Smith

        Right Cydia is just safer

      • Smh

        Why are you talking like iOS isn’t ugly as FK. Lol.

      • George

        You haven’t seen lollipop, oh and there are now multiple user accounts on android devices, makes the iPad look like an even bigger joke.

      • Tim

        Lollipop is neat and clean, elegant too. But I don’t think multiple users on a personal fone is practical. iOS has password protected guided access for the few times someone wants to use my fone.

      • George

        On a phone no but on a tablet yes. It’s a shame that an iPad doesn’t offer this. It’s just a blown up iPhone with nothing new.

      • jp2002

        With due respects to all, lollipop just shits circles everywhere. Circular animations is all that i see.

      • JasonL1C4

        Ugly you say? …
        I beg to differ

      • Maxim∑

        um that’s cyanogenmod which you can’t install on all phones

      • s0me

        Android has antivirus software with realtime protection like AVG, AVAST and BITDEFENDER.

      • Tyler Smith

        How is that an argument? lol you are saying “hey we know we have shit ton of malware but we can at least find it” which begs the question… Why do you need it at all..

      • s0me

        Android is a more popular platform than iOS. There are more android devices than ios because of the wide price range they have. As a software platform evolves and gets more popular, it becomes prone to malware. Then the security companies come in with their antivirus software.

      • Tyler Smith

        While I agree with you as an OS becomes more popular it gets some sort of security breaches. iOS is the more popular. Especially in industry where it holds 65% of the phone market and 85% of the tablet market.

      • Cesar D

        Yes but I prefer quality over laggy shit. In other words I’d rather pay 400 dollars for a quality tablet than pay 200 for crap that will make my life impossible. It is hard to live with lag and malware.

      • s0me

        I can show you footage of my s4 that runs very smooth and without lag and random reboots compared to my ios 8 devices. Can’t lie, I know ppl with laggy S4s but they are mostly tech illiterates. They are the type of ppl that have lots of browser toolbars installed in windows.
        Most people don’t want to pay a lot of money or simply don’t care about a flagship phone like me and you.

    • Alexander Gennadievich

      True story

    • 3 or more prompts from Windows (web browser, Windows Defender, and User Account control) wasn’t enough to stop users from getting their PCs infected, I highly doubt 1 from iOS will work…

      • Chris

        Couldn’t agree more, users without knowledge of which buttons do what will always be at risk, it’s a sad reality we live in because of how involved technology is in our day-to-day lives.

      • True but you don’t have to put your password in with any of these prompts right? On iOS and OS X you always have to put your password in before installing anything. I’m not saying this in any way, shape or form that this improves security (it doesn’t it’s all about authentication – are you authorised to install the app?) but it could slow things down enough for the user to cancel out of whatever it is that they were doing but shouldn’t. Being realistic though as controlling as it is the AppStore basically prevents against the majority of malware and virus threats iOS receives. Assuming most users stick to this (and I’m pretty sure most do). However on the other hand since it’s difficult or impossible to install emulators and other apps that Apple doesn’t approve of this could likely help to increase malware and viruses. Apple isn’t doing anyone any favours in this regard.

      • You do have to put your password in for User Account Control (but you have the option to disable it if you don’t need such security), so, try a different excuse…

  • They aren’t aware of any affected users? How the f*ck do they know when a user’s device is infected? Or is the illiterate user, who refused to think b4 the click/tap, meant to magically see that some app has been infected?

    • I think this is exactly what they’re supposed to do…

      As I said earlier in another comment though I don’t think many people are affected by this and the fix should be really simple.

  • xSeriouSx

    Plot twist: Masque Attacks are the NSA making use of its iOS backdoors…

    • SoylentGreen

      Its requirements for backdoors have been consigned to the old jokes section, reason is that since ios8 law enforcement have 5 spots in Apple’s own truststore aka ‘front door keys’
      Ps. Interestingly enough though the authorities cannot subpoena a password, they can however force you to provide a fingerprint scan.

  • Guest

    Just a matter of time to find the enterprise account used by these attackers and disable their certificates. Apple needs to make enterprise program enrolment more stringent with a good number of checks to avoid this in the future.