
The United States government issued a warning for iPhone and iPad users today regarding the recently discovered ‘Masque Attack’ vulnerability, reports Reuters. The security flaw, news of which began circulating the web earlier this week, allows malicious third-party apps to be installed on a device using enterprise provisioning profiles.

Today’s bulletin was issued by the National Cybersecurity and Communications Integration Center, and it warns users of how Masque Attack can spread and what it’s capable of doing. The malware installs itself through a phishing link disguised as a new app or game, and then it can masquerade as a well-known app like Gmail.

Once installed, the app can mimic nearly any iOS app well enough to steal login credentials and credit card information. It can also access private data via local data caches, perform background monitoring of the host device, and worst of all, it can gain root access privileges to its host device, meaning there’s very little it can’t do.

The NCCIC says users can protect themselves by avoiding apps outside of the App Store. They should take particular care not to tap ‘Install’ in popup boxes on third-party websites, and not to open any links sent via iMessage from an unknown contact. Also, users should always select “Don’t Trust” when iOS displays the “Untrusted App Developer” alert.

The team that discovered Masque Attack, FireEye, says it has notified Apple about the vulnerability, but it has yet to hear back, and the company hasn’t made a public statement regarding the issue. The exploit affects a wide range of devices, including those running iOS 7.1.1, 7.1.2, 8.0 and 8.1, and it has not been patched in the latest 8.1.1 beta.

[Reuters]

  • Shawn

    So business as usual?

    • Bugs Bunnay

      basically.

  • Fanboy 

    Where is Ryan Petrich with his usual ahead-of-the-curve patch on Cydia

    • We don’t need a patch. Don’t install unknown configuration profiles and say no to installing any apps from unknown developers, and if you must install apps distributed by a third party, verify their legitimacy and complete the download via HTTPS if possible…

      • Sleetui

        I go on some sites on my iPhone (jailbroken) and sometimes a notification pops up saying that the installation of a certificate failed even though I never was notified of this. And I’m pretty sure you need your password to allow a certificate right?

      • Correct so these notifications / popups / messages are probably something else…

      • Sleetui

        I seriously wonder what it’s trying to install anyways.

      • TLDR: Think b4 you click/tap…that’s asking too much from humanity.

  • have_gun_will_travel

    What am I missing here???

    They say you can avoid this problem by “avoiding apps outside of the App Store.” So, what you’re saying is this only affects JAILBROKEN iPhones.

    They also state, “The team that discovered Masque Attack, FireEye, says it has notified Apple about the vulnerability, but it has yet to hear back from them and the company hasn’t made a public statement regarding the issue.”

    Why do they think Apple is going to respond to a problem that only occurs on a jailbroken device??

    Please, tell me what I’m missing here.

    • motti

      It’s for all devices even non jailbroken. It gets root access using the known Pangu jailbreak exploit.

    • Kieran.Lillis

      You can still download apps outside the App Store without a jailbreak.

      • have_gun_will_travel

        Please explain… other than enterprise sources.
        Thanks.

      • Chris

        Root CA certificates allow developers to sign and distribute apps via TestFlight, I’m not sure if you can manually pass through IPA files anymore but in the past you simply just needed a valid developer account and you could send a link around to install an app.

      • have_gun_will_travel

        That I knew, and that I understand. My point is that you would KNOW where what you were installing came from. If you don’t know where it came from, just don’t install it.

      • Chris

        You surely would know where the app came from using TestFlight, as there’s a lot of information describing the app which you can cross-reference with the App Store, but you can’t see the bundle identifier, so there’s still a chance a rogue app can slip through the cracks.

        At the end of the day common sense should prevail in these situations; sadly it doesn’t, because there are no tips explaining why you should only download from the App Store.

    • It can affect non-jailbroken devices too. The App Store is not the only official way of installing apps; Apple has an Enterprise App Distribution thingy. This way an Enterprise/Company gets a certificate from Apple, then signs and distributes their apps without the App Store. You tap a link in a website, iOS asks Install “Bla Bla” App? You tap install and it’s installed.

    • Andrew

      It is quite possible to install apps from outside the App Store on non-jailbroken devices. A few examples are Movie Box, FeaturePoints, GBA4iOS, FreeAppLife, and loads more. Basically, if you are going to download externally-downloadable apps, just know that the website/service is trustworthy, and you’ll be fine.

  • Guest

    But you need to install the provisioning profile of someone you do not know or trust on your iPhone. And you’re not stupid enough to do that. Or is it?

    • Sadly, that’s how people have been since computers were made. They refuse to think b4 they click, they ignore the warnings from their web browser, they ignore the warnings from built-in system security, then they wonder how they got infected…the threat is now making its way to iOS as it has gained attractive market share.

  • Antonio Fonseca

    Don’t download or trust provisioning profiles issued by third parties. For the “mask attack” to be successful, you first need to install a provisioning profile from the bad guys. And, if you did it my friend, a fake app is your minor problem. Because, you’ve already conceded admin rights to your iPhone to someone you don’t know.

    Do not believe everything you read on the Internet. Yes, there seems to be a bug that allows you to install apps faking the bundle name.

    But you need to install the provisioning profile of someone you do not know or trust on your iPhone. And you’re not stupid enough to do that. Or is it?

  • Jonathan

    “gain root access privileges to its host device”

    Sounds just like jailbreaking.
    Exploit, anyone?

    • I don’t think that’s right. Why would we need Pangu on Windows / OS X if it were possible to jailbreak on the device itself…

      • Andrew

        I’m like 95% sure it’s been done before. It just hasn’t been possible in recent years. I believe there was one for iOS 4 (or thereabouts) that just used iOS’s Safari, but I could be wrong.

      • Jonathan

        Sounds like an undiscovered exploit, maybe?

  • Eli Montoya

    I don’t see how this is such a big issue when androids have had this problem for years. Just stay away from apps coming from sketchy sites.

    • Andrew

      It’s such a big problem because most iPhone users have the belief (and quite justifiably until recently) that their phone couldn’t even get viruses. Plus, iOS is known for being pretty secure, especially when compared to Android.

  • n0ahcruz3

    This is absurd! Another scamsung propaganda! iOS is the most advanced and most secure OS in the world! It’s magical and revolutionary. Lies i tell u lies! 😉

  • Rowan09

    The government really?

  • Now why would the government care in the first place? There’s definitely something precious in iDevices for them…wonder if it’s a backdoor.

  • Ghost

    I think this is Apple’s attempt to stop us from using the jailbreak to install apps that the AppStore won’t approve. They know there are some good apps out there but just because they don’t meet their requirements people jailbreak their phone or iPad to use them.

    That is my opinion whether you agree or not I’m sticking by it lol!!!!