The majority of non-jailbroken iOS devices are vulnerable to an attack method that could replace genuine apps with malware through a bit of application-naming skullduggery. Dubbed a "Masque Attack" by the FireEye researchers who discovered this technique this summer, the attack was described publicly for the first time in a report today.
FireEye had previously held details about the attack methods close to the vest to give Apple time to handle a disclosure made to Cupertino at the end of July. But after examining the WireLurker malware that hit headlines last week, researchers with FireEye found it was using Masque methods and felt it necessary to shed light on a vulnerability that it says affects 95% of iOS devices.
"We consider it urgent to let the public know, since there could be existing attacks that haven't been found by security vendors," they wrote in the report.
Masque works by luring users into installing an app under a deceptive name that carries the same bundle identifier as a legitimate app; once installed, it replaces that legitimate app. This method has a number of attack implications. First of all, attackers could mimic the original app's login interface to steal credentials and upload them remotely. Secondly, the data under the original app's directory remains in the malware's local directory after the switch, allowing for further data theft. Additionally, an attacker can use the Masque Attack to bypass the app sandbox and get root privileges by attacking known iOS vulnerabilities.
According to FireEye, Masque is particularly dangerous for enterprises for a number of reasons. First of all, apps distributed using enterprise provisioning profiles aren't subject to Apple's review process.
"Therefore, the attacker can leverage iOS private APIs for powerful attacks such as background monitoring and mimic iCloud's UI to steal the user's Apple ID and password," the researchers wrote.
Additionally, Masque is very difficult for enterprises to detect because MDM software can't distinguish the malicious app from the legitimate one when both use the same bundle identifier.
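One way an enterprise app-vetting step could surface such a collision before an app is distributed, as an added example that is not drawn from the article or from FireEye: it reads the bundle identifier from Info.plist, reads the signing team from the application-identifier entitlement carried in the provisioning profile, and compares that team against a reference table of known publishers, since the bundle identifier alone is exactly the signal the attack forges. The reference table, the Team IDs, the bundle identifiers and the sample app are all constructed for the example.

```python
import plistlib

# Constructed reference table (not from the article): App Store bundle
# identifiers and the Team ID that legitimately signs each; the Team IDs are
# placeholders, not real Apple Team IDs.
KNOWN_PUBLISHERS = {"com.example.mail": "TEAMMAIL01", "com.example.bank": "TEAMBANK01"}

def parse_app_metadata(info_plist: bytes, entitlements_plist: bytes) -> dict:
    """Extract what a Masque check needs from an app's Info.plist and from the
    entitlements carried in its provisioning profile."""
    info = plistlib.loads(info_plist)
    ent = plistlib.loads(entitlements_plist)
    # application-identifier is "TEAMID.bundle.id"; the prefix names the signing
    # team, which a colliding bundle identifier alone never reveals.
    team_id, _, ent_bundle_id = ent["application-identifier"].partition(".")
    return {
        "bundle_id": info["CFBundleIdentifier"],
        "display_name": info.get("CFBundleDisplayName", ""),
        "team_id": team_id,
        "entitlement_bundle_id": ent_bundle_id,
    }

def masque_findings(meta: dict) -> list:
    """Return findings for one app; an empty list means no collision found."""
    findings = []
    expected = KNOWN_PUBLISHERS.get(meta["bundle_id"])
    if expected and meta["team_id"] != expected:
        findings.append(
            f"'{meta['display_name']}' carries bundle id {meta['bundle_id']} but is "
            f"signed by team {meta['team_id']}, not {expected}: installing it would "
            "replace the genuine app")
    # Wildcard enterprise profiles carry "*" in place of the bundle id.
    if meta["entitlement_bundle_id"] not in ("*", meta["bundle_id"]):
        findings.append("Info.plist bundle id disagrees with the provisioning profile")
    return findings

def check_sample(lure: bool) -> list:
    """Build a constructed app and run the check; lure=True models the Masque
    case: a game's display name, the mail app's bundle id, an outside signer."""
    info = plistlib.dumps({
        "CFBundleIdentifier": "com.example.mail",
        "CFBundleDisplayName": "New Flappy Bird" if lure else "Mail",
    })
    team = "ATTACKER99" if lure else KNOWN_PUBLISHERS["com.example.mail"]
    ent = plistlib.dumps({"application-identifier": f"{team}.com.example.mail"})
    return masque_findings(parse_app_metadata(info, ent))
```

On a real IPA the two plists come from Payload/*.app/Info.plist and from the plist embedded in embedded.mobileprovision; the check only adds value if the reference table is maintained from a trusted source.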
"This means that attackers can use spear phishing via email or text message to conduct targeted attacks very effectively against enterprise users," Tao Wei, senior research scientist at FireEye, told Dark Reading. "Because MDM software cannot detect this attack, and until Apple releases a fix for this vulnerability, organizations must educate their employees on the threat spear phishing now poses to their non-jailbroken iOS devices."
Because an attacker can run arbitrary code on the iOS device, malware using the Masque Attack can serve as a stepping stone into the corporate network, Wei warns. "For example, the attacker can potentially harvest email and SMS, which may have two-step login tokens, to get further access to more privileged contents."
FireEye recommends that organizations warn users to protect themselves in three ways. One, users shouldn't install apps from third-party sources other than Apple's official store or an enterprise app store. Two, users shouldn't click on install buttons on a pop-up from third-party web pages. Three, if iOS shows an alert with an "Untrusted App Developer" warning, users should click "Don't Trust" and uninstall the app immediately.