How to protect yourself from ‘Masque Attacks’ that replace iOS apps with malware

Following the recent discovery of the widespread WireLurker malware, which lets an infected Mac hijack iOS applications on a connected device and replace their contents to turn them into malicious programs, security researchers at FireEye have shown that WireLurker exploits only one corner of a long-standing flaw in iOS that likewise allows installed apps to be replaced with malware.

The flaw lives in the same enterprise provisioning mechanism that WireLurker relies on, but WireLurker uses it in a limited way. The wider problem, which FireEye calls the Masque Attack, is that iOS will let an installed app be replaced by any other app that carries the same bundle identifier, regardless of what name or icon that app presents to the user.

What this means is that an app you installed from the App Store can be swapped out for a malicious program disguised as that app, and the replacement then runs without any warning or error from iOS. The potential impact is severe: a mobile banking app could be replaced with one that mimics the bank's interface and quietly sends your credentials to a third party.

While WireLurker could only reach your iOS device when you attached it to an infected Mac with a USB cable, a Masque Attack can deliver its replacement app from a number of other places, including Web pages and third-party app stores. In FireEye's demonstration, a Web page offered an app called "New Flappy Bird" that, once installed, replaced the genuine Gmail app on an iPhone, because the decoy carried Gmail's bundle identifier.
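The point above is that iOS matches apps by bundle identifier, not by the title a user sees. The following Python script is an added illustration, not code from the original article or from FireEye's research: it parses an over-the-air install manifest of the kind an itms-services:// link points at (the plist format Apple uses for enterprise distribution) and flags any item whose bundle identifier collides with an app already installed from the App Store. The manifest, the installed-app inventory and the bundle identifier attributed to Gmail here are constructed sample values for this example, not data taken from a real device.

```python
import plistlib
from urllib.parse import urlparse, parse_qs

# Constructed sample manifest: the title advertises "New Flappy Bird", but the
# bundle-identifier is the one this example assumes Gmail uses. Only the
# identifier matters to iOS when it decides which installed app to replace.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>items</key>
  <array>
    <dict>
      <key>assets</key>
      <array>
        <dict>
          <key>kind</key><string>software-package</string>
          <key>url</key><string>https://example.invalid/flappy.ipa</string>
        </dict>
      </array>
      <key>metadata</key>
      <dict>
        <key>bundle-identifier</key><string>com.google.Gmail</string>
        <key>bundle-version</key><string>99.0</string>
        <key>kind</key><string>software</string>
        <key>title</key><string>New Flappy Bird</string>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""

# Constructed inventory of App Store apps on the device (bundle identifier ->
# name the user sees). In practice this would come from an MDM inventory.
INSTALLED_APPS = {
    "com.google.Gmail": "Gmail",
    "com.apple.mobilesafari": "Safari",
}


def manifest_url_from_link(link):
    """Return the manifest URL an itms-services:// install link points at, or None.

    A Web page triggers an enterprise install with a link of the form
    itms-services://?action=download-manifest&url=<manifest plist URL>.
    """
    parsed = urlparse(link)
    if parsed.scheme != "itms-services":
        return None
    params = parse_qs(parsed.query)
    if params.get("action") != ["download-manifest"]:
        return None
    urls = params.get("url")
    return urls[0] if urls else None


def find_masque_collisions(manifest_bytes, installed):
    """Return (title, bundle_id, installed_name) for every manifest item whose
    bundle identifier matches an app already installed from the App Store."""
    manifest = plistlib.loads(manifest_bytes)
    hits = []
    for item in manifest.get("items", []):
        meta = item.get("metadata", {})
        bundle_id = meta.get("bundle-identifier")
        title = meta.get("title", "<untitled>")
        if bundle_id in installed:
            hits.append((title, bundle_id, installed[bundle_id]))
    return hits


def check_install_link(link, fetch_manifest, installed):
    """Resolve an install link to its manifest and report bundle-identifier
    collisions. fetch_manifest(url) must return the manifest bytes; pass a
    urllib- or requests-based fetcher in real use (a stub is used in the test)."""
    url = manifest_url_from_link(link)
    if url is None:
        return []
    return find_masque_collisions(fetch_manifest(url), installed)


if __name__ == "__main__":
    link = "itms-services://?action=download-manifest&url=https://example.invalid/m.plist"
    for title, bundle_id, name in check_install_link(link, lambda _url: SAMPLE_MANIFEST, INSTALLED_APPS):
        print(f"'{title}' carries {bundle_id} and would replace the installed app '{name}'")
```

The check is deliberately keyed on the identifier alone: a title or icon comparison would pass the "New Flappy Bird" decoy, which is exactly the gap the attack exploits.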

How to protect yourself from masque attacks

While this problem has the potential to be a widespread threat, if you use your iOS devices under standard conditions and with apps you only install from the App Store, then you are good to go. Staying safe from this and similar threats simply involves following these common guidelines:

  1. Do not jailbreak your device (or do so only if you know exactly what you are doing and understand the risks).
  2. Do not tap "Install" on any prompt from a Web page that asks to install something on your iOS device.
  3. Avoid third-party app stores, and use only Apple's built-in App Store to install programs on your iOS device.
  4. Avoid opening any program that triggers warnings such as "Untrusted App Developer," even if the app looks legitimate.

If you run across a Web page or an installed app that behaves this way, close it, do not install anything, and delete any suspect app from your iOS device. You can always re-download the app from the App Store to get a legitimate copy.

Another check available on enterprise-managed devices running iOS 7 is to review the provisioning profiles on the device. Go to Settings > General > Profiles and confirm with your enterprise's IT department that each listed provisioning profile is authentic. iOS 8 no longer shows provisioning profiles there, so be extra careful about what apps you install on devices running that version.
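For an IT department reviewing profiles pulled from devices, or the embedded.mobileprovision inside an app, the following Python script (an added example, not the article's or Apple's code) extracts the plist that a .mobileprovision file wraps and summarizes the fields that matter for a Masque-style install: which team issued it, whether it is an enterprise profile that provisions all devices, whether its application identifier is a wildcard that could sign an app with any bundle identifier, and whether it has expired. The sample profile below is constructed; the bytes around the plist are filler standing in for the CMS signature, which this script does not verify, so treat its output as inventory rather than proof of origin.

```python
import plistlib
from datetime import datetime

# Constructed stand-in for a .mobileprovision file. A real one is a DER-encoded
# CMS SignedData structure whose signed content is an XML plist; the bytes on
# either side of the plist here are filler, not a real signature.
SAMPLE_PROFILE = (
    b"\x30\x82\x1f\x00\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02filler"
    + b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Name</key><string>Acme Internal Distribution</string>
  <key>TeamName</key><string>Acme Corp</string>
  <key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
  <key>ProvisionsAllDevices</key><true/>
  <key>ExpirationDate</key><date>2015-11-10T00:00:00Z</date>
  <key>UUID</key><string>11111111-2222-3333-4444-555555555555</string>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>ABCDE12345.*</string>
    <key>get-task-allow</key><false/>
  </dict>
</dict>
</plist>"""
    + b"\x00\x00filler-signature-bytes"
)


def extract_profile_plist(blob):
    """Pull the XML plist out of the CMS wrapper by locating its start and end
    markers. This is the same shortcut many inspection tools take; it reads the
    profile but does not validate the signature over it."""
    start = blob.find(b"<?xml")
    if start == -1:
        raise ValueError("no embedded plist found in profile")
    end = blob.find(b"</plist>", start)
    if end == -1:
        raise ValueError("embedded plist is truncated")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def summarize_profile(blob, now_iso):
    """Summarize the fields relevant to app replacement. now_iso is the current
    UTC time as YYYY-MM-DDTHH:MM:SSZ, the same format plists use for dates."""
    profile = extract_profile_plist(blob)
    now = datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ")
    app_id = profile.get("Entitlements", {}).get("application-identifier", "")
    expiry = profile.get("ExpirationDate")  # plistlib returns a naive datetime
    return {
        "name": profile.get("Name"),
        "team": profile.get("TeamName"),
        "team_ids": list(profile.get("TeamIdentifier", [])),
        "uuid": profile.get("UUID"),
        # Enterprise profiles can install on any device; ad hoc profiles list
        # specific device UDIDs instead.
        "enterprise": bool(profile.get("ProvisionsAllDevices", False)),
        "ad_hoc_device_count": len(profile.get("ProvisionedDevices", [])),
        "app_id": app_id,
        # TEAMID.* lets the holder sign an app under any bundle identifier,
        # including one that collides with an App Store app.
        "wildcard_app_id": app_id.endswith(".*"),
        "expired": expiry is not None and expiry < now,
    }


def profile_warnings(summary, trusted_team_ids):
    """Turn a summary into the questions an IT department should answer
    before accepting the profile as authentic."""
    warnings = []
    if not set(summary["team_ids"]) & set(trusted_team_ids):
        warnings.append(f"issued by unrecognized team {summary['team_ids']} ({summary['team']})")
    if summary["enterprise"]:
        warnings.append("enterprise profile: installs on any device without App Store review")
    if summary["wildcard_app_id"]:
        warnings.append(f"wildcard application-identifier {summary['app_id']}: can sign any bundle identifier")
    if summary["expired"]:
        warnings.append("profile has expired")
    return warnings


if __name__ == "__main__":
    summary = summarize_profile(SAMPLE_PROFILE, "2014-11-13T00:00:00Z")
    print(summary["name"], summary["uuid"])
    for warning in profile_warnings(summary, trusted_team_ids=["ABCDE12345"]):
        print(" -", warning)
```

On a Mac with the profile in hand, `security cms -D -i profile.mobileprovision` dumps the same plist after checking the CMS structure, which is the better route when the question is whether the profile is genuine rather than what it contains.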

2 thoughts on "How to protect yourself from 'Masque Attacks' that replace iOS apps with malware"

  1. B. Jefferson Le Blanc

    The second item in your list would seem to be the biggest threat to average users, who are unlikely to jailbreak their iPhones or frequent non-Apple app stores. Just as they do on their computers, people may click "Install" without looking carefully at what they're installing. It appears we now need a security app for iOS almost as much as we need one for the Mac. In some people's books, there is no need for either. But the Mac, and now iOS, are being targeted more frequently for malware these days. This is an ominous trend that sooner or later will rise to the level of a serious problem.

    That said, while FireEye has demonstrated a proof of concept, you didn’t mention any actual exploits in the wild, even though this vulnerability has apparently been around for some time. I guess the solution depends on whether a person prefers to wait for trouble or would rather prevent it ahead of time.

    It also raises the question of what Apple can do to block this vector. A patch to XProtect doesn’t seem to be the answer in this case.

  2. Lawrence

    "if you use your iOS devices under standard conditions and with apps you only install from the App Store, then you are good to go."

    So the real security threat remains the same, the flaw that exists between the ears of the user. Human greed and the prospect of getting something for nothing has compromised many a user.

    When Apple Pay first came out there was a thread on Apple's discussion forums where more than a few iOS users were complaining that they had to use Touch ID to make purchases. It was too inconvenient, they said, and since they didn't have a passcode or Touch ID enabled to unlock their devices this made Apple Pay 'useless' to them. These users walk around with their iOS devices completely open with no protection whatsoever. Security is too inconvenient for them.
