Following the recent discovery of the widespread WireLurker malware, which allows an infected system to hijack iOS applications and replace their contents to turn them into malicious programs, security researchers at FireEye have revealed that this is part of a long-standing flaw in iOS that likewise allows apps to be replaced with malware.
This vulnerability uses the same enterprise provisioning routines that WireLurker relies on, but WireLurker's approach is only a limited form of a wider problem in iOS: an installed app can be replaced by another one that uses the same app bundle identifier.
What this means is that if you have an app installed through the App Store, this routine can allow a malicious program disguising itself as that app to be swapped in for it and then run without any warnings or errors from iOS. This has potentially severe security impacts; for example, a mobile banking app could be replaced with one that mimics the bank's interface, only to send your credentials to a third party.
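As an added illustration (not code from the original article or from FireEye), the following Python checks an inventory of installed apps for exactly the condition described above: a bundle identifier that belongs to an App Store app, but whose installed copy carries an enterprise (in-house) provisioning profile. The bundle IDs, team identifier and plist contents are constructed samples, and it assumes the XML payload of each embedded.mobileprovision has already been extracted from its CMS envelope (for example by an MDM agent).

```python
import plistlib


def profile_kind(profile):
    """Classify a parsed embedded.mobileprovision by its distribution method."""
    if profile is None:
        return "appstore"        # App Store builds ship without an embedded profile
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"      # in-house distribution: installs on any device
    if profile.get("ProvisionedDevices"):
        return "adhoc"           # ad hoc: limited to an explicit device list
    return "unknown"


def find_masquerades(apps, appstore_bundle_ids):
    """Return (bundle_id, kind, team) for apps that reuse an App Store bundle ID
    but were installed through a non-App-Store provisioning profile."""
    findings = []
    for app in apps:
        info = plistlib.loads(app["info"])                      # Info.plist
        profile = plistlib.loads(app["profile"]) if app["profile"] else None
        kind = profile_kind(profile)
        bundle_id = info["CFBundleIdentifier"]
        if kind != "appstore" and bundle_id in appstore_bundle_ids:
            team = ",".join(profile.get("TeamIdentifier", []))
            findings.append((bundle_id, kind, team))
    return findings


def _plist(d):
    # Serialise a dict to XML plist bytes, standing in for a file read from the bundle.
    return plistlib.dumps(d)


# Constructed sample inventory (not real apps): bundle IDs, profile names and the
# team identifier are placeholders.
APPSTORE_BUNDLE_IDS = {"com.example.bank", "com.example.mail"}
SAMPLE_APPS = [
    {"info": _plist({"CFBundleIdentifier": "com.example.bank"}), "profile": None},
    {"info": _plist({"CFBundleIdentifier": "com.example.bank"}),          # same bundle ID,
     "profile": _plist({"Name": "In-house dist", "ProvisionsAllDevices": True,
                        "TeamIdentifier": ["PLACEHOLDERTEAM"]})},         # enterprise-signed
    {"info": _plist({"CFBundleIdentifier": "com.example.internal-tool"}),  # legitimate
     "profile": _plist({"Name": "Internal tool", "ProvisionsAllDevices": True,
                        "TeamIdentifier": ["PLACEHOLDERTEAM"]})},         # in-house app
]

if __name__ == "__main__":
    for finding in find_masquerades(SAMPLE_APPS, APPSTORE_BUNDLE_IDS):
        print("possible app replacement:", finding)
```

Only the enterprise-signed copy of com.example.bank is reported; the in-house tool with its own bundle ID is not.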
How to protect yourself from masque attacks
While this problem has the potential to be a widespread threat, if you use your iOS devices under standard conditions and only install apps from the App Store, then you are good to go. Staying safe from this and similar threats simply involves following these common guidelines:
- Do not jailbreak your device (or do so only if you know exactly what you are doing and understand the risks).
- Do not tap “install” on any alerts from Web pages that request you install anything on your iOS device.
- Avoid third-party App Stores, and only use Apple’s built-in App Store to install programs on your iOS device.
- Avoid opening any program that shows warnings such as “untrusted app developer,” even if the app looks legitimate.
If you run across any Web page or installed app that shows these behaviors, then close it down, do not install anything, and delete any suspected app from your iOS device. You can always re-download the app to your system from the App Store to get a legitimate version.
Another security measure for enterprise-managed iOS 7 devices is to check the device's profiles for any provisioning profiles. To do this, go to Settings > General > Profiles and check any listed provisioning profiles with your enterprise's IT department to see whether they are authentic. However, this feature is not available in iOS 8, so be extra careful about which apps you install on devices running that version of iOS.