A new vulnerability called “Masque Attack” is affecting iOS devices, according to security firm FireEye. Masque Attack allows malicious parties to install duplicate versions of third-party apps on your iPhone or iPad, replacing your original app with theirs, which can then access and monitor your data.
Masque Attack lures users into installing an app from outside the iOS App Store by clicking a phishing link in a text message or email. For example, in a demo video, an SMS message containing a link was sent with the following text: “Hey, check this out, the New Flappy Bird.” But instead of a game, the malicious app installs itself over a currently installed app.
The National Cybersecurity and Communications Integration Center and the U.S. Computer Emergency Readiness Teams have warned that the phishing scam is worth worrying about, issuing a bulletin on the matter suggesting that an app installed this way may:
- Mimic the original app’s login interface to steal the victim’s login credentials.
- Access sensitive data from local data caches.
- Perform background monitoring of the user’s device.
- Gain root privileges to the iOS device.
- Be indistinguishable from a genuine app.
Obviously, this is not the kind of warning to be taken with a pinch of salt, and while Apple has long since prided itself on being a safe haven from dodgy activity, the modern mobile world is structured in such a way that nobody is safe. The Cupertino company used to make the claim that Macs were immune to PC viruses on its Web page, but with emphasis on the “used to”, this statement was abruptly removed after Flashback and subsequent non-niceties came to town.
FireEye has released some valuable information because they believe it’s “urgent to let the public know,” so mitigating measures can be taken to “help iOS users better protect themselves.”
iPhone users running iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta are all vulnerable—as are both jailbroken and non-jailbroken devices. To avoid being affected, the security company recommends that vulnerable users avoid installing any apps from third-party sources other than the official App Store, and not trust apps with an “Untrusted App Developer” label.
iOS 7 users can check if they’re already affected—but worryingly, the functionality has been removed in iOS 8. Here are their instructions:
To check whether there are apps already installed through Masque Attacks, iOS 7 users can check the enterprise provisioning profiles installed on their iOS devices, which indicate the signing identities of possible malware delivered by Masque Attacks, by checking “Settings > General > Profiles” for “PROVISIONING PROFILES.” iOS 7 users can report suspicious provisioning profiles to their security department. Deleting a provisioning profile will prevent enterprise signed apps which rely on that specific profile from running.
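For a security department that receives such reports, the following added example (not from FireEye or the original article) shows one way to triage collected provisioning profile files: it reads the plist embedded in each profile and flags enterprise profiles whose team is not on an allow-list. It assumes the profiles are available as `.mobileprovision` files; the function names, the allow-listed team ID and the sample profiles are hypothetical and constructed for the demonstration.

```python
import plistlib

ALLOWED_TEAM_IDS = {"ABCDE12345"}  # hypothetical: your organisation's own team ID(s)

def parse_profile(blob: bytes) -> dict:
    """Return the plist embedded in a .mobileprovision file.

    The file is a CMS (PKCS#7) signed container wrapping an XML plist.
    The signature is NOT verified here; this reads the claimed identity only.
    """
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", max(start, 0))
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def triage(blob: bytes, allowed=ALLOWED_TEAM_IDS) -> dict:
    """Summarise a profile and flag enterprise profiles from unknown teams."""
    p = parse_profile(blob)
    team_ids = set(p.get("TeamIdentifier", []))
    # Enterprise (in-house) profiles carry ProvisionsAllDevices = true;
    # development/ad hoc profiles list specific devices instead.
    enterprise = bool(p.get("ProvisionsAllDevices", False))
    return {
        "name": p.get("Name", "?"),
        "team": p.get("TeamName", "?"),
        "team_ids": sorted(team_ids),
        "enterprise": enterprise,
        "suspicious": enterprise and not (team_ids & set(allowed)),
    }

def sample_profile(team: str, team_id: str, enterprise: bool) -> bytes:
    """Build a constructed stand-in for a profile file (fake CMS wrapper)."""
    body = {"Name": team + " Distribution", "TeamName": team,
            "TeamIdentifier": [team_id]}
    if enterprise:
        body["ProvisionsAllDevices"] = True
    else:
        body["ProvisionedDevices"] = ["0" * 40]
    return b"\x30\x82\x0f\xa0" + plistlib.dumps(body) + b"\x00SIG\xff"

if __name__ == "__main__":
    for blob in (sample_profile("Example Corp", "ABCDE12345", True),
                 sample_profile("Unknown Ltd", "ZZZZZ99999", True),
                 sample_profile("Dev Person", "QQQQQ11111", False)):
        print(triage(blob))
```

A profile flagged as suspicious is a candidate for the manual review and deletion step described above, not proof of compromise.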
It’s alarming that Masque Attacks were apparently first flagged up with Apple in July and yet still remain an issue—but at least we’re now finding out how to mitigate the issue. In short: Stay vigilant, don’t install any third-party apps, and don’t play Flappy Bird. Ever.