Apple iPhone iOS weakness allows hackers to replace iPhone apps

November 13th, 2014

A new iOS attack that works even on non-jailbroken iPhones allows hackers to replace apps with their own versions.

A weakness in newer versions of iOS lets hackers install apps on iPhones or iPads by sending users an email or text message.

The attack can be used to steal personal information, eavesdrop on communications or potentially track the user’s physical location with the GPS chip in the Apple devices.

Discovered by security researchers at FireEye, who named it “Masque”, the attack takes advantage of enterprise-focused tools similar to those used by WireLurker, a previous iOS bug that let an attacker use a compromised Mac to install software on an iPhone.

Before they can be infected, the user must be tricked into clicking a link in a text or email, and then accepting a prompt to install an app. Typically, an app installed this way requires a security certificate signed by Apple to work on iPhones that have not been modified to install unofficial apps, and so malware cannot get past the gate.

However, Masque uses a vulnerability that lets an iOS app with the same file name replace a real one, regardless of developer. Users might think they are installing the new Flappy Bird, but in reality they are downloading an app that silently replaces their Gmail app with a fake one. Their iPhone does not prevent this happening because it does not realise the Gmail app has been replaced.

FireEye says that Masque is an application of the same principle used in the WireLurker attack, but on a much grander scale. “After looking into WireLurker, we found that it started to utilise a limited form of Masque attacks to attack iOS devices through USB. Masque attacks can pose much bigger threats than WireLurker,” according to the company’s researchers Hui Xue, Tao Wei and Yulong Zhang.

“Masque attacks can replace authentic apps, such as banking and email apps, using attacker’s malware through the internet. That means the attacker can steal a user’s banking credentials by replacing an authentic banking app with malware that has an identical user interface.

“Surprisingly, the malware can even access the original app’s local data, which wasn’t removed when the original app was replaced. These data may contain cached emails, or even login-tokens which the malware can use to log into the user’s account directly.”

Users can avoid infection if they do not install apps from third-party sources other than the official App Store or their own company. Yet the existence of the flaw still poses risks if users can be tricked into accepting the installation anyway.

FireEye notes that there are several mitigating factors: “An attacker would have to obtain an enterprise provisioning profile or steal one, neither of which are trivial. There would also always be a warning to the user, which should look suspicious because it’s not something you would normally see in iOS. As long as you select ‘don’t install’, you will be protected from this vulnerability.”

In the long run, the vulnerability looks more likely to be employed as a “spear phishing” attack: highly focused attacks aimed at stealing the personal data of a specific target. Such attacks have been the basis of many wider hacking successes, such as those carried out by the Syrian Electronic Army.
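
Because the device itself does not notice that an app has been replaced by one from a different developer, a fleet operator can look for that condition from the outside. The sketch below is an added example, not code from FireEye or Apple: it compares two app inventory snapshots of a device and flags any app whose name is unchanged but whose signer differs. It assumes the "file name" in the article corresponds to the identifier an app is installed under (the bundle identifier on iOS); the `App` record, the allowlist and all sample values are constructed for illustration.

```python
from typing import NamedTuple

class App(NamedTuple):
    identifier: str  # name the OS installs the app under (assumed: bundle identifier)
    signer: str      # signing identity reported by the inventory (constructed values)
    source: str      # "app_store" or "enterprise"

# Hypothetical allowlist: the organisation's own enterprise signing identity.
TRUSTED_ENTERPRISE_SIGNERS = {"CORP-TEAM-01"}

def find_replaced_apps(before, after):
    """Flag apps whose identifier is unchanged but whose signer differs."""
    previous = {app.identifier: app for app in before}
    findings = []
    for app in after:
        old = previous.get(app.identifier)
        if old is None or old.signer == app.signer:
            continue  # fresh install or ordinary update by the same developer
        untrusted = (app.source == "enterprise"
                     and app.signer not in TRUSTED_ENTERPRISE_SIGNERS)
        findings.append({
            "identifier": app.identifier,
            "old_signer": old.signer,
            "new_signer": app.signer,
            "severity": "high" if untrusted else "review",
        })
    return findings

# Constructed sample snapshots of one device, taken a day apart.
SNAPSHOT_MON = [
    App("com.example.mail", "MAIL-VENDOR-77", "app_store"),
    App("com.example.game", "GAME-STUDIO-12", "app_store"),
    App("com.example.intranet", "CORP-TEAM-01", "enterprise"),
]
SNAPSHOT_TUE = [
    App("com.example.mail", "UNKNOWN-ENT-93", "enterprise"),  # same name, new signer
    App("com.example.game", "GAME-STUDIO-12", "app_store"),   # normal update
    App("com.example.intranet", "CORP-TEAM-01", "enterprise"),
    App("com.example.newbird", "UNKNOWN-ENT-93", "enterprise"),  # new install
]

if __name__ == "__main__":
    for finding in find_replaced_apps(SNAPSHOT_MON, SNAPSHOT_TUE):
        print(finding)
```

Only the mail app is reported: its name is the same on both days, but it moved from its App Store signer to an enterprise signer that is not on the allowlist.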
