It appears that iOS has become a favorite among hackers, as yet another piece of malware has been reported this week, right after last week’s WireLurker. Discovered and named Masque Attack by the security research company FireEye, the new malware is said to be more potent than WireLurker because it can install and replace third-party apps on any iDevice.
Here’s how the Masque Attack malware works: an iOS user receives a text message or an email on the iDevice, with the message saying something like “check this out!” together with a phishing link. If the user is careless or accidentally taps the link, it opens a website that prompts the user to install a supposed update to an app already on the device, or a new app to try out. It should be noted that the website redirects to an app hosted outside the official iOS App Store, and the malware hides inside this fake update or new app. Masque Attack does this by using iOS provisioning profiles, which are employed when testing apps in beta or used by companies to deploy apps to their employees without going through the official App Store.
The fake app is able to replace the legitimate app because it was built with the same bundle identifier (a unique identifier for the app) as the original, legitimate app. Once the fake app has replaced the legitimate one, it can do the worst damage, since it inherits all the functions the legitimate app had, such as sending SMS messages, uploading emails, and accessing contacts via call logs, because Apple’s mobile operating system does not enforce certificate matching for apps with the same bundle identifier.
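To make the missing check concrete, here is an added illustration (not FireEye’s or Apple’s code) of what an install-time rule looks like when a replacement is refused unless the incoming bundle was signed by the same team as the bundle already installed under that bundle identifier. The app records are constructed sample data; the `team_id` and `enterprise_profile` fields are assumptions modelled loosely on the TeamIdentifier and ProvisionsAllDevices entries of a provisioning profile, and the record layout itself is invented for this example.

```python
"""
Added example (not FireEye's or Apple's code): an install-time rule that
only lets an incoming bundle replace an installed bundle with the same
bundle identifier when both were signed by the same team. The AppRecord
layout and all sample records below are constructed for this illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AppRecord:
    bundle_id: str            # e.g. "com.example.bank"
    team_id: str              # signing team (assumption: read from the provisioning profile)
    from_app_store: bool      # True if the bundle came through the App Store
    enterprise_profile: bool  # True if the profile provisions all devices (enterprise-style)


def replacement_verdict(installed: Optional[AppRecord], incoming: AppRecord) -> str:
    """Return 'install', 'replace', or 'reject:<reason>'.

    The rule enforced here is the certificate-matching step the article
    says iOS did not perform: same bundle identifier is not enough, the
    signer must match too.
    """
    if installed is None or installed.bundle_id != incoming.bundle_id:
        return "install"                  # nothing to replace; a plain new install
    if installed.team_id != incoming.team_id:
        return "reject:signer-mismatch"   # same bundle id, different signer: the Masque case
    return "replace"                      # genuine update from the original publisher


def audit(installed_apps: List[AppRecord], incoming_apps: List[AppRecord]) -> Dict[str, str]:
    """Apply replacement_verdict to a batch of incoming bundles.
    Returns a mapping of bundle_id -> verdict."""
    by_id = {app.bundle_id: app for app in installed_apps}
    return {
        inc.bundle_id: replacement_verdict(by_id.get(inc.bundle_id), inc)
        for inc in incoming_apps
    }


def flag_enterprise_sideloads(incoming_apps: List[AppRecord]) -> List[str]:
    """List bundle ids that arrive outside the App Store under an enterprise-style
    profile: the delivery path the article describes, and worth reviewing even
    when no installed app is being replaced."""
    return [
        inc.bundle_id for inc in incoming_apps
        if inc.enterprise_profile and not inc.from_app_store
    ]


# Constructed sample data: two App Store apps already on the device ...
INSTALLED = [
    AppRecord("com.example.bank", "TEAMBANK01", True, False),
    AppRecord("com.example.mail", "TEAMMAIL01", True, False),
]
# ... and three incoming bundles: a genuine update, a look-alike with the same
# bundle id but a different signer, and a brand-new enterprise-signed app.
INCOMING = [
    AppRecord("com.example.bank", "TEAMBANK01", True, False),
    AppRecord("com.example.mail", "ENTERPRISE9", False, True),
    AppRecord("com.example.newgame", "ENTERPRISE9", False, True),
]


def run_audit() -> Dict[str, str]:
    return audit(INSTALLED, INCOMING)


if __name__ == "__main__":
    for bundle_id, verdict in run_audit().items():
        print(f"{bundle_id}: {verdict}")
    print("enterprise sideloads:", flag_enterprise_sideloads(INCOMING))
```

Run as a script it prints one verdict per incoming bundle; the look-alike mail app is the only one rejected, because its bundle identifier collides with an installed app while its signer does not match.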
Though Masque Attack cannot supplant stock Apple apps like Mail and Safari, the malware can replace third-party apps installed from the App Store, which poses a greater threat to unsuspecting users.
“Masque Attacks can pose much bigger threats than WireLurker. Masque Attacks can replace authentic apps, such as banking and email apps, using attacker’s malware through the Internet. That means the attacker can steal user’s banking credentials by replacing an authentic banking app with a malware that has identical UI. Surprisingly, the malware can even access the original app’s local data, which wasn’t removed when the original app was replaced. These data may contain cached emails, or even login-tokens which the malware can use to log into the user’s account directly.”
FireEye said that it has informed Apple about the malware, which can affect users on iOS 7.1.1, iOS 7.1.2, iOS 8.0, iOS 8.1 and iOS 8.1.1 beta. Users were also advised not to install any third-party app other than those from the official App Store, and not to click any links they receive in questionable SMS and email messages.