iOS Security Alert: "Masque Attack"

Overview

A new report by security firm FireEye details an particularly powerful and sneaky attack that affects iOS devices (iPhone's and iPad's) running  iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta.  Jailbroken and non-Jailbroken devices are vulnerable due to the method that Apple uses to verify (or not verify) certificates for app publishers.

Although several steps need to be taken on the target device by the victim before this attack can be successful, it is important to be aware of the behavior so you know what to be aware of in the event you are targeted.

This attack can occur from a SMS text message on your device with an attractive call-to-action.  In the following video demonstration this call-to-action takes the form of a fake notification for the new Flappy Bird game (which doesn't exist) which takes the victim to a website that prompts for an installation.  

 Click here to see the FireEye Masque Attack demonstration video (YouTube, 3:05).

When the victim allows the installation to continue the app that is installed isn't Flappy Bird, but rather a fake Gmail app that masquerades as the legitimate app and copies all data to the attackers server.  Using the Gmail app is purely a proof-of-concept example, but any app (including banking or other financial apps) is vulnerable at this point in time.  What's worse is this fake app can even use data of the real app, completely hiding the fact that it has been compromised.

What To Do About It?

Although this attack is quite severe and has huge implications, it isn't terribly easy to accomplish.  An attacker would need to craft a series of pages and convince a victim to install a certificate.  Once that certificate is installed an attacker would need to craft a message specific to that device and convince the victim to agree to more prompts, including proceeding past an "Untrusted App Developer" warning.

FireEye has a series of general security guidelines for iOS devices:

  1. Don’t install apps from third-party sources other than Apple’s official App Store or the user’s own organization
  2. Don’t click “Install” on a pop-up from a third-party web page, as shown in Figure 1(c), no matter what the pop-up says about the app. The pop-up can show attractive app titles crafted by the attacker
  3. When opening an app, if iOS shows an alert with “Untrusted App Developer”, as shown below , click on “Don’t Trust” and uninstall the app immediately

For further information we encourage you to read the FireEye "Masque Attack" advisory.

 

Have more questions? Submit a request

Comments

Please sign in to leave a comment.