November 11, 2014

iOS Masque Attack: A Worrisome Attack Targeting iOS 7+ Devices

Back in July 2014, FireEye’s mobile security researchers discovered a new form of attack on Apple mobile devices running iOS 7.1.1 and higher (7.1.2, 8.0, 8.1, 8.1.1 beta, both jailbroken and non-jailbroken). The attack was nicknamed “Masque Attack” after its method of attack. Malicious “impostor” apps can be installed using enterprise/ad-hoc provisioning, replacing an app you trust.

The impostor does this by using the same bundle identifier as the official app it replaces. According to FireEye, the problem is that Apple does not enforce matching certificates for apps with the same bundle identifier. All applications can be replaced, excluding the iOS preinstalled apps such as Safari or Newsstand. The impostor app can look identical to the original app, and it will even inherit all of the original app’s user cache files, which might include cached emails, credentials, and other data.
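The certificate check described above can be applied from the defender's side to a device app inventory. The sketch below is an added example, not code from FireEye or Apple. The record fields, the baseline, the signer names and the sample inventory are all constructed assumptions standing in for whatever an MDM or inventory export provides.

```python
# Added example: field names and all sample values are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class App:
    bundle_id: str   # bundle identifier reported by the inventory
    signer: str      # signing team / certificate identity
    source: str      # "app_store", "enterprise" or "ad_hoc"

# Known-good baseline: bundle identifier -> signer of the official app.
BASELINE = {
    "com.example.bank": "TEAM-BANK-0001",
    "com.example.mail": "TEAM-MAIL-0002",
}
# Signers the organization itself uses for in-house apps.
ORG_SIGNERS = {"TEAM-ORG-9999"}

def audit(installed, baseline=BASELINE, org_signers=ORG_SIGNERS):
    """Return (bundle_id, reason) findings for one device inventory."""
    findings = []
    for app in installed:
        expected = baseline.get(app.bundle_id)
        if expected is not None and app.signer != expected:
            # Same bundle identifier, different certificate: the match
            # the article says was not being enforced on install.
            findings.append((app.bundle_id, "signer-mismatch"))
        elif app.source in ("enterprise", "ad_hoc") and app.signer not in org_signers:
            # Enterprise/ad-hoc provisioned app from outside the organization.
            findings.append((app.bundle_id, "untrusted-provisioning"))
    return findings

# Constructed inventory for one device.
SAMPLE = [
    App("com.example.bank", "TEAM-OTHER-1234", "enterprise"),  # impostor
    App("com.example.mail", "TEAM-MAIL-0002", "app_store"),    # official
    App("com.example.hr", "TEAM-ORG-9999", "enterprise"),      # in-house
    App("com.example.game", "TEAM-UNKN-5555", "ad_hoc"),       # unknown sideload
]

if __name__ == "__main__":
    for bundle_id, reason in audit(SAMPLE):
        print(f"{bundle_id}: {reason}")
```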

FireEye warns that this attack can pose “much bigger threats than WireLurker.” Imagine, for example, that your banking app gets replaced by an app with an identical user interface. You would never know the difference and would willingly enter your banking credentials.

You can protect yourself by following these steps:

  • Don’t install apps from third-party sources other than Apple’s official App Store or the user’s own organization
  • Don’t click “Install” on a pop-up from a third-party web page, as shown in Figure 1(c), no matter what the pop-up says about the app. The pop-up can show attractive app titles crafted by the attacker
  • When opening an app, if iOS shows an alert with “Untrusted App Developer”, as shown in Figure 3, click on “Don’t Trust” and uninstall the app immediately


About the author

LIFARS is a digital forensics and cybersecurity intelligence firm based in New York City. LIFARS is ranked as one of the top Digital Forensics and Cyber Investigations companies in 2016 and as one of the top cybersecurity companies in the New York metropolitan area for 2015 on the Cybersecurity 500 – a directory of the hottest and most innovative companies to watch in the cybersecurity industry.
