November 11, 2014

iOS Masque Attack: A Worrisome Attack Targeting iOS 7+ Devices

Back in July 2014, FireEye’s mobile security researchers discovered a new form of attack on Apple mobile devices running iOS 7.1.1 and higher (7.1.2, 8.0, 8.1, 8.1.1 beta, both jailbroken and non-jailbroken). The attack was nicknamed “Masque Attack” after its method of attack. A malicious “impostor” app can be installed through enterprise/ad-hoc provisioning and replace an app you trust.

The replacement works when the impostor uses the same bundle identifier as the official app it is replacing. According to FireEye, the problem is that Apple does not enforce matching certificates for apps with the same bundle identifier. All applications can be replaced, excluding the iOS preinstalled apps such as Safari or Newsstand. The impostor app can look identical to the original app, and it will even inherit all of the original’s user cache files, which might include cached emails, credentials, and other data.

FireEye warns that this attack can pose “much bigger threats than WireLurker.” Imagine, for example, that your banking app gets replaced by an app with an identical user interface. You would never know the difference and would willingly enter your banking credentials.

To see a live demonstration, watch the video below:

You can protect yourself by following these steps:

  • Don’t install apps from third-party sources other than Apple’s official App Store or the user’s own organization
  • Don’t click “Install” on a pop-up from a third-party web page, as shown in Figure 1(c), no matter what the pop-up says about the app. The pop-up can show attractive app titles crafted by the attacker
  • When opening an app, if iOS shows an alert with “Untrusted App Developer”, as shown in Figure 3, click on “Don’t Trust” and uninstall the app immediately
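An organization that manages its devices can also look for the condition described above, a trusted bundle identifier carrying a different signer, in its app inventory. The following is an added example, not code from FireEye or from this article; the field names (`team_id`, `source`), the baseline, and every record are constructed for illustration.

```python
"""Added example: flag installed apps that reuse a trusted bundle identifier
but do not match the signer or install source recorded for that app."""

# Baseline of verified apps: bundle identifier -> (signer team ID, source).
# Hypothetical values; build this from apps you have verified yourself.
BASELINE = {
    "com.example.bank": ("TEAMBANK01", "app_store"),
    "com.example.mail": ("TEAMMAIL01", "app_store"),
}

# Constructed inventory rows, as a device-management export might provide.
INVENTORY = [
    {"device": "ipad-01", "bundle_id": "com.example.bank",
     "team_id": "TEAMBANK01", "source": "app_store"},
    {"device": "iphone-07", "bundle_id": "com.example.mail",
     "team_id": "TEAMEVIL99", "source": "enterprise"},
    {"device": "iphone-07", "bundle_id": "com.example.game",
     "team_id": "TEAMGAME01", "source": "app_store"},
    {"device": "iphone-12", "bundle_id": "com.example.bank",
     "team_id": None, "source": "ad_hoc"},
]


def find_masque_candidates(inventory, baseline):
    """Return (device, bundle_id, reasons) for apps that claim a trusted
    bundle identifier without matching the baseline entry for it."""
    findings = []
    for app in inventory:
        expected = baseline.get(app["bundle_id"])
        if expected is None:
            continue  # untracked app: a replacement needs a matching ID
        exp_team, exp_source = expected
        reasons = []
        team = app.get("team_id")
        if team is None:
            reasons.append("signer unknown")  # missing data is not a pass
        elif team != exp_team:
            reasons.append(f"signer {team} != expected {exp_team}")
        if app.get("source") != exp_source:
            reasons.append(
                f"installed via {app.get('source')}, expected {exp_source}")
        if reasons:
            findings.append((app["device"], app["bundle_id"], reasons))
    return findings


if __name__ == "__main__":
    for dev, bid, why in find_masque_candidates(INVENTORY, BASELINE):
        print(f"{dev}: {bid}: {'; '.join(why)}")
```

Because the bundle identifier alone does not prove who signed an app, the check treats a missing signer as a finding rather than as a match.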


About the author


LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high-profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
