By Quinten Plummer
Reiterating a software security firm’s warning to iOS users, the Department of Homeland Security’s U.S. Computer Emergency Readiness Team is asking PC and mobile device users to avoid downloading apps outside of Apple’s App Store.
The Masque Attacks exploit a pipeline into iOS, Apple’s mobile operating system, and are being used to install malware that looks and feels just like the authentic apps a user downloads. Apple left the route open so enterprise organizations could roll out apps en masse, but the software exception makes iOS vulnerable.
“This technique takes advantage of a security weakness that allows an untrusted app — with the same ‘bundle identifier’ as that of a legitimate app — to replace the legitimate app on an affected device, while keeping all of the user’s data,” states US CERT.
Both jailbroken and vanilla versions of iOS are vulnerable to Masque attacks. The exploit can be executed on mobile devices running iOS versions 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta.
iOS’ native apps aren’t vulnerable to being replaced by malicious software. Apple protects its apps with digital certificates, though third-party apps don’t require an authentic bundle identifier.
Malware installed via Masque attacks can mimic the appearance of genuine apps, right down to user-interface elements such as logos and logins.
Once installed, the malicious software can monitor a victim’s activities and even steal their credentials. With access to cached data, the malware can even access bank accounts without waiting for the victim to attempt to log in.
The CERT organization is telling iOS users to avoid installing apps outside of the App Store and to click “Don’t Trust” whenever iOS displays an “Untrusted App Developer” alert.
FireEye warned the public about the Masque attacks on Nov. 10. The security firm says it spoke to Apple about the issue back in July and saw the recently discovered WireLurker malware using the same vulnerability, which prompted the company to raise the issue again.
“We have seen proofs that this issue started to circulate,” said FireEye. “In this situation, we consider it urgent to let the public know, since there could be existing attacks that haven’t been found by security vendors.”
Masque attacks don’t rely on computer connections, as they occur over wireless networks, according to FireEye.
iOS 7 users can check provisioning profiles against those established by their companies, allowing them to scrutinize their registry of apps for malware. iOS 8 users don’t have that ability, which makes it even more important for them to avoid installing apps outside of the App Store.