Apple fails to patch 'Masque' flaw now in hands of cyber-criminals

News by Tim Ring

A flaw that affects nearly all Apple iOS devices - and which Apple has failed to patch despite knowing about it since July - is now being circulated among cyber-criminals and may have already led to attacks.

The ‘Masque’ flaw was spotted by research firm FireEye more than three months ago and reported to Apple on 26 July.

But this Monday FireEye went public on the flaw because “we have seen proof that this issue started to circulate and we consider it urgent to let the public know, since there could be existing attacks that haven't been found by security vendors.”

FireEye also said that the ‘WireLurker’ malware - revealed last week by Palo Alto Networks and said to have infected up to 350,000 Apple Mac and iOS devices - has “started to utilise a limited form of Masque attacks to attack iOS devices through USB”. The firm added: “Masque attacks can pose much bigger threats than WireLurker.”

The Masque vulnerability lets attackers steal banking and other personal information from iOS users who download apps from third-party stores.

It exploits the failure of iOS to check the legitimacy of a malicious app that carries the same ‘bundle identifier’ as a genuine app already installed on the user's device.

This means criminals can lure users to download attractive-sounding apps like ‘New Flappy Bird’ which, when installed, replace their banking or other apps and start stealing their money or credentials.
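To make the mechanism concrete, here is a small constructed model (added for this article; it is not iOS code, FireEye's code, or Apple's fix) of an install routine that keys apps on bundle identifier alone, beside a hardened variant that also requires the replacement to be signed by the same team as the app it replaces. App names, bundle identifiers and team IDs are invented.

```python
"""Simplified model of the Masque bundle-identifier flaw (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class App:
    bundle_id: str                      # e.g. com.example.bank
    team_id: str                        # code-signing team that signed the binary
    name: str
    data: dict = field(default_factory=dict)   # the app's private data container


class Device:
    def __init__(self) -> None:
        self.apps: dict[str, App] = {}

    def install_vulnerable(self, new: App) -> App:
        """Behaviour the article describes: any app carrying the same bundle
        identifier replaces the existing one and inherits its data container."""
        old = self.apps.get(new.bundle_id)
        if old is not None:
            new.data = old.data          # tokens, cached mail etc. survive the swap
        self.apps[new.bundle_id] = new
        return new

    def install_hardened(self, new: App) -> App:
        """Hardened rule (an assumption, not Apple's actual patch): a replacement
        must be signed by the same team as the installed app, or it is refused."""
        old = self.apps.get(new.bundle_id)
        if old is not None and old.team_id != new.team_id:
            raise PermissionError(
                f"{new.bundle_id}: signer {new.team_id} != installed {old.team_id}")
        if old is not None:
            new.data = old.data
        self.apps[new.bundle_id] = new
        return new


def demo(hardened: bool) -> tuple[str, dict]:
    """Install a genuine bank app, then an enterprise-signed lookalike that reuses
    its bundle id. Returns (signer of the app now behind the icon, its data)."""
    dev = Device()
    dev.install_hardened(App("com.example.bank", "TEAMBANK01", "Bank",
                             {"session_token": "tok-123"}))   # constructed values
    imposter = App("com.example.bank", "TEAMEVIL99", "New Flappy Bird")
    try:
        (dev.install_hardened if hardened else dev.install_vulnerable)(imposter)
    except PermissionError:
        pass                             # hardened path refuses the swap
    installed = dev.apps["com.example.bank"]
    return installed.team_id, installed.data
```

In the vulnerable path the lookalike ends up behind the bank icon with the original session token; in the hardened path the genuine app and its data are untouched.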

The vulnerability affects both jailbroken and non-jailbroken devices running iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta. Attacks can be mounted both through wireless networks and USB sticks.

FireEye's blog features a video showing Masque being used to replace a genuine Gmail app with malicious code.

Apple has yet to issue a patch for the problem, and declined to comment on the case.

FireEye explains: “Masque attacks can replace authentic apps, such as banking and email apps, using attacker's malware through the internet. That means the attacker can steal user's banking credentials by replacing an authentic banking app with malware that has identical UI.”

Masque attacks can even steal user data stored by the original genuine app – such as all their past emails, or log-in tokens that would allow a criminal to log in to the user's account directly.

However, the threat only affects people who install apps from unofficial third-party stores, believed to be a small percentage of iOS users.

Yet FireEye's Hui Xue, Tao Wei and Yulong Zhang make this plea to Apple in their blog: “We disclosed this vulnerability to Apple in July. Because all the existing standard protections or interfaces by Apple cannot prevent such an attack, we are asking Apple to provide more powerful interfaces to professional security vendors to protect enterprise users from these and other advanced attacks.”

Jeremy Linden, senior security product manager at Lookout, agreed with FireEye that the Masque flaw is dangerous, as is WireLurker.

He told us via email: “Historically, attackers have focused their efforts on Android, given its popularity. Now, as the number of iOS devices has grown, especially in geographies where malware tends to originate, iPhones and iPads have become attractive attack targets as well.

“At the most obvious level, Masque and WireLurker are multi-stage threats that are targeting mobile as a threat vector.

“In the past these types of vulnerabilities involved dropping an app on your phone, but one thing that's new about the Masque attack is that it uses an icon that's already on your phone and replaces the app behind it.

“If you just saw a random banking app on page five of your iPhone, you're not going to be eager to click it and enter your login credentials. But if you're already trusting this icon, you might. [It's] classic social engineering at play.”

But Linden said Masque still only threatens users who ignore Apple's warnings. He told us: “With recent security breaches like Snapchat and iCloud, consumers are becoming increasingly aware of the risk that comes with a mobile-dominant world. The key mitigating factor with Masque is that there will always be a warning to the user, which will look suspicious because it's not something you would normally see in iOS.

“As long as you select ‘don't install’, you will be protected from this vulnerability. Unless you know the person that has sent you the app, you should not trust it.”

FireEye says iOS 7 users worried they may have already installed apps through Masque can check for suspicious provisioning profiles on their device, which indicates malware. Go to “Settings -> General -> Profiles” and look under “PROVISIONING PROFILES”.

The blog post explains: “iOS 7 users can report suspicious provisioning profiles to their security department. Deleting a provisioning profile will prevent enterprise signed apps which rely on that specific profile from running. However, iOS 8 devices don't show provisioning profiles already installed on the devices and we suggest taking extra caution when installing apps.”
