Original release date: November 13, 2014
Systems Affected
iOS devices running iOS 7.1.1, 7.1.2, 8.0, 8.1, and 8.1.1 beta.
Overview
A technique labeled “Masque Attack” allows an attacker to substitute malware for a legitimate iOS app under a limited set of circumstances.
Description
Masque Attack was discovered and described by FireEye mobile security researchers.[1] This attack works by luring users to install an app from a source other than the iOS App Store or their organizations’ provisioning system. In order for the attack to succeed, a user must install an untrusted app, such as one delivered through a phishing link.
This technique takes advantage of a security weakness that allows an untrusted app, with the same “bundle identifier” as that of a legitimate app, to replace the legitimate app on an affected device, while keeping all of the user’s data. This vulnerability exists because iOS does not enforce matching certificates for apps with the same bundle identifier. Apple’s own iOS platform apps, such as Mobile Safari, are not vulnerable.
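The check below is an added example, not part of the original alert or of FireEye's write-up. It compares two app-inventory snapshots of one device and flags any app whose bundle identifier stayed the same while its signing identity changed, which is the condition the paragraph above says iOS does not enforce. The `App` record, its field names, and all sample values are assumptions constructed for illustration; real inventory tools report these attributes under their own names.

```python
from typing import Dict, List, NamedTuple


class App(NamedTuple):
    bundle_id: str  # bundle identifier, e.g. "com.example.bank" (constructed)
    signer: str     # signing identity as reported by the inventory tool (assumed field)
    version: str


# One device's installed apps, keyed by bundle identifier.
Snapshot = Dict[str, App]


def signer_changes(previous: Snapshot, current: Snapshot) -> List[dict]:
    """Return apps that kept their bundle identifier between two snapshots
    but are now signed by a different identity."""
    findings = []
    for bundle_id in sorted(current):
        before, now = previous.get(bundle_id), current[bundle_id]
        if before is None:
            continue  # first install: no existing app or data was taken over
        if before.signer != now.signer:
            findings.append({
                "bundle_id": bundle_id,
                "old_signer": before.signer,
                "new_signer": now.signer,
                "version": f"{before.version} -> {now.version}",
            })
    return findings


# Constructed sample data (not from the alert).
PREVIOUS = {
    "com.example.bank": App("com.example.bank", "TEAM-AAAA", "3.1"),
    "com.example.mail": App("com.example.mail", "TEAM-BBBB", "2.0"),
}
CURRENT = {
    "com.example.bank": App("com.example.bank", "TEAM-ZZZZ", "3.2"),    # signer changed
    "com.example.mail": App("com.example.mail", "TEAM-BBBB", "2.1"),    # normal update
    "com.example.notes": App("com.example.notes", "TEAM-CCCC", "1.0"),  # new install
}

if __name__ == "__main__":
    for finding in signer_changes(PREVIOUS, CURRENT):
        print(finding)
```

A version bump alone does not distinguish the two cases: both the flagged app and the normally updated one show a newer version, so the signer comparison is what carries the signal.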
Impact
An app installed on an iOS device using this technique may:
- Mimic the original app’s login interface to steal the victim’s login credentials.
- Access sensitive data from local data caches.
- Perform background monitoring of the user’s device.
- Gain root privileges to the iOS device.
- Be indistinguishable from a genuine app.
Solution
iOS users can protect themselves from Masque Attacks by following three steps:
- Don’t install apps from sources other than Apple’s official App Store or your own organization.
- Don’t click “Install” from a third-party pop-up when viewing a web page.
- When opening an app, if iOS shows an “Untrusted App Developer” alert, click on “Don’t Trust” and uninstall the app immediately.
Further details on Masque Attack and mitigation guidance can be found on FireEye’s blog [1]. US-CERT does not endorse or support any particular product or vendor.
References
Revision History
- November 13, 2014: Initial Release