In December, cybersecurity company FireEye unearthed a bug in the latest version of Apple’s iOS, dubbed “Masque Attack,” that allows malicious apps to replace legitimate apps of the same name, but was unable to point to concrete examples of the exploit in use. The team has since uncovered three derivative attacks — Masque Extension, Manifest Masque, Plugin Masque — and furthermore revealed evidence that the Masque Attack was used to impersonate popular messaging apps.
Updated on 08-06-2015 by Kyle Wiggers: Added details of Masque Attack derivatives and evidence of the exploit in the wild.
As FireEye explained a few months back, the original Masque Attack iOS 7 and 8 allows hackers to install fake apps on iOS devices through email or text messages if the app names matched. As long as the hacker gives the false, infected app the same name as the real one, hackers can infiltrate the device. Of course, iOS users still have to download the app from the text or email, as opposed to going directly to the App Store and searching for the same app.
However, if users install the app using the link provided by the hackers, the malicious version takes over the real app on the user’s iPhone or iPad, where it can then steal the user’s personal information. Even after users restart the phone, the malicious app will still work, said FireEye. “It is a very powerful vulnerability and it is easy to exploit,” FireEye Senior Staff Research Scientist Tao Wei said, according to Reuters.
Another group of researchers from Trend Micro found out that since many iOS apps don’t have encryption, the Masque Attack bug can also target some legitimate apps. Hackers can access sensitive data that isn’t encrypted from legitimate apps that already exist on the phone. Of course, for this to work, users still have to download an app from a link or email, instead of from the App Store. In other words, the Masque Attack still probably won’t affect most users, but it could be bad news for enterprise users who send special, homegrown apps to users.
But the exploits newly discovered by FireEye require no such finagling. Masque Extension takes advantage of iOS 8 app extensions — hooks that allow apps to “talk” to each other, in essence — to gain access to data within other apps. “An attacker can lure a victim to install an in-house app […] and to enable the malicious extension of the […] app on his/her device,” FireEye said.
Other exploits — Manifest Masque and Plugin Masque — allow hackers to hijack users’ apps and connection. Manifest Masque, which was partially patched in iOS 8.4, can render even core apps like Health, Watch, and Apple Pay corrupt and unlaunchable. The potential of Plugin Masque is more worrisome — it poses as a VPN connection and monitors all internet traffic.
Observed in the wild
At the Black Hat hacker conference in Las Vegas, FireEye researchers said the Masque Attack vulnerability was used to install fake messaging apps mimicking third-party messengers like Facebook, WhatsApp, Skype, and others. Additionally, they revealed that customers of Italian surveillance company Hacking Team, the originators of Masque Attack, have been using the exploit for months to surreptitiously monitor iPhones.
Evidence emerged from Hacking Team’s databases, the contents of which were published by a hacker last month. According to internal company e-mails revealed by FireEye, Hacking Team created a mimicry of Apple’s Newstand app capable of downloading 11 additional copycats: malicious versions of WhatsApp, Twitter, Facebook, Facebook Messenger, WeChat, Google Chrome, Viber, Blackberry Messenger, Skype, Telegram, and VK. The apps recorded chats, messages, photos, and posts.
Thankfully, though, the risk of future infection is low — Hacking Team’s exploit required physical access to the targeted iPhones. Still, FireEye researcher Zhaofeng Chen recommended that iPhone users to “update their devices to the latest version of iOS and pay close attention to the avenues that they download their apps.”
Shortly after FireEye revealed the Masque Attack bug, the federal government issued a warning about the vulnerability, according to Reuters. In light of the panic inspired by the government and FireEye’s reports, Apple finally issued a response to the media about the threat posed by Masque Attack. Apple assured iOS users that no one has been affected by the malware yet and it’s just something the researchers discovered. The company touted the built-in security of iOS and assured users that nothing will happen to them as long as they only download apps directly from the App Store.
“We designed OS X and iOS with built-in security safeguards to help protect customers and warn them before installing potentially malicious software,” an Apple spokesperson told iMore. “We’re not aware of any customers that have actually been affected by this attack. We encourage customers to only download from trusted sources like the App Store and to pay attention to any warnings as they download apps. Enterprise users installing custom apps should install apps from their company’s secure website.”
As of this writing, FireEye has confirmed that Masque Attack can affect any device running iOS 7.1.1, 7.1.2, 8.0, 8.1, and 8.1.1 beta, regardless of whether you’ve jailbroken your device. Masque Attack and its derivatives have been partially patched in iOS 8.4, but in the meantime, users are advised to refrain from downloading any apps from sources other than the official App Store and to stop downloading apps from pop ups, emails, Web pages, or other foreign sources.
Updated on 11-21-2014 by Malarie Gokey: Added report from researchers who discovered a greater vulnerability in the Masque Attack bug.
Updated on 11-14-2014 by Malarie Gokey: Added comments from Apple discounting the severity of the threat posed by Masque Attack.