Masque Attack News: Researchers find new risk in iOS ‘Masque Attack’ bug

In December, cybersecurity company FireEye unearthed a bug in the latest version of Apple’s iOS, dubbed “Masque Attack,” that allows malicious apps to replace legitimate apps of the same name, but was unable to point to concrete examples of the exploit in use. The team has since uncovered three derivative attacks — Masque Extension, Manifest Masque, Plugin Masque — and furthermore revealed evidence that the Masque Attack was used to impersonate popular messaging apps.

Updated on 08-06-2015 by Kyle Wiggers: Added details of Masque Attack derivatives and evidence of the exploit in the wild. 

As FireEye explained a few months back, the original Masque Attack iOS 7 and 8 allows hackers to install fake apps on iOS devices through email or text messages if the app names matched. As long as the hacker gives the false, infected app the same name as the real one, hackers can infiltrate the device. Of course, iOS users still have to download the app from the text or email, as opposed to going directly to the App Store and searching for the same app.

However, if users install the app using the link provided by the hackers, the malicious version takes over the real app on the user’s iPhone or iPad, where it can then steal the user’s personal information. Even after users restart the phone, the malicious app will still work, said FireEye. “It is a very powerful vulnerability and it is easy to exploit,” FireEye Senior Staff Research Scientist Tao Wei said, according to Reuters.

New exploits

Another group of researchers from Trend Micro found out that since many iOS apps don’t have encryption, the Masque Attack bug can also target some legitimate apps. Hackers can access sensitive data that isn’t encrypted from legitimate apps that already exist on the phone. Of course, for this to work, users still have to download an app from a link or email, instead of from the App Store. In other words, the Masque Attack still probably won’t affect most users, but it could be bad news for enterprise users who send special, homegrown apps to users.

But the exploits newly discovered by FireEye require no such finagling.  Masque Extension takes advantage of iOS 8 app extensions — hooks that allow apps to “talk” to each other, in essence — to gain access to data within other apps. “An attacker can lure a victim to install an in-house app […] and to enable the malicious extension of the […] app on his/her device,” FireEye said.

Other exploits — Manifest Masque and Plugin Masque — allow hackers to hijack users’ apps and connection. Manifest Masque, which was partially patched in iOS 8.4, can render even core apps like Health, Watch, and Apple Pay corrupt and unlaunchable. The potential of Plugin Masque is more worrisome — it poses as a VPN connection and monitors all internet traffic.

Observed in the wild

At the Black Hat hacker conference in Las Vegas, FireEye researchers said the Masque Attack vulnerability was used to install fake messaging apps mimicking third-party messengers like Facebook, WhatsApp, Skype, and others. Additionally, they revealed that customers of Italian surveillance company Hacking Team, the originators of Masque Attack, have been using the exploit for months to surreptitiously monitor iPhones.

Evidence emerged from Hacking Team’s databases, the contents of which were published by a hacker last month. According to internal company e-mails revealed by FireEye, Hacking Team created a mimicry of Apple’s Newstand app capable of downloading 11 additional copycats: malicious versions of WhatsApp, Twitter, Facebook, Facebook Messenger, WeChat, Google Chrome, Viber, Blackberry Messenger, Skype, Telegram, and VK. The apps recorded chats, messages, photos, and posts.

Thankfully, though, the risk of future infection is low — Hacking Team’s exploit required physical access to the targeted iPhones. Still, FireEye researcher Zhaofeng Chen recommended that iPhone users to “update their devices to the latest version of iOS and pay close attention to the avenues that they download their apps.”

Shortly after FireEye revealed the Masque Attack bug, the federal government issued a warning about the vulnerability, according to Reuters. In light of the panic inspired by the government and FireEye’s reports, Apple finally issued a response to the media about the threat posed by Masque Attack. Apple assured iOS users that no one has been affected by the malware yet and it’s just something the researchers discovered. The company touted the built-in security of iOS and assured users that nothing will happen to them as long as they only download apps directly from the App Store.

“We designed OS X and iOS with built-in security safeguards to help protect customers and warn them before installing potentially malicious software,” an Apple spokesperson told iMore. “We’re not aware of any customers that have actually been affected by this attack. We encourage customers to only download from trusted sources like the App Store and to pay attention to any warnings as they download apps. Enterprise users installing custom apps should install apps from their company’s secure website.”

As of this writing, FireEye has confirmed that Masque Attack can affect any device running iOS 7.1.1, 7.1.2, 8.0, 8.1, and 8.1.1 beta, regardless of whether you’ve jailbroken your device. Masque Attack and its derivatives have been partially patched in iOS 8.4, but in the meantime, users are advised to refrain from downloading any apps from sources other than the official App Store and to stop downloading apps from pop ups, emails, Web pages, or other foreign sources.


Updated on 11-21-2014 by Malarie Gokey: Added report from researchers who discovered a greater vulnerability in the Masque Attack bug.

Updated on 11-14-2014 by Malarie Gokey: Added comments from Apple discounting the severity of the threat posed by Masque Attack.

Smart Home

The Houzz app now lets you virtually tile your floor with augmented reality

Augmented reality is starting to be a real bonus to apps like Houzz's View in My Room 3D tool, which recently added the ability to measure how a tiled floor might look in your living space.

These parental control apps will help keep your kids' device habits in check

Looking for extra security and monitoring on mobile devices? Take a look at the best parental control apps for limiting time and keeping watch on your child's phone usage and behavior. We have the top options for Android and iOS here.

Need a new tablet? Here are the best iPad deals for April 2019

In the wide world of tablets, Apple is still the king. If you're on team Apple and just can't live without iOS, we've curated an up-to-date list of all of the best iPad deals currently available for April 2018.
Movies & TV

Best new podcasts: The Ballad of Billy Balls, Decomposed, and more

Feel like you’re drowning in podcasts? In this weekly series, we’ll help you pick out the best of the new and returning shows. This week’s picks include a punk love story, disappearing referees, gun court, and intriguing tales from…

Transform into the ultimate leader with our tips and tricks for Civilization 6

Civilization VI offers both series veterans and total newcomers a lot to chew on from the get-go. Here are some essential starting tips to help you master the game's many intricacies.

The OnePlus 7 Pro will have four launch events to celebrate its release

The OnePlus 6T may still be new, but we're already looking ahead to the upcoming OnePlus 7. It will use the Snapdragon 855, and may have a new pop-up front camera, too. Here's everything we know about the OnePlus 7.
Product Review

Screen snags aside, the Galaxy Fold is an exciting step toward a foldable future

Samsung's Galaxy Fold is the company's first foldable phone, with two screens, six cameras, and a dual-cell battery. The phone may be delayed due to display issues, but that doesn't stop us from asking -- what's it like to use?

The best Bluetooth headsets of 2019, from Sennheiser to Jabra

Quality headsets are rare. Here are our picks for the best Bluetooth headsets available, whether you need something modest, cheap, or loaded with features. We highlight the best Bluetooth headsets you can get for different situations.

Samsung begins retrieving all the Galaxy Fold review units

The Samsung Galaxy Fold has arrived, and it goes on sale soon. Folding out from a 4.6-inch display to a tablet-sized 7.3-inch display, this unique device has six cameras, two batteries, and special software to help you use multiple apps.

Common Samsung Galaxy S10, S10 Plus, and S10e problems and how to fix them

Samsung's new Galaxy S10 range is gorgeous and extremely powerful. But they're not perfect, and you may discover some issues with your new phone. Here are some of the most common Galaxy S10 problems and how to fix them.

Michael Kors updates its Sofie smartwatch, but still uses a processor from 2016

Michael Kors announced an update to the Sofie smartwatch, now offering heart rate monitoring, GPS, and NFC support. There's only one problem — the device still offers the Snapdragon Wear 2100 processor.

Capture life in every direction with the best 360 cameras

While 360 cameras are still a new technology, that doesn't mean there's not a few that are worth a look. Whether you want to shoot from the middle or just need a simple, affordable option, here are the best 360 cameras on the market.
Home Theater

The best MP3 players of 2019 cram tons of music into a small package

Want to go for a run, but your phone is weighing you down? Don't sweat it. Can't fit your whole music library on your smartphone? No worries. Check out our list of the best MP3 players, and find one that works for you.

WWDC 2019 Complete Coverage

Apple’s Worldwide Developer Conference is a key tech event each year, and for Apple fans, it will be one of the two best times of 2019 (along with "new iPhone day," of course). For the last few years, Apple has debuted much of its…