
Masque Attack News: Researchers find new risk in iOS ‘Masque Attack’ bug

In December, cybersecurity company FireEye unearthed a bug in the latest version of Apple’s iOS, dubbed “Masque Attack,” that allows malicious apps to replace legitimate apps of the same name, but was unable to point to concrete examples of the exploit in use. The team has since uncovered three derivative attacks — Masque Extension, Manifest Masque, Plugin Masque — and furthermore revealed evidence that the Masque Attack was used to impersonate popular messaging apps.

Updated on 08-06-2015 by Kyle Wiggers: Added details of Masque Attack derivatives and evidence of the exploit in the wild. 

As FireEye explained a few months back, the original Masque Attack bug in iOS 7 and 8 allows hackers to install fake apps on iOS devices through email or text messages if the app names match. As long as the hacker gives the false, infected app the same name as the real one, hackers can infiltrate the device. Of course, iOS users still have to download the app from the text or email, as opposed to going directly to the App Store and searching for the same app.

However, if users install the app using the link provided by the hackers, the malicious version takes over the real app on the user’s iPhone or iPad, where it can then steal the user’s personal information. Even after users restart the phone, the malicious app will still work, said FireEye. “It is a very powerful vulnerability and it is easy to exploit,” FireEye Senior Staff Research Scientist Tao Wei said, according to Reuters.

New exploits

Another group of researchers from Trend Micro found out that since many iOS apps don’t have encryption, the Masque Attack bug can also target some legitimate apps. Hackers can access sensitive data that isn’t encrypted from legitimate apps that already exist on the phone. Of course, for this to work, users still have to download an app from a link or email, instead of from the App Store. In other words, the Masque Attack still probably won’t affect most users, but it could be bad news for enterprise users who send special, homegrown apps to users.

But the exploits newly discovered by FireEye require no such finagling. Masque Extension takes advantage of iOS 8 app extensions — hooks that allow apps to “talk” to each other, in essence — to gain access to data within other apps. “An attacker can lure a victim to install an in-house app […] and to enable the malicious extension of the […] app on his/her device,” FireEye said.

Other exploits — Manifest Masque and Plugin Masque — allow hackers to hijack users’ apps and connections. Manifest Masque, which was partially patched in iOS 8.4, can render even core apps like Health, Watch, and Apple Pay corrupt and unlaunchable. The potential of Plugin Masque is more worrisome — it poses as a VPN connection and monitors all internet traffic.

Observed in the wild

At the Black Hat hacker conference in Las Vegas, FireEye researchers said the Masque Attack vulnerability was used to install fake messaging apps mimicking third-party messengers like Facebook, WhatsApp, Skype, and others. Additionally, they revealed that customers of Italian surveillance company Hacking Team, the originators of Masque Attack, have been using the exploit for months to surreptitiously monitor iPhones.

Evidence emerged from Hacking Team’s databases, the contents of which were published by a hacker last month. According to internal company e-mails revealed by FireEye, Hacking Team created a mimicry of Apple’s Newsstand app capable of downloading 11 additional copycats: malicious versions of WhatsApp, Twitter, Facebook, Facebook Messenger, WeChat, Google Chrome, Viber, BlackBerry Messenger, Skype, Telegram, and VK. The apps recorded chats, messages, photos, and posts.

Thankfully, though, the risk of future infection is low — Hacking Team’s exploit required physical access to the targeted iPhones. Still, FireEye researcher Zhaofeng Chen recommended that iPhone users “update their devices to the latest version of iOS and pay close attention to the avenues that they download their apps.”

Shortly after FireEye revealed the Masque Attack bug, the federal government issued a warning about the vulnerability, according to Reuters. In light of the panic inspired by the government and FireEye’s reports, Apple finally issued a response to the media about the threat posed by Masque Attack. Apple assured iOS users that no one has been affected by the malware yet and it’s just something the researchers discovered. The company touted the built-in security of iOS and assured users that nothing will happen to them as long as they only download apps directly from the App Store.

“We designed OS X and iOS with built-in security safeguards to help protect customers and warn them before installing potentially malicious software,” an Apple spokesperson told iMore. “We’re not aware of any customers that have actually been affected by this attack. We encourage customers to only download from trusted sources like the App Store and to pay attention to any warnings as they download apps. Enterprise users installing custom apps should install apps from their company’s secure website.”

As of this writing, FireEye has confirmed that Masque Attack can affect any device running iOS 7.1.1, 7.1.2, 8.0, 8.1, and 8.1.1 beta, regardless of whether you’ve jailbroken your device. Masque Attack and its derivatives have been partially patched in iOS 8.4, but in the meantime, users are advised to refrain from downloading any apps from sources other than the official App Store and to stop downloading apps from pop-ups, emails, Web pages, or other foreign sources.


Updated on 11-21-2014 by Malarie Gokey: Added report from researchers who discovered a greater vulnerability in the Masque Attack bug.

Updated on 11-14-2014 by Malarie Gokey: Added comments from Apple discounting the severity of the threat posed by Masque Attack.


Malarie Gokey
Former Digital Trends Contributor