Security research firm FireEye has identified a vulnerability that can allow iOS apps to be replaced by malware versions. Dubbed the “Masque Attack,” the vulnerability uses an existing app’s App Store ID, signed with an enterprise provisioning certificate, to replace the good app with a rogue version. The report explains that although iOS requires that all third-party applications be signed by a valid provisioning certificate, it does not require that the certificate used to sign an app update be the same as the certificate used to sign the original app.
Masque Attack uses a vulnerability similar to the WireLurker exploit revealed last week, leveraging the enterprise distribution system that Apple has provided for companies to distribute in-house apps to their users, however this particular vulnerability goes beyond requiring a USB connection, potentially allowing devices to be infected wirelessly by prompting users to install bogus application updates over-the-air. This could be done by presenting prompts in Safari to encourage users to install an update to an app they may already be using. The prompt need not even match the app actually being delivered, and once the user accepts, the app will be downloaded and replace the legitimate version on the user’s device.
The FireEye report cites examples such as replacing a mobile banking app as a phishing attack to collect login and password information. FireEye notes that the vulnerability still exists in the iOS 8.1.1 beta, and has been identified as far back as iOS 7.1.1.
It is key to mention that this exploit relies heavily on social engineering to encourage the user to install an untrusted app, and that iOS itself provides cues that should raise suspicion, such as asking the user to randomly install an app while they may be engaged in an otherwise unrelated activity such as browsing the web, and requiring that the user explicitly respond to an “Untrusted Developer” notification when installing the app.
