A vulnerability in iPhones and iPads allows hackers to replace legitimate applications with malicious ones that could grant access to personal information.
Security experts with FireEye report that the flaw, which they have dubbed Masque Attack, makes large amounts of personal data accessible to cyber criminals. To better understand how the vulnerability works, the researchers sent a URL to an iPhone in order to install the new version of a game called “Flappy Bird” and observed the following process: As the user clicks on the link, he is asked to confirm the game installation. Along with the confirmation, the user is presented with a malicious version of the Gmail app. This application is installed over the original one, imitating it, so the user is not able to tell the difference. At the same time, the fake app runs background processes, sending information from the user’s mailbox to a server controlled by hackers. The attackers also gain access to the text messages on the compromised device.
The fact that the cyber criminals are able to gain access to SMS messages and email is extremely disturbing because both are used for security PIN codes for applications, password reset links, etc.
The flaw is detected on the following iOS versions: 8.11 beta, 8.0, 7.1.2, 7.1.1.
The application’s bundle identifier, which is supposed to be unique for every app, is not being checked by iOS. If a fraudulent application uses the same bundle identifier as a legitimate app, iOS will not question it. This holds even when the two apps come from different sources.
A year ago Apple introduced the option for IT to provision applications to iOS devices without having to use the Apple App Store. This is the capability exploited by Masque Attack. Only preinstalled apps can resist the attack.
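Because iOS does not perform this check itself, an administrator can perform it over an app inventory. The following is an added example, not code from FireEye or Apple; the record fields (`device`, `bundle_id`, `signer`, `source`), the source labels and all sample data are constructed assumptions about what a device-management export might contain.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class InstalledApp:
    device: str
    bundle_id: str
    signer: str   # signing identity as reported by the inventory (assumed field)
    source: str   # assumed labels: "app_store", "enterprise", "preinstalled"

# Constructed baseline: the signer expected for each approved bundle identifier.
BASELINE = {
    "com.example.mail": "Example Mail Inc.",
    "com.example.game": "Example Games LLC",
}

# Constructed inventory records for three devices.
INVENTORY = [
    InstalledApp("phone-01", "com.example.mail", "Example Mail Inc.", "app_store"),
    InstalledApp("phone-02", "com.example.mail", "Unknown Enterprise Co.", "enterprise"),
    InstalledApp("phone-02", "com.example.newgame", "Unknown Enterprise Co.", "enterprise"),
    InstalledApp("phone-03", "com.example.preloaded", "Device Vendor", "preinstalled"),
]

def audit(inventory, baseline):
    """Return (device, bundle_id, reason) for every app that needs review."""
    findings = []
    for app in inventory:
        # The article states that preinstalled apps resist the attack.
        if app.source == "preinstalled":
            continue
        expected = baseline.get(app.bundle_id)
        if expected is not None and app.signer != expected:
            # Same bundle identifier as an approved app, different signer:
            # the replacement pattern the article describes.
            findings.append((app.device, app.bundle_id, "signer-mismatch"))
        elif expected is None and app.source != "app_store":
            # Not in the baseline and not installed from the App Store.
            findings.append((app.device, app.bundle_id, "unlisted-sideload"))
    return findings

if __name__ == "__main__":
    for device, bundle_id, reason in audit(INVENTORY, BASELINE):
        print(f"{device}: {bundle_id} -> {reason}")
```
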
What Can Users Do?
- Install applications only from the Apple App Store.
- Do not click the “Install” button on pop-ups that come from third-party stores.
Users of iOS 7 can see if their devices have already been compromised by checking the provisioning profiles in the Settings app for any suspicious entries.