Apple said it is not aware of any customers affected by the Masque vulnerability disclosed earlier this week, and made no mention of a timeline when it might release an update patching the security hole.
Masque is a vulnerability in iOS 7.1.1 and later that exposes Apple mobile devices to malware such as WireLurker, which replaces legitimate apps with Trojanized versions of the same app. WireLurker was limited in that it spread from Mac OS X to iOS devices only over USB connections; attackers can also use Masque to install a malicious app by luring the victim, through a phishing email or SMS message, to a link that installs it.
“We designed OS X and iOS with built-in security safeguards to help protect customers and warn them before installing potentially malicious software,” an Apple spokesperson told iMore, a website dedicated to Apple news and resources. “We encourage customers to only download from trusted sources like the App Store and to pay attention to any warnings as they download apps. Enterprise users installing custom apps should install apps from their company’s secure website.”
Apple’s response adds no sense of urgency to the threat posed by Masque, one of the few successful intrusions into Apple’s walled garden.
“Apple is making a mistake by downplaying this issue rather than focusing on user education. Apple’s customers would be better served by a statement that explains the risks of blindly pressing ‘OK’ on unfamiliar dialog boxes,” said Tripwire researcher Craig Young. “The Masque Attack relies on victims being conditioned to click first and ask questions later; this is very similar to many social engineering based attacks that target Microsoft’s user access controls.”
Researchers at FireEye this week disclosed that the Masque vulnerability had been used by the WireLurker malware. WireLurker was found on a number of iPhones in China and was traced by researchers at Palo Alto Networks to a Chinese third-party app store known for pirated software.
Masque lets an attacker replace a legitimate iOS app with a malicious one without the user’s knowledge. Tao Wei, a senior staff research scientist at FireEye, said the problem is that Apple’s enterprise provisioning feature does not enforce matching certificates for apps that share the same bundle identifier: an app signed with an enterprise certificate can overwrite an installed app that carries the same identifier, even one from the App Store.
Enterprise provisioning is an Apple developer program feature that lets enterprise iOS developers build and distribute in-house iOS apps without submitting them to Apple for App Store review. The attack works against both jailbroken and non-jailbroken devices.
While the Mac OS X and Windows versions of WireLurker targeted only applications popular in China, namely the Meitu photo app, the Taobao online auction app and the AliPay payment application, FireEye’s Wei said attackers could also use Masque to replace legitimate iOS apps downloaded from the App Store.
For example, FireEye’s demonstration shows a Masque exploit replacing a genuine Gmail app downloaded from the Apple App Store with a malicious version of the same app; the victim’s locally stored messages remained in place and were accessible to the malicious app. The victim was lured via SMS to a download that claimed to be a new version of the Flappy Bird game.
“By using the Masque attack, attackers can get all your existing sensitive data on your iPhone,” Wei said.
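The following is an added example, not FireEye’s code and not Apple’s implementation. It models the install-time decision the article describes as two policies over a constructed device inventory: the vulnerable policy accepts any replacement whose bundle identifier matches an installed app, regardless of who signed it, while a hardened policy also requires the replacement to be signed by the same team as the app it overwrites. A small inventory check at the end flags apps whose signer does not match the team expected for that bundle identifier, which is the kind of audit a mobile device management export would make possible. All team IDs, app names and the `com.example.bank` bundle identifier are constructed; `com.google.Gmail` stands in for the App Store app from the demonstration.

```python
"""Model of the app-replacement check at the heart of the Masque attack.

Added example. Not Apple's code: a simulation of the decision the article
describes, with constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SignedApp:
    bundle_id: str   # identical on the real app and the masquerading app
    team_id: str     # signing identity; constructed values in this example
    source: str      # "appstore" or "enterprise"
    name: str


# Constructed device inventory: what a victim already has installed.
INSTALLED = {
    "com.google.Gmail": SignedApp("com.google.Gmail", "TEAM-GOOGLE", "appstore", "Gmail"),
    "com.example.bank": SignedApp("com.example.bank", "TEAM-BANK", "appstore", "Bank"),
}

# Constructed attacker package: an enterprise-signed app that reuses Gmail's
# bundle identifier, offered through an SMS link as "a new Flappy Bird".
MASQUE_APP = SignedApp("com.google.Gmail", "TEAM-ATTACKER", "enterprise", "Flappy Bird (lure)")

# Expected signer per bundle identifier, as an MDM administrator might record it.
EXPECTED_TEAMS = {"com.google.Gmail": "TEAM-GOOGLE", "com.example.bank": "TEAM-BANK"}


def vulnerable_policy(installed, candidate):
    """The flaw the article describes: a matching bundle identifier is enough
    to overwrite the existing app; the signer is never compared."""
    if candidate.bundle_id in installed:
        return True, "bundle ID matches an installed app; replaced in place"
    return True, "new bundle ID; fresh install"


def hardened_policy(installed, candidate):
    """Same decision, but a replacement must be signed by the team that
    signed the app it would overwrite."""
    existing = installed.get(candidate.bundle_id)
    if existing is None:
        return True, "new bundle ID; fresh install"
    if existing.team_id != candidate.team_id:
        return False, (f"refusing to replace {existing.name}: installed copy signed by "
                       f"{existing.team_id}, replacement signed by {candidate.team_id}")
    return True, "same bundle ID and same signer; legitimate update"


def simulate_install(policy, installed, candidate):
    """Apply a policy and return (allowed, reason, resulting inventory).
    The input inventory is left unchanged."""
    allowed, reason = policy(installed, candidate)
    result = dict(installed)
    if allowed:
        result[candidate.bundle_id] = candidate
    return allowed, reason, result


def find_masqueraded(inventory, expected_teams):
    """After-the-fact audit: bundle identifiers whose installed signer differs
    from the expected team. Returns a sorted list of (bundle_id, actual_team)."""
    hits = []
    for bundle_id, app in inventory.items():
        expected = expected_teams.get(bundle_id)
        if expected is not None and app.team_id != expected:
            hits.append((bundle_id, app.team_id))
    return sorted(hits)


if __name__ == "__main__":
    for policy in (vulnerable_policy, hardened_policy):
        allowed, reason, after = simulate_install(policy, INSTALLED, MASQUE_APP)
        print(f"{policy.__name__}: allowed={allowed}; {reason}")
        print(f"  Gmail now signed by {after['com.google.Gmail'].team_id}; "
              f"audit flags: {find_masqueraded(after, EXPECTED_TEAMS)}")
```

Run as a script, the vulnerable policy lets the enterprise-signed package take over the `com.google.Gmail` slot and the audit then flags it, while the hardened policy refuses the install and the audit stays clean. The audit is only a model of the idea; on a real device the data it would need is the signing identity recorded for each installed app, which is exactly what the vulnerable check ignores.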
Tripwire’s Young said Apple’s lukewarm response puts at risk users who may be under the misconception that Mac OS X and iOS are immune to malware.
“While iOS has proven more difficult to exploit due to strict code signing requirements and a locked-down app store, several times in the past researchers have been able to get malicious software into the Apple app store,” Young said. “All consumers need to apply the same ‘common-sense’ security logic to iOS and OS X systems as they would for Android, Windows, or other platforms.”