The vulnerability used in the WireLurker attacks has been uncovered and was reported to Apple in July but has yet to be patched, a researcher at FireEye said.
Today’s disclosure of the Masque attack, which affects iOS 7.1.1, 7.1.2, 8.0, 8.1, and 8.1.1 beta, revealed that Apple mobile devices are not only exposed over USB, as with WireLurker, but can also be taken over remotely via an SMS or email message that points the victim toward a malicious app.
The vulnerability allows an attacker to swap out a legitimate iOS app with a malicious one without the user’s knowledge. Researcher Tao Wei, a senior staff research scientist at FireEye, said Apple’s enterprise provisioning feature does not enforce matching certificates for apps given identical bundle identifiers. Enterprise provisioning is an Apple developer service that allows enterprise iOS developers to build and distribute iOS apps without having to upload the app to Apple. Attacks can be successful against jailbroken and non-jailbroken devices.
A request for comment from Apple was not returned in time for publication.
Wei said WireLurker, discovered by researchers at Palo Alto Networks, is the only in-the-wild attack exploiting the Masque vulnerability.
“We have seen clues this vulnerability has been circulated, so we had to disclose it,” Wei told Threatpost this morning.
WireLurker made a splash last week. Mac OS X and Windows versions of the malware were discovered, and attacks were limited to China. A popular iOS app store in China, known for hosting pirated apps, was the culprit in the WireLurker attacks. Victims would download Mac OS X apps spiked with WireLurker and once an iOS device connected over USB, the malware would search for applications popular in China, namely the Meitu photo app, the Taobao online auction app, or the AliPay payment application. If found on the iOS device, WireLurker would extract the app and replace it with a Trojanized version of the same app repackaged with malware.
With Masque, an attacker could replace an app installed from the App Store with a malicious, enterprise-signed app that carries the same bundle identifier. For example, a demonstration of the attack shows a Masque exploit replacing a valid Gmail app downloaded from the Apple App Store with a malicious version of the same app that retained the victim’s messages. The victim was lured via SMS to a download that purported to be a new version of the Flappy Bird game.
“By using the Masque attack, attackers can get all your existing sensitive data on your iPhone,” Wei said.
Attackers would be able to mimic the original app’s log-in interface and steal credentials; this puts not only email and gaming apps at risk but, in theory, also signed banking apps, whose credentials could be sent to the attacker through a backdoor in the replacement app. FireEye said that data under the original app’s directory, including local data caches, remained in the malware’s local directory after the swap took place.
By using an identical bundle identifier, Wei said, the malicious app would elude detection by a mobile device management tool.
“iOS doesn’t check certificates during updating,” Wei said. “Attackers can replace the old app with a fake app.
“Currently there is no MDM API to get the certificate information for each app,” Wei said. “Thus, it is difficult for the MDM to detect such attacks.”
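The two points above, that the install path keys on the bundle identifier alone and that an administrator has no certificate data to inspect, are easier to reason about with a small model. The following is an added example, not code from FireEye, Apple or the article: it parses an install manifest in the shape of the itms-services manifest that enterprise in-house distribution uses (the article does not spell out that mechanism), flags a manifest whose bundle identifier collides with a known App Store app, and then runs the swap against a toy install policy with and without a signer check. The `Device` class is a deliberately simplified stand-in for the iOS installer, and the URL, bundle version, and signer fingerprints are constructed.

```python
"""Model of the Masque bundle-identifier collision and the missing signer check.

Added example; not the project's or the article's own code. The Device class is a
toy model of an install slot keyed on bundle identifier, not Apple's installer.
"""
import plistlib
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class InstalledApp:
    bundle_id: str
    signer: str   # signing identity, modelled here as a certificate fingerprint string
    source: str   # "appstore" or "enterprise"


# Constructed sample manifest in the shape of an itms-services enterprise install
# manifest. The URL, title and version are illustrative; the bundle identifier is
# the one the lure in the article targeted (the Gmail app).
MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>items</key>
  <array>
    <dict>
      <key>assets</key>
      <array>
        <dict>
          <key>kind</key><string>software-package</string>
          <key>url</key><string>https://example.invalid/FlappyBird.ipa</string>
        </dict>
      </array>
      <key>metadata</key>
      <dict>
        <key>bundle-identifier</key><string>com.google.Gmail</string>
        <key>bundle-version</key><string>99.0</string>
        <key>kind</key><string>software</string>
        <key>title</key><string>New Flappy Bird</string>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""

APP_STORE_SIGNER = "sha256:appstore-cert"              # constructed fingerprint
ENTERPRISE_SIGNER = "sha256:attacker-enterprise-cert"  # constructed fingerprint


def bundle_ids_from_manifest(data: bytes) -> List[str]:
    """Return every bundle-identifier an install manifest asks the device to install."""
    manifest = plistlib.loads(data)
    ids = []
    for item in manifest.get("items", []):
        bid = item.get("metadata", {}).get("bundle-identifier")
        if bid:
            ids.append(bid)
    return ids


def masquerading_ids(manifest_ids: Iterable[str], known_store_ids: Iterable[str]) -> List[str]:
    """Bundle identifiers in an enterprise manifest that collide with apps known to come
    from the App Store. Such a collision is the precondition for the swap."""
    return sorted(set(manifest_ids) & set(known_store_ids))


class Device:
    """Toy model of an install slot keyed on bundle identifier."""

    def __init__(self, enforce_signer: bool):
        self.enforce_signer = enforce_signer
        self.apps = {}

    def install(self, bundle_id: str, signer: str, source: str) -> InstalledApp:
        existing = self.apps.get(bundle_id)
        if existing is not None and self.enforce_signer and existing.signer != signer:
            raise PermissionError(
                f"{bundle_id}: update signed by {signer} does not match installed signer {existing.signer}")
        # Weak policy (or first install): whatever sits under this bundle id is replaced.
        # The app's data directory stays with the bundle id, which is why the fake app
        # in the article still had the victim's cached mail.
        self.apps[bundle_id] = InstalledApp(bundle_id, signer, source)
        return self.apps[bundle_id]


def simulate(enforce_signer: bool) -> str:
    """Install the legitimate app, then push the manifest's app over it.
    Returns the source of whatever ends up installed under the Gmail bundle id."""
    device = Device(enforce_signer)
    device.install("com.google.Gmail", APP_STORE_SIGNER, "appstore")
    for bid in bundle_ids_from_manifest(MANIFEST):
        try:
            device.install(bid, ENTERPRISE_SIGNER, "enterprise")
        except PermissionError:
            pass  # strict policy refused the swap; the original app stays
    return device.apps["com.google.Gmail"].source


if __name__ == "__main__":
    ids = bundle_ids_from_manifest(MANIFEST)
    print("collisions with App Store apps:", masquerading_ids(ids, {"com.google.Gmail"}))
    print("weak policy   ->", simulate(enforce_signer=False))   # enterprise
    print("strict policy ->", simulate(enforce_signer=True))    # appstore
```

The manifest check is the part an organisation can actually act on: a proxy or MDM that sees an in-house install manifest can reject one whose bundle identifier belongs to an app the organisation expects from the App Store, without needing the per-app certificate information the quote says is unavailable.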
The vulnerability was discovered in July and reported to Apple July 26, Wei said.
“It is a very powerful [vulnerability], but at the same time, it is very easy to exploit,” Wei said. “It can make the enterprise provisioning attack more powerful and more coverage over the victim. It’s easy to exploit and that’s why we are so concerned and why we think users should be warned.”
Both the Mac OS X and Windows versions of WireLurker have been shut down, researchers at Palo Alto and AlienVault said; AlienVault Labs head Jamie Blasco discovered the Windows version. Apple has also revoked a certificate used in the WireLurker attacks.