A New iPhone Security Flaw Can Replace Your Apps With Identical Versions Infested With Malware

Masque Attack


A rogue app identitical to Gmail replaces the original Gmail app using the "Masque Attack" vulnverability.

Last week, a piece of malware called "Wirelurker" was discovered to be targeting Apple users in China. Now there's a new threat called "Masque Attack," and this recently-discovered malware is reportedly a "much bigger threat" than Wirelurker, according to 9to5Mac.

Here's what you need to know.

Masque Attack was first discovered by the mobile security research firm FireEye, and it's a major security flaw within Apple's mobile operating system, iOS.Advertisement

Masque Attack allows malicious parties to install duplicate versions of third-party apps on your iPhone or iPad, replacing your original app with theirs, which can access and monitor your data.

Basically, if someone were to take advantage of the Masque Attack vulnerability, all you would need to do on your end would be to click on a notification asking you to install some popular new app like the "New Flappy Bird." And interestingly enough, the exact wording of the pop-up ad could change, too, so attackers could hide the malware-infested apps within downloads and promise something like a Gmail update, or an update to another popular app.

Once you click on the link, and click "Install" on the pop-up ad, and it's over.

So let's say you fall for the trick and you click install, thinking you're simply updating Gmail.

The malicious app will then install itself over your original Gmail app, and you wouldn't even notice the difference. Below, FireEye has shown what this process looks like.Advertisement

Panels A and B show the real Gmail app. After clicking on the pop-up in panel C, the malicious app begins to download over the true Gmail app (panels D, E, and F), with the local data and emails still intact.

If designed to duplicate a banking app like Bank of America or Chase, the malicious app could even record a user's log-in information, gaining access to their accounts.Advertisement

Usually, iOS would stop this from happening. But Masque Attack takes advantage of a hole within iOS that allows apps coded with the same "bundle identifier" to be installed over each other.

"This vulnerability exists because iOS doesn't enforce matching certificates for apps with the same bundle identifier," FireEye said in a blog post. "We verified this vulnerability on iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta, for both jailbroken and non-jailbroken devices."

FireEye claims they alerted Apple to the threat of Masque Attack back on July 26, but since the vulnerability continues to exist, FireEye felt the public should know they are at risk.Advertisement

While FireEye's research highlights a major issue in iOS, there are no known attacks so far that take advantage of the Masque Attack vulnverability, though FireEye claims "We have seen proof that this issue started to circulate."

Luckily, there's an easy way to avoid falling victim to Masque Attack: Don't click on any download links messaged to you from people you don't know, and only download apps directly from the App Store.

Since the vulnverability relies on you clicking a pop-up link offering an app download, just make sure you only download apps from Apple's official App Store. The only apps that are totally unaffected by Masque Attack are those that come installed on your iPhone or iPad, like Safari.Advertisement

To see a video demonstration of Masque Attack in action, click here.

We have reached out to Apple for comment and will update this post when we hear back.