New Attack Method Can Hit 95% Of iOS Devices

Published: 22/11/2024   Category: security




Masque Attack replaces legit apps with malware using the same bundle identifier names.



The majority of non-jailbroken iOS devices are vulnerable to an attack method that could replace genuine apps with malware through a bit of application-naming skullduggery. Dubbed a Masque Attack by the FireEye researchers who discovered this technique this summer, the attack was described publicly for the first time in a report today.
FireEye had previously held details about the attack methods close to the vest to give Apple time to handle a disclosure made to Cupertino at the end of July. But after examining the WireLurker malware that hit headlines last week, researchers with FireEye found it was using Masque methods and felt it necessary to shed light on a vulnerability that it says affects 95% of iOS devices.
"We consider it urgent to let the public know, since there could be existing attacks that haven't been found by security vendors," they wrote in the report.
Masque works by convincing users to download an app with a tricky name and then using that install to replace a legitimate app with the same bundle identifier name. There are a number of attack implications from this method. First of all, attackers could mimic the original app's login interface to steal credentials and upload them remotely. Secondly, the data under the original app's directory remains in the malware's local directory after the switch, allowing for further data theft. Additionally, an attacker can use the Masque Attack to bypass the app sandbox and get root privileges by attacking known iOS vulnerabilities.
According to FireEye, Masque is particularly dangerous for enterprises for a number of reasons. First of all, apps distributed using enterprise provisioning profiles aren't subject to Apple's review process.
"Therefore, the attacker can leverage iOS private APIs for powerful attacks such as background monitoring and mimic iCloud's UI to steal the user's Apple ID and password," the researchers wrote.
Additionally, Masque is very difficult for enterprises to detect because MDM software can't distinguish malware from legit apps using the same bundle identifier.
"This means that attackers can use spear phishing via email or text message to conduct targeted attacks very effectively against enterprise users," Tao Wei, senior research scientist at FireEye, told Dark Reading. Because MDM software cannot detect this attack, and until Apple releases a fix for this vulnerability, organizations must educate their employees on the threat spear phishing now poses to their non-jailbroken iOS devices.
"Because an attacker can run arbitrary code on the iOS device, malware using the Masque Attack can serve as a stepping stone into the corporate network," Wei warns. For example, the attacker can potentially harvest email and SMS, which may have two-step login tokens, to get further access to more privileged contents.
FireEye recommends that organizations warn users to protect themselves three ways. One, users shouldn't install apps from third-party sources other than Apple's official store or an enterprise app store. Two, users shouldn't click on install buttons on a pop-up from third-party web pages. Three, if iOS shows an alert with an "Untrusted App Developer" warning, users should click "Don't Trust" and uninstall the app immediately.
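Since the article notes that the bundle identifier alone cannot separate a Masque replacement from the genuine app, a defender who can inspect .ipa files in transit (for example at a mail or web gateway, which is an assumption here) can pair the identifier with the provisioning type. The following is an added example, not code from FireEye or the article; the protected identifier list, function names and sample archives are constructed.

```python
import io
import plistlib
import re
import zipfile

# Assumption: bundle identifiers the organization wants to protect (constructed values).
PROTECTED_BUNDLE_IDS = {"com.example.mail", "com.example.bank"}
APP_PLIST = re.compile(r"Payload/[^/]+\.app/Info\.plist")

def inspect_ipa(ipa_bytes):
    """Return (bundle_id, enterprise_provisioned, verdict) for an .ipa archive."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        names = z.namelist()
        plist_name = next((n for n in names if APP_PLIST.fullmatch(n)), None)
        if plist_name is None:
            return None, False, "not-an-app"
        # plistlib reads both XML and binary Info.plist files.
        bundle_id = plistlib.loads(z.read(plist_name)).get("CFBundleIdentifier", "")
        enterprise = False
        prov_name = plist_name[:-len("Info.plist")] + "embedded.mobileprovision"
        if prov_name in names:
            # The profile is a signed (CMS) blob wrapping an XML plist; carve it out.
            blob = z.read(prov_name)
            start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
            if start != -1 and end > start:
                profile = plistlib.loads(blob[start:end + len(b"</plist>")])
                # Enterprise (in-house) profiles set ProvisionsAllDevices to true.
                enterprise = bool(profile.get("ProvisionsAllDevices", False))
    if bundle_id not in PROTECTED_BUNDLE_IDS:
        return bundle_id, enterprise, "ok"
    # A file reusing a protected identifier: alert if enterprise-provisioned.
    return bundle_id, enterprise, "alert" if enterprise else "review"

def build_sample_ipa(bundle_id, enterprise):
    """Constructed input: minimal .ipa with an Info.plist and a fake profile blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Sample.app/Info.plist",
                   plistlib.dumps({"CFBundleIdentifier": bundle_id}))
        profile = plistlib.dumps({"ProvisionsAllDevices": enterprise})
        z.writestr("Payload/Sample.app/embedded.mobileprovision",
                   b"\x30\x82HEADER" + profile + b"TRAILER")
    return buf.getvalue()

if __name__ == "__main__":
    for bid, ent in [("com.example.mail", True), ("com.example.game", True)]:
        print(inspect_ipa(build_sample_ipa(bid, ent)))
```

The check does not verify the profile's signature; it only reads the fields needed to triage a file for review.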
