Even normal, non-jailbroken iPhones could now be attacked by a vicious and crafty new piece of malware, according to security researchers at California-based firm, FireEye.
FireEye has pinpointed a vulnerability in Apple’s iOS which could allow an attacker to hoodwink users into accidentally installing a malicious app, which can then compromise personal information and data.
The vulnerability, which was first discovered by FireEye’s mobile security researchers back in July, is found in Apple’s enterprise/ad-hoc provisioning system, which allows developers and businesses to push out updates to their own apps without going through the App Store and its rigorous security screening processes.
The in-house app could display a link indicating an update, but the link could, in fact, lead to a completely different app, which would then install with the end-user being none the wiser to the fact that a switcheroo has taken place.
Worse still, a malicious application could install over the top of a previously installed app, replacing it entirely and accessing information which was saved within the official app, such as login data, emails or banking information.
Check out the video below, where a security expert demonstrates how easy it is for the Gmail app to be replaced with a dodgy version that steals your secret info. The fact that the malware looks and acts just like the real thing is terrifying.
The method of attack used to exploit this vulnerability has been dubbed a ‘Masque Attack’ and researchers at FireEye have been hard at work documenting it. “By leveraging Masque Attack, an attacker can lure a victim to install an app with a deceiving name crafted by the attacker (like “New Angry Bird”), and the iOS system will use it to replace a legitimate app with the same bundle identifier. Masque Attack couldn’t replace Apple’s own platform apps such as Mobile Safari, but it can replace apps installed from App Store. Masque Attack has severe security consequences.”
To be vulnerable to this method of attack, the end-user must have installed a provisioning profile on their device. If you’re on iOS 7 or earlier, you can check if you have one installed by going to Settings > General > Profiles , but if you’re on iOS 8 you’ll be out of luck, as they don’t currently show up.
If you do have a provisioning profile on your device, or you’re on iOS 8 (which you most likely are by now, if Apple’s stats are correct), don’t despair: you can follow FireEye’s advice to keep your data and privacy intact.
First, don’t install apps from third-party sources other than Apple’s official App Store or your own organisation.
Also, don’t click “install” on a pop-up from a third-party web page, no matter what the pop-up says about the app. The pop-up can show attractive app titles crafted by the attacker.
When opening an app, if iOS shows an alert with “Untrusted App Developer”, click on “Don’t Trust” and uninstall the app immediately.