Masque Attack: Apple Inc. (AAPL) iPhone iPad Users Under Threat Of A New Sinister Bug


The troubles don’t seem to end for Apple Inc. (NASDAQ:AAPL) iOS 8. The OS version had a flurry of bugs, which forced Apple to come out with an updated iOS 8.0.1 within a week of its release. After the first week of the launch, iOS 8 managed to achieve an adoption rate of only 36%, compared to a 58% adoption rate for iOS 7 over the same period after its launch. Despite the slow start, the smashing sales of the recently launched iPhone 6 and iPhone 6 Plus have boosted the iOS 8 adoption rate to 52%. But concerns still lurk, as Apple's secure ecosystem is being repeatedly attacked by malware. Recent news of WireLurker hitting iOS and Mac devices in the Chinese region raised a lot of questions about security. Now a similar breach in iOS devices is being reported by FireEye mobile security researchers, and it poses a serious threat to Apple App Store users.

What is Masque Attack?

The malware has been named “Masque Attack” because it replaces legitimate, verified apps with a duplicate app. An infected app installed through enterprise or ad-hoc provisioning can replace an original app that has the same bundle identifier. A bundle identifier is a unique string the system uses to identify an app; it lets the OS recognize updates to that app. The malicious app generally has a fancy name intended to lure users into downloading it. The malware appears to be ineffective against iOS pre-installed apps like Mobile Safari, iTunes, iWork etc. The vulnerability, identified in iOS 7 and iOS 8, exists because Apple does not require matching certificates for apps that have the same bundle identifier. Like WireLurker, Masque Attack can affect both jailbroken and non-jailbroken devices, and a device can be infected over USB or over wireless networks.
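A defender can screen an IPA file before it reaches a device by checking the two conditions described above: a bundle identifier that collides with a protected app, and delivery through enterprise or ad-hoc provisioning. The Python sketch below is an added example, not code from FireEye or Apple. The protected identifier `com.example.mail` and the sample archives are constructed placeholders; `ProvisionsAllDevices` and `ProvisionedDevices` are the provisioning-profile keys that mark enterprise and ad-hoc profiles.

```python
import io
import plistlib
import re
import zipfile

# Assumption: bundle identifiers the organisation wants to protect (constructed placeholder).
PROTECTED_BUNDLE_IDS = {"com.example.mail"}
APP_FILE = re.compile(r"^Payload/[^/]+\.app/(Info\.plist|embedded\.mobileprovision)$")


def profile_plist(blob):
    """A provisioning profile is a CMS envelope around an XML plist; slice the plist out (signature not verified)."""
    start, end = blob.find(b"<?xml"), blob.rfind(b"</plist>")
    if start < 0 or end < start:
        return {}
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def triage_ipa(ipa_bytes):
    """Report bundle ID, distribution channel, and whether the IPA collides with a protected app."""
    files = {}
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as ipa:
        for name in ipa.namelist():
            m = APP_FILE.match(name)
            if m:
                files[m.group(1)] = ipa.read(name)
    if "Info.plist" not in files:
        raise ValueError("no Payload/<name>.app/Info.plist in archive")
    bundle_id = plistlib.loads(files["Info.plist"]).get("CFBundleIdentifier", "")
    profile = profile_plist(files.get("embedded.mobileprovision", b""))
    channel = ("enterprise" if profile.get("ProvisionsAllDevices")
               else "ad-hoc" if "ProvisionedDevices" in profile else "no-profile")
    # Conservative choice: compare case-insensitively so a case variant is still flagged.
    collides = bundle_id.casefold() in {b.casefold() for b in PROTECTED_BUNDLE_IDS}
    return {"bundle_id": bundle_id, "channel": channel, "suspect": collides and channel != "no-profile"}


def build_sample_ipa(bundle_id, profile=None):
    """Constructed sample input: a minimal in-memory IPA with fake CMS framing bytes, not a real app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as ipa:
        ipa.writestr("Payload/Sample.app/Info.plist", plistlib.dumps({"CFBundleIdentifier": bundle_id}))
        if profile is not None:
            framed = b"\x30\x82CMS" + plistlib.dumps(profile) + b"\x00SIG"
            ipa.writestr("Payload/Sample.app/embedded.mobileprovision", framed)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_ipa(build_sample_ipa("com.example.mail", {"ProvisionsAllDevices": True})))
```

A flagged IPA is only a candidate for review: an organisation's own in-house build of a protected app would match the same two conditions.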

The level of threat posed by Masque Attack is considerably higher than that of WireLurker, because Masque can be used to steal sensitive information like banking credentials or important emails by replacing banking or email apps on a device. On installation, the malware can even access the local data of the original app, like cached emails or login tokens. These can be used to log directly into the user’s account.

The malware can be used in various ways against unsuspecting users. It can present a copied UI of the original app, which can be used to steal the user’s identity or valuable credentials used for internet banking. Attackers can collect this information at a remote server. Masque Attacks can also be used to get around the app sandbox, which serves as a barrier against malicious software.

The MDM (Mobile Device Management) interface on Apple devices fails to identify the imposter, as there is currently no API to obtain the certificate information for each app. Also, apps provisioned under enterprise profiles do not come under the purview of Apple’s review process, according to the reports. FireEye also conducted an experiment to demonstrate how the malware works, using an app with a bundle identifier similar to that of the Gmail app on the phone. In the course of the experiment, Masque Attack replaced the original Gmail app on the device.

Where does Masque Attack hit Apple the most?

When Google Android apps were reportedly hit by malware, Apple raised much hue and cry, stating that free apps were the main reason for the attacks and that Android was susceptible to such threats. But in the light of recent incidents, the once invincible fort of security that guarded Apple devices no longer seems impregnable. Apps constitute a major chunk of revenue for Apple, and it could be a fatal blow to the company's finances if malware is not stopped from flooding the apps. The malware reportedly affects iOS version 8.1.1, which is slated for public release in the near future.

FireEye researchers suggest improving the existing standard of protection by providing more powerful interfaces that can protect enterprise users from Masque Attack. Some reports claim that such attacks are being reported only by those iPhone and iPad users who have disabled iOS security, intentionally or unintentionally. These malware attacks might just serve as the building blocks of further, more advanced attacks, and Apple should address them as swiftly as possible.
