The Masque Attack
OS X/iOS was recently the target of what has been referred to as "The Masque Attack." This attack tricks victims into installing malicious apps from third-party app stores, such as Cydia (an unofficial iOS app store available to jailbroken iOS devices) and Lima (a browser-based app installer for jailbroken iPhones). This scheme can be particularly threatening to companies that have BYOD (Bring Your Own Device) policies, as it makes it harder for IT departments to distinguish fake apps from genuine ones. This attack is also known to bypass the app sandbox and gain root privileges by exploiting known iOS vulnerabilities.
Discovery
We have FireEye mobile security researchers to thank for discovering this recent attack: back in July they found that an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier. The genius behind this attack is that while the app may appear under a different name within the App Store, once installed, it can actually replace the genuine app without the user ever knowing.
Why is this even possible?
As much as Apple boasts about its technology being immune to attacks and viruses, there are weaknesses in its certificate rules for installing applications. iOS doesn't enforce matching certificates for apps with the same bundle identifier.
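The following is an added defender-side example, not code from the original article: it applies the point above by checking a device's installed apps against a baseline of the bundle identifiers the organisation trusts and the signing Team ID each one should carry. The inventory format, the Team IDs and the app names are constructed for the example, not a real MDM export.

```python
"""Flag installed apps that share a trusted bundle identifier but were not
signed by the expected developer certificate, or arrived through
enterprise/ad-hoc provisioning instead of the App Store."""
from dataclasses import dataclass


@dataclass
class Finding:
    bundle_id: str
    installed_name: str
    reason: str


# Constructed baseline: bundle identifier -> (expected name, expected Team ID).
TRUSTED_APPS = {
    "com.example.bank": ("Example Bank", "TEAM0000BANK"),
    "com.example.mail": ("Example Mail", "TEAM0000MAIL"),
}

# Constructed inventory for one device, as an MDM-style export might look.
# The second entry carries a trusted bundle identifier under a different
# name, a different signer, and an enterprise provisioning profile.
INVENTORY = [
    {"bundle_id": "com.example.bank", "name": "Example Bank",
     "signer": "TEAM0000BANK", "profile": "appstore"},
    {"bundle_id": "com.example.mail", "name": "New Flappy Game",
     "signer": "TEAM0000EVIL", "profile": "enterprise"},
    {"bundle_id": "com.example.game", "name": "Puzzle",
     "signer": "TEAM0000GAME", "profile": "appstore"},
]


def find_masque_candidates(inventory, trusted=TRUSTED_APPS):
    """Return a Finding for every installed app whose bundle identifier is
    trusted but whose signer or provisioning path does not match the baseline."""
    findings = []
    for app in inventory:
        expected = trusted.get(app["bundle_id"])
        if expected is None:
            continue  # not an app the organisation tracks
        expected_name, expected_signer = expected
        reasons = []
        if app["signer"] != expected_signer:
            reasons.append(f"signed by {app['signer']}, expected {expected_signer}")
        if app["profile"] != "appstore":
            reasons.append(f"installed via {app['profile']} provisioning")
        if app["name"] != expected_name:
            reasons.append(f"display name '{app['name']}' != '{expected_name}'")
        if reasons:
            findings.append(Finding(app["bundle_id"], app["name"], "; ".join(reasons)))
    return findings
```

A same-signer app installed through an enterprise profile is still reported, since the signer check alone would miss a legitimately re-signed internal build that overwrote the App Store copy.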
Impact
This can have a serious impact on users because the attack can replace genuine, trusted apps on the victim's mobile device. That means the attacker is able to replace a banking app, email app, etc. and steal banking credentials and other personal information. The malware can even go as far as accessing the original app's local data, which could contain login tokens that the malware can then use to directly access the user's account.
Beyond a general user, this could be a larger issue for an enterprise or company that distributes apps to its employees. Since these apps are not subject to Apple's review process, the attack can leverage iOS private APIs for stronger or larger-scale attacks, such as background monitoring and mimicking iCloud's UI to steal the user's Apple ID and password.
This article was published by Alex Nieves, 11/14/2014.