OFFICIAL SECURITY BLOG


Major iOS insecurity!

Published November 11th, 2014 at 7:32 AM EST, modified November 11th, 2014 at 7:34 AM EST

I don’t usually write about iOS security issues here, because, well, there aren’t any! Okay, maybe iOS isn’t really all that rosy, but it’s been pretty secure overall. Malware has existed for iOS for some time, but required jailbreaking the device (i.e., hacking it to remove security and allow apps to be installed from sources other than the App Store). Unfortunately, that changed yesterday, as FireEye has announced a method they are calling the “Masque Attack” that can be used to install malware on iOS devices that have not been jailbroken.

FireEye’s blog post includes a video showing their proof-of-concept malware being installed and then in action. It shows the phone receiving a text message with a link to a supposed “New Flappy Bird” app. The user clicks the link and is taken to a website that offers to install the app, and the user chooses to install it.

At this point, the phone is pwned. Instead of installing the desired game, the GMail app is replaced with a malicious look-alike. This malicious GMail app is shown uploading all of the user’s e-mail messages to a malicious server, giving the hackers behind it access to confidential data.

Worse, the app has access to things that a normal App Store app would not have access to. As an example, the video also shows the app monitoring text messages and uploading them to a server as well.

It’s important to keep in mind that the app in question here is just a “proof of concept,” which means it’s a test app created by FireEye to explore and demonstrate what an attacker could do with this vulnerability. So this is not a look at a piece of real malware. However, FireEye does make a very concerning statement that indicates that they may have spotted malware in the wild using this technique:

We have seen proofs that this issue started to circulate. In this situation, we consider it urgent to let the public know, since there could be existing attacks that haven’t been found by security vendors. We are also sharing mitigation measures to help iOS users better protect themselves.

So how does this work? It’s actually quite simple. Apple has provided a means for businesses to create in-house apps that can be installed without having to go through the App Store. This is called “enterprise provisioning,” and this is what the new WireLurker malware takes advantage of, though in a very different manner.

This doesn’t sound so bad… after all, such capability needs to be present. However, the issue goes deeper than just the existence of enterprise provisioning. Apparently, iOS is not properly verifying the cryptographic certificates used to sign enterprise apps. This allows a fake app to mimic another app yet still have a valid signature. This is a serious vulnerability in iOS, and one that Apple needs to know about.
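To make the missing check concrete, here is a simplified model added as an illustration (it is not Apple's or FireEye's code). It contrasts an install policy that accepts any valid signature with one that also requires a replacement to come from the signer of the app already installed, plus an inventory audit a defender could run; the field names, app IDs and signer names are all hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class App:
    app_id: str      # identity the app claims (hypothetical field name)
    signer: str      # owner of the signing certificate (hypothetical label)
    sig_valid: bool  # True if the signature verifies against that certificate

def flawed_can_install(installed, incoming):
    """The behaviour the post describes: any valid signature is accepted."""
    return incoming.sig_valid

def strict_can_install(installed, incoming):
    """Also require that a replacement is signed by the installed app's signer."""
    if not incoming.sig_valid:
        return False
    current = installed.get(incoming.app_id)
    return current is None or current.signer == incoming.signer

def audit(inventory, expected_signers):
    """Return (app_id, expected, actual) for apps signed by an unexpected party."""
    return [(a.app_id, expected_signers[a.app_id], a.signer)
            for a in inventory
            if a.app_id in expected_signers
            and a.signer != expected_signers[a.app_id]]

# Constructed sample data; none of these names are real apps or certificates.
GENUINE = App("com.example.mail", "Example Mail Inc", True)
UPDATE = App("com.example.mail", "Example Mail Inc", True)
LOOKALIKE = App("com.example.mail", "Unrelated Enterprise Co", True)
INSTALLED = {GENUINE.app_id: GENUINE}

if __name__ == "__main__":
    for name, app in (("update", UPDATE), ("look-alike", LOOKALIKE)):
        print(name, flawed_can_install(INSTALLED, app),
              strict_can_install(INSTALLED, app))
    print(audit([LOOKALIKE], {"com.example.mail": "Example Mail Inc"}))
```

The look-alike passes the first policy because its signature is valid on its own terms; only the second policy, which compares signers, rejects it while still allowing the genuine update.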

Worse, though, it turns out that Apple has known about this for some time. FireEye says that they discovered this issue in July of this year, and notified Apple of the problem on July 26, about three and a half months ago. I can’t pretend that I know what goes on inside Apple and what difficulties they may face in fixing this vulnerability, but it’s certain that this vulnerability gave rise to WireLurker at a minimum, and from the sounds of FireEye’s statements, other malware as well.

Fortunately, there is some good news. Malware using the Masque Attack cannot get installed on your iOS device all by itself. It requires the user to visit a malicious web page and then choose to install the app when the site offers to do so. If you click the Cancel button rather than installing the app, you’re safe.

However, many people will install anything without a care just to get what they think is a cool new game or to see some video. People need to be aware of threats so that they can learn not to engage in such activities. As long as they believe that iOS is invulnerable, and that they can do whatever they like on their iPhones and iPads, they will be at increased risk. Even after Apple fixes the enterprise provisioning system to prevent misbehaviors like this, folks need to exercise caution online… even on iOS.


6 Comments

  • Ofelia says:

    Your last paragraph is absolutely true, not just for phones but also for anything else. A lot of times, if you just use your common sense, you can avoid a lot of problems. (This is also true for Oracle and ZeoBIT/Kromtech, who, if they used their common sense, would realize that their products are absolute crap [pardon my French] and stop trying to get them to work.)

  • Treacle4 says:

    Does this explain why in the “Atari Greatest Hits” iPad app, in app purchases would try and redirect me to external sites with untrusted certificates? Why would Atari do this or has the app been compromised??

    • Thomas says:

      This is almost certainly not related to the Masque Attack issue. You would need to contact the maker of that game to find out why that is happening.

    • Robert.Walter says:

      Is that the same Atari app that was offered for free as an anniversary promo but later cancelled/overwritten as soon as the update (which required in app payments to work) came out?

  • Jon says:

    Would this be the reason that for the past couple of weeks I’m now getting ads from AliExpress in Safari, which opens a whole new page for this awful company?! The http address starts with [http://]activities ?! I never opened or started malware knowingly..
