‘Masque Attack’ vulnerability could allow attackers to replace legitimate iOS apps with malicious apps to steal data


Keeping software safe and secure is a constantly demanding job, and finding bugs like “Masque Attack,” which was recently identified by cybersecurity firm FireEye, is an important part of it.

According to a blog post published on Monday, November 10, which was first noted by Reuters, cybersecurity firm FireEye has identified a bug that leaves many iOS-based devices prone to a major attack. Masque Attack is a way for someone to gain access to an iOS device through a malicious application that replaces a genuine app installed through the App Store. The researchers found that many applications can be replaced on an iOS device, either through a wireless network or through USB, except Apple’s own preinstalled applications, like Safari.

The researchers also note that this problem is not limited to jailbroken devices; they tested it on several versions of iOS, from iOS 7.1.1 up through iOS 8.1, and even the iOS 8.1.1 beta:

In July 2014, FireEye mobile security researchers have discovered that an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier. This in-house app may display an arbitrary title (like “New Flappy Bird”) that lures the user to install it, but the app can replace another genuine app after installation. All apps can be replaced except iOS preinstalled apps, such as Mobile Safari. This vulnerability exists because iOS doesn’t enforce matching certificates for apps with the same bundle identifier. We verified this vulnerability on iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta, for both jailbroken and non-jailbroken devices. An attacker can leverage this vulnerability both through wireless networks and USB.

Masque Attack can use a replaced application to do several different things, chiefly capturing information as the user enters it, including email addresses, phone numbers, passwords and more. What’s more, the researchers also found that after a genuine application is replaced, the data stored in the original app’s cache is still there, and accessible to the malicious app.

The researchers note that the easiest way to stay safe from these types of apps is to only download apps through the App Store.
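The missing check FireEye describes (same bundle identifier, different signing certificate) can be looked for in device app inventories. The following is an added example, not code from FireEye or Apple; the record fields, signer strings and sample inventories are constructed, and it assumes an inventory source such as an MDM export that reports each app's bundle identifier, signer and install source.

```python
"""Flag app replacements where the bundle identifier is unchanged but the signer differs."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AppRecord:           # hypothetical inventory record, not a real MDM schema
    bundle_id: str         # e.g. "com.example.mail"
    signer: str            # signing identity (team ID or certificate fingerprint)
    source: str            # "appstore", "enterprise", "adhoc" or "system"


def find_signer_mismatches(before, after):
    """Compare two inventory snapshots of the same device.

    Returns (bundle_id, old, new) for each app that kept its bundle
    identifier while its signing identity changed. A normal update keeps
    the same signer and is not reported.
    """
    previous = {app.bundle_id: app for app in before}
    findings = []
    for app in after:
        old = previous.get(app.bundle_id)
        if old is not None and old.signer != app.signer:
            findings.append((app.bundle_id, old, app))
    return findings


def is_high_risk(old, new):
    """App Store build replaced by an enterprise/ad-hoc build (the case on this page)."""
    return old.source == "appstore" and new.source in ("enterprise", "adhoc")


# Constructed sample snapshots: signer values are placeholders.
BEFORE = [
    AppRecord("com.example.mail", "TEAM-AAAA", "appstore"),
    AppRecord("com.example.bank", "TEAM-BBBB", "appstore"),
    AppRecord("com.example.notes", "TEAM-CCCC", "enterprise"),
]
AFTER = [
    AppRecord("com.example.mail", "TEAM-ZZZZ", "enterprise"),  # same ID, new signer
    AppRecord("com.example.bank", "TEAM-BBBB", "appstore"),    # ordinary update
    AppRecord("com.example.notes", "TEAM-CCCC", "enterprise"),
    AppRecord("com.example.game", "TEAM-DDDD", "adhoc"),       # new install only
]

if __name__ == "__main__":
    for bundle_id, old, new in find_signer_mismatches(BEFORE, AFTER):
        level = "HIGH" if is_high_risk(old, new) else "review"
        print(f"[{level}] {bundle_id}: {old.signer} ({old.source}) -> {new.signer} ({new.source})")
```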

Recently, another major compromise to iOS and the platform’s apps was found to be targeting Chinese iPhone/iPad users, with an attack known as “WireLurker,” which could also infiltrate iOS-based devices through a USB connection. Soon after, Apple issued a statement reminding users not to download untrusted applications, and to only download apps from a trusted source, like the App Store.


[via Reuters; FireEye]