It’s barely been a week since we learned about the WireLurker malware for iOS, and now we have new reports that an even more dangerous iOS malware called "Masque Attack" is in the wild.
"Masque Attack" works much like WireLurker in that it takes advantage of Apple’s enterprise provisioning to bypass other security checks on iOS. This proves that Apple’s banning of the infected WireLurker apps has been mostly ineffective, as expected, and until the company fixes this enterprise provisioning loophole, a whole new class of malware is going to invade iOS devices in the coming months or years.
Unlike WireLurker, though, Masque Attack doesn’t even need to infect the user's PC and then have the user connect to the iOS devices through USB. Instead, it can just infect iPhones or iPads when the user visits a certain infected web page online; then, it prompts the user to install a new app. Once the user clicks to install it, the device is infected.
The new app can replace any application on the user's device other than the pre-installed Apple applications. That includes email, banking or any other type of third-party app. If the user enters his or her login credentials in those apps, that information will be stolen by the malware's creators. The apps will look identical to the ones they are replacing.
Although FireEye reported the malware to Apple months ago (July 26, to be exact), Apple doesn’t seem to have fixed the loophole yet, and even the latest iOS 8.1.1 beta is vulnerable to it. The researchers said that all iOS versions from iOS 7.0 to iOS 8.1.1 beta are vulnerable to this malware.
What they found surprising is that the infected apps could even get access to data from the original apps. Apple doesn’t seem to have any security measure that prevents other apps, even if similar, from accessing that data.
The FireEye researchers tested the malware themselves with a fake Gmail app that would prompt for a "New Flappy Bird" app, which would surely tempt quite a few users to press "install". No Flappy Bird app would be installed, but instead the Gmail app would be replaced by the fake and infected Gmail replica, which like the original has access to the user's emails.
According to FireEye researchers, to protect yourself against this kind of malware, you need to:
- Avoid installing apps that don't come directly from Apple's App Store
- Avoid clicking "Install" or similar buttons from third-party web pages
- Uninstall apps for which you get an "Untrusted developer" iOS alert
Even if everyone reading these instructions follows them religiously, there will still be many more people who don't, and they will get infected with malware such as WireLurker or Masque Attack. Apple will need to either eliminate enterprise provisioning from consumer iPhones and iPads or provide a much more secure interface for these enterprise features, so that it becomes much more difficult for these infections to happen in the future.