New iOS Threat: ‘Update’ Replaces App with Evil Twin

Mobile-security researchers have identified an iOS security flaw that could replace legitimate Apple Store apps with doppelgangers capable of secretly accessing users' e-mail messages, log-ins, passwords and financial data. The so-called Masque Attacks described by the IT security firm FireEye operate by mimicking the identifiers and interfaces of genuine apps the user has already installed.

In a Monday blog post describing the attack method, FireEye researchers said they first discovered the vulnerability in July, and notified Apple shortly afterward. They added that it was "urgent" to notify the public because "there could be existing attacks that haven't been found by security vendors."

Masque Attacks can be launched entirely over wireless networks without any need for an iPhone to be connected to another device. Current protections and interfaces from Apple do not prevent Masque Attacks, the FireEye researchers said.

Invasion of the App Body-Snatcher

The security flaw that enables Masque Attacks stems from Apple's support for enterprise provisioning, which allows large organizations to develop and deploy custom apps to their employees' devices. Such apps don't receive the same scrutiny from Apple as those from the official Apple Store.

The Masque Attack works by attempting to entice an iPhone user to install a new app or an update to an existing app. If the user agrees, the attack proceeds, not only installing the bait app but also replacing a previously installed legitimate app such as Gmail with an identical-looking but malicious version of that app.

Once installed, the copycat app can access the original app's local data -- cached e-mails, for example -- and upload sensitive information to a remote server. The "body-snatcher" app goes undetected because it uses the same bundle identifier, an app-specific notation such as "," as the originally installed app.
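Because the replacement depends on an enterprise-provisioned package reusing the bundle identifier of an app that is already installed, that collision can be checked for before a package is allowed onto managed devices. The following Python check is an added example, not code from FireEye or Apple; the protected identifiers are constructed placeholders, and it assumes an enterprise profile can be recognised by the `ProvisionsAllDevices` key in `embedded.mobileprovision` (the profile's signature is not verified here).

```python
import io
import plistlib
import re
import zipfile

# Constructed allowlist (placeholder values): bundle identifiers of store apps
# that should never arrive through enterprise provisioning.
PROTECTED_BUNDLE_IDS = {"com.example.mail", "com.example.bank"}
INFO_RE = re.compile(r"^Payload/[^/]+\.app/Info\.plist$")
PROFILE_RE = re.compile(r"^Payload/[^/]+\.app/embedded\.mobileprovision$")


def inspect_ipa(data: bytes) -> dict:
    """Return bundle id, enterprise flag and collision verdict for an .ipa archive."""
    bundle_id, enterprise = None, False
    with zipfile.ZipFile(io.BytesIO(data)) as ipa:
        for name in ipa.namelist():
            if INFO_RE.match(name):
                bundle_id = plistlib.loads(ipa.read(name)).get("CFBundleIdentifier")
            elif PROFILE_RE.match(name):
                # The profile is a signed container wrapping an XML plist;
                # slice the plist out (signature is not checked in this example).
                raw = ipa.read(name)
                start, end = raw.find(b"<?xml"), raw.find(b"</plist>")
                if start != -1 and end != -1:
                    profile = plistlib.loads(raw[start:end + len(b"</plist>")])
                    enterprise = bool(profile.get("ProvisionsAllDevices", False))
    if bundle_id is None:
        raise ValueError("no Info.plist found under Payload/*.app/")
    return {"bundle_id": bundle_id, "enterprise": enterprise,
            "masquerade_suspect": enterprise and bundle_id in PROTECTED_BUNDLE_IDS}


def build_sample_ipa(bundle_id: str, enterprise: bool) -> bytes:
    """Constructed test archive: minimal Info.plist plus a fake profile blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Sample.app/Info.plist",
                   plistlib.dumps({"CFBundleIdentifier": bundle_id}))
        if enterprise:
            body = plistlib.dumps({"ProvisionsAllDevices": True})
            z.writestr("Payload/Sample.app/embedded.mobileprovision",
                       b"\x30\x82" + body + b"\x00sig")
    return buf.getvalue()


if __name__ == "__main__":
    for bid, ent in [("com.example.mail", True), ("com.example.game", True)]:
        print(inspect_ipa(build_sample_ipa(bid, ent)))
```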

Take 'Extra Caution'

Until stronger security protections become available, the FireEye...
