Google Search

Custom Search

Sunday, 16 November 2014

US Gov issue security alert for iOS - "Masque Attack" Technique

US Government Department of Homeland security through its US-CERT (Computer emergency readiness team) issue a warning on 13th November regarding a technique labeled "Masque Attack" that allow an attacker to substitute malware for a legitimate iOS app under a limited set of circumstances.

This technique can be applied and affected systems running iOS 7.11, 7.12, 8.0, 8.1 and 8.1.1 Beta and that would actually means almost the majority of currently running iphones and ipads.

Alert TA14-317A describe it as ;

"Masque Attack was discovered and described by FireEye mobile security researchers. This attack works by luring users to install an app from a source other than the iOS App Store or their organizations’ provisioning system. In order for the attack to succeed, a user must install an untrusted app, such as one delivered through a phishing link. 

This technique takes advantage of a security weakness that allows an untrusted app—with the same “bundle identifier” as that of a legitimate app—to replace the legitimate app on an affected device, while keeping all of the user’s data. This vulnerability exists because iOS does not enforce matching certificates for apps with the same bundle identifier. Apple’s own iOS platform apps, such as Mobile Safari, are not vulnerable."

Malware that installed itself using this technique would have the elevated rights as what the apps it replaces and would request more rights from the user and usually would be granted by an unknowing user. The Malware also would mimic the original apps in its behaviour such as its interface to steal user credentials such as login and paswords.

Once the malware installed itself, the malware could access sensitive data from the local cache such as stored credential and payment information. The malware also would be able to monitor the users usage behaviour and capture it.

As the Malware installed using this technique are essentially trusted by the user, any privileges request would normally approved by the unknowing user thus might gave the malware a full system wide access to all the information in the compromised iOS system.

US-CERT advise all iOS users to follow these 3 steps to protect themselves.  

  1. Don't install apps from sources other than Apple's official App Store or your own organization
  2. Dont't click install from a third party pop-up when viewing a web page 
  3. When opening an app, if iOS shown as "Untrusted App Developer" alert, click on "Don't Trust" and uninstall the app immediately
For further detail of this advisory, you can read further from the US-CERT website or from FireEye's blog.

Source : US-CERT 

No comments:

Post a Comment