“Masque Attack” replaces genuine apps with malware …

November 13, 2014

The US National Cyber Awareness System is warning about a technique called “Masque Attack” that allows a genuine application installed on an iOS device to be replaced with one infected with malware, if a limited set of circumstances is met.

The technique was discovered and described by FireEye Mobile security researchers.

FireEye discovered that an iOS application installed using “enterprise/ad-hoc” provisioning could replace another genuine application installed through the App Store, as long as both applications use the same bundle identifier. The malicious application may display an arbitrary title (such as “New FlappyBird”) that entices the user to install it, but once installed it may replace a different, genuine application. All applications can be replaced except pre-installed iOS applications such as “Mobile Safari”.
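The collision condition described above can be checked before an IPA is allowed onto managed devices. The following is an added example, not code from FireEye or US-CERT; the inventory, the sample bundle identifiers, the function names, and the use of a bundled `embedded.mobileprovision` file as the marker of enterprise/ad-hoc distribution are assumptions.

```python
import io
import plistlib
import zipfile

# Constructed inventory: bundle identifier -> genuine App Store app on managed devices.
APP_STORE_INVENTORY = {"com.example.mail": "Example Mail"}


def build_sample_ipa(bundle_id, title, provisioned=True):
    """Build a minimal in-memory IPA. Constructed test data, not a real app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as ipa:
        info = {"CFBundleIdentifier": bundle_id, "CFBundleDisplayName": title}
        ipa.writestr("Payload/Sample.app/Info.plist",
                     plistlib.dumps(info, fmt=plistlib.FMT_BINARY))
        if provisioned:
            ipa.writestr("Payload/Sample.app/embedded.mobileprovision", b"constructed")
    return buf.getvalue()


def inspect_ipa(ipa_bytes, inventory):
    """Report whether an IPA would land on top of an inventoried App Store app."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as ipa:
        names = ipa.namelist()
        # The top-level bundle plist is Payload/<Name>.app/Info.plist.
        plist_path = next((n for n in names if n.startswith("Payload/")
                           and n.endswith(".app/Info.plist") and n.count("/") == 2), None)
        if plist_path is None:
            raise ValueError("not an IPA: no Payload/<Name>.app/Info.plist")
        info = plistlib.loads(ipa.read(plist_path))  # handles XML and binary plists
        app_dir = plist_path.rsplit("/", 1)[0]
        # Assumption: a bundled provisioning profile marks enterprise/ad-hoc distribution.
        provisioned = app_dir + "/embedded.mobileprovision" in names
    bundle_id = info.get("CFBundleIdentifier", "")
    title = info.get("CFBundleDisplayName") or info.get("CFBundleName", "")
    genuine = inventory.get(bundle_id)
    return {
        "bundle_id": bundle_id,
        "title": title,
        "provisioned": provisioned,
        "collides_with": genuine,  # name of the app that would be replaced, or None
        # The displayed title is arbitrary, so only the identifier decides the verdict.
        "block": genuine is not None and provisioned,
    }


if __name__ == "__main__":
    for ipa in (build_sample_ipa("com.example.mail", "New FlappyBird"),
                build_sample_ipa("com.example.inhouse", "In-House Tool")):
        print(inspect_ipa(ipa, APP_STORE_INVENTORY))
```

The first sample carries an unrelated title but the bundle identifier of an inventoried App Store app, so it is flagged; the second uses an identifier that is not in the inventory and passes.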

An application installed on an iOS device using this technique can:

  • Mimic the login interface of the original application to steal the victim’s login credentials.
  • Access confidential data in local data caches.
  • Monitor the user’s device in the background.
  • Gain root privileges on the iOS device.
  • Pose as a genuine app.

iOS users can protect themselves from “Masque Attack” by following three steps:

  • Do not install applications from sources other than the official Apple App Store or from your own organization.
  • Do not click “Install” from a third party pop-up while viewing a web page.
  • When opening an application, if iOS displays an “Untrusted Developer App” alert, click on “Untrusted” and uninstall the application immediately.

More details on “Masque Attack” and mitigation guidance can be found on the FireEye blog.

National Cyber Awareness System: TA14-317A: Apple iOS “Masque Attack” Technique
