Apple iOS flaw lets attackers replace apps with malware

Security researchers have discovered a serious vulnerability in Apple's iOS mobile operating system that allows attackers to easily replace genuine, verified App Store apps on users devices with malware.

FireEye researcher Hui Xue wrote in blog post published overnight that the "Masque Attack" vulnerability means apps on user devices can be swapped out for malware over wireless networks, as well as USB serial connections.

Once installed on users' devices, the malware can take over. Apps installed via Masque Attack can, for example, replace banking programs to steal user credentials. They can also access the original app's local data as this is not removed when it is replaced by the malware.

Xue said the data could be cached emails, SMS texts, login tokens for access to user accounts, and more. 

The vulnerability has come about because of Apple's failure to enforce matching digital certificates for apps that have the same bundle identifier, a unique string that identifiies apps to iOS.

Enterprise provisioning and mobile device management systems cannot distinguish genuine apps from malware as long as they use the same bundle identifier, as there is presently no method to retrieve certificate information for each app, to verify them.

Users are tricked into installing malware through links sent to them via email or SMS messages. Beyond a dialog asking users to confirm that they want to install the app, there's no further warning that a genuine program is being replaced.

FireEye was able to use Masque Attack to create an app called "New Flappy Bird" that replaced the Gmail program, and which was able to access and upload a user's emails to another server. It was also able to monitor SMS and calling information.

The flaw is found in all current versions of iOS, from 7.1.1 to 8.1.1 beta, and FireEye said it has found evidence that malware distributors are starting to deploy apps with Masque Attack.

Only apps from Apple's App Store are vulnerable to the Masque Attack, Xue said. Built-in iOS apps cannot be replaced.

While there is no way currently in iOS to prevent the vulnerability, Xue and FireEye warned users not to install apps from any other souces than Apple's App Store or their own organisations.

Furthermore, users are advised to be wary of any pop ups asking to install apps. If iOS brings up an "untrusted app developer" alert, Xue said to click on the "Don't Trust" button and uninstall the app immediately.

Xue also said that iOS 8 appears to have removed a feature found in the older iOS 7 operating system that allows users to see which provisioning profiles have been installed on their devices, and report or delete suspicious ones. Deleting a provisioning profile prevents enterprise digitally signed apps that rely on it from running.

iOS8, however, does not show which provisoning profiles have been installed on users' devices.

This latest vulnerability appears to have links to the "Wirelurker" malware that Apple started blocking last week. Wirlelurker is a malicious application that started using a limited form of Masque Attacks to compromise iOS devices through USB connections.

Apple was notified of the Masque Attack vulnerability in July this year.