Apple iOS Masque bug under active exploit

Hackers have discovered a way of attacking non-jailbroken iOS devices through the previously disclosed Masque attack, allowing the installation of malware using compromised versions of popular apps. 

The flaw is being actively used against iPhone and iPad users, according to infosec firm FireEye.

FireEye trawled through leaked data from IT security company Hacking Team to find out what kind of hacks the company was deploying.

“FireEye has recently uncovered 11 iOS apps within the Hacking Team's arsenals that utilise Masque Attacks, marking the first instance of targeted iOS malware being used against non-jailbroken iOS devices,” FireEye senior researcher Zhaofeng Chen wrote in a blog post.

The firm said the attack was one of the most advanced it had seen: it weaponised popular apps such as Facebook, WhatsApp, Viber, Google Chrome, Blackberry Messenger, Telegram and Skype, among others, to steal data from users.

According to FireEye, the modified apps came with an extra binary designed to exfiltrate sensitive data and communicate with a remote server. As the bundle identifiers are the same as the genuine apps on App Store, they can directly replace the genuine apps on iOS devices prior to iOS 8.1.3.

The attack didn't need users to jailbreak their phones - simply sending an installation link in an email would be enough for the attack to be successful.

The data was slurped up by the attack and sent back to remote servers including voice call recordings in Skype and Wechat, Chrome browser history logs, text messages sent in iMessage, Skype, WhatsApp and Facebook messenger, as well as GPS coordinates, contacts and photos.

The modified apps used the previously discovered “Masque attack”, also used by the WireLurker malware, making it possible to install a hacked app in place of an official one.

The user would be completely unaware that the app had been altered. 

FireEye said all iOS users needed to update their devices to the latest version and pay close attention to how they download apps.

Troy Gill, manager of security research at US-based web security firm AppRiver, said the hack was quite simple in its execution and could be very effective for malicious actors.

“Cybercriminals have traditionally gone where the numbers are so by that token the iOS platform becomes more attractive to them as it gains popularity across the globe,” he said.

“Most of the mobile malware that we have seen to date has been designed to target Android devices and there are two main reasons for this: Android has the largest number of users and the most open platform.

"However, this attack proves once again that no system is immune. When vulnerabilities like this exist in any popular OS and hackers know about them, it is only a matter of time before they are exploited.”

He said the extent of the attack would be partly based on how much bandwidth the attackers put behind the effort (since users need to visit a particular URL in order to exploit this vulnerability) and how many devices are currently in use that are on older, unpatched - prior to 8.1.3 - versions of iOS.

Gill said users should keep their devices up to date with the latest version of the operating system.

“Since vulnerabilities are often discovered and patched, a simple update can determine whether you fall victim or not. Also, every organisation's security training should include reminders about safe browsing and identifying suspicious links,” he said.