Just over a week ago, we published an in-depth look at “WireLurker,” one of the most advanced attacks seen so far on Mac OS X and iOS devices. WireLurker was the first malware to target both platforms, and it introduced on-the-fly repackaging of apps on iOS devices, whether or not they had been jailbroken.
WireLurker itself was dangerous, but the more troubling issue is the weakness it abused. Dubbed “Masque Attack,” this technique lets an attacker install a counterfeit iOS app on a victim’s iPhone or iPad by tricking them into tapping a link that triggers the install. This doesn’t bode well for users, as social-engineering lures are getting increasingly hard to distinguish from the real thing.
A Masque Attack reaches an iOS device quickly, easily and silently, and, most importantly, it needs no jailbreak. The malicious app is signed with an enterprise distribution certificate, which iOS accepts for installation outside the App Store, so the app appears legitimate and verified. The only signals the user sees are the install prompt and, on first launch, the “Untrusted App Developer” alert, both of which people routinely accept. Since no jailbreak is needed, virtually any iOS device is at risk, and most users would have no idea that an infection had even occurred.
Masque is unique and particularly dangerous because it takes advantage of a security flaw in iOS: an installed app can be replaced by any other app that carries the same bundle identifier, regardless of which developer signed it. Essentially, Masque lets attackers swap a genuine app for malware. Even more concerning, the replacement inherits the original app’s data container, so the user’s data is still there. A fake banking, password-storage or email app could therefore read all of the sensitive information the genuine app had already stored on the device, including enterprise data.
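The check a device-management or detection agent can make before an install, as an added example (this is not Lacoon’s code or Apple’s): open the incoming IPA, read CFBundleIdentifier from Info.plist and the signing Team ID and enterprise flag from embedded.mobileprovision, then compare them with what is already installed. A match on bundle identifier with a different signer is exactly the replacement Masque relies on. The installed-app inventory, the team IDs and the sample IPA are constructed for the example; the real embedded.mobileprovision is a CMS-signed blob, which the helper approximates by padding an XML plist with junk bytes.

```python
"""Bundle-identifier collision check for an enterprise-signed IPA (added example)."""
import io
import plistlib
import zipfile

# Hypothetical device inventory: bundle identifier -> Team ID that signed
# the installed copy, as a detection agent would record it (constructed).
INSTALLED_APPS = {
    "com.example.bank": "TEAMBANK01",   # App Store copy of a banking app
    "com.example.mail": "TEAMMAIL02",
}


def extract_provision_plist(blob: bytes) -> dict:
    """Pull the plist out of an embedded.mobileprovision.

    Real profiles are CMS (PKCS#7) signed with the XML plist inside the DER
    wrapper; slicing between '<?xml' and '</plist>' reads it without any
    crypto dependency (the signature is not verified here).
    """
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist found in provisioning profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def inspect_ipa(ipa: bytes) -> dict:
    """Return bundle id, signing team and provisioning type for an IPA."""
    with zipfile.ZipFile(io.BytesIO(ipa)) as z:
        names = z.namelist()
        info_path = next(n for n in names
                         if n.startswith("Payload/") and n.count("/") == 2
                         and n.endswith(".app/Info.plist"))
        app_dir = info_path.rsplit("/", 1)[0]
        info = plistlib.loads(z.read(info_path))
        prov_path = app_dir + "/embedded.mobileprovision"
        prov = extract_provision_plist(z.read(prov_path)) if prov_path in names else {}
    team_ids = prov.get("TeamIdentifier", [])
    return {
        "bundle_id": info["CFBundleIdentifier"],
        "team_id": team_ids[0] if team_ids else None,
        # ProvisionsAllDevices is set only in enterprise (in-house) profiles.
        "enterprise": bool(prov.get("ProvisionsAllDevices", False)),
    }


def masque_verdict(ipa_info: dict, installed: dict = INSTALLED_APPS) -> str:
    """Classify an install request.

    'collision'  same bundle id as an installed app, different signer:
                 the replacement a Masque Attack depends on
    'enterprise' enterprise-signed with no collision, still worth flagging
    'ok'         neither
    """
    bid = ipa_info["bundle_id"]
    if bid in installed and installed[bid] != ipa_info["team_id"]:
        return "collision"
    if ipa_info["enterprise"]:
        return "enterprise"
    return "ok"


def build_sample_ipa(bundle_id: str, team_id: str) -> bytes:
    """Constructed stand-in for an attacker's enterprise-signed IPA.

    The profile is an XML plist padded with junk bytes in place of the
    real CMS wrapper; the app binary itself is omitted.
    """
    info = plistlib.dumps({"CFBundleIdentifier": bundle_id, "CFBundleName": "Bank"})
    prov = plistlib.dumps({
        "TeamIdentifier": [team_id],
        "ProvisionsAllDevices": True,
        "Entitlements": {"application-identifier": f"{team_id}.{bundle_id}"},
    })
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Bank.app/Info.plist", info)
        z.writestr("Payload/Bank.app/embedded.mobileprovision",
                   b"\x30\x82\x00\x00" + prov + b"\x00\x00")
    return buf.getvalue()


if __name__ == "__main__":
    evil = build_sample_ipa("com.example.bank", "ATTACKER99")
    details = inspect_ipa(evil)
    print(details, "->", masque_verdict(details))
```

The verdict deliberately keys on the Team ID rather than the certificate’s common name: an attacker can pick any display name for an enterprise certificate, but the team identifier is tied to the Apple account that issued it. Replacing the padded plist with a real profile and verifying its CMS signature is the step a production agent would add.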
How do you protect iOS devices in an era when attacks no longer depend on a jailbreak? Following the best practices we have previously recommended against social engineering, especially installing apps only from the official Apple App Store and declining any install prompt that arrives through a link or web page, reduces exposure, but it is far from foolproof. Lacoon is designed to detect apps signed with these certificates, alerting users and their organizations when a potentially malicious app is about to be installed on a supported device.