Malware Alert: Beware the Apple iOS “Masque Attack”

iPhone users: do you want the new version of Angry Birds?

Of course you do – and malware developers are banking on that. But your desire for app updates and your trusting nature might lead you to a world of trouble.

What is the Masque Attack?

Earlier this year, security firm FireEye discovered a significant vulnerability in Apple’s iOS that allows malware to be installed by unsuspecting users, simply by allowing a third-party app to update on their phone or tablet. The update is typically triggered by clicking a link provided in an email or SMS (text) message, rather than by updating an app through Apple’s App Store.

Untrusted App Developer alert on iOS

What versions of iOS are vulnerable to the Masque Attack?

If you are running iOS 7.1.1, 7.1.2, 8.0, 8.1 or 8.1.1 beta, you are vulnerable. It doesn’t matter if your phone is jailbroken or not.

How does the Masque Attack work?

A user may receive an email or SMS (text) message with a link to what appears to be an update to an app. However, if they click that link, what they receive isn’t a legitimate app update, but rather a cleverly disguised piece of malware designed to look exactly like the legitimate app. And while the malware app looks and acts like the legitimate app, it exploits the information contained in your phone… information that can include logins and other personal data.

Now, do you really want that new Angry Birds?

I don’t mean to pick on Angry Birds, since there are any number of apps out there that could potentially be exploited. The problem isn’t actually with the legitimate app. The problem is that iOS does not enforce matching certificates for apps with the same bundle identifier. This allows an untrusted app to replace a legitimate app, just by using the legitimate app’s bundle ID.

Apple’s own iOS platform apps are not affected by this vulnerability. So at least you’re safe in that regard.
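
To make the missing check concrete, here is a small model of the install decision, added as an illustration (it is not Apple’s or FireEye’s code). The bundle IDs, signer labels and function names are constructed assumptions; the first installer replaces on bundle ID alone, the second also requires the same signer.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class App:
    bundle_id: str          # e.g. "com.example.game" (constructed)
    signer: str             # signing-certificate identity (constructed label)
    platform: bool = False  # preinstalled platform app

PLATFORM_MSG = "rejected: platform app cannot be replaced"

def install_vulnerable(installed, incoming):
    """Flaw described above: the bundle ID alone decides what gets replaced."""
    current = installed.get(incoming.bundle_id)
    if current is not None and current.platform:
        return PLATFORM_MSG
    installed[incoming.bundle_id] = incoming
    return "replaced" if current is not None else "installed"

def install_checked(installed, incoming):
    """Same flow, but a replacement must carry the installed app's signer."""
    current = installed.get(incoming.bundle_id)
    if current is not None:
        if current.platform:
            return PLATFORM_MSG
        if current.signer != incoming.signer:
            return "rejected: signer mismatch"
    installed[incoming.bundle_id] = incoming
    return "replaced" if current is not None else "installed"

def fresh_device():
    # Constructed inventory: one App Store game, one platform app.
    return {
        "com.example.game": App("com.example.game", "SIGNER-STORE-DEV"),
        "com.example.platform": App("com.example.platform", "SIGNER-VENDOR", True),
    }

def run(installer):
    device = fresh_device()
    update = App("com.example.game", "SIGNER-STORE-DEV")    # genuine update
    lookalike = App("com.example.game", "SIGNER-UNKNOWN")   # reuses the bundle ID
    fake_platform = App("com.example.platform", "SIGNER-UNKNOWN")
    return {
        "update": installer(device, update),
        "lookalike": installer(device, lookalike),
        "platform": installer(device, fake_platform),
        "final_signer": device["com.example.game"].signer,
    }

if __name__ == "__main__":
    for name, fn in (("vulnerable", install_vulnerable), ("checked", install_checked)):
        print(name, run(fn))
```

With the vulnerable installer the lookalike ends up as the installed copy of the game; with the signer check the genuine update still goes through and the lookalike is refused.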

How do I avoid the iOS Masque Attack?

Three ways:

  1. Don’t download an app that doesn’t come from the App Store.
  2. Don’t update an app via a link in an email or SMS (text) message.
  3. Uninstall any app that pops up as “Untrusted App Developer” when launched.

In other words, don’t install or update any apps unless they come through the App Store. It’s as simple as that.

Be safe out there!