Free Republic

Security Flaw in iOS Opens Malware Door for Cyber Crooks
The VAR GUY | 11/12/2014 | DH Kass

Posted on 11/12/2014 9:21:19 AM PST by SeekAndFind

Security provider FireEye (FEYE) is cautioning that an opening in Apple’s (AAPL) iOS leaves most iPhones and iPads vulnerable to hackers attempting to swap installed, trusted applications for rogue software capable of stealing sensitive and confidential information from the user.

FireEye first reported the bug to Apple in late July, dubbing the way it infiltrates iOS 7.1.1 and later devices (including the most recent iOS 8 and iOS 8.1 updates), a “Masque Attack.” The hack requires users first click on a malicious link included in an email or text message that targets the location of the malware download, tricking users into believing the intrusive software is legitimate and part of Apple’s App Store. The malware can replace trusted apps, such as banking or social networking, without the user realizing an intrusion has occurred.

“This in-house app may display an arbitrary title (like 'New Flappy Bird') that lures the user to install it, but the app can replace another genuine app after installation,” using the same bundle identifier, wrote FireEye researchers Hui Xue, Tao Wei and Yulong Zhang in a blog post.

Only apps baked into iOS, such as Mobile Safari, are immune from attack, the researchers said.

“This vulnerability exists because iOS doesn't enforce matching certificates for apps with the same bundle identifier,” FireEye wrote. “We verified this vulnerability on iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta, for both jailbroken and non-jailbroken devices. An attacker can leverage this vulnerability both through wireless networks and USB.”

Although the Masque Attack is similar to WireLurker, another iOS bug disclosed last week, in its ability to infiltrate a mobile device through USB, it’s far more dangerous, FireEye’s researchers said.

“After looking into WireLurker, we found that it started to utilize a limited form of Masque Attacks to attack iOS devices through USB,” FireEye said. “Masque Attacks can pose much bigger threats than WireLurker. Masque Attacks can replace authentic apps, such as banking and email apps, using attacker's malware through the Internet. That means the attacker can steal user's banking credentials by replacing an authentic banking app with malware that has identical UI.”

FireEye said Apple mobile device users can protect themselves from Masque Attacks by not installing third-party apps, refraining from installing items in a third-party web pop-up and being mindful of iOS app warnings.


TOPICS: Computers/Internet; Society
KEYWORDS: apple; ios; malware

1 posted on 11/12/2014 9:21:19 AM PST by SeekAndFind
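
The missing check FireEye describes in the article above, modelled as an added example (not code from FireEye, Apple or the original post): an installer that replaces an app on bundle-identifier match alone, beside one that also requires the same signer, plus an inventory audit against a recorded baseline. The class and function names, bundle IDs and signer strings are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class App:
    bundle_id: str         # identifier the OS uses to decide "same app"
    title: str             # display name; arbitrary, chosen by the publisher
    signer: str            # signing identity (constructed placeholder strings)
    builtin: bool = False  # preinstalled apps, which the article says are immune

def install(installed: dict, new: App, enforce_signer_match: bool) -> str:
    """Apply one install request; return 'installed', 'replaced' or 'rejected'."""
    old = installed.get(new.bundle_id)
    if old is None:
        installed[new.bundle_id] = new
        return "installed"
    if old.builtin:
        return "rejected"
    # The check the article says was not enforced: same bundle ID, same signer.
    if enforce_signer_match and old.signer != new.signer:
        return "rejected"
    installed[new.bundle_id] = new
    return "replaced"

def audit(installed: dict, baseline: dict) -> list:
    """Bundle IDs whose current signer differs from the recorded baseline."""
    return sorted(b for b, app in installed.items()
                  if b in baseline and baseline[b] != app.signer)

def demo(enforce: bool):
    # Constructed device state: one third-party app and one built-in app.
    bank = App("com.example.bank", "Example Bank", "SIGNER-BANK")
    browser = App("com.example.browser", "Built-in Browser", "SIGNER-OS", builtin=True)
    installed = {a.bundle_id: a for a in (bank, browser)}
    baseline = {b: a.signer for b, a in installed.items()}
    requests = [
        App("com.example.bank", "Example Bank", "SIGNER-BANK"),       # genuine update
        App("com.example.browser", "Game", "SIGNER-OTHER"),           # targets built-in
        App("com.example.bank", "New Flappy Bird", "SIGNER-OTHER"),   # lure from the article
    ]
    results = [install(installed, r, enforce) for r in requests]
    return results, audit(installed, baseline)

if __name__ == "__main__":
    print("bundle ID only:  ", demo(False))
    print("signer enforced: ", demo(True))
```

The audit function is the part a device-management team can apply today: record the signer for each managed bundle ID at enrollment and flag any later mismatch.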

To: SeekAndFind

Interesting. Apple defense force swarm to this thread to confuse the idiots that think that Apple is immune from malware.


2 posted on 11/12/2014 9:46:44 AM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: SeekAndFind

Maybe someone needs to quickly let Rush and the other fanboys know about this. After all, iOS is and has always been so secure. </sarcasm>


3 posted on 11/12/2014 9:48:02 AM PST by RJS1950 (The democrats are the "enemies foreign and domestic" cited in the federal oath)

To: for-q-clinton

DO NOT BLASPHEME!

Apple is a conservative company and we should all buy the bestest thing evar! every month to support their conservative outreach to gay and anti christian groups cuZ they’re awesomZ and stuff.

Your security is not important. Get it straight.


4 posted on 11/12/2014 9:49:51 AM PST by Norm Lenhart (Feet to the fire folks. YOU PROMISED!)

To: SeekAndFind

If one follows common sense and doesn’t download third party software and doesn’t open unknown links from email they won’t get this virus.


5 posted on 11/12/2014 10:07:14 AM PST by bubbacluck (America 180)

To: liege

Tell that to the millions of Windows XP users who complained about viruses...which were all installed by clicking on links and agreeing to install them. All those users went to apple for “More Security”.


6 posted on 11/12/2014 10:12:57 AM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: for-q-clinton

Well, yes, there’s that.


7 posted on 11/12/2014 10:15:03 AM PST by bubbacluck (America 180)

To: SeekAndFind
Again, the rule of thumb to be learned here, is to install applications through Apple, not other "vendors".

It's interesting that there have been no threads posted about this threat. "Microsoft Patches OLE Zero Day, Recommends EMET 5.1 Before Applying IE Patches". I imagine that yet another bug already being exploited is not as 'newsworthy' as a theoretical attack against Apple users.

8 posted on 11/12/2014 10:18:01 AM PST by zeugma (The act of observing disturbs the observed.)

To: zeugma

Again the rule of thumb here is that users are stupid. Look at the millions of Windows XP users who clicked on links and installed malware every day and then complained about it as if it was Microsoft’s fault. Those users are now using iPhones.


9 posted on 11/12/2014 10:22:39 AM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: Swordmaker

FUD ping!


10 posted on 11/12/2014 10:38:54 AM PST by BullDog108 (A Smith & Wesson beats four aces!)

To: for-q-clinton
Again the rule of thumb here is that users are stupid. Look at the millions of Windows XP users who clicked on links and installed malware every day and then complained about it as if it was Microsoft’s fault. Those users are now using iPhones.

Yeah, I'll agree with you that in general, users are ignorant. Seems to be the way of things where technology is involved.

Now, let's look at the difference between what has to happen on these two platforms.

XP:

1) User goes to a website with a malicious script. Boom! you're infected.

2) User goes to a website that has a flashy banner enticing the user to click me! User does. boom! infected user.

IOS:

1) user goes to a website with a malicious script. (nothing happens)

2) user goes to website with flashy banner enticing the user to click me! User does. IOS informs the user they are downloading from an untrusted source. User agrees to it, and enters their password. User now has a file on their disk that they must install by clicking on it. (or perhaps the OS will let install without that step. I don't know) Regardless, the first time you run the app, it again informs you that it is an untrusted app, and asks if you want to run it.

You really want to compare the two?

 

11 posted on 11/12/2014 10:41:20 AM PST by zeugma (The act of observing disturbs the observed.)

To: zeugma; Swordmaker

The OS will not install it automatically. You will get a window asking for the owner “admin” password. Sensible owners do not tell anyone that password. Without it, no installation takes place.

This keeps the idiotic teens, or other users who have access, from installing stuff without adult/parental permission.

One has to be very dumb to mess up an apple product. But, the apple haters keep on hoping, and spreading misinformation.


12 posted on 11/12/2014 11:11:36 AM PST by jacquej ("You cannot have a conservative government with a liberal culture." (Mark Steyn))

To: zeugma

Well windows XP is over 10 years old so it is a little unfair to compare the two but I think it makes the point.


13 posted on 11/12/2014 11:17:07 AM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: jacquej

I expect we’ll see several different variants of this FUD before it finally dies.


14 posted on 11/12/2014 11:17:48 AM PST by zeugma (The act of observing disturbs the observed.)

To: jacquej
“...One has to be very dumb to mess up an apple product. But, the apple haters keep on hoping, and spreading misinformation.”
**************************************************************************************************
Yes, they are like moths attracted mindlessly to the light...not comprehending why they feel compelled, they flit to any thread they see on an Apple product and post mindless and unthought-out FUD. Pity the poor souls infected with Apple Derangement Syndrome.
15 posted on 11/12/2014 11:19:39 AM PST by House Atreides

To: for-q-clinton
Well windows XP is over 10 years old so it is a little unfair to compare the two but I think it makes the point.

I agree that it makes the point quite well. I still have yet to see a drive-by installation on the OSX or IOS that installs without user intervention. The 0-day vulnerability I mentioned above shows people using Microsoft OSes are still getting infected by documents. Kind of astounding, really, that this is still possible in 2014.

16 posted on 11/12/2014 11:21:38 AM PST by zeugma (The act of observing disturbs the observed.)

To: for-q-clinton

The walled garden is not immune to weeds when people bring bagfuls of weed seeds in.

It’s not “immune” from malware: you just have to click thru assorted “Are you sure you want to install this program obtained from an un-trusted source?” warnings initiated by “phishing” emails - to wit, ignore clear warnings against risky behavior. It’s not like any of this malware doesn’t involve wanton stupidity on the part of the user.

But no, you have to go out of your way posting snide “idiots think Apple is immune from malware”.


17 posted on 11/12/2014 11:33:19 AM PST by ctdonath2 (You know what, just do it.)

To: for-q-clinton

There’s stupid, and then there’s taking numerous steps to evade active security and wantonly ignore unavoidable warnings ... and then there’s screaming “totalitarian walled garden sux!” when methods to install unreviewed unapproved software are shut down and full security imposed.


18 posted on 11/12/2014 11:39:29 AM PST by ctdonath2 (You know what, just do it.)

To: SeekAndFind; ~Kim4VRWC's~; 1234; Abundy; Action-America; acoulterfan; AFreeBird; Airwinger; ...
This vulnerability has been covered on FreeRepublic in full in. Apple has closed this door which is not much of a threat:

WireLurker, Masque Attack malware only a threat for users who disable Apple's iOS, OS X security

Apple iOS bug makes devices vulnerable to attack: experts

And it basically was a trojan that NO ONE HAS BEEN HIT BY. . . and requires a victim to do some things that no one does anymore. The concatenation of events to exploit this so-called vulnerability, which is just the ability of any device to install an app, including jailbreaking one's iOS device to get hit is absurd. No one is at all threatened by this "vulnerability."

Apple added the OS X trojan variation to xProtect within 24 hours (days ago) and every connected Internet Mac is now protected from it.

To avoid this problem is quite simple:

  1. Don't turn off the built in security in OS X or iOS.
  2. Don't jail break your iOS device!
  3. Don’t install apps from third-party sources (untrusted app stores which cannot be done on an unjailbroken iOS device anyway!) other than Apple’s official App Store or the user’s own corporate organization.
  4. When opening an app, if iOS shows an alert with “Untrusted App Developer”, as shown in Figure 3, click on “Don’t Trust” and uninstall the app immediately
  5. In other words, Don't be stupid.
This article and others like it are essentially FUD. This is conflating the ability to install apps into a vulnerability and trying to gin up fear, uncertainty, and doubt. FUD PING!


Apple Security FUD Ping!

If you want on or off the Mac Ping List, Freepmail me.

19 posted on 11/12/2014 12:48:15 PM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: liege
If one follows common sense and doesn’t download third party software and doesn’t open unknown links from email they won’t get this virus.

Even opening links through email cannot get you "infected." An unjailbroken iPhone or iPad cannot download apps from anywhere except Apple's Official App Store.

To get affected by this requires quite a concatenation of events to compromise your iOS device. This is FUD. The user has to really be stupid to fall for any of this. The user has to have deliberately turned OFF his built in security on both iOS and his Mac to get any of this onto his iOS device. . . and then ignored warning alerts after downloading the malicious software from an untrusted site, unless the hacker has invaded his company's corporate IT department and snuck it in there after it was curated by Apple. Not at all likely.

20 posted on 11/12/2014 12:55:06 PM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

