Masque Attack malware a danger to iOS devices
It’s turning out to be a bad week for users of iOS devices. After the disclosure by Palo Alto Networks last week of the WireLurker malware, today the FireEye blog released details of the Masque Attack malware, which is shaping up to be worse than WireLurker.
Like WireLurker, Masque Attack affects both jailbroken and non-jailbroken devices. Unlike WireLurker, Masque Attack does not require the device to be connected to a PC or laptop. Masque Attack spreads when users download (usually over Wi-Fi) an affected application from an enterprise provisioning or ad-hoc distribution source. Because these sources are not subject to Apple’s stringent App Store review requirements, they are more prone to hosting infected applications.
The malware presents itself under a slightly altered name such as “New Angry Birds” or “New Flappy Bird”. Once the user installs the app, it replaces existing application icons with its own fake icons. The malware can then use these icons to steal user credentials. As an example, attackers have used a bogus iCloud app to steal Apple IDs.
Masque Attack has also shown a capability to steal login credentials and other cached data directly from the iOS device, including banking login IDs. The cached data (which also includes emails) can be uploaded to a remote server, according to the blog post.
The attack can start with spear-phishing emails. Individuals are targeted with emails containing links to specific applications in the enterprise store. These applications are infected with the malware; once the user downloads them, the iOS device becomes infected.
Another method of attack is a pop-up on a website inviting the user to download an application.
There are ways to mitigate the risk of downloading malware. The first, of course, is to be wary of emails that contain a link and invite you to download an application. Another is to only download applications from the Apple App Store or from the user’s own organisation. Do not click on pop-ups on websites that request that you download software to continue. Finally, if you see a message when installing an app that says the developer source is not trusted, uninstall the app immediately.
The disclosure last week of WireLurker and today’s exposure of Masque Attack represent a new frontier for iOS users. Attackers are able to target any iOS device, irrespective of whether it is jailbroken or not. Fortunately, there are procedures that, if observed, will greatly reduce the risk of downloading malware.