Security researchers have warned of a security hole in Apple's iOS
devices that could allow attackers to replace legitimate apps with
booby-trapped ones, an exploit that could expose passwords, e-mails, or
other sensitive user data.
The "Masque" attack, as described by researchers from security firm FireEye, relies on enterprise provisioning
to replace banking, e-mail, or other types of legitimate apps already
installed on a targeted phone with a malicious one created by the
adversary. From there, the attacker can use the malicious app to access
sent e-mails, login credential tokens, or other data that belonged to
the legitimate app.
"Masque Attacks can replace authentic apps, such as banking and
e-mail apps, using attacker's malware through the Internet," FireEye
researchers wrote in a blog post published Monday.
"That means the attacker can steal user's banking credentials by
replacing an authentic banking app with malware that has an identical
UI. Surprisingly, the malware can even access the original app's local
data, which wasn't removed when the original app was replaced. These
data may contain cached e-mails or even login-tokens which the malware
can use to log into the user's account directly."
The attack works by presenting a targeted phone with the same sort of
digital certificate large businesses use to install custom apps on
employees' iPhones and iPads; the replacement succeeds as long as both the legitimate app and the
malicious app use the same bundle identifier. The attack requires some
sort of lure to trick a target into installing the malicious app,
possibly by billing it as an out-of-band update or a follow-on to an
already installed app. Recently, the researchers uncovered evidence the
attacks may be circulating online, they said without elaborating. The
technique doesn't work against apps preinstalled on iOS, such as Mobile
Safari. FireEye researchers said they reported the vulnerability to
Apple in July.
"By leveraging Masque Attack, an attacker can lure a victim to
install an app with a deceiving name crafted by the attacker (like New Angry Bird),
and the iOS system will use it to replace a legitimate app with the
same bundle identifier," Monday's report stated. "Masque Attack couldn't
replace Apple's own platform apps such as Mobile Safari, but it can
replace apps installed from App Store." From there attackers can:
Mimic the login interface of the replaced app to steal the victims' login credentials
Access local data caches assigned to the replaced app to steal e-mails, login tokens, or other sensitive data
Install custom programming interfaces not approved by Apple onto victims' phones
Bypass the normal app sandbox architecture built into iOS and
possibly get root access by exploiting known iOS vulnerabilities, such
as those recently targeted by the Pangu team.
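The replacement described above leaves a recognisable trace: an App Store bundle identifier that is now carried by an enterprise-signed app, often under an unrelated title, while Apple's own platform apps are never affected. The following is an added example, not FireEye's code, of a defender-side inventory check over a constructed device inventory; the inventory format, the signer labels and the baseline of expected App Store apps are assumptions.

```python
# Added example (not from the FireEye report): flag installed apps whose
# bundle identifier belongs to an expected App Store app but whose signing
# source or title no longer matches. The inventory format is hypothetical,
# standing in for an MDM or device-inventory export; all values are constructed.
from dataclasses import dataclass
from typing import Optional

# Hypothetical baseline: bundle identifiers the organisation expects to have
# come from the App Store, with the title each one normally shows.
EXPECTED_APP_STORE = {
    "com.google.Gmail": "Gmail",
    "com.example.bank": "Example Bank",   # constructed
}

@dataclass
class InstalledApp:
    bundle_id: str
    title: str
    signer: str                 # assumed labels: "apple", "app-store", "enterprise"
    team_id: Optional[str] = None   # enterprise team that signed it, if any

def is_platform_app(app: InstalledApp) -> bool:
    # Masque could not replace Apple's own platform apps such as Mobile Safari.
    return app.signer == "apple" or app.bundle_id.startswith("com.apple.")

def masque_findings(apps, expected=EXPECTED_APP_STORE):
    """Return (bundle_id, reason) pairs for apps that look replaced."""
    findings = []
    for app in apps:
        if is_platform_app(app):
            continue
        expected_title = expected.get(app.bundle_id)
        if expected_title is None:
            continue    # not an app we expect from the App Store; out of scope here
        if app.signer == "enterprise":
            findings.append((app.bundle_id,
                             f"App Store bundle id now signed by enterprise team {app.team_id}"))
        if app.title != expected_title:
            findings.append((app.bundle_id,
                             f"title changed from {expected_title!r} to {app.title!r}"))
    return findings

# Constructed inventory: one genuine banking app, one platform app, one
# legitimately enterprise-signed internal app, and one Masque-style replacement.
SAMPLE_INVENTORY = [
    InstalledApp("com.apple.mobilesafari", "Safari", "apple"),
    InstalledApp("com.example.bank", "Example Bank", "app-store"),
    InstalledApp("com.google.Gmail", "New Flappy Bird", "enterprise", "TEAMID0000"),
    InstalledApp("com.example.internal", "Expense Tool", "enterprise", "TEAMID0000"),
]
```

Only the Gmail entry is reported, on two counts, while the internal enterprise app passes because its bundle identifier is not one the baseline expects from the App Store.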
FireEye researchers documented the following proof-of-concept example attack:
In one of our experiments, we used an in-house app with a
bundle identifier “com.google.Gmail” with a title “New Flappy Bird.” We
signed this app using an enterprise certificate. When we installed this
app from a website, it replaced the original Gmail app on the phone.
Figure 1 illustrates this process. Figures 1(a) and 1(b) show the genuine
Gmail app installed on the device with 22 unread e-mails. Figure 1(c)
shows that the victim was lured to install an in-house app called “New
Flappy Bird” from a website. Note that “New Flappy Bird” is the title
for this app and the attacker can set it to an arbitrary value when
preparing this app. However, this app has a bundle identifier
“com.google.Gmail”.
After the victim clicks “Install”, Figure 1(d) shows the in-house app
was replacing the original Gmail app during the installation. Figure
1(e) shows that the original Gmail app was replaced by the in-house app.
After installation, when opening the new “Gmail” app, the user will be
automatically logged in with almost the same UI except for a small text
box at the top saying “yes, you are pwned” which we designed to easily
illustrate the attack. Attackers won’t show such courtesy in real world
attacks. Meanwhile, the original authentic Gmail app’s local cached
e-mails, which were stored as clear-text in a sqlite3 database as shown
in Figure 2, are uploaded to a remote server.
Note that Masque Attack happens completely over the wireless network, without relying on connecting the device to a computer.
Monday's post comes a few days after researchers from Palo Alto Networks uncovered an active malware campaign that also abused enterprise certificates to install unwanted apps on iPhones and iPads.
The FireEye post described WireLurker as a "limited form of Masque
Attacks to attack iOS devices through USB. Masque Attacks can pose much
bigger threats than WireLurker."
The attacks can be prevented by installing only apps that come from
Apple's official App Store. Users who encounter dialogue boxes from
third-party websites asking for permission to update existing apps or
install new ones should be especially suspicious. Users should
immediately uninstall any apps that return an alert saying "Untrusted
App Developer."