Just when you thought it was safe to start downloading apps from the Apple App Store again after the exposure of the potentially malicious WireLurker malware, it turns out it's not.
Security firm FireEye recently discovered that WireLurker has made use of a piece of malware that is still in the wild, and one that could be more troublesome than previously thought. In short, Masque Attack clones real apps, and once you install what you think is the genuine app, it literally takes over your phone, and there is nothing you can do.
“[Masque Attack] could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier. This in-house app may display an arbitrary title (like “New Flappy Bird”) that lures the user to install it, but the app can replace another genuine app after installation. All apps can be replaced except iOS preinstalled apps, such as Mobile Safari,” FireEye wrote on its blog.
Following the recent discovery of WireLurker, FireEye found that it made use of some form of Masque Attack, and that is a real problem.
“After looking into WireLurker, we found that it started to utilise a limited form of Masque Attacks to attack iOS devices through USB. Masque Attacks can pose much bigger threats than WireLurker. Masque Attacks can replace authentic apps, such as banking and email apps, using attacker’s malware through the Internet.”
In layman's terms, a Masque Attack could replace a genuine banking app and steal the user's credentials to make financial transfers.
“That means the attacker can steal user’s banking credentials by replacing an authentic banking app with a malware that has identical UI. Surprisingly, the malware can even access the original app’s local data, which wasn’t removed when the original app was replaced.” [Source – FireEye]
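
A defender-side check for the bundle-identifier collision FireEye describes, as an added example that is not from FireEye or from this article: it audits an app inventory for entries that claim a protected bundle identifier but arrive through a different channel or signer. The inventory fields, the baseline, and every bundle identifier and team ID below are constructed assumptions (for instance, data exported from a device-management tool).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class InstalledApp:
    bundle_id: str      # bundle identifier reported for the installed app
    display_name: str   # title shown to the user
    team_id: str        # signing team identifier (constructed values below)
    source: str         # "app_store" or "enterprise" (assumed inventory field)

# Baseline of apps the organisation expects, keyed by bundle identifier.
# All values are constructed for this example.
BASELINE = {
    "com.example.bank": {"name": "Example Bank", "team_id": "TEAMBANK01"},
    "com.example.mail": {"name": "Example Mail", "team_id": "TEAMMAIL01"},
}

def audit(inventory, baseline=BASELINE):
    """Return (bundle_id, reasons) for every app that claims a baseline
    bundle identifier but does not match the baseline's channel or signer."""
    findings = []
    for app in inventory:
        expected = baseline.get(app.bundle_id)
        if expected is None:
            continue  # identifier is not one we protect; out of scope here
        reasons = []
        # Channel and signer are the primary signals: a replacement can copy
        # the UI and title, but not the genuine developer's signing identity.
        if app.source != "app_store":
            reasons.append("installed outside the App Store")
        if app.team_id != expected["team_id"]:
            reasons.append("signing team differs from baseline")
        if app.display_name != expected["name"]:
            reasons.append("display name differs from baseline")
        if reasons:
            findings.append((app.bundle_id, reasons))
    return findings

# Constructed inventory: the second entry reuses the bank's bundle identifier
# under a different title and signer, the pattern described in the quotes above.
SAMPLE_INVENTORY = [
    InstalledApp("com.example.mail", "Example Mail", "TEAMMAIL01", "app_store"),
    InstalledApp("com.example.bank", "New Flappy Bird", "TEAMXYZ999", "enterprise"),
    InstalledApp("com.example.game", "Some Game", "TEAMGAME01", "enterprise"),
]

if __name__ == "__main__":
    for bundle_id, reasons in audit(SAMPLE_INVENTORY):
        print(bundle_id, "->", "; ".join(reasons))
```

Because the replaced app's local data stays on the device, a finding here also means credentials and cached data held by the original app should be treated as exposed.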