The September release of Apple's iOS 10 fixed a flaw that was allowing unscrupulous third-parties to replace genuine mobile apps from the App Store with their own malformed, yet seemingly authentic, software programs. However, iPhone users with devices running on iOS 9.3.5 and earlier remain vulnerable to this so called Masque Attack, warned Trend Micro Monday, in a Halloween warning that sounded like a modern-day Stepford Apps or Invasion of the App Snatchers.
The original Masque Attack emerged in 2014, after hackers leveraged a pair of vulnerabilities to pass off unwanted apps as legitimate versions of popular mobile software programs. These fake programs were even signed with enterprise certificates with the same Bundle IDs as the real thing. Apple seemingly fixed this issue with the release of iOS 8.4, until third-party app stores such as China-based Haima found new vulnerabilities that allowed them to override legit apps with their own adware-spiked versions using data inheritance – the passing of various files, permissions and properties from one entity to another.
"This shows that threat actors will analyze patched vulnerabilities and look into all aspects of these to identify any new ways to exploit applications and [operating systems], or even business processes, to attack their victims," said Jon Clay, director of global threat communications, in an email interview with SCMagazine.com.
In a blog post today, Trend Micro detailed this unethical process further, noting that it has observed replacement versions of the apps Pokemon Go, Facebook and Messenger in the wild. Ostensibly, bad actors are modifying the genuine apps by introducing their own versions with identical Bundle IDs, thus tricking the App Store into thinking a more recent iteration of the program is available. The store then moves the settings and data from the older genuine app to the newer fake app, without a vetting or authorization process. The actors are able to create these identical Bundle IDs in the first place by abusing Apple's code-signing process via a specially designed toolkit.
Trend Micro warned that if a user uninstalls a legitimate app and then later “re-installs” the Masque Attack version of that same app, the malicious app will inherit the original app's privacy protection and permission settings, thus granting the distributors of this app dangerous access to the device-owner's data.
In addition to repackaging real apps with modified versions, these latest Masque Attacks allow bad actors to promulgate malware under the guise of popular applications, change an original app's behavior by replacing its server links with malicious ones, and route legitimate apps to malicious URLs in order to steal user data and credentials, the post continued.