Using 'WireLurker' malware, the attack plays off a vulnerability in third-party app stores to overwrite legitimate apps with malicious ones.
Using 'WireLurker' malware, the attack plays off a vulnerability in third-party app stores to overwrite legitimate apps with malicious ones.

Researchers have discovered a new attack on iOS devices that could allow attackers to unsuspectingly access and steal users' personal and financial information from their app caches.

The “Masque Attack” works off a vulnerability in third-party app stores that, when exploited, allows attackers to replace genuine apps downloaded from the App Store with their own malicious versions, according to a FireEye blog post. Legitimate apps can be written over if they share the same bundle identifiers as the malicious apps.

“This vulnerability exists because iOS doesn't enforce matching certificates for apps with the same bundle identifier, so attackers can use enterprise provisioning/adhoc provisioning apps to replace the original apps from the app store,” Tao Wei, senior research scientist, said in an email to SCMagazine.com

This attack is one of the first to be put together with WireLurker malware, which originally attacked iOS devices through USB.

As compared to that original attack, the Masque version spreads malware directly through the internet and can originate with a phishing text prompting an iOS user to download a new app.

As an example, researchers sent a phishing text to themselves with instructions to check out a new app, as well as a download link. When they clicked on the link to download the app, nothing was installed outright. Rather, their Gmail app was written over with malicious code.

Although the legitimate app was effectively replaced, the malware could still access the original app's local data, which often contain cached emails or login tokens.  Plus, to make the attack even sneakier, the malicious app's design almost exactly copied the original interface, and to succeed, the attacker only needed to use the same bundle identifier as Gmail, or “com.google.Gmail.”

FireEye told Apple about the vulnerability in July; however, a patch has yet to be released. To see if an app is already compromised, iOS 7 users can check the enterprise provisioning profiles installed on their devices.

This attack was verified on iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta, on both jailbroken and non-jailbroken devices.

As compared to iOS, Android devices do enforce certificate matching.