Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Security Strategy, Plan, Budget, Vulnerability Management, Threat Management, Threat Management, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Analyzing the Masque Attack that replaces apps with imposters

The September release of Apple's iOS 10 fixed a flaw that was allowing unscrupulous third-parties to replace genuine mobile apps from the App Store with their own malformed, yet seemingly authentic, software programs. However, iPhone users with devices running on iOS 9.3.5 and earlier remain vulnerable to this so called Masque Attack, warned Trend Micro Monday, in a Halloween warning that sounded like a modern-day Stepford Apps or Invasion of the App Snatchers.

The original Masque Attack emerged in 2014, after hackers leveraged a pair of vulnerabilities to pass off unwanted apps as legitimate versions of popular mobile software programs. These fake programs were even signed with enterprise certificates with the same Bundle IDs as the real thing. Apple seemingly fixed this issue with the release of iOS 8.4, until third-party app stores such as China-based Haima found new vulnerabilities that allowed them to override legit apps with their own adware-spiked versions using data inheritance – the passing of various files, permissions and properties from one entity to another.

"This shows that threat actors will analyze patched vulnerabilities and look into all aspects of these to identify any new ways to exploit applications and [operating systems], or even business processes, to attack their victims," said Jon Clay, director of global threat communications, in an email interview with

In a blog post today, Trend Micro detailed this unethical process further, noting that it has observed replacement versions of the apps Pokemon Go, Facebook and Messenger in the wild. Ostensibly, bad actors are modifying the genuine apps by introducing their own versions with identical Bundle IDs, thus tricking the App Store into thinking a more recent iteration of the program is available. The store then moves the settings and data from the older genuine app to the newer fake app, without a vetting or authorization process.  The actors are able to create these identical Bundle IDs in the first place by abusing Apple's code-signing process via a specially designed toolkit.

Trend Micro warned that if a user uninstalls a legitimate app and then later “re-installs” the Masque Attack version of that same app, the malicious app will inherit the original app's privacy protection and permission settings, thus granting the distributors of this app dangerous access to the device-owner's data.

In addition to repackaging real apps with modified versions, these latest Masque Attacks allow bad actors to promulgate malware under the guise of popular applications, change an original app's behavior by replacing its server links with malicious ones, and route legitimate apps to malicious URLs in order to steal user data and credentials, the post continued.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.