Our global Cyber Awareness System now focuses on the “Masque Attack” targeting iOS apps.
This time, things are not merely sophisticated but
highly intrusive and dangerous. Connectikpeople.co, soon #Retinknow, recalls
that FireEye mobile security researchers have discovered that an
iOS app installed using enterprise/ad-hoc provisioning could replace another
genuine app installed through the App Store, as long as both apps used the same
bundle identifier.
According to FireEye this vulnerability exists because iOS doesn't enforce
matching certificates for apps with the same bundle identifier.
FireEye has verified this vulnerability on iOS 7.1.1, 7.1.2, 8.0, 8.1 and
8.1.1 beta, for both jailbroken and non-jailbroken devices.
Connectikpeople.co, soon #Retinknow, also observes that an attacker can leverage this vulnerability both
through wireless networks and USB.
The attacker can steal users' banking credentials by replacing an authentic
banking app with malware that has an identical UI.
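To make the root cause concrete, here is an added model (not FireEye's or Apple's code) of the install-time decision described above: the vulnerable policy keys only on the bundle identifier, while the hardened policy also requires the signing identity to match before an existing app may be overwritten. The app records, team names and bundle identifier are constructed for illustration.

```python
"""Model of the install check behind the Masque Attack (added example).

The App records, signer names and bundle ID are constructed; real iOS
keeps this state in its installation daemon, not in a dict like this.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class App:
    bundle_id: str   # e.g. com.example.bank
    signer: str      # certificate / team identity that signed the app
    source: str      # "appstore", "enterprise" or "adhoc"


def vulnerable_install(installed: dict, new_app: App) -> str:
    """Pre-fix behaviour: a matching bundle ID is treated as an update,
    whatever the signer, so an enterprise-signed app silently replaces
    the App Store original."""
    existing = installed.get(new_app.bundle_id)
    installed[new_app.bundle_id] = new_app
    return "installed" if existing is None else "replaced"


def hardened_install(installed: dict, new_app: App) -> str:
    """Corrected policy: an app may only overwrite one carrying the same
    signing identity; a mismatch is refused and the original is kept."""
    existing = installed.get(new_app.bundle_id)
    if existing is not None and existing.signer != new_app.signer:
        return "refused: signer mismatch"
    installed[new_app.bundle_id] = new_app
    return "installed" if existing is None else "replaced"


# Constructed sample: a genuine App Store app and an enterprise-signed
# impostor that reuses its bundle identifier.
GENUINE = App("com.example.bank", "AppStore:TeamGENUINE", "appstore")
IMPOSTOR = App("com.example.bank", "Enterprise:TeamEVIL", "enterprise")


def demo():
    """Run both policies from the same starting state and report
    (result, signer now occupying the bundle ID) for each."""
    vuln = {GENUINE.bundle_id: GENUINE}
    hard = {GENUINE.bundle_id: GENUINE}
    return (vulnerable_install(vuln, IMPOSTOR), vuln[GENUINE.bundle_id].signer,
            hardened_install(hard, IMPOSTOR), hard[GENUINE.bundle_id].signer)


if __name__ == "__main__":
    print(demo())
```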
To mitigate risks, users and administrators are encouraged to:
1. Don’t install apps from third-party sources other than Apple’s official App
Store or the user’s own organization
2. Don’t click “Install” on a pop-up from a third-party web page, as shown in
Figure 1(c), no matter what the pop-up says about the app. The pop-up can show
attractive app titles crafted by the attacker
3. When opening an app, if iOS shows an alert with “Untrusted App Developer”,
as shown in Figure 3, click on “Don’t Trust” and uninstall the app immediately
To check whether there are apps already installed through “Masque Attacks”,
iOS 7 users can check the enterprise provisioning profiles installed on their
iOS devices, which indicate the signing identities of possible malware
delivered by Masque Attacks, by checking “Settings -> General ->
Profiles” for “PROVISIONING PROFILES”.