US govt issues advice on iOS Masque vulnerability
Cyber-sec departments post alert, protection instructions, following WireLurker discovery
The US government's cyber security experts this week issued an online notice warning Apple users of the recently discovered Masque Attack vulnerability resident in iOS that could allow malicious parties to steal sensitive data.
The National Cybersecurity and Communications Integration Centre and the US Computer Emergency Readiness unit posted the alert following a week in which the first known exploitation of the flaw in the wild was reported by Palo Alto Networks. The campaign, known as WireLurker, mainly affected Chinese Apple users and, according to Ryan Olson, intelligence director, Unit 42, Palo Alto Networks, the compromised data was limited to address book contacts and messaging IDs.
But "they could just as easily take your Apple ID or do something else that's bad news," he added.
Later, FireEye revealed it had discovered the underlying Masque Attack vulnerability earlier this year, and had informed Apple in July. The flaw taints trusted apps installed on iDevices from the App Store: users are tricked, via malicious text messages, emails and Web links, into installing malware disguised as updates. Once the installed malware has hijacked the apps, it has access to a range of sensitive information, including login credentials for services such as email and banking.