US govt issues advice on iOS Masque vulnerability
Cyber-sec departments post alert, protection instructions, following WireLurker discovery
The US government's cyber security experts this week issued an online notice warning Apple users of the recently discovered Masque Attack vulnerability resident in iOS that could allow malicious parties to steal sensitive data.
The National Cybersecurity and Communications Integration Centre and the US Computer Emergency Readiness unit posted the alert following a week in which the first known exploitation of the flaw in the wild was reported by Palo Alto Networks. The campaign, known as WireLurker, mainly affected Chinese Apple users and according to Ryan Olson, intelligence director, Unit 42, Palo Alto Networks, compromised data was limited to address book contacts and messaging IDs.
But "they could just as easily take your Apple ID or do something else that's bad news," he added.
Later, FireEye revealed it had discovered the underlying Masque Attack vulnerability earlier this year, and had informed Apple in July. The flaw lets attackers hijack trusted apps installed on iDevices from the App Store by tricking users into installing malware disguised as updates, delivered via malicious text messages, emails and Web links. Once the installed malware has hijacked the apps, it has access to a range of sensitive information, including login credentials for services such as email and banking.
"It is a very powerful vulnerability and it is easy to exploit," said Tao Wei, senior staff research scientist, FireEye.
Apple's strict security layers make its OS platforms more difficult to compromise than Android and Windows systems. According to David Richardson, iOS product manager at mobile security firm Lookout, the Masque Attack sidesteps Apple's security by exploiting a toolkit deployed by the Cupertino firm to allow developers to roll out software without having to first upload it to the App Store.
According to the US government's alert bulletin, users can protect themselves by not clicking "Install" on any pop-up messages while surfing the Web. If iOS displays an "Untrusted App Developer" warning, users are advised to click on "Don't Trust" and immediately uninstall the app.
The precise identity and motives of WireLurker's creators are unknown, but Palo Alto said the infection started in a third-party Chinese app store, where more than 400 infected apps were downloaded over 350,000 times onto Mac computers, mostly in China.