Hackers Can Use iOS Provisioning Profiles to Install and Mask Malicious Apps as Legitimate

by Istvan Fekete on November 11, 2014

Following reports of the WireLurker iOS malware, here is another reason why iDevice users should think twice about what links they click: security research firm FireEye has uncovered a new vulnerability in iOS that can potentially be used to install malicious third-party applications.

The malware was named Masque Attack because it is able to emulate and replace existing legitimate apps. It works by luring users into installing an app from outside the iOS App Store after they click a phishing link in an email or text message.

As an example, FireEye used an SMS message with a link attached saying, “Hey, check this out, the New Flappy Bird”.

The link directed the user to a website, which prompted the user to install an app. As the video demonstrates, the app isn’t Flappy Bird, but a malicious version of Gmail that overwrites the legitimate version of Gmail downloaded from the App Store. After the installation process is over, the change is virtually undetectable.

What this means is that Masque Attack can be used to install fake versions of legitimate App Store apps using iOS enterprise provisioning profiles, which are used for beta testing or by companies to distribute apps to employees without the need to direct them to the App Store.

Reports of the iOS provisioning profiles “vulnerability” are not new: there were earlier reports about it, but that issue allows only limited access to apps. What is new is that Masque Attack can replace apps downloaded from the App Store, and it follows that it is potentially more dangerous than WireLurker.

FireEye was able to detect the vulnerability on iOS 7.1 and newer, and notified Apple about the issue. Users can protect themselves by not installing apps from third-party sources, and avoiding clicking on install popups in SMS messages or on third-party websites.
