Security flaw makes most iPhones, iPads vulnerable to 'app replacement' hack

Summary: Researchers are warning genuine apps can be easily replaced with fake apps, which can be used to vacuum up a smartphone user's entire store of data.

(Image: FireEye)

A security flaw in Apple's mobile operating system can leave iPhones and iPads vulnerable to attacks by cybercriminals, a new report warns.

Security researchers at FireEye on Monday detailed a bug in which apps on iOS 7.1.1 and later, including the latest iOS 8 and iOS 8.1 update, can be effectively replaced with fake apps that can be used to install malware or vacuum up a user's data.

The technique, which the researchers dubbed the "Masque Attack," relies on users clicking on malicious links in emails and text messages that point to pages containing the app download. These apps come from outside the walled garden of Apple's App Store and can replace genuine apps, such as banking or social networking apps.

"This vulnerability exists because iOS doesn't enforce matching certificates for apps with the same bundle identifier," the researchers said on the company's blog. "An attacker can leverage this vulnerability both through wireless networks and USB."
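The missing check the researchers describe can be shown with a simplified model, added here as an example (it is not FireEye's or Apple's code): an installer decision that compares the signer as well as the bundle identifier, plus an inventory audit a device administrator could run against a pinned signer list. `AppPackage`, `install_decision`, `audit_inventory` and all identifiers and certificate bytes are hypothetical, and a SHA-256 fingerprint stands in for real code-signing validation.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class AppPackage:
    bundle_id: str      # bundle identifier declared by the package
    signer_cert: bytes  # signing certificate bytes (constructed stand-ins below)

    @property
    def signer_fp(self) -> str:
        # Fingerprint used to compare signers; an assumption of this model.
        return hashlib.sha256(self.signer_cert).hexdigest()


def install_decision(installed: dict, pkg: AppPackage, enforce_signer_match: bool) -> str:
    """installed maps bundle_id -> fingerprint of the certificate that signed
    the copy already on the device."""
    current_fp = installed.get(pkg.bundle_id)
    if current_fp is None:
        return "install-new"
    if current_fp == pkg.signer_fp:
        return "update"
    # Same bundle identifier, different signer: the case the researchers describe.
    return "reject" if enforce_signer_match else "replace"


def audit_inventory(inventory: list, expected: dict) -> list:
    """Flag (device, bundle_id) pairs whose signer differs from the pinned one."""
    return [
        (device, pkg.bundle_id)
        for device, pkg in inventory
        if pkg.bundle_id in expected and expected[pkg.bundle_id] != pkg.signer_fp
    ]


# Constructed sample data: not real certificates or bundle identifiers.
GENUINE = AppPackage("com.example.bank", b"constructed-cert-vendor")
LOOKALIKE = AppPackage("com.example.bank", b"constructed-cert-other")
OTHER_APP = AppPackage("com.example.notes", b"constructed-cert-other")
INSTALLED = {GENUINE.bundle_id: GENUINE.signer_fp}
EXPECTED = {GENUINE.bundle_id: GENUINE.signer_fp}
INVENTORY = [("device-a", GENUINE), ("device-b", LOOKALIKE), ("device-b", OTHER_APP)]

if __name__ == "__main__":
    for enforce in (False, True):
        print("enforce_signer_match =", enforce, "->",
              install_decision(INSTALLED, LOOKALIKE, enforce))
    print("signer mismatches:", audit_inventory(INVENTORY, EXPECTED))
```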

In an interview with Reuters, FireEye senior staff research scientist Tao Wei said word of the flaw began to leak out on specialized security-related forums in October. 

The bug was disclosed to Apple months earlier in July.

The decision to go public came after Palo Alto Networks reportedly uncovered WireLurker, the first in-the-wild campaign to exploit the flaw in Apple's desktop, notebook, and mobile devices.

FireEye researchers said users should not install apps from sources other than Apple's App Store or the user's organization, particularly if they are labeled with an "untrusted app developer" warning.

Topics: Security, Apple, Enterprise Software, iOS, iPhone, iPad, Smartphones, Tablets


Talkback

23 comments
  • My uncle's step son installed fake app, lost 77 cents and ended family ties

    my uncle's step son's brother in law was exposed as a fake by a fake app my uncle's step son installed that cost him 77 cents only to find out his brother in law was a fake as well as the app he wrote. if only Apple had closed this vulnerability family relations wouldn't have been ruined. Now what are we going to do. :-)
    greywolf7
    • Proprietary software...

      What good are all of those billions of U.S. dollars in cash and cash equivalents in offshore banks doing users of proprietary software?

      As bad as this makes Apple look, at least they didn't take over five (5) years to provide a patch for its supported operating system versions:

      "Microsoft Selective with FASTFAT Driver Patch Deployments"
      http://threatpost.com/microsoft-selective-with-fastfat-driver-patch-deployments/108908
      Rabid Howler Monkey
      • That was pretty desperate

        Sorry but a desperate red herring won't make this problem go away.
        Buster Friendly
      • So what you're saying is that

        it's alright for Apple to take 5 years to fix a flaw like this because someone else took 5 years to fix a different flaw in their software? You are the forgiving kind, aren't you.

        I'm assuming you wouldn't blame Apple at all should you fall victim to this because "well heck, MS took five years to fix some flaw, so all's good between us, Apple!"
        William.Farrel
        • Cute...

          Very toddsbottom3esque. :)
          Rabid Howler Monkey
          • I am honored by the comparison.

            I think? :)
            William.Farrel
  • The Apple God is not all powerful

    Apple has known about this since July and regardless of how many dyed in the wool, dystopic Apple followers they have it would have been less deceitful to let their customers know from them instead of being informed by a third party.
    The millenniums have no understanding of the concept of facing reality.
    striptaway
    • Oh he is

      But he's just really lazy and apathetic.
      harvey_rabbit
    • Seriously? You get thrown a warning

      about an untrusted developer do you want to install anyway after clicking an email link, and Apple is to blame because, what? They didn't come with a hanky in hand to wipe your nose and hold your hand and give you warm milk and cookies?
      baggins_z
      • Apple builds devices for users without tech savvy

        iOS is clearly built for those who lack tech savvy. Many of their users will just be confused by the warning and have no idea how to proceed. If they are going to lock down the phone, why are they allowing apps to get updated that way?

        The fact that it is the user's fault does not make Apple's blame any less. Otherwise, we would never blame OS makers for any virus problems. We would just blame the users. Apple left the OS vulnerable to this and is once again taking their time fixing a vulnerability.
        DaveJMo
  • Asleep at the wheel...

    The vulnerability was disclosed to Apple in July, 2014. Really?!

    Apparently, Apple learned nothing from the Java-based Flashback attack on OS X a couple of years ago.
    Rabid Howler Monkey
    • Considering the exploit still results

      in an "untrusted developer do you want to install" warning appearing, I would suspect that Apple's triage team correctly assigned this defect a lower priority.
      baggins_z
      • baggins_z: "an "untrusted developer do you want to install" warning"

        I disagree. Apple's ecosystem, including its walled garden, is everything for many of its iOS device users. Its users should not even be seeing such a warning by default.

        Apple should take a page from Android and create a default iOS setting that disallows installing apps from untrusted developers. Period. No prompt, no installing. If iOS users want to enable the installation of apps from untrusted developers, let them modify the default setting which disallows this behavior.
        Rabid Howler Monkey
  • Further proof that security companies are grasping.

    Yes, it's a flaw. Yes, it was reported several months ago. Yes, MAYBE it should be patched. But considering that at this point, no one has proof that real apps most of the world cares about have been spoofed (yet) then the real issue is this. Apparently one security firm found it and told the vendor. Then another one comes along and lets the cat out of the bag early for their own gain. So the original locator has to now stir the pot.

    I always assumed that a mere mortal could not install a non-Apple-Store app. Those had to be sideloaded via an MDM setup or via jailbreaking. And the "in the wild" example (which is funny, it has another name) is specifically not using Apple's App Store. And then even after that you get a confirmation box. Kinda reminds me of driving around in the wrong part of town with your windows down and yelling out the window looking for drugs. Bad things happen that way. Oh, and before you "mine's better than yours" guys come in, that can happen easily with Android. Only (shocker) Windows Phone is safe now, because the market share is so low no one wants to write software for it. And it doesn't have governments using it like Blackberry.

    And yes, there is a solution that both Apple and Google could apply to their respective OSes. Require a specific certificate and digital signature to allow any app to install, unless you are way too much of a geek to leave things alone and jailbreak or use an alternate root like Cyanogen. That will go over about as well as User Access Control went over on Vista. And it will also slow new apps to a crawl, because each one will have to be vetted before it ends up in the respective App Store.

    Then again, that might not be such a bad thing. How many "Flappy Bird" clones do we need?
    jwspicer
    • No they are not

      "I always assumed that a mere mortal could not install a non-Apple-Store app."

      You assumed wrong. It clearly states users get a valid looking alert out of the blue. They click on the 'OK' and down comes the malware. It works because the malware is using the original good app's certificates, so the device is none the wiser something is wrong.

      So a novice trying to be secure can easily get their device infected. This alone is a serious problem.

      Also, the vendors perform a vetting process now for new apps in the store. The solution to this should not require a change to that vetting process.

      Your point about the bad guys targeting the popular apps and platforms is a valid one. This can ebb and flow, which is why it is important vendors lift their game and make sure their products are secure. At the moment vendors are being rewarded by focusing on functionality at the expense of security. It is more difficult to retrofit security than to incorporate it into the original design.
      NZO893
      • They get a valid looking alert

        that says UNTRUSTED DEVELOPER.

        If they click trust after seeing that, well, I don't have a lot of sympathy for them. At some point, you have to expect a certain level of accountability on the part of the individual to not be a total fool.
        baggins_z
    • Using reflection to drop in a bad replacement DLL

      is a decades old malware trick. Apple should have had their code signing able to catch more than the app package.
      Mac_PC_FenceSitter
      • Granted, but this is not an invisible exploit.

        A warning dialog throws, the user has to decide they are going to trust somebody Apple has said is not trustable. At some point, we need to expect at least some level of personal responsibility in this sort of thing.
        baggins_z
  • See, iOS is just another

    toxic hellstew of vulnerabilities. Tim, you said only Android was, because someone at ZDNet said so.
    drwong
    • Look up stew in the dictionary.

      You need more ingredients to make a stew, toxic or not.
      rfoto