Researcher Put Their Focus on the Masque Attack on OS X/iOS

According to the reports released to public by the researchers working at FireEye on 17 November, Mac OS X and iOS operating systems have threat from Masque Attack, which has already come into existence. This report was published within a gap of a week post the discovery of WireLurker by the Palo Alto Networks.

What is Masque Attack? 

Masque attack can easily utilize a drawback in the operating system of Apple, which allows the user to replace one app by another app, as long as both these apps are using the same bundle identifier. One of the threatening issues is that through this attack, all the preinstalled apps on the operating systems (example Mobile Safari) can be easily replaced.

The duplicate apps will be able to track the local data of the original apps, which includes the login details like user id and password. Through this attack, an attacker can easily login into anyone’s account and make transactions from their bank accounts.

These attacks become more easy, has the iOS usually does not put in force certificate matching for apps that come with the same bundle identifier. FireEye researchers were able to verify and identify the vulnerability on both regular iOS and jailbroken. The regular iOS includes iOS 7.1.1, iOS 7.1.2, iOS 8.0, iOS 8.1, and iOS 8.1.1 beta. Attackers can influence the vulnerability through USB ports and even wireless networks.

According to the blog post of FireEye researchers Tao Wei, Hui Xue and Yulong Zhang, Apple is unable to prevent such attacks due to the existing standard interfaces and protections. They are requesting the Company to develop interfaces that are more powerful and give it to professional security vendors.

This way these vendors will be able to protect their enterprise users from all these advanced attacks. This attack will prompt the users to download malicious apps with new names like for example, the new angry bird.

The users of these operating systems are more susceptible to these attacks when they download any app from third party source or by ignoring the un-trusted app message popping on their phones. Users, who have set the Gatekeeping feature on “Anywhere”, actually nullify their protection.

As per FireEye's researchers, WireLurker utilizes very limited form of the attack when hitting the iOS through USB ports.

According to director of software engineering at Arxan, Joe Abbey, WireLurker will be able to deliver the workload only if the user has installed any un-trusted app on MAC, on the other hand for the Masque attack to occur, the user must have downloaded enterprise-provisioning profile.

Companies who have the BYOD policies are more susceptible to Masque attack. According to Abbey, it is recommended that the owners of BYOD policies disable the provisioning profiles, till Apple comes out with a solution.

Masque attacks and WireLurker are additional examples of highly sophisticated and automated attacks, which are growly rapidly. These attacks highlights that we are in serious need of automotive proactive protection and prevention methods.