Apple has been accused of leaving a critical security flaw unpatched for almost four months – which security specialists fear has already been used by cyber criminals.
Furthermore, the built-in security of mobile device management (MDM) software that is supposed to provide better protection for organisations is also unable to detect the malware.
The flaw, dubbed “Masque”, was reported to Apple on 26 July by security research company FireEye. The company says that it went public on the flaw this week because despite warning Apple about it, nothing had been done. “We have seen proof that this issue started to circulate and we consider it urgent to let the public know, since there could be existing attacks that haven’t been found by security vendors,” FireEye said.
The flaw identified by FireEye is being used in conjunction with the “WireLurker” Apple malware revealed by Palo Alto Networks last week, which has already affected as many as 350,000 Apple Mac PCs and iOS-based smartphones and tablet computers. “Masque attacks can pose much bigger threats than WireLurker,” claimed FireEye.
The Masque security flaw enables attackers to steal information, such as bank login and other details from Apple iOS users who download apps from third-party app stores – not Apple’s own security-vetted store. It exploits a failure of iOS to check the legitimacy of a malicious app that displays the same “bundle identifier” as a genuine app that is already on the user’s device.
According to FireEye, as MDM software uses the same mechanism to detect undesirable applications, the security flaw can also evade MDM security scanning.
“The MDM interface couldn’t distinguish the malware from the original app, because they used the same bundle identifier. Currently there is no MDM API to get the certificate information for each app. Thus, it is difficult for MDM to detect such attacks,” warned FireEye.
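The weakness FireEye describes is that both iOS and MDM inventories identify an app by its bundle identifier alone, so a substitute app that reuses a genuine app's bundle identifier looks identical to it. The following Python is an added illustration, not code from the article, from FireEye or from any MDM product: it contrasts a bundle-identifier-only inventory check with one that also compares the signing identity. The `team_id` field, the bundle identifiers and the inventory records are all constructed for the example; as the quote above notes, MDM APIs at the time did not expose per-app certificate information, so the signing-aware check assumes that data is available from some other source.

```python
# Added example (not from the article or FireEye): why matching installed apps
# by bundle identifier alone cannot catch a Masque-style app replacement, and
# what a signing-identity-aware inventory check looks like.
from dataclasses import dataclass


@dataclass(frozen=True)
class InstalledApp:
    bundle_id: str   # constructed value, e.g. "com.example.bank"
    team_id: str     # assumed field: signing identity of whoever built the app
    version: str


# Constructed allow-list of known-good apps: bundle identifier -> the signing
# identity expected for that bundle identifier.
KNOWN_GOOD = {
    "com.example.bank": "TEAMBANK01",
    "com.example.mail": "TEAMMAIL01",
}

# Constructed device inventory. The bank app has been replaced by one that
# reuses the same bundle identifier but carries a different signing identity.
SAMPLE_INVENTORY = [
    InstalledApp("com.example.bank", "ENTERPRISE9", "2.0"),
    InstalledApp("com.example.mail", "TEAMMAIL01", "1.4"),
    InstalledApp("com.example.notes", "TEAMNOTE01", "3.1"),
]


def recognised_by_bundle_id(inventory):
    """The bundle-identifier-only view the article describes.

    Every app whose bundle identifier matches a known app is treated as that
    app, so the replaced bank app passes as genuine.
    """
    return [app.bundle_id for app in inventory if app.bundle_id in KNOWN_GOOD]


def find_replaced_apps(inventory):
    """Signing-aware check: flag any app whose bundle identifier is known but
    whose signing identity differs from the one expected for it."""
    replaced = []
    for app in inventory:
        expected = KNOWN_GOOD.get(app.bundle_id)
        if expected is not None and expected != app.team_id:
            replaced.append(app)
    return replaced


if __name__ == "__main__":
    print("bundle-id view:", recognised_by_bundle_id(SAMPLE_INVENTORY))
    for app in find_replaced_apps(SAMPLE_INVENTORY):
        print(f"REPLACED: {app.bundle_id} signed by {app.team_id} "
              f"(expected {KNOWN_GOOD[app.bundle_id]})")
```

The bundle-identifier view reports the bank app as present and genuine; only the signing-aware check surfaces that it was built under a different identity. Such a check also flags a legitimate app whose developer has moved to a new signing identity, so the allow-list has to be kept current to avoid false positives.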
Attackers have been trying to lure unsuspecting Apple users by offering apps that sound similar to legitimate apps, or new versions of popular apps. Once such an app is installed, attackers can steal the user’s banking log-on credentials. The vulnerability affects both jailbroken and non-jailbroken devices running iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta. Attacks can be mounted both through wireless networks and USB sticks.
According to FireEye, “Masque attacks can replace authentic apps, such as banking and email apps, using attacker’s malware through the internet. That means the attacker can steal user’s banking credentials by replacing an authentic banking app with malware that has an identical user interface.”
However, because the attack depends on apps installed from outside Apple’s store, most iPhone and iPad users should not be affected, as the majority download apps via Apple’s app store.