Researchers: iOS Bug Allows Malware To Replace Your Phone’s Real Apps

We’ve said it before and we’ll say it again — don’t download apps from third-party sites, or do so at your phone’s peril. Security researchers say they’ve found a particularly sneaky bug in Apple’s iOS that allows hackers to replace real apps with fakes that can then steal log-in credentials and gain access to a treasure trove of your information.

Security firm FireEye says its mobile security researchers found that an iOS app installed from, say, a web site could replace another real app from the App Store, based solely on the fact that both apps used the same bundle identifier, the company said in a post today.

A bundle identifier, if you didn’t know (and I didn’t), lets iOS and OS X recognize any updates to your app. It’s supposed to be unique to each app, but FireEye says an attacker can replace any app (except those installed by Apple that can’t be removed) with another app that uses the same bundle identifier, and sneak in that way.

FireEye says it verified the vulnerability on iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta, for both jailbroken and non-jailbroken devices.

Here’s how it works: A victim might be lured through a web site or scam email with an offer to download an arbitrarily named app, perhaps “New Flappy Bird,” which, once it’s downloaded, replaces a real app like Gmail on your phone, with you none the wiser. The researchers simply used a bundle identifier that’s the same as real Gmail — “”

How can that be? Because iOS doesn’t enforce matching certificates for apps with the same bundle identifier, FireEye says. Certificates are used to sign software updates and prove they come from the source they say they do.

The thing is, the fake app now has access to the local cached files from the original app, allowing attackers to access your sign-in credentials and have their way with all the information in your email or banking accounts. The fake app looks identical to the real app, making it difficult for users to detect.
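A simplified model of the behaviour FireEye describes, added here as an example (it is not FireEye's code or iOS code): the installer matches on bundle identifier alone, so a differently signed app replaces the original and inherits its local files, while the second run adds the missing signer check. The bundle identifier `com.example.mail`, the signer strings and all class and function names are constructed placeholders.

```python
from dataclasses import dataclass, field

@dataclass
class App:
    bundle_id: str  # identifier used to match an install to an existing app
    signer: str     # constructed stand-in for the signing certificate identity
    name: str       # display name; plays no part in matching

@dataclass
class Device:
    enforce_signer_match: bool
    apps: dict = field(default_factory=dict)        # bundle_id -> App
    containers: dict = field(default_factory=dict)  # bundle_id -> cached local files

    def install(self, app: App) -> str:
        existing = self.apps.get(app.bundle_id)
        if existing is None:
            self.apps[app.bundle_id] = app
            self.containers[app.bundle_id] = {}
            return "installed"
        # Same bundle identifier: the install is treated as an update.
        if self.enforce_signer_match and existing.signer != app.signer:
            return "rejected: signer mismatch"
        # The update path swaps the app but leaves its data container in place.
        self.apps[app.bundle_id] = app
        return "replaced"

    def readable_by(self, bundle_id: str) -> tuple:
        """Return (signer of the app now installed, files it can read)."""
        return self.apps[bundle_id].signer, sorted(self.containers[bundle_id])

def scenario(enforce: bool) -> tuple:
    dev = Device(enforce_signer_match=enforce)
    real = App("com.example.mail", "SIGNER-VENDOR", "Mail")
    fake = App("com.example.mail", "SIGNER-OTHER", "New Flappy Bird")
    dev.install(real)
    # Constructed sample of data the real app caches locally.
    dev.containers[real.bundle_id]["cached_session"] = "constructed-token"
    result = dev.install(fake)
    return result, dev.readable_by("com.example.mail")

if __name__ == "__main__":
    for enforce in (False, True):
        print("signer check:", enforce, "->", scenario(enforce))
```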

Researchers named it a “Masque Attack,” and say they notified Apple of the vulnerability on July 26. Thus far, it seems Apple hasn’t commented on the findings.

Here’s how iOS users can protect themselves from Masque Attacks, says FireEye:

1. Don’t install apps from third-party sources other than Apple’s official App Store or the user’s own organization

2. Don’t click “Install” on a pop-up from a third-party web page, as shown in Figure 1(c), no matter what the pop-up says about the app. The pop-up can show attractive app titles crafted by the attacker

3. When opening an app, if iOS shows an alert with “Untrusted App Developer”, as shown in Figure 3, click on “Don’t Trust” and uninstall the app immediately

Masque Attack: All Your iOS Apps Belong to Us [FireEye Blog]
