Apple is facing Masque Attack II, a major vulnerability that allows malicious apps to leverage existing, legitimate ones to spread malware. Unlike the first variation of the Masque attack, this iteration includes iOS URL scheme hijacking, which allows it to be propagated directly through the App Store.
FireEye, which also uncovered the original Masque last November, explained that Masque Attack II deliberately defines the same URL schemes used by other apps.
“By crafting and distributing an enterprise-signed malware that registers app URL schemes identical to the ones used by legitimate popular apps, an attacker may hijack legitimate apps’ URL schemes and mimic their UI to carry out phishing attacks, e.g. stealing the login credentials,” explained FireEye researchers in a blog. “iOS doesn’t protect users from this attack because it doesn’t prompt for trust to the user when launching such an enterprise-signed malware for the first time through app URL scheme.”
For instance, one enterprise-signed app that registers the same set of URL schemes on iOS 8.1.3 and earlier versions is able to hijack web links when the user clicks them from the emails in Gmail app, from web pages displayed by Safari or from SMS messages.
Yet, the flaw is deliberate. “Both App Store and iOS treat it as a feature to allow apps from different developers to bear the same URL schemes,” FireEye noted.
The new variant also includes the ability to bypass the iOS prompt for trust, which has been fixed in the recent iOS 8.1.3 security content update. When the user clicks to open an enterprise-signed app for the first time, iOS asks whether the user trusts the signing party. The app won’t launch unless the user chooses “Trust.” Bypassing the prompt for trust gives malicious enterprise-signed apps the leverage to exploit the URL scheme issue silently.
Even though Apple has patched it, as measured by the App Store on Feb. 2, 28% of devices use iOS version 7 or lower, which are still vulnerable. Of the 72% of iOS 8 devices, some are also vulnerable given that iOS 8.1.3 came out in late January 2015.
“App stores, whether from Apple, Google, or Amazon, are quickly becoming platforms unto themselves, and that makes them viable targets for attack,” said Tim Erlin, director of IT security and risk strategy at Tripwire, via email. “This attack leverages a point of trusted interaction that Apple seems to have missed, or assessed incorrectly. It's nearly guaranteed that there are more of these points to exploit. We should expect to see follow- on efforts from attackers and researchers against Apple and others.”