Recent security news alerted iOS users of what’s known as a “masque attack”. iPhone & iPad users have to watch for a new exploit within iOS 7/8 that can steal secure data such as logins, passwords, remote monitoring, and other sensitive data.
The US government themselves, have gone on record alerting the public of this potential risk. The attack in itself is achieved when a hacker gets access to your iOS device via an unauthorized app. This could be installed by methods such as phishing links which look & act like a normal app but once installed begins to gather sensitive data.
Cybersecurity company FireEye was one of the first to identify the exploit via iOS. They went on to say that most common method of phishing comes from emails, web pages, and false text messages with links to said malicious apps. Of course, users who only install apps from the designated app-store are usually safe.
Apple in a statement to iMore responded by saying that their users are protected in that the OS warns users prior to such malicious downloads.
We designed OS X and iOS with built-in security safeguards to help protect customers and warn them before installing potentially malicious software,” an Apple representative said, adding that the company was not aware of its customers actually falling victim to such an attack. “We encourage customers to only download from trusted sources like the App Store and to pay attention to any warnings as they download apps. Enterprise users installing custom apps should install apps from their company’s secure website.
An actual video of the attack in action has been released via Youtube. They showcase the attack in a situation where users may receive a false message from a friend, internet, etc saying to “check out this app”. Which can be posed as any one of the popular apps in the app-store like “Angry Birds” in this case. After which a malicious & fake Gmail app is installed. Completely replacing the original app.
Through the video you can see how a hacker seeking information, can target a user, and access sensitive data. Monitoring things like inbox, text messages, and more, all in realtime.
Thus the attention in the media, and reason for US government issuing a statement. Now this is nothing new of course, phishing attacks have been around for a long time now, and show no sign of slowing down. However, in conjunction with the exploit in iOS, allowing hackers to gain access to personal data through a fake app is very concerning. The government’s post on the matter illustrates the capabilities many of these malicious apps hold.
An app installed on an iOS device using this technique may:
-Mimic the original app’s login interface to steal the victim’s login credentials.
-Access sensitive data from local data caches.
-Perform background monitoring of the user’s device.
-Gain root privileges to the iOS device.
-Be indistinguishable from a genuine app.
All of this achieved by circumventing Apple’s app-store installation process. Again users who normally install through the native store shouldn’t be worried, however the fact that this is possible outside of that leaves room for trouble. So staying on top of not only the source of your downloads, but phishing scams as well can go a long way in protecting your data. Make sure to only download content from reliable sources, and never open any links that you think are from an unknown source.