Apple products are safe, everyone knows that. Viruses and malware are for Windows machines and Android devices, but cybercriminals up to this point seem to have been stymied by Apple’s security and left its devices alone. So revered are the Apple operating systems that, in the wake of its recent breach, Home Depot has exchanged all its executives’ devices for “new and secure” Apple products (MacBooks and iPhones).
Whether you like Apple’s design aesthetic or believe in its capacity to ignite mobile payments is a matter for debate – but what is nearly universally agreed on is that Apple knows how to build a hard-to-hack, secure product – whether that product is a computer, phone, tablet or payment system.
Or at least, they did.
In the last few weeks a pernicious little piece of malware called “WireLurker” revealed a chink in Apple’s armor, albeit a small one in this form. WireLurker was discovered last week by Unit 42, the research team of security firm Palo Alto Networks. It is a pioneer of sorts, according to Unit 42: a first-of-its-kind malware for Apple that bypasses security features and installs third-party applications on Apple devices without the user’s permission.
It exploits a loophole in Apple’s protocols by using enterprise/ad-hoc provisioning, which allows large organizations to deploy custom-built software without going through Apple’s App Store (where apps are screened for malware). Once on the device, the malware has the ability to replace a genuine app installed through the App Store, as long as both apps use the same bundle identifier.
On its own, the WireLurker reveal was not much of a stunner. Given Apple’s prominence, it comes as no shock to any reasonable person that cybercriminals would want to crack its operating systems like eggs. Moreover, WireLurker is not exactly easy to come by – especially for users in the U.S. That particular instantiation of the malware’s home base is a third-party Chinese OS X store known as the Maiyadi App Store. Maiyadi has a long and colorful reputation for being a home to all sorts of illegal and pirated software. The odds of a casual user finding themselves shopping on a grey-market Chinese software site are fairly low, made lower by the fact that Apple has already moved to patch and contain the WireLurker bug.
But WireLurker is not scary because of what it did; it is scary because of what it is. It is what experts are calling a “Masque Attack,” and while it’s the first, no one thinks it’s going to be the last.
Currently, iOS does not enforce matching certificates for apps with the same bundle identifier. In practical terms, that means an attacker can use any deceptive app title to lure a victim into installing an app that is a Trojan horse stuffed with malware. Once it’s there, iOS will use whatever was downloaded to replace a real app (as long as both have the same bundle identifier). The fake, which has access to the data of the app it is emulating, looks nearly identical to the real app and can be hard to spot until it is too late.
On the upside, pre-installed Apple applications are not affected: it is not possible to replace Safari through such an attack. On the downside, once on the device, malware installed through a Masque Attack can replace anything downloaded through the App Store. Like PayPal. Or any banking app.
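The weakness described above is that iOS, at the time, did not tie a bundle identifier to the certificate that originally signed it. The following script, added here as an example and not code from the article, Palo Alto Networks or FireEye, shows the defender-side version of the missing rule: an inventory check that flags any installed app whose bundle identifier matches a known App Store app but whose signing team differs. The inventory, the bundle identifiers, the team identifiers and the field names (`bundle_id`, `signing_team`, `provisioning`) are all constructed for illustration and are not an Apple API.

```python
"""Added example: apply the rule iOS did not enforce during WireLurker/Masque
Attack, namely that two apps sharing a bundle identifier must also share a
code-signing identity.

All data below is constructed for illustration. The field names are
assumptions modelled on what an MDM or device-inventory export might carry.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class InstalledApp:
    bundle_id: str        # e.g. "com.example.bank" (constructed)
    display_name: str
    signing_team: str     # team identifier from the code-signing certificate
    provisioning: str     # "appstore", "enterprise" or "adhoc"


# Constructed baseline: the signing team an administrator expects for each
# App Store bundle identifier the organisation cares about.
TRUSTED_SIGNERS = {
    "com.example.bank": "TEAMBANK01",
    "com.example.mail": "TEAMMAIL01",
    "com.example.pay":  "TEAMPAY001",
}

# Constructed inventory of what is actually installed on one device.
# The third entry models a Masque-style replacement: same bundle id as the
# real banking app, but signed by another team via enterprise provisioning.
SAMPLE_INVENTORY = [
    InstalledApp("com.example.mail", "Mail Client", "TEAMMAIL01", "appstore"),
    InstalledApp("com.example.pay",  "Payments",    "TEAMPAY001", "appstore"),
    InstalledApp("com.example.bank", "Bank",        "ATTACKTEAM", "enterprise"),
    InstalledApp("com.example.intranet", "Intranet", "TEAMCORP01", "enterprise"),
]


def classify_app(app, trusted_signers):
    """Return a finding string for one app, or None if nothing is wrong.

    A bundle identifier present in the App Store baseline must carry the
    baseline's signing team; anything else is an ALERT. An enterprise or
    ad-hoc app whose bundle id is not in the baseline is reported as INFO so
    an administrator can review sideloaded software.
    """
    expected = trusted_signers.get(app.bundle_id)
    if expected is None:
        if app.provisioning in ("enterprise", "adhoc"):
            return "INFO sideloaded app outside baseline"
        return None
    if app.signing_team != expected:
        return (f"ALERT signer mismatch for {app.bundle_id}: "
                f"expected {expected}, found {app.signing_team} "
                f"({app.provisioning} provisioning)")
    return None


def find_masqueraded_apps(inventory, trusted_signers=TRUSTED_SIGNERS):
    """Return a dict bundle_id -> finding for every app that fails the check."""
    findings = {}
    for app in inventory:
        verdict = classify_app(app, trusted_signers)
        if verdict is not None:
            findings[app.bundle_id] = verdict
    return findings


if __name__ == "__main__":
    for bundle_id, verdict in find_masqueraded_apps(SAMPLE_INVENTORY).items():
        print(f"{bundle_id}: {verdict}")
```

Run against the constructed inventory, the script reports the replaced banking app as an ALERT (bundle identifier known, signer wrong) and the intranet app as INFO (sideloaded, but not colliding with a baseline entry); the two genuine App Store apps produce no finding. The point of the design is that the check keys on the bundle identifier plus signer, not on the display name, because the display name is exactly what a Masque Attack copies.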
WireLurker was a partial Masque Attack and required a USB connection to fully infect a device. However, researchers at FireEye were able to exploit the vulnerability completely over a wireless network, with no physical connection required.
“Masque Attacks can pose much bigger threats than WireLurker. Masque Attacks can replace authentic apps, such as banking and email apps, using attacker’s malware through the Internet. That means the attacker can steal user’s banking credentials by replacing an authentic banking app with malware that has identical UI,” wrote the testers at FireEye.
Users can protect themselves from Masque Attacks primarily by not downloading apps from outside the App Store, where apps are screened. Apple will also warn users when they are trying to install an app from an unknown and untrusted developer. Users are advised to always say “Don’t Trust” and uninstall.
Want to see a video of how a Masque Attack works? Check it out below.