Slashdot Mirror


US Gov't Issues Alert About iOS "Masque Attack" Threat

alphadogg writes Three days after security company FireEye warned of an iPhone/iPad threat dubbed "Masque Attack", the U.S. government has issued a warning of its own about this new risk by malicious third-party apps to Apple iOS devices. US-CERT warned: "This attack works by luring users to install an app from a source other than the iOS App Store or their organizations' provisioning system. In order for the attack to succeed, a user must install an untrusted app, such as one delivered through a phishing link." Revelations of Masque came on the heels of a related exploit (that also threatens Macs) called WireLurker.


  1. I don't get it... by XaXXon · · Score: 4, Insightful

    Don't you have to jump through all sorts of hoops to even INTENTIONALLY install an app from an alternate source?

    Seems like it would be hard to do it unintentionally.

    1. Re:I don't get it... by Russ1642 · · Score: 3, Insightful

      You can't stop viruses that are manually installed by ridiculously dumb users unless you have virus scanners, and even then it's hit and miss. I wouldn't even call it an exploit.

    2. Re:I don't get it... by Anonymous Coward · · Score: 5, Informative

      You have to get a link from someone, go somewhere that clearly isn't the Apple store, download the app which the phone will warn you about, install the app which the phone will again warn you about and accept enterprise provisioning which the phone will warn you about yet again before the malware can do its thing?

      This takes real work on the part of the user to do that they don't normally, or ever see. It's a problem that they let a developer overwrite other apps, but in terms of it being a vulnerability? Welcome to dumb users doing stupid shit they've been told not to do the last 30 damned years.

    3. Re:I don't get it... by tlambert · · Score: 4, Informative

      actually, they can put the binaries on any webpage. that's how betas are distributed.
      it's as easy a clicking a link and saying "yes" twice.

      No, you can't. They have to be one of:

      (A) signed by Apple (e.g. anything from the App store)
      (B) a developer signed binary running on a device enrolled under the developer's key as one of a limited number of devices
      (C) enterprise enrolled and signed with the enterprise key

      The exploit takes advantage of pirate App stores in China which require you to accept enterprise enrollment in their enterprise key, and then download binaries from their "App Store" after paying a reduced rate for them (they're pirated) that happen to have had malware installed into the app bundle prior to being signed by the enterprise key belonging to the store (and the store is not checking the apps it puts up for sale, because they are all purchased and then uploaded from jailbroken iPhones).

      So it takes a lot of work, and most of the people at risk from this are in China and basically stealing Apps.

    4. Re:I don't get it... by Rosyna · · Score: 2

      All of those hoops are removed if the app is signed by an Apple 'enterprise deployment' certificate. Someone anyone can get just by asking.

      No, those are all the hoops you have to go through to accept the "enterprise deployment" certificate profile the first time, then accept the app launching the first time. Also, the phone needs to be unlocked to accept any of these dialogs.

      But then Apple can just revoke the cert (which it did for WireLurker) and blacklist the malware on the Mac side (which it also did for WireLurker).

    5. Re:I don't get it... by anethema · · Score: 3, Insightful

      Let's also keep in mind that Apple apps ONLY run in a sandbox, and this virus does not break out of it. The worst the app can do is be installed if you don't actually go into it and do stuff.

      The main danger is that the app could masquerade as a legit app like browser/banking etc and maybe trick you into using it.

      But the sheer number of steps needed to install it, then almost crazy foolishly using it afterwards, it isn't much of a threat.

      --
      It's easier to fight for one's principles than to live up to them.
    6. Re:I don't get it... by Aaden42 · · Score: 2

      You also have to enter your phone’s unlock code (assuming you set one) to install the provisioning profile.

      I’d have a *tiny* amount of concern if it was tap-tap-tap-pwn3d, but it’s not something anyone could realistically do accidentally. Do without realizing the impact of it yes, but not “tap the wrong thing and you’re dead”.

      At the point that you’re keying in your phone’s password (something you’d never do when installing a normal Apple app store app, unless your iTunes account & phone use the same password, in which case WTF???), you have to be pretty willfully ignorant OR dead set on installing some l33t p1r4t3 w4r3z to go through all those hoops. If the former, seriously, get a clue. If your das compüterbox is asking you to do something it’s never asked you to do before and you have no idea why, STOP and ask a grown up FFS! (If the latter, enjoy your malware. You earned it!)

      As much as I hate to admit it, this thing actually validates Apple’s original stance that users can’t handle side-loading intelligently. Before the enterprise provisioning program was created, this attack would have been impossible. The only way to run non-Apple signed code would have been with a developer profile which requires each individual phone UDID to be encoded in it with an Apple-imposed maximum of 100 devices. Enterprise provisioning profiles are pretty much exactly equivalent to Android side-loading.

      This is why we can’t have nice things...
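A defender-side check that makes the three trust classes in tlambert's comment above and the device-limited developer profile Aaden42 describes concrete: it classifies a provisioning-profile payload and lists which installed App Store bundle IDs an enterprise-signed app under that profile could replace. This is an added example, not code from the thread or from Apple; the profile payloads, team IDs, UDIDs and bundle IDs are constructed, and the `security cms` command in the comment is the assumed way to extract a real payload on macOS.

```python
import plistlib

# Constructed sample payloads: the XML plist a .mobileprovision carries inside
# its CMS envelope (on macOS, `security cms -D -i x.mobileprovision` prints it).
# Team IDs, profile names, UDIDs and bundle IDs below are made up.
ENTERPRISE = b"""<plist version="1.0"><dict>
<key>Name</key><string>In-House Distribution</string>
<key>ProvisionsAllDevices</key><true/>
<key>Entitlements</key><dict>
<key>application-identifier</key><string>TEAM111111.com.example.bank</string>
</dict></dict></plist>"""

DEVELOPMENT = b"""<plist version="1.0"><dict>
<key>Name</key><string>Beta Testers</string>
<key>ProvisionedDevices</key><array><string>00008030-000000000000DEAD</string></array>
<key>Entitlements</key><dict>
<key>application-identifier</key><string>TEAM222222.*</string>
</dict></dict></plist>"""

def classify(profile):
    """Map a profile to the three trust classes in tlambert's comment."""
    p = plistlib.loads(profile)
    if p.get("ProvisionsAllDevices"):
        return "enterprise"   # (C): any device, any bundle ID the team chooses
    if "ProvisionedDevices" in p:
        return "development"  # (B): only the listed UDIDs (Apple caps at 100)
    return "appstore"         # (A): distribution profile; Apple re-signs the app

def app_id_pattern(profile):
    """Bundle-ID pattern from the application-identifier entitlement,
    with the TEAMID. prefix stripped (may be '*' or 'com.foo.*')."""
    p = plistlib.loads(profile)
    return p["Entitlements"]["application-identifier"].split(".", 1)[1]

def masque_collisions(profile, installed):
    """Installed bundle IDs an app signed under this profile could replace
    (same bundle ID, different signer). Only enterprise profiles qualify."""
    if classify(profile) != "enterprise":
        return []
    pat = app_id_pattern(profile)
    if pat == "*":
        return list(installed)
    if pat.endswith(".*"):
        return [b for b in installed if b.startswith(pat[:-1])]
    return [b for b in installed if b == pat]
```

An unexpected "enterprise" profile whose pattern collides with an installed banking or mail app is the situation the comments describe; a "development" profile can only reach the UDIDs it lists.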

    7. Re:I don't get it... by macs4all · · Score: 2

      You Apple apologists are turning me into an iPhobe. Just man up and face the vulns.

      No. The GP is right.

      This is NOT something that ANYONE can install accidentally. You have to jump through some serious hoops to make it happen.

    8. Re:I don't get it... by macs4all · · Score: 2

      Yes, you can for sure install untrusted apps on iOS without hacking. I can remember from the top of my head at least three ways. Phones in dev mode (not the problem here), Enterprise certs and beta software distributed through TestFlight.

      I believe that the limit on TestFlight is 100 phones, and those have to be added to a "List".

      Enterprise Certs are easily determinable and revocable by Apple.

      The system is just about as secure as could reasonably be designed.

  2. false flag? by Noah+Haders · · Score: 3, Interesting

    since when does the govt issue virus alerts? My best guess is that NSA is alarmed by uncrackable iphone encryption, so they're doing everything they can to scare people off their iphones and on to something more easy to control like droid or bby

    1. Re:false flag? by Guy+Harris · · Score: 3, Informative

      since when does the govt issue virus alerts?

      Since at least 2009, possibly earlier.

  3. Blast from the past by piranha32 · · Score: 5, Funny

    Hi,
        This is an Albanian virus. As you know we are not so technical
        advanced as in the West. We therefore ask you to delete all your
        files on your harddisk manually and send this email to all your
        friends.

        Thanks for helping us,
        The Albanian Hackers

    When I saw it many years ago it looked like a good joke.

  4. Re:In other words by mellon · · Score: 2

    Actually in the case of iOS it is substantially better. Application sandboxing makes it a lot harder to get pwned.

  5. Damn! I tried to install this malware... by jnork · · Score: 2

    ...but it's written for iOS 7 and above. Won't run on my 3Gs.

    I feel so left out!

    --
    Cleverly disguised as a responsible adult.
  6. No. by tlambert · · Score: 3, Insightful

    So identical to the Android malware, except there's less of it because iPhones are less popular in China?

    No. Anyone who wants to can put up an Android app store, or sell an android app with malware in it for side-loading onto the Android phone. Android is *much* more vulnerable, depending on who you trust; trust the wrong person/company, and you're compromised.

    To get that enterprise provisioning on your iPhone, you have to give up all other enterprise provisioning and sign up as a device enrolled as an "employee" of that App store, and you do it knowing full well that you're doing it to get pirated apps at a cut rate or free pricetag because you are a criminal.

  7. One valid reason for enterprise side loading... by tlambert · · Score: 2

    Users who steal software deserve to get their devices infected with every piece of malware in existence. A lot of software in the Apple Store is free and most of the rest of it is rather inexpensive. I don’t sympathize even a tiny little bit with anyone who tries desperately hard to get something for nothing and then gets royally ripped off.

    One valid reason for enterprise side loading is if the App is not offered through iTunes in your region. In many cases, it's not offered worldwide, due to all sorts of regulatory restrictions; this is the same as for music you get from iTunes, where the developer wants market segmentation, or the regulators (government, etc.) in a given area wants segmentation or control.

    In those cases, the only way to get the app for your region is to pirate it. For example, in China, as in Russia and the Ukraine, as well as other countries, there are regulations against having strong encryption which does not contain a government back door. In other places, they don't want you to be able to use a particular type of VPN to get around the government firewall which is content based, and media companies don't want you using VPNs to get around regional distribution schemes. As an example, RIAA and MPAA have been trying very hard to get VPNs to be declared illegal, or to declare the actual origin of their customers, in Australia, the U.K., and elsewhere.

    So there are valid political free speech reasons you might want to do this, and there are commercial unavailability reasons you might want to do this. Both of these are internal grey or black market reasons, while being externally viewed as white or grey market, at worst.

    Not that that's not what's happening here with the pirate app stores in China that are using voluntary enterprise enrollment in order to install pirate copies of apps on people's iPhones.