It looks like that a new security flaw has been discovered that allows attackers to fool unsuspecting users into installing malicious iPhone and iPad apps disguised as new versions of popular apps and games such as Gmail, Angry Birds and more.
Instances of malicious apps with such deceiving names as “New Angry Birdâ€, “New Flappy Bird†and others were mentioned Monday in a report by mobile security research firm FireEye.
The issue stems from an oversight in the design of iOS that allows an iPhone or iPad application installed using enterprise/ad-hoc provisioning to replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier.
Thankfully, there is no worries about replacing Apple’s stock apps like Mail or Safari. That’s of little consolation because any app on a user’s device installed from the App Store could be used to prompt tech illiterate users into installing malicious software.
Seen below: a FireEye-provided example of a genuine Gmail app (Figure A and B) being replaced with a malicious version (Figure D, E and F) because the user chose to install a “New Flappy Bird†update through ad-hoc provisioning (Figure C).
Here are the five security implications FireEye singled out:
- Attackers could mimic the original app’s login interface to steal the victim’s login credentials. We have confirmed this through multiple email and banking apps, where the malware uses a UI identical to the original app to trick the user into entering real login credentials and upload them to a remote server.
- We also found that data under the original app’s directory, such as local data caches, remained in the malware local directory after the original app was replaced. The malware can steal these sensitive data. We have confirmed this attack with email apps where the malware can steal local caches of important emails and upload them to remote server.
- The MDM interface couldn’t distinguish the malware from the original app, because they used the same bundle identifier. Currently there is no MDM API to get the certificate information for each app. Thus, it is difficult for MDM to detect such attacks.
- As mentioned in our Virus Bulletin 2014 paper “Apple without a shell – iOS under targeted attackâ€, apps distributed using enterprise provisioning profiles (which we call “EnPublic appsâ€) aren’t subjected to Apple’s review process. Therefore, the attacker can leverage iOS private APIs for powerful attacks such as background monitoring (CVE-2014-1276) and mimic iCloud’s UI to steal the user’s Apple ID and password.
- The attacker can also use Masque Attacks to bypass the normal app sandbox and then get root privileges by attacking known iOS vulnerabilities, such as the ones used by the Pangu team.
So what should you do ? In order to stay away from these attacks or this security flaw, never install or side-load apps from third-party sources other than the App Store and make sure to avoid tapping the “Install†option a malicious webpage may put up, no matter how attractive app titles might be.
And crucially, if you see an alert warning you of “Untrusted App Developer†when opening an iPhone or iPad app, as shown below, tap on “Don’t Trust†and uninstall the app immediately.
Finally, you are warned !
[FireEye]
