New weakness in the latest editions of Apple’s mobile operating system allows hackers to install applications on iPhones or iPads by sending users an email or text message. This kind of flaw can be used to steal personal data, eavesdrop on communications or even track the user’s physical location using the GPS chip without the user’s consent.
The weakness was found by the security researchers FireEye and was dubbed “Masque”. They revealed that the flaw can take advantage of similar enterprise-focused tools to Wirelurker (as you may know, it is the name of the previous iOS vulnerability which let an attacker use a compromised Mac to install software on iOS devices).
The security researchers explain that before the users can be infected, the hackers must trick them into clicking a link in a text or email, and then accepting to install an application. Normally, an application installed this way would require a security certificate signed by Apple to run on iPhones that have not been jailbroken, and so malicious software can’t get past the gate.
Nevertheless, the latest weakness uses a vulnerability that allows an iOS application with the same file name replace a real one, even though it has a different developer. Users may believe that they are installing some new game, but in fact they would download an app that silently replaces their Gmail app with a fake one. The matter is that the iOs device won’t prevent this from happening because it doesn’t understand the Gmail app has been replaced.
In general, Masque is regarded as an app of the same principle used in the WireLurker attack, but on a bigger scale. The former can replace authentic applications – for example, banking and email apps – which means that the hackers are able to steal users’ banking credentials. Moreover, the malicious software is even able to get access to the original app’s local data, containing cached emails or even login-tokens.
As usual, users will avoid infection if they run apps only from the official App Store or their own company. However, the very existence of the vulnerability poses risks if users can be tricked into accepting the installation anyway. The security experts remind that there would always be a warning to the user, and it’s not something they would normally see in iOS. So, if you carefully read what your device tells you, you can be smart enough to decline installation and get safe from this vulnerability.