Security researchers have warned of a security hole in Apple's iOS devices that could allow attackers to replace legitimate apps with booby-trapped ones, an exploit that could expose passwords, e-mails, or other sensitive user data.

The "Masque" attack, as described by researchers from security firm FireEye, relies on enterprise provisioning to replace banking, e-mail, or other types of legitimate apps already installed on a targeted phone with a malicious one created by the adversary. From there, the attacker can use the malicious app to access sent e-mails, login credential tokens, or other data that belonged to the legitimate app.

"Masque Attacks can replace authentic apps, such as banking and e-mail apps, using attacker's malware through the Internet," FireEye researchers wrote in a blog post published Monday. "That means the attacker can steal user's banking credentials by replacing an authentic banking app with a malware that has identical UI. Surprisingly, the malware can even access the original app's local data, which wasn't removed when the original app was replaced. These data may contain cached e-mails or even login-tokens which the malware can use to log into the user's account directly."

The attack works by presenting a targeted phone with the same sort of digital certificate large businesses use to install custom apps on employees' iPhones and iPads; it succeeds as long as both the legitimate app and the malicious app use the same bundle identifier. The attack requires some sort of lure to trick a target into installing the malicious app, possibly by billing it as an out-of-band update or a follow-on to an already installed app. Recently, the researchers uncovered evidence the attacks may be circulating online, they said without elaborating. The technique doesn't work against iOS preinstalled apps such as Mobile Safari. FireEye researchers said they reported the vulnerability to Apple in July.

"By leveraging Masque Attack, an attacker can lure a victim to install an app with a deceiving name crafted by the attacker (like New Angry Bird), and the iOS system will use it to replace a legitimate app with the same bundle identifier," Monday's report stated. "Masque Attack couldn't replace Apple's own platform apps such as Mobile Safari, but it can replace apps installed from App Store." From there, attackers can:

Mimic the login interface of the replaced app to steal the victims' login credentials

Access local data caches assigned to the replaced app to steal e-mails, login tokens, or other sensitive data

Install custom programming interfaces not approved by Apple onto victims' phones

Bypass the normal app sandbox architecture built into iOS and possibly get root access by exploiting known iOS vulnerabilities, such as those recently targeted by the Pangu team.

FireEye researchers documented the following proof-of-concept example attack:

In one of our experiments, we used an in-house app with a bundle identifier “com.google.Gmail” with a title “New Flappy Bird.” We signed this app using an enterprise certificate. When we installed this app from a website, it replaced the original Gmail app on the phone. Figure 1 illustrates this process. Figure 1(a) (b) show the genuine Gmail app installed on the device with 22 unread e-mails. Figure 1(c) shows that the victim was lured to install an in-house app called “New Flappy Bird” from a website. Note that “New Flappy Bird” is the title for this app and the attacker can set it to an arbitrary value when preparing this app. However, this app has a bundle identifier “com.google.Gmail”. After the victim clicks “Install”, Figure 1(d) shows the in-house app was replacing the original Gmail app during the installation. Figure 1(e) shows that the original Gmail app was replaced by the in-house app. After installation, when opening the new “Gmail” app, the user will be automatically logged in with almost the same UI except for a small text box at the top saying “yes, you are pwned” which we designed to easily illustrate the attack. Attackers won’t show such courtesy in real world attacks. Meanwhile, the original authentic Gmail app’s local cached e-mails, which were stored as clear-text in a sqlite3 database as shown in Figure 2, are uploaded to a remote server. Note that Masque Attack happens completely over the wireless network, without relying on connecting the device to a computer.
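The replacement condition described above (an enterprise-signed app carrying the bundle identifier of an App Store app, under whatever display name the attacker chooses) is something an MDM or fleet-inventory review can flag. The following script is an added example, not code from FireEye or Apple; the CSV inventory format, the `signer` column values and the reference table of App Store bundle identifiers are constructed assumptions for illustration.

```python
"""Flag Masque-style app replacement candidates in an MDM inventory export.

An enterprise-signed app whose bundle identifier belongs to a known App Store
app is the exact condition the FireEye report describes; a mismatched display
name (e.g. "New Flappy Bird" for com.google.Gmail) makes it more suspicious.
The inventory format and known-apps table are constructed, not a real export.
"""
import csv
import io

# Constructed reference table: bundle identifier -> expected App Store display name.
KNOWN_APPSTORE_APPS = {
    "com.google.Gmail": "Gmail",
    "com.example.bank": "Example Bank",  # placeholder identifier, not a real app
}

# Constructed inventory export. 'signer' is the assumed way the MDM reports the
# code-signing source: appstore, enterprise (in-house certificate) or platform.
SAMPLE_INVENTORY = """\
device,bundle_id,display_name,signer
phone-01,com.google.Gmail,Gmail,appstore
phone-02,com.google.Gmail,New Flappy Bird,enterprise
phone-03,com.example.bank,Example Bank,enterprise
phone-03,com.apple.mobilesafari,Safari,platform
phone-04,com.corp.internal-tool,Expense Tool,enterprise
"""


def find_masque_candidates(inventory_csv, known_apps=KNOWN_APPSTORE_APPS):
    """Return (device, bundle_id, reason) for each suspicious enterprise-signed app."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["signer"] != "enterprise":
            continue  # App Store and Apple platform apps are not replaced this way
        bundle_id = row["bundle_id"]
        expected = known_apps.get(bundle_id)
        if expected is None:
            continue  # genuine in-house app with its own bundle identifier
        reason = "enterprise-signed app reuses App Store bundle identifier"
        if row["display_name"] != expected:
            reason += f" under a different name ({row['display_name']!r})"
        findings.append((row["device"], bundle_id, reason))
    return findings


if __name__ == "__main__":
    for device, bundle_id, reason in find_masque_candidates(SAMPLE_INVENTORY):
        print(f"{device}: {bundle_id}: {reason}")
```

Note that the third row is flagged even though its display name matches: an in-house build that reuses a store app's bundle identifier is the replacement vector regardless of what it is called.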

Monday's post comes a few days after researchers from Palo Alto Networks uncovered an active malware campaign that also abused enterprise certificates to install unwanted apps on iPhones and iPads. The FireEye post described WireLurker as a "limited form of Masque Attacks to attack iOS devices through USB. Masque Attacks can pose much bigger threats than WireLurker."

The attacks can be prevented by installing only apps that come from Apple's official App Store. Users who encounter dialogue boxes from third-party websites asking for permission to update existing apps or install new ones should be especially suspicious. Users should immediately uninstall any apps that return an alert saying "Untrusted App Developer."