'Masque Attack' Vulnerability Allows Malicious Third-Party iOS Apps to Masquerade as Legitimate Apps

Just a week after new WireLurker iOS malware surfaced, there's yet another vulnerability in iOS that can potentially be used to install malicious third-party apps. Called Masque Attack for its ability to emulate and replace existing legitimate apps, the flaw was discovered by security research company FireEye.

Masque Attack works by luring users to install an app outside of the iOS App Store, by clicking a phishing link in a text message or email. For example, in a demo video, an SMS message with a link attached was sent with the following text "Hey, check this out, the New Flappy Bird."

Once clicked, the link directs to a website, which prompts the user to install an app. The app in the video isn't Flappy Bird, but a malicious version of Gmail that installs directly over the legitimate version of Gmail downloaded from the App Store, making it virtually undetectable.


Masque Attack can be used to install fake versions of apps over legitimate App Store versions using iOS enterprise provisioning profiles, which are used for beta testing or by companies to distribute apps to employees without the need for the official App Store.

As explained in a blog post, as long as both the existing App Store app and the malicious imposter app use the same bundle identifier (a unique identifying number), the fake version will replace the actual app in a way that's very difficult for the user to detect. The hidden malicious app is able to upload email messages, SMS messages, phone calls, and more, which is possible because "iOS doesn't enforce matching certificates for apps with the same bundle identifier."
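The check iOS was not making can be run by a defender when triaging an .ipa that was offered outside the App Store. The following is an added example, not code from FireEye or Apple: it reads the bundle identifier from Info.plist and compares the provisioning profile's TeamIdentifier against an inventory of expected signers. The inventory, bundle identifier and team IDs are constructed placeholders, and the profile's team is used as a stand-in for the signer; the code signature itself is not validated.

```python
import io, plistlib, zipfile

# Assumed inventory: bundle identifier -> team ID expected to sign it (constructed values).
EXPECTED_SIGNERS = {"com.example.mail": "AAAAAAAAAA"}

def _embedded_plist(blob):
    """Pull the XML plist out of a CMS-wrapped embedded.mobileprovision."""
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist in provisioning profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def inspect_ipa(ipa_bytes, expected=EXPECTED_SIGNERS):
    """Report bundle id, profile team and whether the id collides with a known app."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        names = z.namelist()
        info_name = next(n for n in names if n.startswith("Payload/")
                         and n.endswith(".app/Info.plist") and n.count("/") == 2)
        info = plistlib.loads(z.read(info_name))
        prof_name = info_name.replace("Info.plist", "embedded.mobileprovision")
        profile = _embedded_plist(z.read(prof_name)) if prof_name in names else {}
    bundle_id = info["CFBundleIdentifier"]
    teams = profile.get("TeamIdentifier", [])
    want = expected.get(bundle_id)
    if want is None:
        verdict = "unknown-bundle-id"
    elif not teams:
        verdict = "no-profile"           # nothing to compare against
    elif want in teams:
        verdict = "ok"
    else:
        verdict = "bundle-id-collision"  # same identifier, different signer
    return {"bundle_id": bundle_id, "teams": teams, "verdict": verdict,
            "enterprise": bool(profile.get("ProvisionsAllDevices", False))}

def make_sample_ipa(bundle_id, team, enterprise=True):
    """Build a constructed, code-free .ipa in memory for the demo."""
    profile = plistlib.dumps({"TeamIdentifier": [team], "ProvisionsAllDevices": enterprise})
    info = plistlib.dumps({"CFBundleIdentifier": bundle_id})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Demo.app/Info.plist", info)
        # Fake CMS framing around the plist, as in a real profile file.
        z.writestr("Payload/Demo.app/embedded.mobileprovision", b"\x30\x82CMS" + profile + b"\x00sig")
    return buf.getvalue()

if __name__ == "__main__":
    print(inspect_ipa(make_sample_ipa("com.example.mail", "ZZZZZZZZZZ")))
```

An enterprise-provisioned package whose bundle identifier matches an inventoried App Store app but whose team does not is the combination the article describes.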

While the attack cannot replace stock Apple apps like Safari and Mail, it is able to affect apps that have been installed via the App Store, and has the potential to be much more dangerous than other vulnerabilities like WireLurker.

Masque Attacks can pose much bigger threats than WireLurker. Masque Attacks can replace authentic apps, such as banking and email apps, using attacker's malware through the Internet. That means the attacker can steal user's banking credentials by replacing an authentic banking app with a malware that has identical UI. Surprisingly, the malware can even access the original app's local data, which wasn't removed when the original app was replaced. These data may contain cached emails, or even login-tokens which the malware can use to log into the user's account directly.

FireEye has gotten the attack to work on iOS 7.1.1, 7.1.2, 8.0, 8.1, and the 8.1.1 beta. The company notified Apple about the vulnerability on July 26, but iOS users can protect themselves by not installing apps from third-party sources other than the official App Store, avoiding clicking on "install" popups in SMS messages or third-party websites, and avoiding or uninstalling apps that give an "Untrusted App Developer" alert.

iOS 7 users can check to see if they've been the victim of an attack by going to Settings > General > Profiles to see what provisioning profiles are installed. iOS 8 devices do not show installed provisioning profiles, making it more difficult to detect an attack.

Top Rated Comments

Tumbleweed666
135 months ago
Once clicked, the link directs to a website, which prompts the user to install an app. The app in the video isn't Flappy Bird, but a malicious version of Gmail that installs directly over the legitimate version of Gmail downloaded from the App Store, making it virtually undetectable.
------------

Any user who downloads an app from an unknown website mentioned in an email, wouldn't detect it if the app was called "I steal your banking data"
Score: 42 Votes
mercuryjones
135 months ago
So, I have to click a link to install an "app" in an SMS from someone I don't know that takes me to a place that isn't the app store? And, this is considered a huge vulnerability? I mean, I guess that you'll get a few people that will say "Yay! New Flappy Bird! And I didn't have to check the app store for it."
That said, hopefully, Apple will fix this pretty quickly. Maybe in 8.1.1.
Score: 37 Votes
Shlooky
135 months ago
Moral to the story, never side load :)
Score: 36 Votes
wxman2003
135 months ago
So this basically affects stupid people who click on links to sideload apps.
Score: 24 Votes
centauratlas
135 months ago
...the vulnerability on July 26...

That is a very long time to not have a fix released.
Score: 17 Votes
TheBuffather
135 months ago
This is a pretty legit vulnerability. Cunning.
Score: 15 Votes