Masque Attack II: Another major flaw has been detected in Apple iOS which can lead to theft of enterprise users' data.

Masque II : Hijack of the URL

FireEye researchers have noted that Masque Attack II comprises two parts: a) Bypasses Prompt for Trust and b) URL Scheme Hijacking. Hui Xue and his team of researchers have contended that iOS 8.1.3 is fortified against the “Prompt Bypass” but is still vulnerable to “iOS URL scheme hijacking”. We will try to understand this in simple terms.

  1. Bypasses Prompt for Trust: Whenever a user clicks a link in an SMS, an email or even Google Inbox, Apple iOS will launch the target enterprise-signed app without asking for the user’s permission. Usually, if a user downloads a particular app from the App Store for the first time, a prompt pops up asking for “Trust” or “Don’t Trust”. In this case, since the user has clicked the link through a URL scheme, the app will be directly downloaded without the prompt. In the cases that FireEye studied, even though the user had earlier clearly said “Don’t Trust” to some untrusted app, iOS ignored the prompt and downloaded the app. FireEye has brought this issue to the notice of Apple.
  2. URL Scheme Hijacking: This is more of a feature issue than a malware attack. It was seen that Apple iOS allows apps from different developers to share the same URL schemes. Again, as per the researchers at FireEye: “Attackers can either publish an “aggressive” app into the App Store, or craft and distribute an enterprise-signed/ad-hoc malware that registers app URL schemes identical to the ones of legitimate popular apps. Through this, attackers can mimic a legitimate app’s UI to carry out phishing attacks to steal login credentials or gather data intended to be shared between two trusted apps.”

In simplified terms, this means that users may end up downloading a malicious app, as the hijackers intend, instead of the legitimate one, and it may then steal personal and financial information of the iPhone/iPad user.

According to the FireEye team of Messieurs Hui Xue, Zhaofeng Chen, Song Jin, Yulong Zhang and Tao Wei, iPhone and iPad users need to be more careful against the Masque Attack II as it has not been mitigated yet. Probable remedies suggested to Apple iOS users:

  1. Update their device to version 8.1.3 ASAP.
  2. Whenever users get a link in an SMS, an email or on a website, they should be careful, as it may download malware.
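The URL scheme sharing described under "URL Scheme Hijacking" can be checked for in an inventory of apps. The following is an added example, not code from FireEye or from the original article: it reads each app's Info.plist and reports any URL scheme claimed by more than one bundle identifier. The bundle identifiers and schemes are constructed sample values, and the helper names are hypothetical.

```python
import plistlib
from collections import defaultdict


def url_schemes(info_plist_bytes):
    """Return (bundle id, set of lower-cased URL schemes) for one Info.plist.

    plistlib.loads accepts both XML and binary plists.
    """
    info = plistlib.loads(info_plist_bytes)
    schemes = set()
    for url_type in info.get("CFBundleURLTypes", []):
        if not isinstance(url_type, dict):
            continue  # tolerate malformed entries instead of crashing the audit
        for scheme in url_type.get("CFBundleURLSchemes", []):
            # URL schemes are case-insensitive, so compare them lower-cased.
            schemes.add(str(scheme).lower())
    return info.get("CFBundleIdentifier", "<unknown>"), schemes


def find_collisions(plists):
    """Map each URL scheme claimed by 2+ bundle ids to the sorted claimants."""
    claims = defaultdict(set)
    for raw in plists:
        bundle_id, schemes = url_schemes(raw)
        for scheme in schemes:
            claims[scheme].add(bundle_id)
    return {s: sorted(ids) for s, ids in claims.items() if len(ids) > 1}


def _sample(bundle_id, schemes, fmt=plistlib.FMT_XML):
    """Build a constructed Info.plist for the demo (not a real app)."""
    return plistlib.dumps(
        {"CFBundleIdentifier": bundle_id,
         "CFBundleURLTypes": [{"CFBundleURLSchemes": schemes}]},
        fmt=fmt,
    )


# Constructed inventory: two different apps register the same scheme.
SAMPLE_PLISTS = [
    _sample("com.example.bank", ["examplebank"]),
    _sample("com.example.lookalike", ["ExampleBank"], fmt=plistlib.FMT_BINARY),
    _sample("com.example.notes", ["examplenotes"]),
]

if __name__ == "__main__":
    for scheme, owners in find_collisions(SAMPLE_PLISTS).items():
        print(f"scheme '{scheme}' is registered by: {', '.join(owners)}")
```

A scheme reported here is only a lead for review: the check shows that two bundle identifiers claim the same scheme, not which of them is legitimate.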

FireEye says it disclosed the vulnerability publicly as Apple chose to ignore their private disclosure. You can see the Proof-of-Concept video below: