New 'Masque Attack' iOS phishing vulnerability sideloads apps

On the heels of WireLurker, a new iOS threat has been discovered. This one, called Masque attack, could be a lot more problematic, too. While the previously discovered WireLurker vulnerability required users to be tethered to a Mac before anything nefarious could happen, Masque Attack is one that occurs in-app. Discovered by security research firm FireEye, Masque Attack could pose a much bigger risk to anyone using apps that didn't come pre-loaded on their iPhone, iPod, or iPad.

It works by piggybacking nefarious apps onto a download. You might be prompted to download a new game via an SMS message — a typical phishing scam technique — which would bring these new apps to your device.

The problem is, you wouldn't know the new apps were actually new apps. Via a Dropbox video, linked to below, we see that FireEye was able to force a bootleg Gmail app that mimicked the official app.

Of course, the fix is pretty simple: don't download anything outside of the App Store, and don't click links in texts from sources you don't know. Keep in mind this affects both Jailbroken and stock iOS builds.

Apple has yet to respond to this one, but FireEye says they've made Cupertino well aware of this vulnerability.

Source: FireEye

Via: 9to5Mac