Apple phone owners beware: a particularly nasty phishing-scam variant researchers call “Masque Attack” can trick unwitting users into installing malicious apps – and worse still, it's no longer a theoretical threat known only to good-guy security researchers. The attack has now been spotted “in the wild.”
Traditional phishing scams involve sending users emails or occasionally text messages which come from hackers or scam artists, but appear – at least at first glance – to come from legitimate businesses or organizations: “This is the IRS. There's been unauthorized activity on your taxpayer account. Please click this link to confirm your password and Social Security number.” “This is your bank. There's something wrong with your savings account. Please click this link to confirm your password....”
Anytime you get such a message, you can safely assume it's not a real missive from your bank, merely a piece of phishing bait that'll hurt you if you bite.
So, where traditional phishing attempts involve fake emails or websites that look real, Masque Attack is the same basic premise — only with fake apps rather than emails. Victims who fall for the bait will download apps that look like the genuine apps for Facebook, Twitter or WhatsApp, except those apps are actually controlled by hackers.
Researchers have known about the Masque Attack vulnerability – and the possibility that hackers could exploit it by creating malicious fake apps – since at least last November.
But this week the threat potential was realized. As FireEye researcher Zhaofeng Chen noted, “We previously have described the threats of Masque Attacks against iOS in a series of blogs [but] Up until now, these attacks had never been seen carried out in the wild.”
Simon Mullis, the global technical lead for FireEye, told Business Insider that “The most recent version of the Masque attack uses a technique called ‘URL Scheme Hijacking.’ The attacker is initially able to bypass the mechanism used by Apple to ensure that a user trusts an app that is being installed.”
If smartphone users browsing the web click on an infected link, the malicious apps can be installed on their devices without their knowledge. The app looks and acts like the real thing – tap on a fake “Facebook” app, and it'll take you to Facebook and let you see your Feed, make posts, and take part in other Facebook activities. The problem is that it isn't Facebook controlling the app—it's hackers who now have your Facebook password and can watch everything you do there.
The bad apps aren't found on Apple's official App Store, so apps downloaded from there should be safe. FireEye said that in theory, this particular app attack could be used against all mobile operating systems, but in practice FireEye has only seen it used against iPhones.
The best way to protect yourself from Masque Attack is to take all standard anti-phishing precautions – you should never click on or trust a suspicious link. And when you download apps, stick to official app stores rather than third-party sources.
FireEye ended its Masque Attack alert by concluding “We encourage all iOS users to always update their devices to the latest version of iOS and pay close attention to the avenues that they download their apps.”