Apple's hard-shelled & unbreachable iOS went under malware attack: meet WireLurker & ''Masque Attack''


“Even though this is the first time this is happening, it demonstrates to a lot of attackers that this is a method that can be used to crack through the hard shell that Apple has built around its iOS devices,” security expert Ryan Olson tells the New York Times.

November 2014 may eventually become known as the ‘good ole days’ before iOS malware. That month the U.S. Government Computer Emergency Response Team (CERT) issued a warning to American businesses that iOS malware can be spread by phishing attacks, and that malicious apps may steal login credentials, access data, and monitor users’ devices. The electronic crime underground has begun exploiting iOS mobile devices and will intensify attacks on employees, making dynamic protection against malicious apps critically important.

Introduction

November 2014 will remain in ''Digital History'' as the crucial point at which users of iPhone and iPad devices faced, for the very first time, serious malware vulnerabilities and live criminal exploits. These attacks result from criminal abuse of iOS enterprise app distribution and management capabilities. They have also uncovered dangerous exploitation vectors that enterprises must protect against.

On November 13, 2014, the U.S. Government Computer Emergency Response Team (CERT) issued an alert to American businesses and government agencies about the risks of these attacks, warning that enterprise iOS malware can be spread by phishing attacks, and that malicious apps may:
  • Mimic the original app’s login interface to steal the victim’s login credentials
  • Access sensitive data from local data caches
  • Perform background monitoring of the user’s device
  • Gain root privileges to the iOS device
  • Be indistinguishable from a genuine app
The electronic crime underground has already begun exploiting mobile devices, and will intensify attacks on employees, making dynamic protection against malicious apps critical.

WireLurker

On November 5, 2014 Palo Alto Networks released a research report describing a malware application that targets iPhone and iPad users, called WireLurker. This criminal enterprise was fully operational for 6 months and was not detected by Apple until the report was published. Meanwhile, more than 350,000 devices & 450 Mac OS X applications were infected.


WireLurker attacks mobile devices by tricking the user into installing a malicious OS X application on their Macintosh computer. This application then infects the user’s iOS device when it is plugged into the computer for backup or charging. The malicious OS X application installs an enterprise provisioning certificate on the iOS device, which allows third-party mobile apps to be installed without going through Apple’s App Store. In this way, over 450 versions of the Mac OS X application were distributed during that period.

A version of the WireLurker client has also been discovered on Windows machines, infecting iOS users who back up or charge their devices on Windows computers.

Apple’s Response to WireLurker

On November 6, a day after publication of Palo Alto Networks’ report, Apple revoked the original enterprise certificate used by the attackers to publish their malicious iOS apps, preventing the malware from being spread any further. The Mac OS X software that pushed those apps was added to Apple’s blacklist and can no longer run on OS X. Palo Alto Networks also published a tool that detects the WireLurker malware family on OS X: https://github.com/PaloAltoNetworks-BD/WireLurkerDetector



Apple promptly removed this single instance of WireLurker and the 450 Mac OS X applications that spread the malware. However, this does nothing to prevent future versions of the malware from infecting computers, whether by smuggling in different fraudulent enterprise certificates or by releasing new versions of the WireLurker Mac OS X application. Moreover, it does not protect iPhone and iPad users who sync to Windows computers from running the WireLurker malware on their PCs.

''Masque Attack''

On November 10, just 5 days after the revelation of the WireLurker consumer malware, FireEye, the network security company, released research about ''Masque Attack'', a technique that can be used to target enterprise users of iPhones and iPads. ''Masque Attack'' uses the same enterprise provisioning mechanism as WireLurker, but additionally exploits a weakness in the iOS operating system that allows legitimate apps to be replaced by malicious facsimiles.

In this way, a user could inadvertently install an app that replaces a legitimate one, and it will have permissions to read any files or caches stored by the legitimate app. For example, replacing an email app like Gmail would allow the attacking app to read a user’s email. Similarly, replacing an enterprise app with a malware version will allow it to read any data stored in the legitimate enterprise app.

Apple’s Response to Masque Attack

On November 13, Apple responded to the Masque Attack threat by announcing that only users who turned off Apple’s own security controls on iOS would be vulnerable. However, those security controls are simply a dialog box that pops up asking the user whether they want to trust an enterprise provisioning certificate. If the user clicks “Yes,” malicious apps can be installed on the user’s iOS device at the whim of an attacker. These apps can replace legitimate apps and read their stored files and data.

This mechanism is not a bug in iOS. Rather, it is an important facility used by legitimate enterprises to publish their own proprietary apps to their employees’ devices. It has now been abused by criminals, and will continue to be used in ever greater and more targeted ways.

The Entrance of the Criminal Underground into Mobile Malware

Apple’s response illustrates that iOS is entering the “whack-a-mole” era of malware defense, similar to what PCs went through during the last decade.

Enterprise IT and security professionals must understand that the criminal underground has a booming economy buying and selling malware tools & infection services. WireLurker will eventually be reverse-engineered or sold to a broad array of criminals. It may be used to create not just new consumer-focused malware, but malware designed to attack the enterprise. 



Similarly, ''Masque Attack'' is an enterprise-focused malware vector that hackers will use to exploit Apple’s enterprise app store functionality to inject malicious apps onto employee devices, either randomly or in a targeted way.

What This Means for Enterprise Security Professionals

The reality is that it is impossible to educate millions of iPhone and iPad users to avoid clicking on emails, web pages, or pop-up dialog boxes. The situation is further complicated by the propagation of malicious enterprise and developer certificates through emails, text messages, and web pages.

Virtually every major corporate security breach in the last 3 years has been the result of spear-phishing attacks against targeted employees or consultants. Enterprises need a comprehensive mobile device security solution that monitors, detects, alerts, and remediates advanced persistent threats, malware and riskware. Otherwise, the enterprise's networks, services, and data will be perpetually at risk.

A comprehensive mobile device security solution must have:

  • A mobile device management solution to enforce policies

  • App analysis to automatically examine the behavior of millions of apps and determine if app behavior poses a risk to enterprise data or access credentials

  • App publisher reputation services to detect if apps on employee devices are from unknown or non-trusted publishers, or if apps have been installed using non-trusted enterprise provisioning certificates

  • Real-time, collective intelligence from around the world, allowing detection of new threats as they occur, instead of waiting 6 months for threats to ''grow in the wild'' until detection
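The enterprise provisioning abuse described in the Masque Attack section, and the publisher-reputation check listed above, both come down to one triage question: which apps on a managed device were installed through an in-house provisioning profile, and from whose team? The following added example (not code from the post, FireEye, Palo Alto Networks or Apple) shows how such an inventory check might be implemented: it reads the plist embedded in an app's .mobileprovision file and flags enterprise profiles from team identifiers outside the organisation's allowlist, in-house apps carrying the bundle id of an expected App Store app, profiles whose application-identifier does not match the installed bundle id, and expired profiles. The team IDs, bundle IDs and the sample profile are constructed placeholders, and the CMS signature around the plist is not verified.

```python
import plistlib
from datetime import datetime

# Constructed placeholders: our in-house team IDs, and App Store apps expected on devices.
TRUSTED_TEAMS = {"ABCDE12345"}
APP_STORE_BUNDLES = {"com.example.mail", "com.example.chat"}

def extract_profile_plist(blob: bytes) -> dict:
    """Pull the XML plist out of a .mobileprovision (a CMS envelope); CMS signature not verified."""
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist payload in provisioning profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def assess_app(bundle_id, profile_blob, now=None, trusted_teams=TRUSTED_TEAMS,
               store_bundles=APP_STORE_BUNDLES):
    """Return findings (strings) for one installed app and its embedded profile."""
    p = extract_profile_plist(profile_blob)
    team = (p.get("TeamIdentifier") or ["?"])[0]
    now = now or datetime.now()  # profile dates parse as naive datetimes
    findings = []
    # ProvisionsAllDevices marks an enterprise (in-house) profile: the app skipped App
    # Store review, which is the distribution path WireLurker and Masque Attack rely on.
    if p.get("ProvisionsAllDevices"):
        if team not in trusted_teams:
            findings.append(f"enterprise profile '{p.get('Name')}' from untrusted team {team}")
        if bundle_id in store_bundles:  # in-house app wearing an App Store app's identity
            findings.append(f"enterprise-signed app uses App Store bundle id {bundle_id}")
    # application-identifier is "<TEAMID>.<bundle id or *>"; a mismatch with the
    # installed bundle id means this profile was never issued for this app.
    app_id = p.get("Entitlements", {}).get("application-identifier", "")
    prefix, _, pattern = app_id.partition(".")
    if prefix != team or pattern not in ("*", bundle_id):
        findings.append(f"application-identifier {app_id!r} does not cover {bundle_id}")
    exp = p.get("ExpirationDate")
    if exp is not None and exp < now:
        findings.append(f"profile expired on {exp.date()}")
    return findings

# Constructed sample: an in-house profile from an unknown team whose app carries the
# bundle id of a mail app that managed devices normally get from the App Store.
SAMPLE_PROFILE = b"\x30\x82constructed-cms-wrapper" + b"""<?xml version="1.0"?>
<plist version="1.0"><dict>
<key>Name</key><string>Mail Update</string><key>ProvisionsAllDevices</key><true/>
<key>TeamIdentifier</key><array><string>ZZZZ99999Z</string></array>
<key>ExpirationDate</key><date>2015-05-01T00:00:00Z</date>
<key>Entitlements</key><dict><key>application-identifier</key>
<string>ZZZZ99999Z.com.example.mail</string></dict></dict></plist>""" + b"\x00constructed-sig"

def triage_sample(bundle_id="com.example.mail", now=datetime(2014, 11, 15)):
    return assess_app(bundle_id, SAMPLE_PROFILE, now)
```

On a real device inventory the same checks would run over the embedded.mobileprovision of every installed app, with findings fed to the MDM for alerting or removal.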

Enterprise solutions must provide automated detection and remediation of the threats from risky apps, malware and targeted attacks. It is impossible for an enterprise or government agency to manually monitor malware attacks. Finally, such a solution must provide the detection, alerting and forensic tools that enterprise security teams need to assess attacks and risks as they develop.
