There have been reports of a new iOS attack called 'Masque' which has been called 'bigger than WireLurker'. Commenting on this, Deepen Desai, head of security research at Zscaler, said:
"WireLurker is a hybrid malware family that targets both Mac OSX as well as Windows users with a malicious binary first and then further propagates to the iOS devices attached to the infected systems via USB connection. It is able to propagate to the iOS device by leveraging enterprise provisioning profiles, when enabled to bypass other iOS security checks, or if the device is jailbroken.
WireLurker has been found using the Masque exploit where it is possible to install a malicious app masquerading as a legitimate app by using the same bundle identifier string. The malicious app will completely replace the legitimate app and will also have access to the cached data as well as cached login tokens.
The attacker can leverage the Masque exploit to directly target the iOS device over the internet and does not require infecting the user systems. A simple SMS message or a popup with a link to a malicious app hosting site will prompt the user to install the app. The attacker will use social engineering tactics in naming the app, making it more likely for the end user to allow the install.
While both WireLurker and Masque attacks target the iOS devices, I consider both of them different threat families. WireLurker targets the user computers first and that enables it to employ a wide variety of other malicious features in addition to targeting iOS devices. It also improves the success rate for infection, especially considering there are many sophisticated vectors like cybercrime exploit kits, malvertising, etc., which make the computer user more susceptible to infection.
The attack can bypass MDM systems and this is definitely a significant issue because MDM does not currently offer any API that will allow it to distinguish between the original app and the malicious app if they both use the same bundle identifier value.
It is highly recommended for iOS users to install apps from the Apple App Store or trusted sources only. However, users will always be susceptible to social engineering tactics luring them into installing an app from an untrusted source. Malware families like WireLurker further open up another vector for infection over USB, if the user plugs their mobile device into an untrusted computer that has a poor security profile. It is highly recommended for users not to plug their mobile devices into untrusted computers.
Apple needs to fix the loophole that exists in the support for enterprise provisioning profiles which allows an attacker to completely bypass iOS security checks and install a malicious app on the iOS device."
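The detection gap Desai describes is that MDM keys on the bundle identifier alone, so an enterprise-signed app that reuses a store app's bundle ID looks identical to the original. The following is an added example, not code from the article or from Zscaler, of the kind of check an MDM or inventory pipeline could run if it also records how each app was signed. The inventory format (`bundle_id`, `signer`, `profile`), the allow-list of expected App Store bundle IDs and the organisation's own enterprise team name are all assumptions; the sample inventory is constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical per-device inventory record. Assumes the inventory source reports
# the signer of each installed app ("appstore", or the team name on the enterprise
# provisioning profile) and the profile name that authorised the install.
@dataclass(frozen=True)
class InstalledApp:
    bundle_id: str
    signer: str
    profile: Optional[str] = None


# Assumed allow-list: bundle IDs the organisation expects to be App Store builds.
EXPECTED_APPSTORE_BUNDLES = {
    "com.example.banking",   # constructed placeholder
    "com.example.mail",      # constructed placeholder
}

# Assumed: the only enterprise signing team the organisation itself uses.
OWN_ENTERPRISE_TEAM = "Example Corp IT"  # constructed placeholder


def find_suspicious_apps(inventory, expected_appstore, own_team):
    """Flag bundle-ID collisions and unknown enterprise signers.

    Rule 1: a bundle ID we expect from the App Store but which was installed
            under an enterprise profile is a Masque-style replacement candidate.
    Rule 2: any enterprise-signed app whose team is not our own indicates an
            untrusted provisioning profile was accepted on the device.
    Returns a list of (bundle_id, reason) tuples, ordered as in the inventory.
    """
    findings = []
    for app in inventory:
        enterprise_signed = app.signer != "appstore"
        if app.bundle_id in expected_appstore and enterprise_signed:
            findings.append((app.bundle_id, "expected App Store bundle ID installed via enterprise profile"))
        elif enterprise_signed and app.signer != own_team:
            findings.append((app.bundle_id, f"enterprise app signed by unknown team '{app.signer}'"))
    return findings


# Constructed sample inventory for one device.
SAMPLE_INVENTORY = [
    InstalledApp("com.example.mail", "appstore"),
    InstalledApp("com.example.banking", "Totally Legit Apps Ltd", profile="Free Game Pack"),
    InstalledApp("com.example.internal-tool", OWN_ENTERPRISE_TEAM, profile="Example Corp Internal"),
    InstalledApp("com.example.freegame", "Totally Legit Apps Ltd", profile="Free Game Pack"),
]


def scan_sample():
    return find_suspicious_apps(SAMPLE_INVENTORY, EXPECTED_APPSTORE_BUNDLES, OWN_ENTERPRISE_TEAM)


if __name__ == "__main__":
    for bundle_id, reason in scan_sample():
        print(f"{bundle_id}: {reason}")
```

The value of recording the signer is that it turns the bundle ID from the sole identity key into one of two keys; the second rule also surfaces the untrusted provisioning profile itself, which is the precondition Desai points to, independent of whether it has yet been used to replace a store app.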