The United States Computer Emergency Readiness Team issued an alert today for a vulnerability on Apple iOS devices (iPhones, iPads) that has the potential to affect many users. The attack, called “Masque Attack”, allows an attacker to substitute malware for a legitimate iOS app. Basically, the attack compromises a website you may visit from your phone or tablet and then pops up a window asking you to install an app to more easily use the site. If you chose to install the app, it replaces the real app with a fake one that may actually work, but also steals your credentials and sends them to the attacker.
Please refrain from installing any apps that “pop up” when you are browsing on your devices, Apple or otherwise. Always go directly to iTunes/App store (or Google Play) to get any apps you want and install directly from those sources.
iOS users can protect themselves from Masque Attacks by following three steps:
1. Don’t install apps from sources other than Apple’s official App Store or your own organization.
2. Don’t click “Install” from a third-party pop-up when viewing a web page.
3. When opening an app, if iOS shows an “Untrusted App Developer” alert, click on “Don’t Trust” and uninstall the app immediately.
In summary, please be careful with software you install on your computer and devices. Only install items from trusted sources. If you need any help, please feel free to give us a shout!