Cybersecurity researchers warned Monday of a new bug discovered in Apple’s iOS mobile software that leaves a majority of iPhones and iPads vulnerable to hacking and data theft.
Researchers at the renowned cybersecurity firm FireEye published their discovery of the security hole in a blog post Monday, where they describe the bug’s potential to leave a door open for hackers to trick iOS users into downloading applications loaded with malware through emails, texts and links.
“In July 2014, FireEye mobile security researchers have discovered that an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store,” researchers wrote. “This in-house app may display an arbitrary title [like “New Flappy Bird”] that lures the user to install it, but the app can replace another genuine app after installation.”
“An attacker can leverage this vulnerability both through wireless networks and USB. We named this attack ‘Masque Attack.’”
Once installed, a “Masque Attack” app masquerading as a user’s usual bank or email app, for example, can steal account information, login credentials and other sensitive information.
“It is a very powerful vulnerability and it is easy to exploit,” FireEye senior staff research scientist Tao Wei said in an interview, according to Reuters. Wei said Apple has been working on a fix since FireEye alerted the company to the vulnerability earlier this summer, and that the firm decided to publish the bug only after Palo Alto Networks uncovered the first observed attempt by hackers to exploit it last week, with malware dubbed “WireLurker.”
In the meantime, researchers warn iOS users to only download apps directly from Apple’s App Store. So far, the bug has been confirmed on iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta for jailbroken and non-jailbroken devices.