A serious security flaw in iOS 8 called Masque Attack has been discovered which could allow attackers to steal highly sensitive personal information by masquerading as legitimate apps such as email or banking software.
The latest security vulnerability reported in Apple's mobile operating system comes just a week after a threat called WireLurker was uncovered attacking iPhone and iPad users in China.
Just like WireLurker, Masque Attack is a threat to non-jailbroken iPhones and iPads, devices which have traditionally been free from security threats as a result of Apple's stringent security measures.
FireEye said that it discovered the exploit in July and reported it to Apple. The flaw affects iPhone, iPad and iPod Touch devices running iOS 7 and iOS 8, which currently represent 95% of all devices in use.
Banking and email apps
The flaw takes advantage of the fact that Apple does not enforce matching certificates for apps with the same bundle identifier. That means that a victim could click on a link claiming to be an update to a popular app like Angry Birds or Flappy Bird, while in fact it downloads a piece of malware which looks like an app such as Gmail or your banking app.
According to FireEye, pre-installed apps like Safari are the only ones which are not affected.
Masque Attacks can replace authentic apps, such as banking and email apps, with an attacker's malware delivered over the Internet. That means the attacker can steal a user's banking credentials by replacing an authentic banking app with malware that has an identical UI. Surprisingly, the malware can even access the original app's local data, which is not removed when the original app is replaced. This data may contain cached emails, or even login tokens which the malware can use to log into the user's account directly.
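The replacement rule described above can be modelled in a few lines. This is an added example, not code from FireEye or Apple: it puts the bundle-identifier-only check beside a rule that also requires a matching signer, and adds an inventory audit that flags an app whose signer has changed. The bundle identifiers, signer labels and function names are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class App:
    bundle_id: str             # constructed identifier, e.g. "com.example.bank"
    signer: str                # constructed label for the signing certificate
    preinstalled: bool = False


def may_replace_vulnerable(installed: App, incoming: App) -> bool:
    """Rule the article describes: only the bundle identifier is compared,
    and pre-installed apps are the sole exception."""
    if installed.preinstalled:
        return False
    return installed.bundle_id == incoming.bundle_id


def may_replace_hardened(installed: App, incoming: App) -> bool:
    """Corrected rule (assumed form): the update must also come from the
    signer of the app it replaces, so the old app's data stays with its owner."""
    return (not installed.preinstalled
            and installed.bundle_id == incoming.bundle_id
            and installed.signer == incoming.signer)


def audit_inventory(baseline: dict[str, str], observed: list[App]) -> list[str]:
    """Return bundle IDs whose current signer differs from the recorded one."""
    return sorted(app.bundle_id for app in observed
                  if app.bundle_id in baseline
                  and baseline[app.bundle_id] != app.signer)


# Constructed sample data: a recorded baseline and two device states.
BASELINE = {"com.example.bank": "Example Bank Inc.",
            "com.example.mail": "Example Mail LLC"}
GENUINE = App("com.example.bank", "Example Bank Inc.")
LOOKALIKE = App("com.example.bank", "Unrelated Enterprise Cert")
MAIL = App("com.example.mail", "Example Mail LLC")

if __name__ == "__main__":
    print("bundle-id only :", may_replace_vulnerable(GENUINE, LOOKALIKE))
    print("signer matched :", may_replace_hardened(GENUINE, LOOKALIKE))
    print("audit findings :", audit_inventory(BASELINE, [LOOKALIKE, MAIL]))
```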
The vulnerability is the same one which was exploited by the WireLurker app that was discovered by Palo Alto Networks, but FireEye says Masque Attack "can pose much bigger threats than WireLurker".
While the dodgy nature of a Masque Attack update will be obvious to most people, clever attackers could tailor their attacks to trick a higher proportion of people.
"The first alert can be modified by the attacker to mislead the user to install the app. For the second alert, some users may not understand what it means and run the app anyway, after that, there's no more alerts if the user runs it again and again in the future," FireEye researcher Hui Xue told Tom Brewster-Fox on Forbes, adding:
"Worse still, if the user has ever installed one app signed by an enterprise certificate on the iOS device, the second alert will not show up for other apps signed by the same enterprise certificate. The reason why unapproved code is able to run is that the code was signed by some enterprise certificate and such apps can run on an unlimited number of devices."
Apple responded to the revelation of the WireLurker exploit but has yet to respond to this latest iOS vulnerability.