November 10th, 2014, 21:41 PM
Apple iOS bug lets fake apps sneak onto iPhones, iPads
Hackers have a new way to break into Apple mobile devices using Web pages, text messages and emails to fool users into downloading fake apps that can leak their information, according to a new report from cybersecurity company FireEye.
There's no evidence hackers have started doing this in the US, but FireEye said a vulnerability in Apple's iOS mobile operating system means fake apps, which may be designed to look like your bank or email program, can replace genuine apps installed through Apple's App Store. Once installed, the apps could gain access to personal information and send it back to hackers without users' knowledge in what FireEye is calling a "Masque Attack."
Apple has long touted the security of its desktop and smartphone software against competing offerings such as Google's Android. However, this vulnerability is the latest in a growing list of chinks in iOS's security, and could cause users to become wary of the company's products.
FireEye said the vulnerability affects all Apple mobile devices running iOS 7 or later. That means roughly 95 percent of all Apple mobile devices currently in use. Apple sold 51.6 million iPhones and iPads in the three months ended in September alone.
This is the second time researchers have raised concerns about Apple's security in as many weeks. Last week, security firm Palo Alto Networks described a new attack it discovered, in which unapproved apps downloaded from the Internet could infect iPhones when plugged into Mac computers. The attack, called "WireLurker," was first recognized in China and is based on the same vulnerability FireEye disclosed Monday.
FireEye told Apple in July about the issue and went public Monday after Palo Alto Networks detailed its discovery last week. "We consider it urgent to let the public know, since there could be existing attacks that haven't been found by security vendors," FireEye wrote.
Apple said in a statement last week that it was aware of the vulnerability Palo Alto Networks had discovered, and was working on a fix. "As always, we recommend that users download and install software from trusted sources," the company said.