SAN FRANCISCO — Security researchers say they’ve discovered a vulnerability in Apple’s software that hackers could use to steal sensitive information from iPhones or iPads, by tricking device owners into downloading a malicious app.
Hackers aren’t known to be exploiting the weakness on a broad scale, and cybersecurity company FireEye says Apple is working on a fix. Apple did not immediately comment. FireEye, which on Monday disclosed the existence of the “Masque Attack” flaw, said users of Apple devices should not click on links that seem suspicious or come from an uncertain source, and they should not install apps unless they come from the official Apple store or a user’s own employer.
The vulnerability is a sign that Apple devices are not as impervious to malicious attacks as many consumers may believe, said FireEye spokesman Kyrk Storer. Apple devices drew less attention from hackers when they were less common, particularly in corporate settings. But as more people use Apple smartphones and tablets, including for work, that “makes them a much more appealing target” for hackers, Storer said.
“Masque Attack” lets hackers trick the owner of an iPhone or iPad into downloading a malicious app by disguising it as an update for a legitimate app, according to FireEye researchers. The app can be downloaded wirelessly if the device owner clicks on a link in a “phishing” email or text that’s been designed to look like it came from a trusted source.
As part of the deception, FireEye researchers said hackers might send a message offering the latest version of a popular online game. But if a device owner clicks on the link, it can download a malicious version of another program the victim is already using, such as an email or banking app. The malicious app replaces the legitimate app and appears normal, FireEye said, but it can secretly copy passwords or other sensitive information and send it wirelessly to the hackers.