iOS Masque Attack flaw discovered by researchers
Masque Attack hole could be more dangerous to the iPhone and iPad than WireLurker


Researchers have discovered a flaw in Apple's iOS operating system that could make an iPhone or iPad vulnerable to attack from hackers.
The flaw, dubbed Masque Attack, allows criminals to access iOS devices by tricking users into installing malware via email, text messages and URL links, according to IT security firm FireEye.
The malicious applications can then replace genuine apps downloaded from the Apple App Store with malware-tainted versions. FireEye said in a blog posting that this vulnerability exists because iOS doesn't enforce matching certificates for apps with the same bundle identifier.
"Attackers could mimic the original app's login interface to steal the victim's login credentials," said Hui Xue, Tao Wei and Yulong Zhang in the post.
"We have confirmed this through multiple email and banking apps, where the malware uses a UI identical to the original app to trick the user into entering real login credentials and upload them to a remote server."
The researchers added that an attacker could also use Masque Attack to bypass the normal app sandbox and then get root privileges by attacking known iOS vulnerabilities.
FireEye disclosed the problem to Apple in July. The researchers said Masque Attack posed a much bigger threat than WireLurker as it can replace authentic apps, such as banking and email apps, using attackers' malware through the internet.
The malware can even access the original app's local data, if it hadn't been removed when the original app was replaced. "These data may contain cached emails, or even login-tokens which the malware can use to log into the user's account directly," the researchers added.
The researchers also warned users not to install apps from third-party sources other than Apple's official App Store or the user's own organisation, saying: "When opening an app, if iOS shows an alert with 'Untrusted App Developer', click on 'Don't Trust' and uninstall the app immediately."
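As an added illustration (not code from FireEye's post or from this article), the check the article says iOS does not enforce, that an installed app is signed with the certificate expected for its bundle identifier, can be run by a defender over a device inventory. The record fields, signer strings and baseline below are hypothetical, constructed sample data, not an Apple or MDM API.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AppRecord:
    # Hypothetical inventory fields; real tooling will name these differently.
    bundle_id: str  # e.g. "com.example.bank"
    signer: str     # signing identity reported for the installed copy
    source: str     # "appstore" or "enterprise"


# Constructed baseline: the signer the organisation expects per bundle ID.
BASELINE = {
    "com.example.bank": "AppStore:TEAMBANK01",
    "com.example.mail": "AppStore:TEAMMAIL01",
    "org.example.intranet": "Enterprise:OURORG0001",
}
# Constructed allow-list: the organisation's own enterprise signing identity.
TRUSTED_ENTERPRISE_SIGNERS = {"Enterprise:OURORG0001"}


def audit(inventory, baseline=BASELINE, trusted=TRUSTED_ENTERPRISE_SIGNERS):
    """Return (bundle_id, reason) findings for one device inventory."""
    findings = []
    for app in inventory:
        expected = baseline.get(app.bundle_id)
        if expected is not None and app.signer != expected:
            # Same bundle ID, different certificate: the condition behind
            # Masque Attack as the article describes it.
            findings.append((app.bundle_id, "signer-mismatch"))
        elif app.source == "enterprise" and app.signer not in trusted:
            # Installed from outside the App Store and not signed by the
            # user's own organisation, which the researchers warn against.
            findings.append((app.bundle_id, "untrusted-enterprise-signer"))
    return findings


# Constructed inventory for one device.
SAMPLE_INVENTORY = [
    AppRecord("com.example.bank", "Enterprise:UNKNOWN9999", "enterprise"),
    AppRecord("com.example.mail", "AppStore:TEAMMAIL01", "appstore"),
    AppRecord("org.example.intranet", "Enterprise:OURORG0001", "enterprise"),
    AppRecord("com.example.game", "Enterprise:UNKNOWN9999", "enterprise"),
]

if __name__ == "__main__":
    for bundle_id, reason in audit(SAMPLE_INVENTORY):
        print(f"{bundle_id}: {reason}")
```

A signer mismatch on a banking or email bundle ID is the higher-priority finding, since the article notes the replacement app can read data the original left behind.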
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.