Apple customers are being warned by computer security experts, including the United States government’s own cyber squad, to watch out for a new bug affecting iOS devices like the iPhone and iPad.
The US Computer Emergency Readiness Team, or US-CERT, said Thursday that users of mobile phones and tablets running Apple’s latest iOS software should be careful about what they click. A so-called “masque attack” is taking users by storm, tricking iPhone and iPad owners into installing malicious software that resembles legitimate applications but is actually embedded with code that could compromise an entire device.
“This attack works by luring users to install an app from a source other than the iOS App Store or their organizations’ provisioning system,” US-CERT explained. From there, the fake app may let a hacker control the infected device and “access sensitive data from local data caches,” “perform background monitoring of the user’s device” and “gain root privileges to the iOS device.”
The exploit was discussed earlier in the week by security experts at the firm FireEye, who said they informed Apple of the vulnerability on July 26 but believe new versions of iOS can still be exploited as part of a new masque attack hacking campaign they’ve dubbed “WireLurker.”
“Masque Attacks can replace authentic apps, such as banking and email apps, using attacker’s malware through the Internet. That means the attacker can steal user’s banking credentials by replacing an authentic banking app with a malware that has identical UI. Surprisingly, the malware can even access the original app’s local data, which wasn’t removed when the original app was replaced. These data may contain cached emails, or even login-tokens which the malware can use to log into the user’s account directly,” FireEye warned.
“We have confirmed this attack with email apps where the malware can steal local caches of important emails and upload them to [a] remote server,” FireEye said.
“In this situation, we consider it urgent to let the public know,” FireEye said, “since there could be existing attacks that haven’t been found by security vendors.”
Meanwhile, US-CERT says Apple users should avoid clicking “Install” from any third-party applications or websites, and watch for any other unusual activity.
“If you are getting something from your work, it looks like a work email asking you to download an outside app, just call your boss and ask ‘did you really send me this email? Did you really want me to download that?’” CNET reporter Bridget Carey suggested. “Be careful what you download. Only download from the Apple store.”