Researchers at California-based cybersecurity firm FireEye have detailed what they claim is a major new security vulnerability in Apple’s iOS 8 software. The flaw, which they have dubbed “Masque Attack,” reportedly allows an attacker to replace authentic apps on a target’s iPhone or iPad with a malicious app that has the same appearance. Any data then entered into the replacement app can be obtained by the attacker.
For example, an app that mirrors the look of a banking app on the user’s phone can be installed, and then the target’s username and password can be stolen when he or she tries to enter them in the malicious app.
“Masque Attacks can replace authentic apps, such as banking and email apps, using attacker’s malware through the Internet,” FireEye’s Hui Xue, Tao Wei and Yulong Zhang wrote in a blog post on Monday. “That means the attacker can steal user’s banking credentials by replacing an authentic banking app with a malware that has identical UI.”
They continued, “Surprisingly, the malware can even access the original app’s local data, which wasn’t removed when the original app was replaced. These data may contain cached emails, or even login-tokens which the malware can use to log into the user’s account directly.”
The news comes just days after Apple fixed a recent issue that left its iOS and OS X-powered devices susceptible to an attack from malware called WireLurker.
FireEye says that the vulnerability affects all versions of iOS from iOS 7.1.1 through the latest public version of Apple’s mobile software, iOS 8.1. Also of note, the issue still affects iOS 8.1.1 beta, which is currently being tested by developers ahead of its public release.