
Apple iOS bug lets fake apps sneak onto iPhones, iPads

The vulnerability affects roughly 95 percent of all Apple mobile devices currently in use, according to a new report.

Nick Statt Former Staff Reporter / News

Apple's mobile devices have a new security threat: fake apps that can steal log-in data and other sensitive information. (Image: CNET)

Want to hack an iPhone? There's an app for that.

Hackers have a new way to break into Apple mobile devices using Web pages, text messages and emails to fool users into downloading fake apps that can leak their information, according to a new report from cybersecurity company FireEye.

There's no evidence hackers have started doing this in the US, but FireEye said a vulnerability in Apple's iOS mobile operating system means fake apps, which may be designed to look like your bank or email program, can replace genuine apps installed through Apple's App Store. Once installed, the apps could gain access to personal information and send it back to hackers without users' knowledge in what FireEye is calling a "Masque Attack."

Apple has long touted the security of its desktop and smartphone software against competing offerings such as Google's Android. However, this vulnerability is the latest in a growing list of chinks in iOS's security, and could cause users to become wary of the company's products.

FireEye said the bug affects all Apple mobile devices running iOS 7 or later, regardless of whether or not the device is jailbroken -- a user-initiated state that lets you install any app off the Internet. That means roughly 95 percent of all Apple mobile devices currently in use are vulnerable. Apple sold 51.6 million iPhones and iPads in the three months ended in September alone.

This is the second time researchers have raised concerns about Apple's security in as many weeks. Last week, security firm Palo Alto Networks described a new attack it discovered, in which unapproved apps downloaded from the Internet could infect iPhones when plugged into Mac computers. The attack, called "WireLurker," was first recognized in China and is based on the same vulnerability FireEye disclosed Monday.

FireEye told Apple in July about the issue and went public Monday after Palo Alto Networks detailed its discovery last week. "We consider it urgent to let the public know, since there could be existing attacks that haven't been found by security vendors," FireEye wrote.

Apple said in a statement last week that it was aware of the vulnerability Palo Alto Networks had discovered, and was working on a fix. "As always, we recommend that users download and install software from trusted sources," the company said.

Apple did not respond to a request for comment about this new type of attack.

Update at 3:25 p.m. PT: Clarified that the attack can be used against jailbroken and non-jailbroken iPhones and iPads.