The ‘Masque' flaw was spotted by research firm FireEye more than three month ago and reported to Apple on 26 July.
But this Monday FireEye went public on the flaw because “we have seen proof that this issue started to circulate and we consider it urgent to let the public know, since there could be existing attacks that haven't been found by security vendors.”
FireEye also said that the ‘WireLurker' malware - revealed last week by Palo Alto Networks and said to have infected up to 350,000 Apple Mac and iOS devices - has “started to utilise a limited form of Masque attacks to attack iOS devices through USB”. The firm added: “Masque attacks can pose much bigger threats than WireLurker. “
The Masque vulnerability lets attackers steal banking and other personal information from iOS users who download apps from third-party stores.
It exploits the failure of iOS to check the legitimacy of a malicious app that displays the same ‘bundle identifier' as a genuine app already on the user's device.
This means criminals can lure users to download attractive-sounding apps like ‘New Flappy Bird' which, when installed, replace their banking or other apps and start stealing their money or credentials.
The vulnerability affects both jailbroken and non-jailbroken devices running iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta. Attacks can mounted both through wireless networks and USB sticks.
FireEye's blog features a video showing Masque being used to replace a genuine Gmail app with malicious code.
Apple has yet to issue a patch for the problem, and declined to comment to SCMagazineUK.com on the case.
FireEye explains: “Masque attacks can replace authentic apps, such as banking and email apps, using attacker's malware through the internet. That means the attacker can steal user's banking credentials by replacing an authentic banking app with malware that has identical UI.”
Masque attacks can even steal user data stored by the original genuine app – such as all their past emails, or log-in tokens that would allow a criminal to log in to the user's account directly.
However, the threat only affects people who install apps from unofficial third-party stores, believed to be a small percentage of iOS users.
Yet FireEye's Hui Xue, Tao Wei and Yulong Zhang make this plea to Apple in their blog: “We disclosed this vulnerability to Apple in July. Because all the existing standard protections or interfaces by Apple cannot prevent such an attack, we are asking Apple to provide more powerful interfaces to professional security vendors to protect enterprise users from these and other advanced attacks.”