sciencetech-blog

comments

The U.S. government has warned iPhone and iPad users to be on the alert for hackers who may exploit a vulnerability in iOS that would enable them to steal sensitive data.

Cybersecurity firm FireEye says the bug enables hackers to access their devices by persuading users to install malicious applications with tainted text messages,emails and web links.

However, it requires users to install an 'untrusted' app.

Scroll down for video 

Attacks can be used to steal banking and email login credentials or other sensitive data, according to FireEye

There was the potential for hacks using a newly identified technique known as the 'Masque Attack,' the government said in an online bulletin from the National Cybersecurity and Communications Integration Center and the U.S. Computer Emergency Readiness Teams.

Network security company, FireEye disclosed the vulnerability behind the 'Masque Attack' earlier this week, saying it had been exploited to launch a campaign dubbed 'WireLurker' and that more attacks could follow.

Hackers could potentially steal login credentials, access sensitive data stored on iOS devices and remotely monitor activity on those devices, the government said.

Such attacks could be avoided if iPad and iPhone users only installed apps from Apple's App Store or from their own organizations, it said.

Users should not click 'Install' from pop-ups when surfing the web. 

If iOS flashes a warning that says 'Untrusted App Developer,' users should click on 'Don't Trust' and immediately uninstall the app, the bulletin said.

If installed, the malicious application can then be used to replace genuine, trusted apps that were installed through Apple's App Store, including email and banking programs, with malicious software through a technique that FireEye has dubbed 'Masque Attack.'

These attacks can be used to steal banking and email login credentials or other sensitive data, according to FireEye, which is well-regarded in cybersecurity circles for its research.

'It is a very powerful vulnerability and it is easy to exploit,' FireEye Senior Staff Research Scientist Tao Wei said in an interview.

Officials with Apple could not be reached for comment.

Wei said that FireEye disclosed the vulnerability to Apple in July and that representatives with the company have said they were working to fix the bug.

News of the vulnerability began to leak out in October on specialized web forums where security experts and hackers alike discuss information on Apple bugs, Wei said.

Wei said that FireEye decided to go public with its findings after Palo Alto Networks Inc last week uncovered the first campaign to exploit the vulnerability, a new family of malicious software known as WireLurker that infects both Mac computers and iOS.

FireEye does not know of other attacks that exploit the bug, Wei said.

'Currently WireLurker is the only one, but we will see more,' he said.

FireEye advises iOS users to refrain from install apps from sources other than Apple's official App Store and to not click 'install' on a pop-up from a third-party web page.

The security firm said it verified this vulnerability on iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta, for both jailbroken and non-jailbroken devices.

Wei said that FireEye disclosed the vulnerability to Applein July and that representatives with the company have said theywere working to fix the bug.

The firm used the exploit to replace Google's Gmail app with a rogue version.

'In one of our experiments, we used an in-house app with a bundle identifier 'com.google.Gmail' with a title 'New Flappy Bird'. 

'We signed this app using an enterprise certificate. 

'When we installed this app from a website, it replaced the original Gmail app on the phone.'

Last week researchers warned of a major threat called WireLurker. 

WireLurker monitors iOS devices, including iPods, iPhones and iPads, connected to a Mac via USB.

The virus begins by infecting the Mac OS software, through malicious files or links.

When a device is connected to this infected Mac, the malware automatically installs malicious apps onto the phone or tablet.

The researchers said this malware combines a number of techniques to successfully 'realise a new brand of threat to all iOS devices'.

The experts suggest iOS and Mac owners only download apps from the official Apple app store, and that they make sure to keep their software up to date.