Internet security firm FireEye has discovered a new security flaw that allows attacks on iOS devices, which the company says “can pose much bigger threats than WireLurker”–the malicious bug found just last week exploiting the same vulnerability.
FireEye dubbed the new hacking technique “Masque Attack.” While WireLurker was the first known attack of this kind, a Masque Attack doesn’t require a USB connection and could affect iOS devices across the globe (whereas WireLurker is largely contained to USB-connected iOS devices in China). FireEye found the bug back in July and told Apple of its discovery immediately, but the firm decided to go public with the information in light of the WireLurker news.
Masque Attack apps mimic legitimate apps, like an email or banking app, but they are designed to steal a user’s login credentials and bank information when used. Hackers can trick a person into downloading a Masque Attack app from outside the Apple-approved App Store–usually through a prompt via text message, email, or hyperlink. The malicious app will then replace the legitimate one and steal sensitive information without the user’s knowledge.
All iOS devices are vulnerable–not just jailbroken ones–and the only apps that are not affected by this bug are preinstalled ones like Safari and Calendar. Want to keep your iPhone Masque-free? Be sure to only install apps directly from the App Store.