The malware replaces a legitimate application by tricking users into installing it. The fake app downloads automatically when the user opens a text message, email or a link, California mobile security firm FireEye said Monday.
All Apple-certified applications can be replaced with fake ones, except for pre-installed apps such as Safari, as long as the hacker's program has the same file name as the Apple-certified app.
In a video example of this “masque attack,” the attacker sends a text message with a malicious link to install a “new version” of the popular Flappy Bird game. After clicking the link, the user is asked to confirm installation, which downloads and installs a hacked version of the Gmail app.
The fake app mimicks the Gmail app, granting the hacker access to sensitive financial information that's stored on the device. Because of its subtlety, it’s unlikely the attack would raise any red flags, FireEye said.
Once the fake app is downloaded, it secretly uploads the user’s email to the hacker’s server. The victim’s phone then receives another text message, which then gives the hacker access to all text message content, including the telephone numbers for any calls made to or from the iPhone.
Rebooting the device doesn't prevent the fake app from stealing personal data, the video shows.
The vulnerability exists on iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta, for both jailbroken and non-jailbroken devices.
The security company said it disclosed the vulnerability to Apple in July.
This is the second blow to Apple's mobile security this month. Last week, cybersecurity firm Palo Alto Networks identified malware called "WireLurker," which steals information by monitoring mobile devices connected by a USB cable to an infected computer and installs malicious applications.
"As always, we recommend that users download and install software from trusted sources," an Apple spokesman said in response to last week's report.
Apple did not immediately return a request for comment about the fake apps.
To prevent future attacks, users should stay away from apps from any third-party sources outside of Apple’s official App Store and avoid installing apps on pop-up webpages. If an alert pops up with “Untrusted App Developer,” click “Don’t Trust” and uninstall the app immediately.
Users can delete suspicious downloads on Apple devices with prior iOS versions by going to “Profiles” under general settings, checking for "provisioning profiles," and deleting them. This does not work for iOS 8, which does not have a "profiles" option, FireEye said.
©2014 the Los Angeles Times
