A bug in Apple’s iOS operating system is exposing most iPhones and iPads to hackers, according to a cyber-security firm.
The vulnerability enables hackers to access devices by persuading users to install a malicious application via compromised text messages, emails or web links, according to researchers at FireEye.
The malicious application is then able to replace genuine apps installed through Apple's App Store, including email and banking programs, with malicious software, though vigilant users should be able to avoid this by refusing requests for permission to install the fakes.
FireEye has dubbed the technique ‘Masque Attack’ and says it can be used to steal banking and email login credentials, among other sensitive data.
"It is a very powerful vulnerability and it is easy to exploit," FireEye senior staff research scientist Tao Wei said.
FireEye disclosed the vulnerability to Apple in July and representatives of the company said they were working to fix the bug, according to Wei. Apple could not immediately be reached for comment.
News of the vulnerability began to leak out in October on specialised Web forums where security experts and hackers alike discuss information on Apple bugs, Wei said.
He said FireEye decided to go public with its findings after Palo Alto Networks last week uncovered WireLurker, the first campaign to exploit the vulnerability. "Currently WireLurker is the only one, but we will see more," Wei said.
The robust security of Apple's iOS means common techniques used to compromise Windows and Android devices are ineffective, according to David Richardson, iOS product manager at mobile security firm Lookout. The Masque Attack, however, exploits a system Apple developed to allow large organisations to deploy custom software without going via the App Store, he said.
Those applications are not vetted by Apple for malicious software, unlike apps in its App Store, though users do receive pop-up notifications asking if they want to prevent the apps from installing on devices, he said.
"You can just say 'Don't install'. As long as you do that, you will be protected from this vulnerability," Richardson said.