Apple devices have long been known for their ability to withstand the threat of hackers, but a new report reveals that an iOS flaw now allows hackers to send malicious apps to users to collect sensitive information, from voice calls and web history to information about contacts, photos and even GPS coordinates.
According to a report published by security company FireEye, hackers are taking advantage of so-called Masque Attacks, which take place when a person unknowingly downloads a malicious app to a device by clicking on a bad web link. These web links can be sent via email, text message or fake advertisements on websites, according to FireEye.
FireEye's senior research scientist engineer Zhaofeng Chen told Fortune that the company recently discovered 11 iOS apps that use malware to compromise devices.
Several of these malicious apps are disguised as real apps, such as WhatsApp, Twitter, Facebook, Facebook Messenger, Google Chrome, BlackBerry Messenger and Skype.
Once installed, these malicious apps communicate with a remote server and can leak sensitive data to it.
The FireEye report explains: “Because all the bundle identifiers are the same as the genuine apps on App Store, they can directly replace the genuine apps on iOS devices prior to 8.1.3.”
These apps have the same functions as the genuine apps, but secretly spy on and collect users' personal information.
Because hackers are taking advantage of this iOS flaw, users' voice call recordings from Skype and Webchat, as well as Chrome browser history logs, messages sent in Skype and Facebook Messenger, photos, GPS coordinates and more can be leaked.
This loophole was revealed after Hacking Team, an Italian company that sells surveillance technology to governments, was breached and 400GB of confidential data was published online. Apparently, the company was spying on iPhones for months leading up to the incident. The surveillance company targeted all major mobile operating systems, including iOS, Android, Windows and BlackBerry, according to FireEye.
“Up until now, these attacks had never been seen carried out in the wild, highlighting that advanced threats were not utilizing mobile to carry out their attacks despite rapid user adoption,” the FireEye report says.
Last month, FireEye reported two new manifestations of the Masque Attack vulnerability, referred to as Manifest Masque and Masque Extension, which allegedly impacted nearly one third of all iPhones and iPads.
FireEye revealed the latest known threat at a Black Hat security conference in Las Vegas.
As a precaution, iOS users should continually update the operating systems on their devices and pay close attention to the ways and channels from which they download their apps. Of course, if a link for an app seems suspicious or comes from a strange place, such as an email from an unknown sender or a text message, it is always best to avoid clicking on it.
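For administrators who manage a fleet of devices, the bundle-identifier reuse described in the FireEye quote can be checked for in an app inventory. The following is an added example, not code from FireEye or Apple; the record fields, the allowlist and every bundle identifier and team ID in it are constructed placeholders, and it assumes the inventory (for example an MDM export) records each app's signer and install source.

```python
from dataclasses import dataclass

# Constructed allowlist: bundle identifier -> signing team ID expected for the
# genuine App Store build. Both columns are placeholders, not real values.
EXPECTED_SIGNER = {
    "com.example.chat": "TEAMCHAT01",
    "com.example.browser": "TEAMBRWS01",
}
FIXED_IN = (8, 1, 3)  # the quoted report: replacement works "prior to 8.1.3"

@dataclass
class AppRecord:          # hypothetical inventory row, e.g. exported from an MDM
    device: str
    os_version: str
    bundle_id: str
    team_id: str
    source: str           # "appstore", "enterprise" or "adhoc"

def parse_version(text):
    """'8.4' -> (8, 4, 0) so tuples compare correctly against FIXED_IN."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def masque_findings(records):
    """Return (device, bundle_id, severity) for apps that reuse a tracked bundle
    ID but lack the expected signer or did not come from the App Store."""
    findings = []
    for r in records:
        expected = EXPECTED_SIGNER.get(r.bundle_id)
        if expected is None:
            continue                      # not an app we track
        if r.team_id == expected and r.source == "appstore":
            continue                      # genuine build
        # Devices older than the fixed release are the ones the report says
        # can have the genuine app replaced; newer ones still merit a look.
        replaceable = parse_version(r.os_version) < FIXED_IN
        findings.append((r.device, r.bundle_id, "high" if replaceable else "review"))
    return findings

# Constructed sample inventory.
SAMPLE = [
    AppRecord("ipad-07", "8.1.2", "com.example.chat", "TEAMEVIL99", "enterprise"),
    AppRecord("iphone-12", "8.4", "com.example.chat", "TEAMCHAT01", "appstore"),
    AppRecord("iphone-31", "8.1.3", "com.example.browser", "TEAMEVIL99", "adhoc"),
    AppRecord("iphone-44", "7.1", "com.example.notes", "TEAMNOTE01", "enterprise"),
]

if __name__ == "__main__":
    for finding in masque_findings(SAMPLE):
        print(finding)
```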