It’s common knowledge that the iPhone is safer than Android when it comes to certain hacks. But that doesn’t mean talented hackers can’t trick Apple’s operating system, and a new security bug seems to prove just that. The recently discovered issue might not affect a large number of users yet, but it has massive potential for hackers because of the way it operates: It fools the iPhone into downloading a malicious app that replicates an actual app on your phone that it then covertly replaces. The malicious app can then be used by hackers for various purposes without the iPhone user’s knowledge.
The apps looks and perform like the real thing, researchers from FireEye told Business Insider, but they have components that can activate additional silent functions, such as spying on conversations or uploading personal data to a server that’s also controlled by attackers.
Such fake apps have already been found in the wild and have been replicating popular apps including Twitter, Facebook, WhatsApp, Viber, Skype and others.
However, the key thing you need to know about this security threat is that it acts together with a phishing email or message. In other words, to download the malicious apps, one would have to click on a particular link in an email or message.
This is actually where hackers managed to bypass Apple’s security with this “Masque” attack. As users click on the link, the iPhone is fooled into believing it connects to the App Store.
“If you can be tricked into clicking on a link on your phone to install an application then any of your apps could be replaced with a malicious version. It could look identical to the standard app but have extra functionality,” FireEye global technical lead Simon Mullis said. “Once installed, the new malicious application can hijack the communications used by legitimate apps and steal information, such as login credentials.”
The Masque attack has been discovered in information taken from security firm Hacking Team, which develops surveillance tools for governmental agencies. The Hacking Team was ironically hacked itself recently and its attackers walked away with 400GB of data.
It’s not clear how many iPhone users have been affected by the security bug, but the number is apparently “small.” In addition to hackers looking to use iPhone owners for personal gain with the help of Masque, spy agencies around the world might put it to use against potential targets.