Security experts have discovered a flaw in Apple's mobile operating system that leaves most iPhones and iPads open to cyber-attacks from hackers that are looking to access sensitive information stored in the devices, as well as to take control of them.
The discovery was made by cybersecurity company FireEye, which has posted its report on the flaw at the company's official blog.
FireEye, which named the vulnerability as the Masque Attack, said that the flaw enables hackers to replace genuine apps in the iPhone or iPad with apps they have developed, as long as both of the apps are using the same bundle identifier.
Hackers can use an app that has a catchy name to lure victims into installing the app. After the app has been installed, it can then replace another genuine app upon installation.
According to FireEye, all apps for the iOS are vulnerable to the hack, except those that are preinstalled in the iOS device such as Mobile Safari.
The vulnerability can be exploited because the iOS does not enforce matching certificates for apps that have similar bundle identifiers.
FireEye, which discovered the flaw in iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta, across both non-jailbroken and jailbroken iPhones and iPads, have already reported it to Apple back in July 26.
The company decided to publicize its findings on the Masque Attack after other reports surfaced on the WireLurker hack, which also targets Apple devices.
WireLurker infects the OS X, operating system of Apple's Mac computers, which then spreads the infection to iPhones that connect to the Mac using a USB cable.
Palo Alto Networks security experts said that WireLurker targets Apple users in "the biggest scale we have ever seen." However, according to FireEye, poses bigger threats compared to WireLurker, which it said was only a limited form of the Masque Attacks.
Masque Attacks will be able to replace authentic apps installed in iOS devices, such as but not limited to email and banking apps. Attackers can steal the banking credentials of users by replacing a banking app with one that looks identical to it. The malware app may also access the local data of the authentic app, which may contain cached information such as log-in credentials.
To protect themselves, Apple users should only download and install apps from the official App Store of Apple, as the malware apps come from third-party sources. Users are also advised to never install apps from a third-party web page, no matter how attractive the title of the app could be. Also, when users open apps, if a pop-up appears showing an alert about an "untrusted app developer," the user should select "don't trust" and uninstall the app right away.