MILPITAS -- Apple mobile devices can leak users' information through an attack using apps distributed outside the company's App Store, a prominent Silicon Valley security company disclosed Monday.
FireEye announced in a blog post that it told Apple in July that devices using its iOS mobile operating system, such as the iPhone and iPad, were vulnerable to an assault it termed "Masque Attack." However, FireEye researchers said Apple has been unable to work around the issue.
"Because all the existing standard protections or interfaces by Apple cannot prevent such an attack, we are asking Apple to provide more powerful interfaces to professional security vendors to protect enterprise users from these and other advanced attacks," the researchers wrote.
FireEye found that hackers could offer a mobile app through the Web that would mimic a legitimately downloaded application on a user's device, siphoning important information such as login information or emails. An example provided showed that a third-party app called "New Flappy Bird" could replace the Gmail app and access cached emails, using the same "bundle identifier" that Apple uses for the Gmail app.
FireEye said the WireLurker vulnerability disclosed last week by rival Palo Alto Networks, in which a Mac app downloaded from a third-party software store infected connected iOS apps, utilized a form of the Masque Attack vulnerability.
<iframe style="z-index: 1; position: absolute; top: 0px; left: 0px;" src="http://as.jivox.com/player/iabplayer.php?siteId=94a0cb3ae0eef5&campaignId=53524&ver=1&clickTagURL=http://adclick.g.doubleclick.net/aclk%253Fsa%253DL%2526ai%253DBJxDrEGtlVMrtM8b-9QWCgYH4Bc7auvAFAAAAEAEgzvCHHzgAWKaV8cWUAWDZArIBE3d3dy5tZXJjdXJ5bmV3cy5jb226AQlnZnBfaW1hZ2XIAQnaAWdodHRwOi8vd3d3Lm1lcmN1cnluZXdzLmNvbS9idXNpbmVzcy9jaV8yNjkwNzQ1Ny9hcHBsZS1tb2JpbGUtZGV2aWNlcy12dWxuZXJhYmxlLWFwcC1hdHRhY2stZmlyZWV5ZS1zYXlzmALgXcACAuACAOoCHi84MDEzL21lcmN1cnluZXdzLmNvbS9CdXNpbmVzc_gCgdIekAOwCZgDpAOoAwHgBAGQBgGgBhY%2526num%253D0%2526cid%253D5Ggo4iIIUXSFpi5IP9mp-KHg%2526sig%253DAOD64_21R4hof6goygWNtJdulx0lMSOQZQ%2526client%253Dca-pub-3462608952431826%2526adurl%253Dhttp%253A%252F%252Fwww.sanramonmedctr.com%252Fen-us%252FPages%252Fdefault.aspx&bDim=300x250" frameborder="0" marginwidth="0" marginheight="0" scrolling="no" width="300" height="250"></iframe>
"Masque Attacks can pose much bigger threats than WireLurker," researchers wrote. "Masque Attacks can replace authentic apps, such as banking and email apps, using attacker's malware through the Internet. That means the attacker can steal users' banking credentials by replacing an authentic banking app with malware that has (an) identical (user interface)."
Researchers were also surprised to learn that Masque Attack can access information stored in apps even after the malware has replaced the original app. Factory-installed apps such as Apple's Safari browser don't seem to be susceptible, but any app downloaded from Apple's App Store can be cloned, FireEye said.
FireEye offered three ways to avoid being a victim of the Masque Attack vulnerability: Do not download any apps that do not come from the App Store or a user's organization, such as an employer; don't install apps offered on pop-ups from third-party websites; and if iOS alerts a user about an "Untrusted App Developer," click "Don't Trust" on the alert and immediately uninstall the app.
Cupertino-based Apple did not respond to an email request for comment.
Apple stock dropped 0.2 percent to $108.83 Monday, while FireEye shares gained 5.8 percent to $32.39,