While the U.S. government is urging Apple users to be wary of cyber criminals exploiting a newly announced vulnerability in Apple devices, Apple is quick to downplay the issue, saying it is "not aware of any customers that have actually been affected by this attack."
In a security alert released on Nov. 13, the U.S. Computer Emergency Readiness Team (US-CERT) and the National Cybersecurity and Communications Integration Center warned iPhone and iPad users against the Masque Attack.
The Masque Attack is a hacking method that allows attackers to exploit a security weakness in Apple's standard developer systems and replace a legitimate app with an untrusted app that installs malware and steals users' sensitive information.
The vulnerability exists because Apple does not check that certificates match for apps with the same "bundle identifier," a unique number that identifies the app.
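The missing check described above can be approximated from the defender's side as a fleet audit. This is an added example, not code from US-CERT, FireEye or Apple: it compares two app inventory snapshots and flags any app whose bundle identifier stayed the same while its signing certificate changed. The `AppRecord` format, the bundle identifiers and the fingerprints are constructed for illustration; a real inventory would come from a device-management export.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AppRecord:
    bundle_id: str       # bundle identifier as reported by the inventory
    signer_sha256: str   # hex SHA-256 of the signing certificate
    version: str


def _fp(value: str) -> str:
    """Normalise a hex fingerprint so case and colons do not cause false alerts."""
    return value.replace(":", "").strip().lower()


def signer_changes(baseline, current):
    """Return (bundle_id, old_signer, new_signer) for every app that kept
    its bundle identifier but is now signed with a different certificate."""
    known = {app.bundle_id: _fp(app.signer_sha256) for app in baseline}
    findings = []
    for app in current:
        old = known.get(app.bundle_id)
        new = _fp(app.signer_sha256)
        if old is not None and old != new:
            findings.append((app.bundle_id, old, new))
    return sorted(findings)


# Constructed sample data: placeholder fingerprints, hypothetical bundle IDs.
SIGNER_A, SIGNER_B, SIGNER_C = "aa" * 32, "bb" * 32, "cc" * 32

BASELINE = [
    AppRecord("com.example.bank", SIGNER_A, "2.1"),
    AppRecord("com.example.mail", SIGNER_B, "5.0"),
]
CURRENT = [
    AppRecord("com.example.bank", SIGNER_C, "2.1"),          # same ID, new signer
    AppRecord("com.example.mail", SIGNER_B.upper(), "5.1"),  # ordinary update
    AppRecord("com.example.game", SIGNER_C, "1.0"),          # new app, no baseline
]

if __name__ == "__main__":
    for bundle_id, old, new in signer_changes(BASELINE, CURRENT):
        print(f"ALERT {bundle_id}: signer {old[:8]}... -> {new[:8]}...")
```

An ordinary update keeps its signer and is not flagged; an app with no baseline entry is out of scope for this check and needs separate review.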
"An app installed on an iOS using this technique may mimic the original app's login interface to steal the victim's login credentials; access sensitive data from local data caches; perform background monitoring of the user's device; gain root privileges to the iOS device; (and) be indistinguishable from a genuine app," says the US-CERT.
The Masque Attack was discovered by security research firm FireEye, which says it contacted Apple about the vulnerability on July 26 and decided to make its discovery public after the announcement of WireLurker, a campaign exploiting the Masque Attack and waged against iOS users in China.
Discovered by Claud Xiao of Palo Alto Networks, WireLurker is a family of malware infecting more than 400 apps from a Chinese third-party app store called Maiyadi. Xiao says these apps have been downloaded 350,000 times and potentially affect "hundreds of thousands of users."
Apple, however, says the issue is not as extensive as security firms claim it to be.
"We designed OS X and iOS with built-in security safeguards to help protect customers and warn them before installing potentially malicious software. We're not aware of any customers that have actually been affected by this attack," says Apple spokesperson Trudy Muller.
The Masque Attack can only happen with permission that users give when installing apps from unscrupulous sources such as third-party app stores or suspicious emails.
Apple emphasizes that users should not install apps from sources other than the App Store and trusted sources such as their corporate IT administrators. Users should also pay attention to warnings about installing apps downloaded from untrusted sources and abort installation immediately, the company says.