Apple is attempting to downplay the threat posed by a vulnerability in iOS that enables so-called Masque Attacks, by saying it is not aware of any users being affected.
According to security firm FireEye, the flaw enables a legitimately downloaded app to be replaced by malicious software that is fetched after the initial install, when the user clicks on a malicious link.
Researchers said the malicious links can be contained in text messages or emails that appear to come from a legitimate source and invite the recipient to click on a link to update an app.
But instead of carrying out an update, the link downloads a malicious app that replaces a legitimate app, such as those used for banking or email.
That means the attacker can steal users’ banking credentials by replacing an authentic banking app with malware that looks just like the app it has replaced.
Researchers said the Masque Attack threat was greater than that of the WireLurker malware, which is mainly targeting iOS users in China.
But Apple claims the default security settings of iOS and OS X are enough to defend against attacks attempting to exploit the vulnerability identified by FireEye.
“We designed OS X and iOS with built-in security safeguards to help protect customers and warn them before installing potentially malicious software.
“We’re not aware of any customers that have actually been affected by this attack. We encourage customers to only download from trusted sources like the App Store and to pay attention to any warnings as they download apps.
“Enterprise users installing custom apps should install apps from their company’s secure website,” Apple said in a statement.
“In order for the attack to succeed, a user must install an untrusted app, such as one delivered through a phishing link,” US-Cert said.
The warning said Masque Attacks exploit a security weakness that allows an untrusted app with the same “bundle identifier” as a legitimate app to replace that app on an affected device, while keeping all of the user’s data associated with the app it has replaced so that nothing looks amiss.
“This vulnerability exists because iOS does not enforce matching certificates for apps with the same bundle identifier,” the US-Cert said, noting that Apple’s own iOS platform apps are not vulnerable.
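To make the weakness US-CERT describes concrete, the following Python model contrasts an install policy that keys an in-place update on the bundle identifier alone with one that also requires the same signing identity, and adds the kind of inventory audit a defender could run to spot a replaced app. This is an added illustration, not Apple's installer code or FireEye's proof of concept; the bundle identifiers, signer labels, sample data and the `AppPackage`/`InstalledApp` types are all constructed for the example.

```python
"""
Model of the install policy behind the Masque Attack: if apps are matched
on bundle identifier alone, an untrusted package carrying a legitimate
app's bundle identifier replaces it and inherits its data container.
Everything here is constructed for illustration (not Apple's or FireEye's code).
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class AppPackage:
    bundle_id: str   # e.g. "com.example.bank" (constructed)
    signer: str      # label standing in for the code-signing certificate identity
    source: str      # "app_store" or "enterprise" (constructed label)


@dataclass
class InstalledApp:
    package: AppPackage
    data: Dict[str, str] = field(default_factory=dict)  # the app's data container


Device = Dict[str, InstalledApp]   # installed apps keyed by bundle identifier
Policy = Callable[[Device, AppPackage], str]


def install_bundle_id_only(device: Device, candidate: AppPackage) -> str:
    """Weak policy (the behaviour US-CERT described): any package whose bundle
    identifier matches an installed app is treated as an update. The signing
    certificate is never compared and the data container is kept."""
    existing = device.get(candidate.bundle_id)
    if existing is None:
        device[candidate.bundle_id] = InstalledApp(candidate)
        return "installed"
    existing.package = candidate          # binary swapped, user data retained
    return "replaced"


def install_enforce_signer(device: Device, candidate: AppPackage) -> str:
    """Hardened policy: an in-place update must come from the same signing
    identity as the app it replaces; otherwise the install is refused."""
    existing = device.get(candidate.bundle_id)
    if existing is None:
        device[candidate.bundle_id] = InstalledApp(candidate)
        return "installed"
    if existing.package.signer != candidate.signer:
        return "refused"                  # same bundle id, different certificate
    existing.package = candidate
    return "updated"


def masque_scenario(policy: Policy) -> Tuple[str, str, bool]:
    """Run the attack the article describes against a given policy.
    Returns (result, signer of the app now installed, data still present?)."""
    bank = AppPackage("com.example.bank", "AppStore:TEAMA1B2C3", "app_store")
    device: Device = {bank.bundle_id: InstalledApp(bank, {"session_token": "abc123"})}
    # Attacker's package: same bundle identifier, different signer, delivered
    # outside the App Store via the phishing link described in the article.
    lookalike = AppPackage("com.example.bank", "Enterprise:EVILCORP", "enterprise")
    result = policy(device, lookalike)
    now = device[bank.bundle_id]
    return result, now.package.signer, now.data.get("session_token") == "abc123"


def audit_inventory(device: Device, expected_signers: Dict[str, str]) -> List[str]:
    """Defender-side check an MDM or inventory script could run: flag any
    installed app whose bundle identifier is known but whose signer is not
    the one expected for that app."""
    flagged = []
    for bundle_id, app in device.items():
        expected = expected_signers.get(bundle_id)
        if expected is not None and app.package.signer != expected:
            flagged.append(bundle_id)
    return sorted(flagged)


if __name__ == "__main__":
    for policy in (install_bundle_id_only, install_enforce_signer):
        print(policy.__name__, masque_scenario(policy))
```

Under the weak policy the scenario returns `("replaced", "Enterprise:EVILCORP", True)`: the lookalike now runs under the bank's bundle identifier with the bank's stored data intact, which is exactly why the swap goes unnoticed. Under the hardened policy the same package is refused and the App Store signer stays in place. The audit function is the practical takeaway for fleet owners: compare each installed bundle identifier's signer against what you expect rather than trusting the name and icon.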
The US-Cert said iPhone and iPad users can protect themselves from Masque Attacks by downloading apps only from the official Apple App Store and official company app stores.
The US-Cert also advises against tapping “Install” on a third-party pop-up when viewing a web page.
“When opening an app, if iOS shows an ‘Untrusted App Developer’ alert, click on ‘Don’t Trust’ and uninstall the app immediately,” the advisory said.