Researchers at FireEye security firm have reported a major exploit that can update apps and trick users into installing a malicious app masquerading as a legitimate one.

In their ‘Masque Attack’ exploit, which works on iOS7 and iOS8, the FireEye team sent a link to a mock user promising a new version of the horribly addictive Flappy Bird game. As soon as they clicked on the link a download would begin, not of Flappy Bird, but of a Gmail app update. Once that was installed, it would look and feel just like the real thing, whilst in the background all email was being uploaded to an attacker’s server.



Hui Xue, a FireEye researcher, tells Thomas Fox-Brewster of Forbes, the vulnerability exists because iOS doesn’t enforce matching certificates, which are used to sign software updates and prove they came from a legitimate source, for apps with the same “bundle identifier”. This identifier, which is used by iOS to recognize any updates to an app and must be registered with Apple, is trivial to find as it’s within the app itself. It’s simply a matter of finding the related file.

So far there hasn't been any reports of anyone falling victim to the exploit, but FireEye warns users not to install apps that don't come from the official Apple store.

FireEye did notify Apple of their findings back in July, to date there has been no comment from Apple.