Nov 11, 2014

Researchers have revealed the existence of a bug allowing hackers to install malware onto iOS devices by sharing links to seemingly legitimate applications via text message, email, and social networks. The researchers have dubbed the bug Masque Attack, and they warn that it's more dangerous than WireLurker, a similar exploit which was revealed on November 5.

The exploits work in similar ways: they sneak malware onto a phone via infected applications downloaded from outside the App Store, then they gather information from the affected users. The difference is that Masque Attack can impersonate trusted apps by using the same names, icons, and designs as the original software. WireLurker just installs a third-party application.

It also seems that malware installed via Masque Attack can access data saved via the software it's replacing. This creates a two-pronged attack on a consumer's data -- one meant to trick the user into providing sensitive information by emulating a trusted app, and another that gathers information that wasn't removed from an iOS device even after the valid software was deleted.

The latter avenue of attack shouldn't be possible. Apple tells consumers that removing an app from an iOS device also removes all data associated with it. Allowing malware featuring the same name as a "real" application to be installed on a device is a consumer's fault; they have to ignore a number of warnings and confirm their intent to install the app before iOS allows it.

But keeping the information on the device after an app has been removed appears to be an error on Apple's part. It isn't the first time the company failed to properly manage customer data, either: the Washington Post reported in October that Apple automatically uploads files to its iCloud service even if a consumer believes they only exist on a device's built-in storage.

This is the latest in a series of problems that can't be blamed on malware-makers, consumers, or anyone but the engineers at Apple. It failed to implement a basic security protocol for years. It didn't add an even more basic security feature to iCloud's website until after someone posted code that could be used to break into someone's iCloud account to GitHub. The list continues.

Apple's devices are no longer secured by their general obscurity. In the past it didn't make sense to target consumers who owned the company's products -- their market share was so minuscule that it made more sense for hackers to focus on Windows and other platforms. Now that this obscurity is gone, and given the data supporting the idea that Apple customers are more affluent than people who use other products, Apple's devices are more enticing to a group that mostly ignored them before.

WireLurker was called by its creators a sign of a "new era for iOS and OS X malware." That idea shouldn't even be questioned anymore. WireLurker and Masque Attack are here, and they're just the exploits that have been discovered. What might other, more sophisticated groups -- like the many government agencies upset by Apple's encryption efforts -- have been working on?

[illustration by Brad Jonas]