CBSN

Apple devices at risk from fake apps in "masque attack"

It's called a "masque attack," and it's a newly discovered cyber threat to Apple users. Security experts say it happens when hackers get you to replace legitimate apps with fake "updates" designed to steal your information.

Until now, Apple products were rarely attacked in this way because apps were normally downloaded only from Apple's app store. Now, however, CNET reporter Bridget Carey explains that Apple users may be increasingly vulnerable when they acquire apps from other sources. "To be able to get a bad app, you are not downloading it from the app store, you're actually downloading it from a link online."

Often the link arrives in an email that looks like it is from a bank or merchant you know, and the app it asks you to download is presented as an update of an app you already have. When you click on the link, the device gives you a warning.

Carey says to heed that "red flag... a pop-up saying 'are you sure you want to download this?' And if you hit 'yes' then you have the bad app. And the weird thing about these apps is that you don't get a new icon on your screen. It is replacing an app that you once trusted."

The cybersecurity company FireEye, which first disclosed the masque attack vulnerability on Monday, says Apple is working on a fix.

To avoid the hack, don't download apps from a link, no matter how legitimate it looks. For example, Carey says, "If you are getting something from your work, it looks like a work email asking you to download an outside app, just call your boss and ask 'did you really send me this email? Did you really want me to download that?'"

Or say you get an email that appears to be from your bank telling you to download an update to the bank's app. "You download it, then suddenly your bank app gets updated, you still think it is the regular bank app, and it's now recording your login information, your password, and whatnot," said Carey. "It's a little scary. You may not realize that you're giving away this information when you're clicking on the bad apps."

Apple mobile devices running iOS 7 or later are at risk for this hack.

Carey warns: "Be careful what you download. Only download from the Apple store."