Update 11/7: Apple has blocked the infected apps so they won't run on a Mac or iOS. This will stop the attack temporarily, but it doesn't fix the underlying problem. Read on to learn more about this threat.
Apple gadgets have a reputation for, and a proven history of, good security, but lately cracks have started to show. I told you earlier this week about the "rootpipe" flaw in Mac OS X.
Well, now a flaw called "WireLurker" has popped up in OS X and iOS, and it's a first for iOS.
Most iOS flaws in the past only existed if your iPhone or iPad was jailbroken. That means you've already made a breach in the defenses so you can install apps Apple hasn't approved. "WireLurker," however, works on a pristine iOS gadget with its security fully intact.
Right now, it's not much of a threat to U.S. users, but it's infected thousands of iOS gadgets in China over the past six months.
Still, it's worth knowing how it works and how to avoid it because you can bet hackers will be trying to bring it to the States as fast as possible.
"WireLurker" starts with an infected OS X app that you download to your Mac. Unlike iOS apps, which can only be downloaded from iTunes, Mac apps are available at third-party sites as well.
In this case, the Maiyadi App Store in China is hosting 467 infected apps. Once an infected app is installed on your Mac, it waits for you to plug in your iPhone or iPad via USB and then jumps to the iOS gadget.
Once on the gadget, it uses iOS's enterprise installation features to install malicious code. The code then starts grabbing contact data, reading texts or even installing other malicious apps. It can also infect other Macs you plug the gadget into so it keeps spreading.
So, the obvious takeaway for now is to only install Mac apps from Apple's app store. While it isn't impossible for hackers to get an infected app on there, it's much less likely.
You should also only download Mac apps from reputable companies - and make sure the app is actually from the company it says it is. Hackers love to download apps, install malicious code and then re-upload them with a similar name to trick people.
Another way to prevent this from happening is to avoid plugging your iPhone or iPad into your Mac. Most of the reasons to plug it in - installing apps, backing up data, transferring photos, etc. - can be done wirelessly through iCloud at this point anyway.
Of course, Apple is moving fast on this and will probably beef up the security on the feature the "WireLurker" hackers are using. Still, that isn't to say there aren't more features behind the scenes just waiting to be exploited.
Stay tuned and I'll let you know when that happens in my daily emails.