Researchers with cybersecurity firm FireEye said on Monday that they have uncovered a bug in Apple's iOS operating system that makes devices vulnerable to remote cyberattacks. Dubbed "Masque Attack", the vulnerability allows the attacker to use malware and replace authentic iOS apps, such as banking and email apps, installed on a device. That means the attacker could steal user's banking credentials by replacing an authentic banking app with an malware that has identical UI.

FireEye's researchers claim that the malware could even access the original app's local data, which wasn't removed when the original app was replaced. These data may contain cached emails, or even login-tokens which the malware could use to log into the user's account directly.

All apps can be replaced except iOS preinstalled apps, such as Mobile Safari. This vulnerability exists because iOS doesn't enforce matching certificates for apps with the same bundle identifier.

"The vulnerability exists because iOS doesn't enforce matching certificates for apps with the same bundle identifier," the researchers explained.

They verified this vulnerability on iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta, for both jailbroken and non-jailbroken devices. An attacker could also leverage this vulnerability both through wireless networks and USB.

FireEye mobile security researchers have discovered the iOS vulnerability earlier this summer have already notified Apple about it.

Recently Claud Xiao discovered the "WireLurker" malware, which also started to utilize a limited form of Masque Attacks to attack iOS devices through USB, FireEye said.

iOS users can protect themselves from Masque Attacks by not installing apps from third-party sources other than Apple's official App Store or the users' own organizations. They should also never click "Install" on any pop-ups from third-party web pages, and uninstall any possible app that shows an iOS alert with "Untrusted App Developer" upon opening.