U.S. Warns of Vulnerability That Could Leave Apple iOS Devices Open to Attack

Cybersecurity
Павел Игнатов | Getty Images

The U.S. government's cyber squad is warning Apple users about a security vulnerability that hackers could use to trick users into installing bogus versions of legitimate apps on their mobile devices.

This particular exploit, called the Masque Attack, is designed to lure users into downloading malicious versions of legitimate applications from somewhere other than Apple's App Store.

More from Re/code:
Here's what The Onion CEO has to say about a possible sale
US Dept. of Energy builds two seriously super computers
Amazon will let you use a Kindle for free for a month

As frequently occurs with a phishing attack, the hacker — in this case posing as corporate IT staff — would send out an email or text message inviting users within a corporation to download an "update" to software they may already have installed on their iPhones, such as banking or email apps.

The U.S. Computer Readiness Team said hackers could substitute a bogus version of a legitimate app by using the same "bundle identifier," a unique number that is registered with Apple and identifies the app. The malicious app could even mimic the look of the authentic app to gain access to the user's login and sensitive information stored on the device.

The exploit is possible because Apple's iOS mobile operating system does not enforce matching certificates for apps with the same bundle identifier, according to the US-CERT.

Read MoreMaking money with cybersecurity ETF 'HACK'

The security research firm FireEye said it identified and notified Apple of the potential vulnerability this summer. It would impact more than 90 percent of iPhone users running iOS 7 or iOS 8.

FireEye and Apple say there have been no known instances of hackers using this exploit.

Apple issued a statement late Thursday, urging users to exercise caution when downloading mobile apps — and to pay attention to warnings that they may be installing malicious software.

"We encourage customers to only download from trusted sources like the App Store and to pay attention to any warnings as they download apps," said Apple spokesperson Trudy Muller. "Enterprise users installing custom apps should install apps from their company's secure website."

CNBC's parent NBC Universal is an investor in Re/code's parent Revere Digital, and the companies have a content-sharing arrangement.