Chinese cyber crooks are exploiting a loophole in Apple's iOS enterprise deployment procedures to release pirated apps onto iPhones.
Trend Micro reported detecting a new influx of pirated apps appearing on iOS over the past few weeks in a blog post.
"In the past couple of weeks, there has been some breathless reporting about how iOS users could now install pirated apps without having to jailbreak their phones. This was made possible by certain Chinese app store-like services," said Warren Tsai, product manager for Trend.
Tsai said apps are able to appear on non-jailbroken iOS devices, a development that significantly widens the threat to iPhone users, thanks to a loophole in Apple's iOS enterprise deployment policy.
"The same features which allow enterprises to deploy their own custom apps have now been abused to deliver pirated apps to users," he said.
Apple has traditionally managed to keep its mobile iOS operating system free of malicious apps and software by employing a closed development model, where all apps must be vetted before appearing in its official store.
Trend Micro said that while the pirate apps appearance is troubling, they do not currently pose a serious security risk.
"This ‘newly discovered' method represents one of the methods to get malicious/fake apps onto the iOS devices. However, because the iOS sandbox has not been compromised, what each app can and can't do is rather limited," added Tsai.
The iOS app may try to send out some personal privacy information to external server which creates privacy data leakage problem.
"For now it's not likely to be much of a security threat, as the number of users who would actually use these ‘pirated' app stores is rather limited. However, it does represent an interesting avenue for targeted attacks in enterprise settings."
The news follows a boom in the volume of mobile malware targeting the competing Android ecosystem.
The best Black Friday tech bargains out there
Russell Group slammed for misusing student data in donation campaigns
Linus Torvalds is unhappy with current approaches to Linux security
Bug prevents ASLR from randomising location of important data