Security firm FireEye has warned that iPhone users running out-of-date versions of iOS are vulnerable to Masque malware attacks that could be criminally exploited to ruin iPhones and iPads with malicious apps.
A FireEye blog post said that users are open to serious abuse from previously undisclosed threats including Plugin Masque.
"Plugin Masque [bypasses] iOS entitlement enforcement and hijacks VPN traffic," the company said.
"Our investigation also shows that around one third of iOS devices still have not updated to versions 8.1.3 or above, even five months after the release of 8.1.3, and these devices are still vulnerable to all the Masque attacks."
FireEye has uncovered five types of Masque attacks to date and Apple credits FireEye in its official iOS 8.4 security update information for bringing the latest threats to its attention, which it has moved to fix with the update.
However, for those that don't upgrade FireEye warned that Masque could be used to cause a denial-of-service (DoS) attack on the software and its applications, letting criminals install software of their choosing on a machine and use it to their own ends.
The security researchers said that the exploits are "even more severe than the original Masque attack", adding that Apple has "partially" fixed the problem.
"By leveraging this vulnerability, one app developer can install his/her own app and demolish other apps (e.g. a competitor's app) at the same time," they explained.
"In this way, attackers can perform DoS attacks or phishing attacks on iOS."
FireEye and the US Computer Emergency Readiness Team issued a warning last November about the malware, but Apple said that it designs its software to cope with such attacks and that it was not aware of any affected users.
"We designed OS X and iOS with built-in security safeguards to help protect customers and warn them before installing potentially malicious software," the company said at the time.
"We're not aware of any customers that have actually been affected by this attack. We encourage customers to only download from trusted sources like the App Store and to pay attention to any warnings as they download apps.
"Enterprise users installing custom apps should install them from their company's secure website."
Pixel 2 smartphones and a Pixel-branded laptop also planned by Google
The moment you've all been waiting for...
Are you on the list?
Update will limit background activities of apps to improve battery life (hello, Skype!)