US-based FireEye maintained that "masque attacks" made possible by a vulnerability in software running iPhones, iPads and iPod touch devices posed "much bigger threats" than a recently disclosed WireLurker flaw patched by Apple.
"Masque attacks can replace authentic apps, such as banking and email apps, using attacker's malware through the Internet," FireEye said in a blog post.
"That means the attacker can steal user's banking credentials by replacing an authentic banking app with an malware that has identical UI (user interface)."
Cyber crooks could prompt Apple gadget owners to install what deceptively claims to be an update to an existing application, such as a popular mobile game.
Instead of an update, users would get an application that mimics and replaces a legitimate program, sending information entered by users to hackers, according to FireEye.
FireEye said it alerted Apple to the vulnerability months ago and that the California-based company is working to fix it.
FireEye said that people can guard against trouble by only installing applications or updates through Apple's official online App Store.
The researchers advised people to never resort to using "install" prompts that pop up on third-party Web pages.
If opening an application on an Apple device triggers a message warning it was created by an "Untrusted App Developer," immediately remove the mini-program, FireEye advised.
Last week, researchers at cyber-security firm Palo Alto Networks revealed a newly discovered family of malware that has the capacity to infect iPhones via Apple computers, posing a security threat to devices that have been largely resistant to cybercriminals.
The malware, dubbed WireLurker, "is capable of stealing a variety of information from the mobile devices it infects and regularly requests updates from the attackers command and control server," according to a report by the security firm, which added that "its creator's ultimate goal is not yet clear."
Apple, in a statement to AFP, said it had acted to block the malware.
As Apple computers and mobile devices have grown in popularity, they have become coveted targets for hackers eager to get to the ranks of users.
According to the researchers, WireLurker malware first infects a Mac computer, which uses the OS X operating system, and then installs itself on iOS devices iPads or iPhones when they are connected to the computers via USB ports.
The malware was traced back to a third-party Chinese app store.
Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.