A small set of websites hacked back in February were being used to attack iPhones, infecting them with malware. The malware implant has been patched, but iPhone users should ensure they’re running on the latest version of iOS (12.4.1) to leverage the security patches.
Malwarebytes Mac and mobile director Thomas Reed says, “I still think the iPhone is the most secure phone on the planet, not counting obscure or classified devices that are only secure because few people actually have them. However, there are always vulnerabilities, and it’s entirely possible this kind of attack could be going on right now, somewhere else, against the current version of iOS.”
“Although Apple doesn’t allow antivirus software on iOS, there does need to be some means for users to check their devices for known threats. Perhaps something involving unlocked devices connected by wire to trusted machines? If such a thing were possible, this attack probably wouldn’t have gone undetected for two years”.
How did iOS fall victim?
Historically, iOS has never been completely free of malware, but it has mostly been limited to one of two scenarios: either you jailbroke your device, hacking it to remove the security restrictions and installing something malicious as a result, or you were the target of a nation-state adversary.
The difficulty with infecting an iPhone is that it requires some kind of zero-day vulnerability (i.e., unknown to the security community at time of its release), and these vulnerabilities can be worth $1 million or more on the open market. Thus, iPhone malware infections were always seen as problems that didn’t affect average people. But Google’s findings have upended that conventional wisdom.
The iPhone malware implant, which has not been given a name, is able to escape the iOS sandbox and run as root, which basically means it has bypassed the security mechanisms of iOS and has the highest level of privileges.
Which of your data is at risk?
The implant can both upload data to the server, as well as receive a number of commands which contain a concerning list of capabilities.
Among other things, the iPhone malware is capable of stealing:
- All keychains,
- SMS and email messages,
- Contacts, notes, and recordings,
- It can retrieve the full call history, and is capable of doing real-time monitoring of the device location.
- It also includes the capability to obtain the unencrypted chat transcripts from a number of major end-to-end encrypted messaging clients, including Messages, Whatsapp, and Telegram.
This means that if you’re infected, all your encrypted messages are not only collected by the attacker, but they’re transferred in clear-text across the Internet.
The bad news is that we don’t yet know which websites were affected, so it’s impossible to know who may have been infected with this mysterious iPhone malware. That is causing a substantial amount of fear among those aware of the problem. The good news is these vulnerabilities have been patched now. Also, the implant is actually incapable of remaining persistent after a reboot. This means that any time an infected iPhone is restarted, such as when an iOS update is installed, for example, the implant is removed. Of course, a vulnerable device could always be re-infected by visiting an affected site.
Because of this, any device running iOS 12.4.1 is not only immune to these particular attacks, but it can’t be infected anymore either, due to the reboot when installing 12.4.1 (or later).
If you’re concerned you may be infected, install the latest iOS update, which will also reboot the phone and remove the malware, if present.
What to do if you suspect your device could be infected
There is an easy test to see if it is, but you would have to do so before rebooting, as the malware needs to be active.
- First, connect the affected device to a Mac via a Lightning (or, in the case of an iPad Pro, USB-C) cable.
- Next, open the Console app on the Mac, which is found in the Utilities folder in the Applications folder.
- In the Console, locate the phone in the Devices list and select it.
- At this point, you’ll see log messages from the iOS device start scrolling past in the right-hand pane. Although the Console will not show you past messages, if you monitor, within 60 seconds or less, an infected iOS device should generate messages containing certain phrases such as uploadDevice, postFile success, and timer trig.