
How the iPhone malware discovery affects Apple users – Malwarebytes

04 Sep 2019

Google researchers recently announced that they had discovered malware affecting Apple’s iOS, the operating system for all iPhones and commonly regarded as the safest OS on the market.

A small set of websites hacked back in February were being used to attack iPhones, infecting them with malware.

The vulnerabilities the implant exploited have been patched, but iPhone users should make sure they are running the latest version of iOS (12.4.1) to receive those security fixes.

Malwarebytes Mac and mobile director Thomas Reed says, “I still think the iPhone is the most secure phone on the planet (not counting obscure or classified devices that are only secure because few people actually have them).

“However, there are always vulnerabilities, and it’s entirely possible this kind of attack could be going on right now, somewhere else, against the current version of iOS.”

“Although Apple doesn’t allow antivirus software on iOS, there does need to be some means for users to check their devices for known threats. Perhaps something involving unlocked devices connected by wire to trusted machines? If such a thing were possible, this attack probably wouldn’t have gone undetected for two years.”

Malwarebytes shares its insights on how the breach occurred.

How did iOS fall victim?

Historically, iOS has never been completely free of malware, but it has mostly been limited to one of two scenarios: either you jailbroke your device, hacking it to remove the security restrictions and installing something malicious as a result, or you were the target of a nation-state adversary.

The difficulty with infecting an iPhone is that it requires some kind of zero-day vulnerability (i.e., unknown to the security community at time of its release), and these vulnerabilities can be worth $1 million or more on the open market.

Thus, iPhone malware infections were always seen as problems that didn’t affect average people.

But Google’s findings have upended that conventional wisdom.

The iPhone malware implant, which has not been given a name, is able to escape the iOS sandbox and run as root, which basically means it has bypassed the security mechanisms of iOS and has the highest level of privileges.

Which of your data is at risk?

The implant can both upload data to the attacker’s server and receive a number of commands from it, and those commands give it a concerning list of capabilities.

Among other things, the iPhone malware is capable of stealing:

  • All keychains,
  • Photos,
  • SMS and email messages,
  • Contacts, notes, and recordings,
  • The full call history, along with real-time monitoring of the device’s location,
  • The unencrypted chat transcripts from a number of major end-to-end encrypted messaging clients, including Messages, WhatsApp, and Telegram.
    • This means that if you’re infected, your encrypted messages are not only collected by the attacker but are also transferred in clear text across the Internet.

The bad news is that we don’t yet know which websites were affected, so it’s impossible to know who may have been infected with this mysterious iPhone malware.

That is causing a substantial amount of fear among those aware of the problem.

The good news is these vulnerabilities have been patched for quite some time now.

Also, the implant is actually incapable of remaining persistent after a reboot.

This means that any time an infected iPhone is restarted (for example, when an iOS update is installed), the implant is removed. (Of course, a vulnerable device could always be re-infected by visiting an affected site.)

Because of this, any device running iOS 12.4.1 is not only immune to these particular attacks, but it can no longer be carrying the implant either, because installing 12.4.1 (or later) reboots the device.

If you’re concerned you may be infected:

  • Install the latest iOS update, which will also reboot the phone and remove the malware, if present.

If you do have a phone that you suspect could be infected:

  • There is an easy test to see if it is, but you have to run it before rebooting, because the malware needs to be active.
  • First, connect the affected device to a Mac via a Lightning (or, in the case of an iPad Pro, USB-C) cable.
  • Next, open the Console app on the Mac, which is found in the Utilities folder inside the Applications folder.
  • In the Console, locate the phone in the Devices list and select it.
  • At this point, you’ll see log messages from the iOS device start scrolling past in the right-hand pane. The Console will not show you past messages, but if you monitor the live output, an infected iOS device should generate messages containing certain phrases, such as uploadDevice, postFile success, and timer trig, within 60 seconds or less.
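The Console check above is a manual search for three phrases in a live log stream. The script below is an added example (not code from Malwarebytes or from the article) that automates the same test: it reads log lines, flags any line containing one of the indicator phrases the article names, and reports a verdict. The log lines embedded in it are constructed to show the format, not real implant output, and the suggestion to pipe in `idevicesyslog` output from the libimobiledevice tools is an assumption about how a practitioner would feed it a live device log.

```python
import sys
from collections import Counter

# Phrases the article says an active infection writes to the device log
# within roughly 60 seconds of monitoring.
INDICATOR_PHRASES = ("uploadDevice", "postFile success", "timer trig")

# Constructed sample log lines (not real implant output). The layout only
# approximates the syslog-style lines Console shows for a connected device.
SAMPLE_LOG = """\
Sep 04 10:15:01 iPhone SpringBoard[62] <Notice>: normal activity
Sep 04 10:15:03 iPhone someprocess[911] <Notice>: timer trig
Sep 04 10:15:07 iPhone someprocess[911] <Notice>: uploadDevice
Sep 04 10:15:09 iPhone someprocess[911] <Notice>: postFile success
Sep 04 10:15:12 iPhone locationd[58] <Notice>: normal activity
"""


def scan_log_lines(lines):
    """Return a list of (line_no, phrase, line) for lines containing an indicator.

    A plain substring test mirrors what a reader does in the Console search
    box; phrases containing spaces therefore have to match literally.
    """
    hits = []
    for line_no, line in enumerate(lines, start=1):
        line = line.rstrip("\n")
        for phrase in INDICATOR_PHRASES:
            if phrase in line:
                hits.append((line_no, phrase, line))
                break  # one match per line is enough for a verdict
    return hits


def summarize(hits):
    """Count how many times each indicator phrase was seen."""
    counts = Counter(phrase for _, phrase, _ in hits)
    return {phrase: counts.get(phrase, 0) for phrase in INDICATOR_PHRASES}


def is_suspicious(hits):
    """Any indicator phrase at all warrants a closer look; none of these
    strings is expected in the log of a clean device."""
    return len(hits) > 0


def main():
    # Use piped input when present (assumed: `idevicesyslog | python3 scan.py`);
    # otherwise run against the constructed sample so the script demos itself.
    if sys.stdin.isatty():
        source = SAMPLE_LOG.splitlines(keepends=True)
    else:
        source = sys.stdin
    hits = scan_log_lines(source)
    for line_no, phrase, line in hits:
        print(f"line {line_no}: matched '{phrase}': {line}")
    print("summary:", summarize(hits))
    if is_suspicious(hits):
        print("verdict: SUSPICIOUS - preserve the device state before rebooting")
    else:
        print("verdict: no indicator phrases seen in this capture")


if __name__ == "__main__":
    main()
```

Because the implant does not survive a reboot, the point of scripting the check is to get a yes/no answer quickly while the device is still in its current state; a positive result is a reason to keep the log capture rather than restart, since the restart removes the evidence along with the implant.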