Antivirus provider Kaspersky has detected a malware campaign that explicitly aims to infect iPhones running iOS 15.7 through iMessage – but it can be found and prevented.
iOS devices have been specifically targeted with malware
The Kaspersky team noticed suspicious behavior on several iOS devices. Because iOS security restrictions prevent direct inspection of a device's internals, the company created offline backups of the devices instead.
These backups were then analyzed with mvt-ios (the iOS component of the Mobile Verification Toolkit, MVT), which revealed indicators of compromise. The attack begins when the target iOS device receives a message via the iMessage platform.
The message carries an exploit as an attachment. The exploit is clearly designed as a zero-click mechanism: it triggers a vulnerability in the system and leads to malicious code being executed without any user interaction.
The exploit then downloads additional stages from the command-and-control (C&C) server, including further exploits designed to escalate privileges.
Once exploitation succeeds, a full APT (Advanced Persistent Threat) platform is downloaded from the C&C server, giving the attacker complete control over the device and the user's data. The initial message and its exploit attachment are then deleted to keep the attack covert.
Notably, the malicious toolset does not persist across reboots, which suggests that the constraints of the iOS environment limit what the attackers can do. However, devices can be re-infected after a reboot by another attack.
Kaspersky also noted that, as of June 2023, the attack had successfully compromised devices running iOS versions up to 15.7. Whether the campaign is exploiting a newly discovered zero-day vulnerability in those older iOS versions remains uncertain.
The full scope and scale of the campaign are still under investigation.
How to protect yourself
The Kaspersky team is still investigating the final malware payload, which runs with root privileges. This malware can collect both system and user data, and can execute arbitrary code downloaded as additional modules from the command-and-control server.
They say, however, that it is possible to reliably determine whether a device has been compromised. Moreover, if a new device was set up by migrating user data from an older one, an iTunes backup of the new device will still contain traces of the compromise on both devices, complete with exact timestamps.
Kaspersky's blog post provides detailed instructions for determining whether your iOS device is infected. The process uses the Terminal command-line application to install the tools and to scan specific files for signs of the malware.
- Create a backup with idevicebackup2 using the command "idevicebackup2 backup --full $backup_directory".
- Next, install MVT with the command "pip install mvt".
- After that, check the backup using the command "mvt-ios check-backup -o $mvt_output_directory $decrypted_backup_directory".
- Finally, inspect the timeline.csv file for "data usage" indicator lines that mention the process named "BackupAgent".
This binary is deprecated and should not normally appear in the device's data-usage timeline during regular operation.
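As an added example (not code from Kaspersky's post or from the MVT project), the following Python script automates the final step above: it reads a timeline.csv and picks out the data-usage records that name the BackupAgent process. The embedded sample timeline and its column layout are constructed to mirror MVT's timeline header and are assumptions, not real tool output.

```python
import csv
import io
import re

# Constructed sample of an MVT timeline.csv, not real tool output. MVT's
# timeline uses the header "UTC Timestamp,Plugin,Event,Description"; the
# rows below are made up so the check can run offline.
SAMPLE_TIMELINE = """UTC Timestamp,Plugin,Event,Description
2023-05-10 09:12:01.000000,datausage,datausage,Process com.apple.WebKit.Networking wifi_in=1203 wifi_out=4412
2023-05-10 09:13:44.000000,datausage,datausage,Process BackupAgent wwan_in=0 wwan_out=58231
2023-05-10 09:14:02.000000,sms,sms_received,Message from constructed sender
2023-05-10 09:15:30.000000,datausage,datausage,Process IMTransferAgent wifi_in=22 wifi_out=991
"""

# Process names whose presence in data-usage records is suspicious. Only
# BackupAgent is named on this page; the tuple lets an analyst add more.
SUSPECT_PROCESSES = ("BackupAgent",)


def find_suspicious_datausage(timeline_csv_text, suspects=SUSPECT_PROCESSES):
    """Return datausage rows whose description names a suspect process (whole word, case-sensitive)."""
    reader = csv.DictReader(io.StringIO(timeline_csv_text))
    hits = []
    for row in reader:
        # Only the data-usage plugin's records matter for this indicator.
        if (row.get("Plugin") or "").strip().lower() != "datausage":
            continue
        description = row.get("Description") or ""
        for name in suspects:
            # Whole-word match so 'BackupAgent' does not flag text that merely contains 'backup'.
            if re.search(rf"\b{re.escape(name)}\b", description):
                hits.append({"timestamp": row["UTC Timestamp"],
                             "process": name, "description": description})
                break
    return hits


def scan_timeline_file(path, suspects=SUSPECT_PROCESSES):
    """Run the same check over a timeline.csv written by mvt-ios check-backup."""
    with open(path, newline="", encoding="utf-8") as fh:
        return find_suspicious_datausage(fh.read(), suspects)


if __name__ == "__main__":
    import sys
    hits = (scan_timeline_file(sys.argv[1]) if len(sys.argv) > 1
            else find_suspicious_datausage(SAMPLE_TIMELINE))
    for hit in hits:
        print(f"{hit['timestamp']}  {hit['process']}  {hit['description']}")
    print(f"{len(hits)} suspicious data-usage record(s)")
```

Run it with the path to the timeline.csv from the MVT output directory; with no argument it runs against the constructed sample and reports one BackupAgent record.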
It is important to note that these steps require some technical expertise and should only be attempted by experienced users. Updating to iOS 16 is the best and easiest way to protect yourself.