A fake website impersonating checkra1n, the jailbreak for legacy iOS devices from the iPhone 4S through to the iPhone X, is being used to target users looking to jailbreak their old smartphones, Cisco Talos has warned.
The process of jailbreaking iPhones – removing the restrictions Apple places on the device so that it can perform functions or run software Apple does not endorse or control – has been possible since the first iPhone was launched 12 years ago. It is attractive to many users, but it inherently weakens the device’s security.
The checkra1n jailbreak that is the subject of Talos’ warning exploits a vulnerability called checkm8 in the bootrom of the affected devices’ chips (A5 through A11). Because the bootrom is read-only, the flaw cannot be fixed by a software update, and exploiting it gives the user control of the device’s boot process.
However, according to Talos researchers Warren Mercer and Paul Rascagneres, a new malicious actor is now targeting users with a fake website that purports to offer the checkra1n jailbreak and instructions for installing it, but in reality gets the user to install a malicious iOS configuration profile and opens the device up to being used for click fraud.
The fake website can be identified by its URL, which differs from that of the legitimate checkra1n site, and it also contains misinformation about which iPhone models are affected and how to install the jailbreak.
Once the profile is installed, an icon resembling a standard iOS app appears on the device’s home screen (SpringBoard). In reality it is a Web Clip, a bookmark to a URL: the profile uses the full-screen option of Apple’s Web Clip feature so that the page loads without a search bar, URL bar or bookmarks, making it look like a native app when it is not one.
The web page then sends the device through multiple click-fraud redirects, ending with the installation of a slot machine game that offers in-app purchases. Users are told to play the game for seven days to ensure the jailbreak is properly unlocked.
“This is obviously nonsense,” said Mercer and Rascagneres. “The user will merely provide more interactive sessions through the gameplay, which may result in additional revenue for this attacker.”
The researchers said the attackers had potentially targeted users in several countries, including the UK and the US, and had registered the fake website’s domain within hours of the legitimate jailbreak website going live. The actors also appear to have updated the scam site in response to warnings posted on Reddit.
Mercer and Rascagneres warned that although in this case the malicious website merely led to click fraud, which in general defrauds online advertisers rather than device owners, the same technique could be used for more dangerous actions.
“Instead of a web clip profile, the attackers could implant their own MDM enrolment,” they wrote. “We previously discovered iOS malicious MDM campaigns. We strongly recommend never to install an unknown profile from the internet.”
In the past, click fraud campaigns have indeed served as gateways for more severe threats: in some cases, access to devices compromised by click fraud malware has been sold on to other malware operators, exposing end users and their employers to having their devices and data encrypted in a ransomware campaign.
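One check a practitioner can run on a downloaded profile before installing it, written here as an added example (not code from Talos or from the article): parse the .mobileconfig and flag the two payload types discussed above, a Web Clip dressed up as an app and an MDM enrolment. The sample profile, its identifiers and the example.invalid URL are constructed for this illustration.

```python
"""Inspect an iOS configuration profile (.mobileconfig) before installing it.

Added example, not code from Talos or from the article. It parses an
unsigned profile with the standard-library plistlib and flags Web Clip and
MDM enrolment payloads. The sample profile below is constructed; its
identifiers and the example.invalid URL are placeholders.
"""
import plistlib

WEBCLIP = "com.apple.webClip.managed"   # Web Clip payload type
MDM = "com.apple.mdm"                   # MDM enrolment payload type

# Constructed sample shaped like the profile the article describes: one Web
# Clip payload, shown full screen and not removable by the user.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>example.jailbreak</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadDisplayName</key><string>checkra1n</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.webClip.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>example.jailbreak.webclip</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>Label</key><string>checkra1n</string>
      <key>URL</key><string>https://landing.example.invalid/</string>
      <key>FullScreen</key><true/>
      <key>IsRemovable</key><false/>
    </dict>
  </array>
</dict>
</plist>
"""


def load_profile(data: bytes) -> dict:
    """Parse a bare (unsigned) profile.

    A signed profile is a CMS/PKCS#7 blob wrapping the plist; unwrap it first,
    e.g. `openssl smime -verify -noverify -inform der -in p.mobileconfig`.
    """
    head = data.lstrip()
    if not (head.startswith(b"<?xml") or head.startswith(b"bplist")):
        raise ValueError("not a bare plist; probably a signed profile, unwrap it first")
    return plistlib.loads(data)


def profile_findings(profile: dict) -> list:
    """Return (severity, message) pairs for anything worth a second look."""
    findings = []
    if profile.get("PayloadRemovalDisallowed"):
        findings.append(("warn", "profile cannot be removed by the user (PayloadRemovalDisallowed)"))
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype == WEBCLIP:
            msg = f"Web Clip '{payload.get('Label', '')}' opens {payload.get('URL', '')}"
            if payload.get("FullScreen"):
                msg += "; FullScreen hides the URL bar, so it passes as a native app"
            if payload.get("IsRemovable") is False:
                msg += "; IsRemovable=false, it cannot be deleted from the home screen"
            findings.append(("warn", msg))
        elif ptype == MDM:
            msg = f"MDM enrolment against {payload.get('ServerURL', '')}: grants remote management"
            findings.append(("critical", msg))
        else:
            findings.append(("info", f"payload of type {ptype or '<missing>'}"))
    return findings


if __name__ == "__main__":
    for severity, message in profile_findings(load_profile(SAMPLE_PROFILE)):
        print(f"[{severity}] {message}")
```

Profiles are often delivered signed, in which case the file is DER-encoded CMS rather than XML and must be unwrapped with the openssl command in the docstring before parsing. The Web Clip’s FullScreen key is the one that strips the browser chrome the article describes, and IsRemovable=false is what keeps the icon on the home screen until the whole profile is removed in Settings.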