Antivirus company Kaspersky has identified a malware operation that specifically targets iPhones running iOS 15.7 and lower via iMessage; the infection can, however, be identified and stopped.
Kaspersky's researchers first noticed suspicious activity coming from several iOS devices. Because iOS security restrictions prevent direct internal inspection of a device, the company had to create offline backups of the devices instead.
Analysing those backups with mvt-ios (the Mobile Verification Toolkit for iOS) turned up evidence of compromise. The attack begins when the targeted iOS device receives an iMessage message.
The message carries an attachment containing an exploit. This zero-click exploit triggers a system vulnerability and executes malicious code without any user interaction.
The attack then requests further stages from the Command and Control (C&C) server. These stages contain additional exploits built specifically for privilege escalation.
Once exploitation is complete, a full-featured APT (Advanced Persistent Threat) platform is downloaded from the C&C server, giving the attacker complete control over the device and the user's data. To cover its tracks, the attack deletes the initial message together with its exploit attachment.
Notably, the malicious toolkit is not persistent, which suggests that the constraints of the iOS environment play a role. After a reboot, however, a subsequent attack can reinfect the device.
Furthermore, according to Kaspersky, as of June 2023 the attack affected devices running up to iOS 15.7. It is still unclear whether the campaign exploits a recently identified zero-day vulnerability in an older version of iOS.
Investigations are still under way to determine the full breadth and depth of the attack vector.
How to safeguard oneself
The Kaspersky team is still analysing the malware's final payload, which runs with root privileges. This malicious software can download arbitrary code from the C&C server in the form of plugin modules, execute it, and gather information about the user and the system.
However, the researchers state that whether a device has been compromised can be reliably determined. Moreover, if user data from an earlier device is transferred to a new device during setup, the iTunes backup of that device will still contain evidence of the breach on both devices, complete with precise timestamps.
Kaspersky's blog post provides comprehensive instructions for determining whether the malware is present on your iOS device. The procedure consists of installing software from the Terminal command line and checking particular files for indicators of compromise.
- Create a backup with idevicebackup2 using the command `idevicebackup2 backup --full $backup_directory`.
- Next, install MVT using the command `pip install mvt`.
- After that, inspect the backup using the command `mvt-ios check-backup -o $mvt_output_directory $decrypted_backup_directory`.
- Finally, check the timeline.csv file for indicators: data-usage lines that mention the process named "BackupAgent".
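As an added example (not code from the article or from Kaspersky's tooling), the following Python snippet automates the final step: it reads an MVT timeline.csv and returns the data-usage rows that name the BackupAgent process. The column layout (UTC Timestamp, Plugin, Event, Description) and the sample rows are assumptions constructed for this example, not real device data.

```python
import csv
import io
import re

# Assumed timeline.csv layout: header row, then columns
# "UTC Timestamp", "Plugin", "Event", "Description" (assumption, not from the article).
TARGET_PROCESS = "BackupAgent"

# Constructed sample timeline (not real device data). The second row is the kind
# of data-usage entry the article says to look for; the last row shows a process
# with a similar name that must not be flagged.
SAMPLE_TIMELINE = """\
UTC Timestamp,Plugin,Event,Description
2023-06-01 10:14:02.000000,sms,Received,iMessage with attachment received
2023-06-01 10:15:47.000000,datausage,Data Usage,BackupAgent WIFI IN: 12345 OUT: 67890
2023-06-01 10:16:10.000000,datausage,Data Usage,mobileassetd WIFI IN: 300 OUT: 120
2023-06-02 08:00:00.000000,datausage,Data Usage,BackupAgentHelper WIFI IN: 5 OUT: 5
"""


def find_process_indicators(timeline_csv: str, process: str = TARGET_PROCESS):
    """Return (timestamp, description) pairs for data-usage rows that mention
    `process` as a whole word, so similarly named processes are not flagged."""
    pattern = re.compile(r"\b" + re.escape(process) + r"\b")
    hits = []
    for row in csv.DictReader(io.StringIO(timeline_csv)):
        # Only the data-usage plugin's rows are relevant to this indicator.
        if row.get("Plugin", "").strip().lower() != "datausage":
            continue
        description = row.get("Description", "")
        if pattern.search(description):
            hits.append((row["UTC Timestamp"], description))
    return hits


if __name__ == "__main__":
    # Replace SAMPLE_TIMELINE with the contents of your own timeline.csv.
    for timestamp, description in find_process_indicators(SAMPLE_TIMELINE):
        print(f"{timestamp}  {description}")
```

A match does not by itself prove infection; it marks the timestamps worth correlating with the rest of the MVT output.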
Bear in mind that these steps require a certain level of technical proficiency and should only be attempted by experienced users. The best and simplest way to protect yourself is to update to iOS 16.