Tuesday, January 21, 2025
Homecyber securityHackers Exploit iOS Settings to Trigger Fake iOS Updates on Hijacked Devices

Hackers Exploit iOS Settings to Trigger Fake iOS Updates on Hijacked Devices

Published on

SIEM as a Service

Follow Us on Google News

A sophisticated mobile attack vector involves a deceptive iOS update that masquerades as the legitimate iOS 18, tricking users into installing malicious code. 

The persistence mechanism allows threat actors to maintain covert control over the compromised device, facilitating data exfiltration and continued device exploitation without user awareness. 

Understanding the intricate workings of such attacks necessitates a thorough examination of the attack lifecycle, looking at stages from initial access to post-exploitation, much like the MITRE ATT&CK framework. 

Adversaries can leverage the iOS settings interface to manipulate system update settings, crafting deceptive prompts and notifications mimicking legitimate iOS updates, which aim to prolong undetected device access and extend the adversary’s data collection window. 

With an average of 207 days for breach identification and 70 days for containment, such persistence mechanisms significantly increase the risk of data exfiltration and maintain adversary footholds on compromised devices. 

Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Access

The Technique Used

Attackers employ advanced obfuscation techniques to sustain prolonged device access.

By consistently masking malicious activities as legitimate system processes, particularly during simulated iOS updates, they create a deceptive environment, which is crucial for establishing persistent control and escalating device compromise. 

The system manipulates user trust by replicating the visual and linguistic elements of authentic iOS updates. 

Through designed alerts and progress indicators, it constructs a deceptive facade of legitimacy, inducing a false sense of security, which leverages user familiarity with the iOS ecosystem to circumvent vigilance and facilitate unauthorized actions. 

The counterfeit iOS update system employs sophisticated techniques to deceive users and hijack the update process. 

By intercepting and modifying device-server communication, it redirects the device to a malicious update environment, which is a circumvention of Apple’s legitimate channels and contingent on prior device compromise. 

Compromised devices falling victim to a fake update system face severe consequences. The update mechanism is irreparably damaged, preventing the installation of the latest iOS 18 version. 

It leaves devices highly vulnerable to exploitation by malicious actors, as they lack critical security patches and system enhancements available in the new OS. 

To mitigate the risk of falling victim to deceptive update prompts, users must exercise caution when encountering iOS update notifications. 

Verifying the authenticity of these prompts exclusively through trusted channels, such as Apple’s official website or the device’s Settings menu, is imperative to prevent unauthorized system modifications and potential data breaches. 

A newly identified iOS vulnerability exposes a sophisticated attack vector, underscoring the dynamic nature of modern cybersecurity threats and highlighting the critical need for heightened vigilance and proactive defense strategies within organizations. 

By dissecting this attack technique, Jamf Threat Labs aims to equip businesses with the knowledge essential to protect both individuals and corporate assets from the evolving iOS threat landscape.

Download Free Cybersecurity Planning Checklist for SME Leaders (PDF) – Free Download

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Vim Command Line Text Editor Segmentation Vulnerability Patched

Christian Brabandt, a prominent figure in the Vim community, announced the patching of a...

Multiple Azure DevOps Vulnerabilities Let Inject CRLF Queries & Rebind DNS

Researchers uncovered several significant vulnerabilities within Azure DevOps, specifically focusing on potential Server-Side Request...

Hackers Weaponize npm Packages To Steal Solana Private Keys Via Gmail

Socket’s threat research team has identified a series of malicious npm packages specifically designed...

Hackers Weaponize MSI Packages & PNG Files to Deliver Multi-stage Malware

Researchers have reported a series of sophisticated cyber attacks aimed at organizations in Chinese-speaking...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Vim Command Line Text Editor Segmentation Vulnerability Patched

Christian Brabandt, a prominent figure in the Vim community, announced the patching of a...

Multiple Azure DevOps Vulnerabilities Let Inject CRLF Queries & Rebind DNS

Researchers uncovered several significant vulnerabilities within Azure DevOps, specifically focusing on potential Server-Side Request...

Hackers Weaponize npm Packages To Steal Solana Private Keys Via Gmail

Socket’s threat research team has identified a series of malicious npm packages specifically designed...