Hackers Exploit iOS Settings to Trigger Fake iOS Updates on Hijacked Devices

A sophisticated mobile attack vector involves a deceptive iOS update that masquerades as the legitimate iOS 18, tricking users into installing malicious code. 

The persistence mechanism allows threat actors to maintain covert control over the compromised device, facilitating data exfiltration and continued device exploitation without user awareness. 

Understanding the intricate workings of such attacks necessitates a thorough examination of the attack lifecycle, looking at stages from initial access to post-exploitation, much like the MITRE ATT&CK framework. 

Adversaries can leverage the iOS settings interface to manipulate system update settings, crafting deceptive prompts and notifications mimicking legitimate iOS updates, which aim to prolong undetected device access and extend the adversary’s data collection window. 

With an average of 207 days for breach identification and 70 days for containment, such persistence mechanisms significantly increase the risk of data exfiltration and maintain adversary footholds on compromised devices. 

Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Access

The Technique Used

Attackers employ advanced obfuscation techniques to sustain prolonged device access.

By consistently masking malicious activities as legitimate system processes, particularly during simulated iOS updates, they create a deceptive environment, which is crucial for establishing persistent control and escalating device compromise. 

The system manipulates user trust by replicating the visual and linguistic elements of authentic iOS updates. 

Through designed alerts and progress indicators, it constructs a deceptive facade of legitimacy, inducing a false sense of security, which leverages user familiarity with the iOS ecosystem to circumvent vigilance and facilitate unauthorized actions. 

The counterfeit iOS update system employs sophisticated techniques to deceive users and hijack the update process. 

By intercepting and modifying device-server communication, it redirects the device to a malicious update environment, which is a circumvention of Apple’s legitimate channels and contingent on prior device compromise. 

Compromised devices falling victim to a fake update system face severe consequences. The update mechanism is irreparably damaged, preventing the installation of the latest iOS 18 version. 

It leaves devices highly vulnerable to exploitation by malicious actors, as they lack critical security patches and system enhancements available in the new OS. 

To mitigate the risk of falling victim to deceptive update prompts, users must exercise caution when encountering iOS update notifications. 

Verifying the authenticity of these prompts exclusively through trusted channels, such as Apple’s official website or the device’s Settings menu, is imperative to prevent unauthorized system modifications and potential data breaches. 

A newly identified iOS vulnerability exposes a sophisticated attack vector, underscoring the dynamic nature of modern cybersecurity threats and highlighting the critical need for heightened vigilance and proactive defense strategies within organizations. 

By dissecting this attack technique, Jamf Threat Labs aims to equip businesses with the knowledge essential to protect both individuals and corporate assets from the evolving iOS threat landscape.

Download Free Cybersecurity Planning Checklist for SME Leaders (PDF) – Free Download