Hackers Exploit iOS Settings to Trigger Fake iOS Updates on Hijacked Devices

A sophisticated mobile attack vector involves a deceptive iOS update that masquerades as the legitimate iOS 18, tricking users into installing malicious code. 

The persistence mechanism allows threat actors to maintain covert control over the compromised device, facilitating data exfiltration and continued device exploitation without user awareness. 

Understanding the intricate workings of such attacks necessitates a thorough examination of the attack lifecycle, looking at stages from initial access to post-exploitation, much like the MITRE ATT&CK framework. 

Adversaries can leverage the iOS settings interface to manipulate system update settings, crafting deceptive prompts and notifications mimicking legitimate iOS updates, which aim to prolong undetected device access and extend the adversary’s data collection window. 

With an average of 207 days for breach identification and 70 days for containment, such persistence mechanisms significantly increase the risk of data exfiltration and maintain adversary footholds on compromised devices. 

Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Access

The Technique Used

Attackers employ advanced obfuscation techniques to sustain prolonged device access.

By consistently masking malicious activities as legitimate system processes, particularly during simulated iOS updates, they create a deceptive environment, which is crucial for establishing persistent control and escalating device compromise. 

The system manipulates user trust by replicating the visual and linguistic elements of authentic iOS updates. 

Through designed alerts and progress indicators, it constructs a deceptive facade of legitimacy, inducing a false sense of security, which leverages user familiarity with the iOS ecosystem to circumvent vigilance and facilitate unauthorized actions. 

The counterfeit iOS update system employs sophisticated techniques to deceive users and hijack the update process. 

By intercepting and modifying device-server communication, it redirects the device to a malicious update environment, which is a circumvention of Apple’s legitimate channels and contingent on prior device compromise. 

Compromised devices falling victim to a fake update system face severe consequences. The update mechanism is irreparably damaged, preventing the installation of the latest iOS 18 version. 

It leaves devices highly vulnerable to exploitation by malicious actors, as they lack critical security patches and system enhancements available in the new OS. 

To mitigate the risk of falling victim to deceptive update prompts, users must exercise caution when encountering iOS update notifications. 

Verifying the authenticity of these prompts exclusively through trusted channels, such as Apple’s official website or the device’s Settings menu, is imperative to prevent unauthorized system modifications and potential data breaches. 

A newly identified iOS vulnerability exposes a sophisticated attack vector, underscoring the dynamic nature of modern cybersecurity threats and highlighting the critical need for heightened vigilance and proactive defense strategies within organizations. 

By dissecting this attack technique, Jamf Threat Labs aims to equip businesses with the knowledge essential to protect both individuals and corporate assets from the evolving iOS threat landscape.

Download Free Cybersecurity Planning Checklist for SME Leaders (PDF) – Free Download

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Nearest Neighbor Attacks: Russian APT Hack The Target By Exploiting Nearby Wi-Fi Networks

Recent research has revealed that a Russian advanced persistent threat (APT) group, tracked as "GruesomeLarch"…

1 day ago

240+ Domains Used By PhaaS Platform ONNX Seized by Microsoft

Microsoft's Digital Crimes Unit (DCU) has disrupted a significant phishing-as-a-service (PhaaS) operation run by Egypt-based…

2 days ago

Russian TAG-110 Hacked 60+ Users With HTML Loaded & Python Backdoor

The Russian threat group TAG-110, linked to BlueDelta (APT28), is actively targeting organizations in Central…

2 days ago

Earth Kasha Upgraded Their Arsenal With New Tactics To Attack Organizations

Earth Kasha, a threat actor linked to APT10, has expanded its targeting scope to India,…

2 days ago

Raspberry Robin Employs TOR Network For C2 Servers Communication

Raspberry Robin, a stealthy malware discovered in 2021, leverages advanced obfuscation techniques to evade detection…

2 days ago

145,000 ICS Systems, Thousands of HMIs Exposed to Cyber Attacks

Critical infrastructure, the lifeblood of modern society, is under increasing threat as a new report…

2 days ago