Maintaining persistence through deception: The threat of fake iOS updates
Jamf Threat Labs explores how bad actors use fake iOS updates to maintain persistence on compromised devices.
Research led by: Hu Ke, Nir Avraham
With a rapidly evolving mobile threat landscape, maintaining a secure workspace can only be achieved through layered defenses. And while the concept is not new to security and risk management practitioners, the techniques used to protect a mobile workforce are inherently different than those used to secure legacy devices operating within the confines of a corporate perimeter.
When studying a new threat, researchers at Jamf Threat Labs strive to understand how it operates end-to-end, looking not just at how threat actors gain initial access to a device, but how they operate on the device, how they collect valuable information and how that data is exfiltrated from the device.
Though our researchers use frameworks like MITRE ATT&CK to study the various phases of an attack lifecycle, a detailed discussion of an entire attack sequence is outside the scope of this blog. Instead, we'll focus today on one specific phase of a mobile attack: maintaining persistence. Specifically, we will explore a theoretical fake iOS update that deceives the user of an already compromised device into believing they are downloading and installing the newest and most secure OS available, depicted as iOS 18 in this scenario.
Unveiling the deception
In our research on mobile persistence techniques, we explore how an adversary who already controls a device could manipulate the iOS Settings interface and the software update experience, complete with prompts and notifications indicating that iOS 18 is available to install.
For an attacker who has successfully gained access to a target device, the goal is to remain on the device, in a position to collect valuable data, for as long as possible. Independent research puts the average time to identify and contain a breach at 277 days: 207 days to identify and 70 days to contain. That figure covers breaches in general rather than mobile compromises specifically, but it illustrates how long an undetected foothold can last.
Source: https://www.ibm.com/reports/data-breach-action-guide
To maintain their presence on a device for such an extended time frame, an attacker needs to hide their tracks and disguise their activities as well as possible. In the case of our simulated iOS update, the attacker is trying to convince the user that the device is operating normally and is fully up to date, when in fact it remains on the vulnerable version that was exploited. This apparent authenticity is a meticulously crafted facade that serves both to maintain persistence and to further compromise the integrity of the device.
Exploiting user trust
The effectiveness of our simulated system hinges on exploiting user trust. By closely imitating the visual cues and language of real iOS updates, we create a false sense of security. Each element, from the initial alert to the progress indicators, is carefully designed to maintain the illusion.
Technical foundations
Beneath the surface of the counterfeit update is a mechanism that intercepts and alters the communications between the device and Apple's software update service, redirecting the device to an attacker-controlled fake update environment in place of Apple's official channels. That environment supplies everything the user sees: the update prompt, the download and install progress, and the final "up to date" state, while no real update is ever applied. It's crucial to note that this scenario assumes the device has already been compromised. On an unmodified device, update traffic is protected in transit and the software that is installed must be signed by Apple and is verified before it runs, so an attacker cannot install a counterfeit iOS; what an attacker with sufficient control of the device can do is control what the user is shown about updates.
Consequences of compromise
The impact of the fake update is not that a malicious OS gets installed but that a legitimate one never is. A compromised device that is being fed fake updates stays on the version the attacker exploited, in our case never reaching iOS 18, while the user believes the device is current. That leaves it exposed to the original vulnerability and to further exploitation by other malicious entities.
Risk mitigation
To combat this threat, users should be vigilant and cautious with update prompts on their iOS devices. Because the attack tampers with the Settings interface itself, a compromised device's own update screen cannot be relied on to confirm its state. Instead, confirm the current iOS release from a source outside the device, such as Apple's published release information viewed on another trusted device, and compare it with the version the device reports. An organization can do the same at scale by comparing MDM inventory data against Apple's published releases: a device that reports it is up to date while lagging the current release, or that reports a version and build combination Apple never shipped, warrants investigation. Bear in mind that a sufficiently capable attacker can forge the device's self-reported values as well, so such checks catch inconsistencies rather than prove integrity, and they should be complemented by on-device threat detection that does not depend on the update status the device reports.
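The out-of-band comparison described above, as an added example that is not Jamf's or Apple's code: it takes a constructed MDM inventory export (the `InventoryRecord` fields are an assumption about what such an export contains) and checks each device's self-reported version, build and "up to date" claim against a reference table of released versions. The `REFERENCE_RELEASES` values are illustrative placeholders; in practice the table is populated from Apple's published release notes on a trusted device, never from the devices being checked.

```python
"""
Out-of-band consistency check for device-reported iOS update state.

Added example, not Jamf's or Apple's code. Assumes an MDM inventory export
with the fields of InventoryRecord below and a reference table of released
iOS versions and build identifiers. The reference values are illustrative
placeholders: populate REFERENCE_RELEASES from Apple's published release
notes, viewed on a device you trust, not from the device under test.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class InventoryRecord:
    device_id: str
    reported_version: str    # version string the device (or its MDM agent) claims
    reported_build: str      # build identifier the device claims
    claims_up_to_date: bool  # whether the device's update UI/agent says "up to date"


# Illustrative placeholder table (version -> build). Replace with Apple's
# published values; never seed it from the devices being checked.
REFERENCE_RELEASES: dict[str, str] = {
    "17.5.1": "21F90",
    "17.6.1": "21G93",
    "18.0": "22A3354",
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '18.0' / '17.6.1' into a comparable tuple padded to three fields.

    Anything that is not one to three dot-separated numeric fields is rejected,
    so a forged or garbled string is reported instead of silently compared.
    """
    parts = version.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed iOS version string: {version!r}")
    nums = tuple(int(p) for p in parts) + (0, 0, 0)
    return nums[:3]


def latest_reference_version() -> str:
    """Newest version in the reference table, compared numerically."""
    return max(REFERENCE_RELEASES, key=parse_version)


def assess(record: InventoryRecord) -> list[str]:
    """Return the findings for one device; an empty list means it is consistent."""
    findings: list[str] = []
    try:
        reported = parse_version(record.reported_version)
    except ValueError as exc:
        return [str(exc)]

    # A version/build pair Apple never shipped is the cheapest fake to spot.
    expected_build = REFERENCE_RELEASES.get(record.reported_version)
    if expected_build is None:
        findings.append(f"version {record.reported_version} is not in the reference release list")
    elif expected_build != record.reported_build:
        findings.append(
            f"build {record.reported_build} does not match reference build "
            f"{expected_build} for {record.reported_version}"
        )

    # "Up to date" while behind the current release is the scenario in the post.
    latest_name = latest_reference_version()
    latest = parse_version(latest_name)
    if reported < latest and record.claims_up_to_date:
        findings.append(
            f"device claims to be up to date but {record.reported_version} "
            f"is behind latest reference release {latest_name}"
        )
    if reported > latest:
        findings.append(f"device reports {record.reported_version}, newer than any reference release")
    return findings


def triage(records: list[InventoryRecord]) -> dict[str, list[str]]:
    """Map device_id -> findings, keeping only devices that have at least one."""
    return {r.device_id: f for r in records if (f := assess(r))}


# Constructed inventory: one device honestly on the current release, one that
# has genuinely not updated yet, and two whose reported state looks faked.
SAMPLE_INVENTORY = [
    InventoryRecord("ipad-01", "18.0", "22A3354", True),
    InventoryRecord("iphone-02", "17.6.1", "21G93", False),
    InventoryRecord("iphone-03", "17.6.1", "21G93", True),  # behind, yet says "up to date"
    InventoryRecord("iphone-04", "18.0", "21G93", True),    # version/build pair never shipped
]

if __name__ == "__main__":
    for device, findings in triage(SAMPLE_INVENTORY).items():
        print(device)
        for finding in findings:
            print("  -", finding)
```

Running the block flags `iphone-03` and `iphone-04` and leaves the two consistent devices alone. The check is deliberately one-directional: a device that fails it deserves a look, but a device that passes has only shown that its self-reported values are internally consistent, which an attacker with full control of the device can also arrange.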
Comprehensive mobile security with Jamf
With Apple recently warning iPhone users about new attacks targeting iOS, integrating mobile security into your strategy is more vital than ever. Jamf provides robust, layered defense through our comprehensive suite of solutions:
- Device enrollment for company-owned and BYOD: Jamf offers centralized control over company-owned devices and user-enrolled work partitions to ensure that any sanctioned device is ready for work.
- Secure device configuration and compliance audits: Jamf provides capabilities to align with existing compliance standards or to design your own, and to audit how devices adhere to those standards over time.
- Modern endpoint protection and mobile threat defense: Jamf offers industry leading endpoint security for both Mac and mobile (iOS and Android) devices.
- Advanced detection and response: Jamf maintains a highly effective mobile detection and response service.
- Modern remote access: Jamf offers a native zero-trust access solution that is built for the modern era, with integrated user identity checks and continuous device risk assessments factored into policies.
Conclusion
This conceptual iOS update showcases just how creative and complex modern cybersecurity threats can be. It is crucial to remain vigilant and proactive, and by highlighting the specifics of this technique, we hope to educate and empower organizations with the knowledge they need to safeguard individuals and their business against the ever-changing threats in the iOS environment.