Apple’s control over its ecosystem of devices and apps has historically been tight. In addition, there are several built-in security features, such as strong encryption and containerization, that help prevent data leakage and limit the spread of malware. Despite all this, ESET, a leading proactive threat detection company, warns that risks are not completely eliminated, as everyday scams and other threats bombard iOS users as well, and while some are more common than others, they all demand attention.

“The fact that iOS apps typically come from Apple’s official App Store and must pass stringent tests to be approved has avoided security and privacy-related headaches over the years. But, the recent EU antitrust law, known as the Digital Markets Act (DMA), seeks to give iOS users the option to use third-party app marketplaces. This will bring new challenges to Apple in protecting iOS users from potential harm and those who use its products, as they will have to be more aware of threats. This change in the rules of the game will undoubtedly be exploited by cybercrime”, says Camilo Gutiérrez Amaya, head of the Computer Security Lab at ESET Latin America.
In addition to the risks that could arise from DMA compliance, ESET analyzes the different types of threats, possibly more immediate, that target iOS users around the world:
Jailbroken devices: Deliberately unlocking a device to allow what Apple calls “unauthorized modifications” could violate the Software License Agreement and disable some built-in security features, such as Secure Boot and Data Execution Prevention. It will also mean that the device will stop receiving automatic updates. Being able to download apps from outside the App Store also exposes you to malicious and/or buggy software.
Malicious apps: While Apple does a good job of screening apps, it doesn’t get it right 100% of the time. Malicious apps recently detected in the App Store include a fake version of the LastPass password manager designed to collect credentials, a malicious screenshot-reading program dubbed “SparkCat” disguised as artificial intelligence and food delivery apps, and a fake crypto wallet app called “Rabby Wallet & Crypto Solution”.
App downloads from websites: As detailed in the latest ESET Threat Report, progressive web apps (PWAs) allow direct installation without the need for users to grant explicit permissions, meaning downloads could go undetected. ESET discovered this technique used to disguise banking malware as legitimate mobile banking apps.
Phishing/social engineering: Phishing attacks via email, text (or iMessage) and even voice are common. They impersonate legitimate brands and trick the user into providing credentials, clicking on malicious links, or opening attachments to trigger malware downloads. Apple IDs are among the most prized logins, as they can provide access to all data stored in an iCloud account and/or allow attackers to make iTunes/App Store purchases. ESET advises being careful with:
- Fake pop-ups claiming that the device has a security issue
- Fraudulent phone calls and FaceTime calls posing as Apple Support or partner organizations
- Fake promotions offering giveaways and sweepstakes
- Calendar invitation spam with phishing links
In a highly sophisticated campaign, the threat actors used social engineering techniques to trick users into downloading a mobile device management (MDM) profile that would allow them to control victims’ devices. With this, they deployed the GoldPickaxe malware, designed to collect facial biometric data and use it to bypass banking logins.
Risks of public wifi networks: A public wifi hotspot can be a fake access point created by threat actors to monitor web traffic and steal sensitive information such as banking passwords. Even if the access point is legitimate, many do not encrypt data in transit, which means that hackers with the right tools could see the websites you visit and the credentials you enter. That’s why ESET recommends using a VPN, which creates an encrypted tunnel between your device and the Internet.

Vulnerabilities: Although Apple devotes a lot of time and effort to ensuring that its code is free of vulnerabilities, flaws sometimes reach production. In these cases, hackers can take advantage if users have not updated their device, for example, by sending malicious links in messages that trigger an exploit if clicked on.
- Last year, Apple was forced to patch a vulnerability that could allow attackers to steal information from a locked device using Siri voice commands.
- Occasionally, threat actors and commercial companies themselves research new (zero-day) vulnerabilities to exploit. Although rare and highly targeted, attacks exploiting these vulnerabilities are often used to covertly install spyware on victims’ devices.
While there is malware lurking on iOS devices, it is also possible to minimize exposure to threats. ESET shares the top tactics:
- Keep iOS and all apps up to date. This will reduce the window of opportunity for threat actors to exploit any vulnerabilities in older versions to achieve their goals.
- Always use strong, unique passwords for all accounts, perhaps using ESET’s password manager for iOS, and enable multifactor authentication if offered. This is easy on iPhones, as it will require a simple Face ID scan. This will ensure that even if attackers get the passwords, they won’t be able to access the apps without the face scan.
- Enable Face ID or Touch ID to access the device, backed up with a secure password. This will keep the iPhone safe in case of loss or theft.
- Do not jailbreak the device, for the reasons mentioned above. It will most likely make your iPhone less secure.
- Beware of phishing. That means treating unsolicited calls, text messages, emails, and social networking messages with extreme caution. Do not click on links or open attachments. If you really need to do so, check separately with the sender that the message is legitimate (that is, not by replying to the details in the message). Look for signs of social engineering, such as grammatical and spelling errors, an urgency to act, gifts and offers that are too good to be true, or comments from the sender that do not match the purported sender.
- Avoid public wifi networks. If you must use them, try to use a VPN. At the very least, do not log in to any valuable account or enter sensitive information on a public wifi network.
- Try to limit yourself to the App Store for any downloads to minimize the risk of downloading anything malicious or risky.
- If you think you may be targeted by spyware (often used against journalists, activists and dissidents), activate Lockdown Mode.
- Pay attention to the telltale signs of a malware infection, which could include slow performance, unwanted advertising pop-ups, device overheating, new apps appearing on the home screen, or increased data consumption.
“While Apple’s iPhone remains one of the most secure devices out there, this does not mean that it is free from threats. Staying alert, knowing the possible risks and taking the necessary protective measures help to keep information and devices safe”, concludes Gutiérrez Amaya, Head of the Computer Security Lab at ESET Latin America.