Security News

Fake iOS Jailbreak Lures iPhone Users to Click Fraud Campaign

iPhone users expecting to download an iOS jailbreak* have been lured into a click fraud campaign instead.

Scammers are using a fake website that, while claiming to offer iPhone users the checkra1n jailbreak, merely prompts them to download a malicious profile, reports Cisco Talos researchers.

The checkra1n jailbreak uses the checkm8 vulnerability to modify the bootrom, which allows users to control the boot process. The malicious website - checkrain[.]com - asks users to install a "mobileconfig" profile on their iOS device. This profile even comes with an SSL certificate - which checkra1n doesn't use - to add an aura of authenticity.

Once installed, a checkrain icon appears on the user's iPhone.

"The icon is in fact a kind of bookmark to connect on a URL," said the researchers. "(It) may look like an app from the user's perspective, but it actually doesn't work like one at all on the system level."

When the user clicks on the icon, the next step in the ruse unfolds and a web page loads in full screen with no search bar, address/URL bar and bookmarks and a message stating: "Checking your device before accessing checkra1n jailbreak."

Several more steps of the download process take place, including numerous redirects, before finishing on an iOS game install, with in-app purchases available.

"It really goes through the effort of trying to make the user believe they're being exploited," said the researchers. "But all that's happening is they're generating click fraud (by) making sure you install one of these apps it then uses to make revenue for the adversary."

While this 'scenario' only involved click fraud, the researchers stated that what happened here could easily be used for "more malicious and critical actions. Instead of a web clip profile, the attackers could implant their own MDM (mobile device management) enrolment."

*A jailbreaking device bypasses Apple's restrictions on the operating system and allows users to install apps that aren't authorised by Apple. On the downside, the security protections built into the iOS are removed.

. . .

If you want to stay notified of vulnerabilities that affect you, register for a weekly security report customised to your stack.

Get weekly security news and vulnerability alerts

Join 916 others receiving a free weekly report with a round-up of vulnerabilities and security news customised to your software stack. See an example email

Example email for SecAlerts

Earlier: