Cisco Talos experts warn that attackers are actively exploiting public interest in the Checkm8 jailbreak. At the end of September 2019 a security researcher known as axi0mX published an exploit that can be used to jailbreak virtually any Apple device with an A5 to A11 chip, i.e. devices released between 2011 and 2017.
The exploit, named Checkm8, is significant because it targets a vulnerability in the bootrom, read-only code that Apple cannot update with a software patch; the author describes it as "permanent and unpatchable".
Now Cisco Talos experts warn that attackers have not ignored the event and are already piggybacking on Checkm8's publicity.
"Some users want to jailbreak their devices because it allows them to perform a lot of additional actions on their devices that Apple has locked down. This can be simple tasks like SSHing (remotely accessing) the iOS device, changing icons and themes on the iOS device, and also for illegitimate use such as pirated software and games", write Cisco Talos researchers.
The researchers discovered the site checkrain[.]com, which imitates checkra1n[.]com, the site on which a group of security enthusiasts (including axi0mX himself) plan to publish the first user-friendly jailbreak tool based on Checkm8. The checkra1n team has not yet released its tool, but scammers are already taking advantage of the situation.
The fake site distributes a .mobileconfig configuration profile. When the victim installs it, the profile adds a web clip, a shortcut icon, to the home screen. Tapping the icon opens a full-screen web view with no browser chrome (no address bar or navigation controls, which the report calls a headless browser) that loads a page from the scam site, so it looks like a native application.
Under this pretext the victim is offered several games to install, all of them legitimate applications actually hosted on the iOS App Store. In other words, the scheme does not distribute malware; it earns money for the operators of the fake site and for the partners who develop those games and pay for this kind of "advertising".
The researchers note that to a reasonably technical user all of this looks absurd, but scams of this kind target users without technical knowledge.
Recommendations from Cisco Talos
"This malicious website simply leads to click fraud. But the same technique could be used for more malicious and critical actions. Instead of a 'web clip' profile, the attackers could implant their own MDM enrolment. We previously discovered iOS malicious MDM campaigns [links in the original report]. We strongly recommend to never install an unknown profile from the internet."
Talos recommends the following ways to check whether your phone has additional profiles installed or is enrolled in an MDM platform:
- Users can view restrictions set by MDM profiles in Settings > General > Profiles & Device Management > [MDM configuration] > Restrictions
- Users can also check which applications have an MDM profile installed on their device in Settings > General > Profiles & Device Management > [MDM configuration] > Apps.
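The Settings checks above are what to do after a profile is already installed. A profile can also be inspected before installation: a .mobileconfig is an Apple property list, and the payload types inside it tell you what it will do. The script below is an added example, not code from Cisco Talos or the checkra1n team. It parses a constructed profile modelled on the web-clip trick described in this article (the label, URL, identifiers and UUIDs are made up), flags payload types that hand control to a remote party, and reports the web-clip settings that make a remote page look like a native app. The list of "risky" payload types and the unsigned-profile heuristic are the author's own choices, not an Apple classification.

```python
"""Inspect an iOS .mobileconfig configuration profile before installing it.

Added example (not Cisco Talos or checkra1n code). A configuration profile is a
property list whose PayloadContent array holds one dict per payload. The fake
checkrain[.]com profile used a web-clip payload (com.apple.webClip.managed);
an MDM enrolment payload (com.apple.mdm) would be the more dangerous variant
the Talos report warns about.
"""
import plistlib

# Constructed sample profile for this example. Names, URL and UUIDs are invented.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.fakejailbreak</string>
  <key>PayloadUUID</key><string>11111111-2222-3333-4444-555555555555</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadDisplayName</key><string>Jailbreak Tool</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.webClip.managed</string>
      <key>PayloadIdentifier</key><string>com.example.fakejailbreak.webclip</string>
      <key>PayloadUUID</key><string>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>Label</key><string>checkra1n</string>
      <key>URL</key><string>https://example.invalid/app</string>
      <key>FullScreen</key><true/>
      <key>IsRemovable</key><false/>
    </dict>
  </array>
</dict>
</plist>
"""

# Payload types that give a remote party lasting influence over the device.
# This selection is the example author's, not an Apple-defined risk list.
RISKY_PAYLOADS = {
    "com.apple.mdm": "MDM enrolment: the server gets ongoing control of the device",
    "com.apple.webClip.managed": "web clip: home-screen icon that opens a remote URL",
    "com.apple.security.root": "root CA: installs a certificate the device will trust",
    "com.apple.vpn.managed": "VPN: can route all traffic through a third-party host",
}


def is_signed(data: bytes) -> bool:
    """Heuristic: unsigned profiles are plain XML or binary plists; a signed
    profile is a CMS (PKCS#7) DER blob and cannot be parsed with plistlib directly."""
    head = data.lstrip()[:8]
    return not (head.startswith(b"<?xml") or head.startswith(b"bplist"))


def inspect_profile(data: bytes) -> list:
    """Return one finding dict per payload in an unsigned profile, marking risky
    payload types and extracting the fields that matter for each."""
    profile = plistlib.loads(data)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        finding = {
            "type": ptype,
            "identifier": payload.get("PayloadIdentifier", ""),
            "risky": ptype in RISKY_PAYLOADS,
            "reason": RISKY_PAYLOADS.get(ptype, ""),
        }
        if ptype == "com.apple.webClip.managed":
            # Full-screen plus non-removable is what makes a remote page pass as an app.
            finding["url"] = payload.get("URL", "")
            finding["fullscreen"] = bool(payload.get("FullScreen", False))
            finding["removable"] = bool(payload.get("IsRemovable", True))
        elif ptype == "com.apple.mdm":
            finding["server"] = payload.get("ServerURL", "")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    print("signed:", is_signed(SAMPLE_PROFILE))
    for f in inspect_profile(SAMPLE_PROFILE):
        print(f)
```

Run it against any .mobileconfig you have been asked to install (read the file as bytes and pass it to inspect_profile). An unsigned profile with a web clip pointing at a domain you do not recognise, or any com.apple.mdm payload from an unknown source, is the case the Talos recommendation above tells you to refuse. Signed profiles must first be unwrapped from their CMS envelope (for example with openssl smime -verify -noverify -inform DER) before parsing.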