The zero-click iOS malware attack via iMessage is actively infecting iPhones

Antivirus vendor Kaspersky has discovered a malware campaign that infects iPhones running iOS versions up to 15.7 through iMessage, but the infection can be detected and prevented.

iOS devices have been specifically targeted by malware

Kaspersky's team noticed suspicious activity coming from several iOS devices. Because iOS does not allow direct inspection of a device's internals, the company instead created offline backups of the affected devices.

These backups were then analyzed with mvt-ios (the Mobile Verification Toolkit for iOS), which turned up indicators of compromise. The attack begins when the targeted device receives a message over iMessage.

The message carries an attachment containing an exploit. The exploit is zero-click: it triggers a vulnerability in the system and runs malicious code without any interaction from the user.

The exploit then fetches further stages from the command-and-control (C&C) server, including additional exploits designed for privilege escalation.

Once exploitation succeeds, a full Advanced Persistent Threat (APT) platform is downloaded from the C&C server, giving the attacker complete control over the device and its data. The malware then deletes the initial message and its exploit attachment to hide its tracks.

Interestingly, the toolkit does not persist across reboots, which suggests that the constraints of the iOS environment limit what the attackers can do. A rebooted device can, however, be reinfected by another malicious message.

Kaspersky also indicated that, as of June 2023, the attack had been observed on devices running iOS versions up to 15.7. Whether the campaign relies on a previously unknown (zero-day) vulnerability in these older iOS versions has not yet been established.

The full scope of the attack vector is still under investigation.

How to protect yourself

Kaspersky's team is still investigating the final payload of the malware, which runs with root privileges. It can collect user and system data and execute arbitrary code that is delivered as plug-in modules from the C&C server.

They say, however, that a compromised device can be identified reliably. Moreover, when a new device is set up by migrating user data from a previous one, the new device's iTunes backup retains traces of the compromise of both devices, complete with accurate timestamps.

Kaspersky's blog post gives step-by-step guidance for checking whether an iOS device is infected. The process involves installing the tools from a terminal and then inspecting specific files produced by the analysis for signs of the malware.

  • Create a full backup of the device with idevicebackup2: “idevicebackup2 backup --full $backup_directory”.
  • Install MVT with “pip install mvt”. If the backup is encrypted, decrypt it first with MVT's “mvt-ios decrypt-backup” command so that the analysis runs on a decrypted copy.
  • Analyze the (decrypted) backup with “mvt-ios check-backup -o $mvt_output_directory $decrypted_backup_directory”.
  • Finally, open timeline.csv in the output directory and look for data usage lines that mention a process named “BackupAgent”.

BackupAgent is a deprecated binary that should not appear in the data usage timeline during normal operation, so its presence is a strong indicator of compromise.
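The following script is an added example, not code from Kaspersky's post. It wraps the four steps above in shell functions and scans the resulting timeline.csv for the BackupAgent indicator. It assumes idevicebackup2 (from libimobiledevice) and mvt-ios are on PATH and that the backup is unencrypted (an encrypted backup must first be decrypted with mvt-ios decrypt-backup). The sample timeline rows it generates are constructed for offline testing; their column layout only approximates MVT's real timeline.csv.

```shell
#!/bin/sh
# Added example (not Kaspersky's or MVT's own code): automate the backup,
# analysis and timeline check described above.
# Assumptions: idevicebackup2 and mvt-ios are installed and on PATH; the
# backup is unencrypted (decrypt first with `mvt-ios decrypt-backup` if not).

# Step 4: count data usage lines in timeline.csv that mention the deprecated
# BackupAgent process. Prints the count on stdout; any value above 0 is an
# indicator of compromise.
scan_timeline() {
    timeline="$1"
    if [ ! -r "$timeline" ]; then
        echo "cannot read timeline at $timeline" >&2
        return 2
    fi
    # grep -c prints "0" and exits 1 when nothing matches; keep the "0".
    hits=$(grep -i 'datausage' "$timeline" | grep -c 'BackupAgent' || true)
    echo "$hits"
}

# Steps 1-3: full device backup, MVT analysis, then the timeline check.
# Usage: triage_device /path/for/backup /path/for/mvt_output
triage_device() {
    backup_dir="$1"
    out_dir="$2"
    idevicebackup2 backup --full "$backup_dir"
    mvt-ios check-backup -o "$out_dir" "$backup_dir"
    hits=$(scan_timeline "$out_dir/timeline.csv")
    if [ "$hits" -gt 0 ]; then
        echo "SUSPICIOUS: $hits BackupAgent data usage line(s) in $out_dir/timeline.csv"
    else
        echo "No BackupAgent data usage lines found in $out_dir/timeline.csv"
    fi
}

# Constructed sample timeline for offline testing. The rows are invented and
# the column layout (UTC Timestamp, Plugin, Event, Description) only mimics
# MVT's timeline.csv. Pass "clean" to omit the BackupAgent row.
make_sample_timeline() {
    f=$(mktemp)
    {
        echo '"UTC Timestamp","Plugin","Event","Description"'
        echo '"2023-01-14 10:03:11.000000","Datausage","Datausage","com.apple.mobilesafari (Bundle ID: com.apple.mobilesafari) WIFI IN: 23114 WIFI OUT: 4022"'
        if [ "${1:-infected}" != clean ]; then
            echo '"2023-01-14 10:04:02.000000","Datausage","Datausage","BackupAgent (Bundle ID: com.apple.datausage.general) WIFI IN: 0 WIFI OUT: 18492"'
        fi
        echo '"2023-01-14 12:00:00.000000","SMS","Received","From: 1234 : constructed sample row"'
    } > "$f"
    echo "$f"
}

# Stand-alone run: triage a connected device when the tools are present,
# otherwise demonstrate the scan on the constructed sample.
if command -v idevicebackup2 >/dev/null 2>&1 && command -v mvt-ios >/dev/null 2>&1; then
    triage_device "${1:-./backup}" "${2:-./mvt_output}"
else
    sample=$(make_sample_timeline)
    echo "BackupAgent hits in constructed sample: $(scan_timeline "$sample")"
    rm -f "$sample"
fi
```

The scan deliberately keys on data usage rows only: BackupAgent showing up as network activity is the signal Kaspersky describes, and filtering on the plugin column avoids false hits from unrelated timeline entries that happen to contain the string.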

These steps require some technical expertise and are best left to experienced users. For everyone else, updating to the latest iOS release (iOS 16 at the time of writing) is the best and easiest way to stay safe.
