A new vulnerability has been discovered which exists across legacy iOS hardware and while some have used it to jailbreak their devices, Cisco Talos recently discovered that cybercriminals have set up a fake website looking to capitalize on users trying to jailbreak their iPhones.
However, instead of actually jailbreaking a user's device, the site just prompts users to download a malicious profile that the attackers then use to conduct click fraud.
Checkm8 is a bootrom vulnerability that impacts all legacy models of the iPhone from the 4S through the X. The campaign discovered by Cisco Talos tries to capitalize off of a project called checkrain which uses the checkm8 vulnerability to modify an iPhone's bootrom and load a jailbroken image onto the device.
- Unpatchable iOS flaw used to jailbreak older iPhones
- Apple issues critical iOS patch to plug slip-up that allowed jailbreaking
- Apple ups bug bounty rewards in security push
The Checkm8 vulnerability can be exploited using an open source tool called “ipwndfu” developed by AxiomX but the attackers being tracked by Cisco Talos run a malicious website called checkrain.com that preys on users searching for the legitimate checkrain project.
Checkrain
The fake checkrain site tries to appear to be legitimate by claiming to work with popular jailbreaking researchers such as “CoolStar” and Google Project Zero's Ian Beer. The page prompts users to download an application to jailbreak their phone but there actually is no application, as the attackers are trying to install a malicious profile onto the end-user device.
When a user first visits the fake website, they are presented with a download button. Cisco Talos noticed several things about the site, including the mention of A13 devices which aren't vulnerable to Checkm8, which indicate that the website is not legitimate.
Additionally, the website says that users can install the checkrain jailbreak without using a PC but in reality, the Checkm8 exploit requires that the iOS device be in DFU mode and is exploitable using an Apple USB cable. Another tip off was the fact that the fake checkrain site uses an SSL certificate from LetsEncrypt while the actual site doesn't even have an SSL certificate.
Once the download button is clicked, an app with a checkrain icon is downloaded an installed onto a user's iPhone. However, while the icon may appear like a regular app, it is actually a bookmark to connect to a URL.
Instead of providing users with an authentic jailbreak, the threat actors behind this campaign are instead using their devices to commit click fraud.
As tempting as a jailbroken device may seem, by trying to exploit the Checkm8 vulnerability, you could be opening your device and your data to hackers.
- Keep your devices protected with the best antivirus software
