Eager iOS jailbreakers tricked into click fraud


Checkrain fake jailbreak site borrows pics of real researchers.

Users, including people in Australia, hoping to get full control of their Apple iOS devices - a process called jailbreaking - have been tricked into committing click fraud via a malicious fake website.

The unknown attackers are luring victims by capitalising on demand for a jailbreak called Checkra1n that has not yet been released.

So far people in the United States, Australia, Europe, Egypt, Canada, Turkey, Nigeria, Vietnam and Venezuela have fallen for the fake site.

Checkra1n is based on the Checkm8 vulnerability that can be exploited with the ipwndfu open source tool, both released by Axi0mX last month.

The attackers have created a site called checkrain[.]com with a bogus jailbreak, security researchers from Cisco's Talos Group said.

If users download what appears to be a mobile device management profile to install the jailbreak, an icon is installed on the iPhone or iPad's Springboard. The icon is actually an Apple full-screen Web Clip bookmark that points to a URL.

When users tap the icon, Talos said, multiple redirects take place, generating the click fraud and ending with the download of a game called Pop! Slots from the App Store.
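As an added illustration, not code from the article or from Talos, the following Python script inspects an unsigned .mobileconfig profile and flags the pattern described above: a profile whose only payload is a Web Clip bookmark planted on Springboard. The payload type and keys follow Apple's configuration profile reference; the sample profile, its domain and identifiers are constructed.

```python
"""Inspect an unsigned iOS configuration profile (.mobileconfig) before it is installed."""
import plistlib

# Apple's payload type for a managed Web Clip (a Springboard icon that is a bookmark).
WEBCLIP_TYPE = "com.apple.webClip.managed"

# Constructed sample mimicking the article's fake jailbreak: a profile whose only payload
# is a full-screen, non-removable Web Clip pointing at an attacker-chosen URL.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>checkra1n jailbreak</string>
  <key>PayloadIdentifier</key><string>example.fakejailbreak</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.webClip.managed</string>
    <key>Label</key><string>checkra1n</string>
    <key>URL</key><string>http://fake-jailbreak.example/start</string>
    <key>FullScreen</key><true/>
    <key>IsRemovable</key><false/>
  </dict></array>
</dict></plist>
"""


def inspect_profile(data: bytes) -> dict:
    """Return the Web Clips a profile installs and whether it matches the lure pattern."""
    profile = plistlib.loads(data)  # signed (CMS-wrapped) profiles must be unwrapped first
    web_clips, other_payloads = [], []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype != WEBCLIP_TYPE:
            other_payloads.append(ptype)
            continue
        url = payload.get("URL", "")
        reasons = []
        if payload.get("FullScreen"):
            reasons.append("full-screen: hides Safari's address bar, so redirects are invisible")
        if not payload.get("IsRemovable", True):
            reasons.append("not removable: icon cannot be deleted without removing the profile")
        if not url.lower().startswith("https://"):
            reasons.append("non-HTTPS URL")
        web_clips.append({"label": payload.get("Label", ""), "url": url, "reasons": reasons})
    # A profile that does nothing but plant a Web Clip is not a jailbreak; it is a bookmark.
    suspicious = bool(web_clips) and not other_payloads
    return {"name": profile.get("PayloadDisplayName", ""), "web_clips": web_clips,
            "other_payloads": other_payloads, "suspicious": suspicious}


if __name__ == "__main__":
    print(inspect_profile(SAMPLE_PROFILE))
```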

To earn more revenue from the click fraud, the attacker's fake jailbreak process asks users to complete level 8 of the game within 7 days to complete the device unlock.

To give the site credibility, the attackers festooned it with photos and the names of well-known security researchers including Google Project Zero's Ian Beer and Brandon Azad, and jailbreaker CoolStar.

Talos warned that while the malicious website only engages in click fraud currently, the same technique could be used to enrol devices in a harmful MDM system.

Users should never install unknown iOS profiles from the internet, Talos warned.

The Checkm8 vulnerability is unpatchable by Apple, as it exists in the boot read-only memory (boot ROM) of iDevices.

It can be exploited to modify the boot ROM code in system memory on older iOS devices that use Apple's A5 to A11 system-on-a-chip hardware.

As the exploit has to be loaded into memory, Checkm8 does not persist and has to be reapplied with the iOS device in device firmware update (DFU) mode and connected to a PC with a USB cable.

The fake Checkrain claims to work on newer A12 and A13 iOS devices, which is not possible as Apple patched the vulnerability on those.

Zuk Avraham of San Francisco-based security company Zimperium told iTnews that the Checkm8 vulnerability is very useful for analysis purposes and will help researchers find more bugs.

"It helps to liberate the sandbox from existing operating system restrictions without compromising on security following a reboot," Avraham said.

"A capability to analyse devices, such as the one provided through checkm8, must be available on every modern device / operating system," he added.

Apple has been notoriously unwilling to allow researchers full access to iOS devices and quick to patch any vulnerability that could open them up.

The Checkm8 jailbreak is very low risk, and will lead to more attacks being discovered, Avraham believes.

"I would encourage Apple to free the sandbox and voluntarily offer similar options on all devices," he said. 

Copyright © iTnews.com.au. All rights reserved.
