It has only been a few weeks since a researcher released an iOS exploit that can be used to jailbreak an iPhone, but scammers are already leveraging the tool's publicity to try to commandeer victims' devices.
Last month, a researcher known as @axi0mx published checkm8, a bootrom exploit for older iPhones that, combined with the accompanying technical instructions, enables users to remove restrictions imposed on their iPhone by Apple or telecommunication companies. Now, after weeks of publicity around checkm8, attackers have launched a malicious website that masquerades as a legitimate jailbreak page, only to push a fraudulent tool that tries to take over an affected device.
Cisco's Talos threat intelligence crew on Tuesday said they found checkrain[.]com, a site meant to look like an offshoot of checkra1n, a legitimate jailbreak project built on the checkm8 exploit that researchers can use to modify their iPhone's software and jailbreak their device. Instead of doing that, though, the malicious checkrain site encourages visitors to install a web clip that clicks on risky advertisements and installs iOS video games. All the while, it looks to the visitor as though the true checkra1n installation process is underway.
"The chain used in this process goes through several ad-tracking, verification, geolocation and, finally, campaign delivery," wrote researchers Warren Mercer and Paul Rascagneres.
The fake checkrain page downloads a slot machine game called “POP! Slots,” and instructs the user to use the app for seven days to guarantee the jailbreak works.
“This is obviously nonsense — the user will merely provide more interactive sessions throughout the gameplay, which may result in additional revenue for the attack,” the Talos blog post goes on.
It is not clear who is behind this effort, or how much money they have made from fraudulent clicks. But it has become common for scammers to create apps and sites that capitalize on the popularity of a legitimate tool and then, instead of providing what they promised, direct users through a series of landing pages that monetize their connection.
The checkm8 exploit works on devices with Apple chipsets from A5 to A11, which have powered iPhones and iPads since 2011. Apple's newer chips, the A12 and A13, are not affected. It works by exploiting flaws in the bootrom, read-only code burned into the chip that Apple cannot patch with a software update, giving users more control over their device while also removing some of the safeguards meant to keep hackers out. The exploit must be delivered over USB to a device placed in DFU mode, which is why no website could legitimately jailbreak a phone simply by being visited.