Warning about malicious iPad App - Created root certs and gains access to email and notes

soccer97

Level 11
Thread author
Verified
May 22, 2014
517
Recently, I was helping a relative as their iPad was acting up. In Safari, I noticed a lot of weird websites showing up (open Safari and 5-8 tabs are open that were not previously browsed). They are either ads or pushing "Your device is infected", I assume fake AV. It created 4 Comodo Root certificates, which I eventually found. It also created an account found under email. I am not sure I can post the app name here (will ask mods for approval w/i a few days), but I will say that it is an app geared towards an older demographic of individuals and its purpose is for saving money. I did not see it in the App Store. It appears to have been launched through Safari and installed a shortcut on the Home Screen which, when clicked on, opens Safari and their webpage (I believe it is opening a lot of pages to get some type of pay-per-click or affiliate $). The relative says they aren't worried about it and uses their CC to pay for things. I beg them to go to the Apple Store to have them simply reset it. Ran them through VTotal; they pop up as malicious.

The end user is the weakest link. The individual does not understand hacked email accounts ("Well, it's from my friend's email address, so it has to be legitimate"; there is no content except a website link, and they click on it. It was an email acct that had been hacked). :rolleyes:


Warning about malicious iPad App - Created 4 root certs and gains access to email and notes.


There was no way to remove the account, nor the root certs. Apple Support said that is bad and it must be fully reset, and recommended if possible to set it up as new (in case the backups were somehow infected).

So a heads up: there is malware out there.

My understanding is that iOS is pretty locked down kernel-wise and that is why antivirus is not as robust, effective or necessary as it is on a Windows PC. I was told it may provide some protection from malicious URLs (which is important), but otherwise it's iffy.


Does anyone have input into this?

The only thing I can think of is Sophos, since it has low performance impact. They definitely need malicious URL detection at the least!
 

Atlas147

Level 30
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 28, 2014
1,990
Yes if you could post the suspected app and the VT links that show that the app was indeed malicious that would be great. Also is your iPad jailbroken at all? Apple is pretty restrictive on what apps can do.
 
Reactions: Logethica

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
Just a thought, have you tried removing the Configuration Profile from iOS?
  • Open Settings
  • General
  • Profiles
  • 'Delete Profile'
  • Enter Passcode (if set) and Delete
 
Reactions: soccer97

soccer97

Level 11
Thread author
Verified
May 22, 2014
517
Yes if you could post the suspected app and the VT links that show that the app was indeed malicious that would be great. Also is your iPad jailbroken at all? Apple is pretty restrictive on what apps can do.


No, it's not jailbroken (unless whatever this is exploited a vuln; I always checked to ensure the OS was up to date). I have no clue how it got on her device. I tried deleting the icon from the home screen per Apple Support. Turns out it came back. 4 root certs still. Impossible to remove the email acct. How would I get VT links?

The first and 3rd link are Apple Support Discussions. The 2nd is a Google Search with results from Apple Support discussions.





One thing they have in common is the domain name for the email that is set up. It seems to come in through Safari. Probably one of those popups, and the user clicks it and then we get this mess.


I would just reset the thing. The problem is said relative has certain documents she is seriously scared to lose (rightfully so), and Apple claims it's a wipe or good luck. Be careful what you download.


Thanks to all
 
Reactions: Logethica

soccer97

Level 11
Thread author
Verified
May 22, 2014
517
Just a thought, have you tried removing the Configuration Profile from iOS?
  • Open Settings
  • General
  • Profiles
  • 'Delete Profile'
  • Enter Passcode (if set) and Delete


The only issue is I don't think it's actually an App (couldn't find it in the App Store), otherwise I would be on it now. It risks the network, even though it's behind a wireless gateway w/ firewall.
 
Reactions: Logethica

Atlas147

Level 30
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 28, 2014
1,990
No, it's not jailbroken (unless whatever this is exploited a vuln; I always checked to ensure the OS was up to date). I have no clue how it got on her device. I tried deleting the icon from the home screen per Apple Support. Turns out it came back. 4 root certs still. Impossible to remove the email acct. How would I get VT links?

The first and 3rd link are Apple Support Discussions. The 2nd is a Google Search with results from Apple Support discussions.





One thing they have in common is the domain name for the email that is set up. It seems to come in through Safari. Probably one of those popups, and the user clicks it and then we get this mess.


I would just reset the thing. The problem is said relative has certain documents she is seriously scared to lose (rightfully so), and Apple claims it's a wipe or good luck. Be careful what you download.


Thanks to all

Yes, actually certs like these can be issued without any app download; for example, if you download any VPN app from the App Store it would ask you to download the cert, which redirects you to a webpage first before landing you in Settings. I suspect your relative must have clicked on one of those links. But it is also possible to remove the cert by following @Huracan's instructions! Resetting everything is a real pain when you need to redownload everything again manually.
 
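Atlas147's point above, that a web page can hand Safari a configuration profile which installs trusted roots, a mail account and a Home Screen shortcut without any App Store app, is easiest to see by inspecting the .mobileconfig file itself. The following is an added example, not code from this thread or from Apple: it builds a constructed sample profile (placeholder certificate bytes, `.invalid` hostnames, made-up identifiers) and then parses it the way a responder would parse a profile pulled from a device backup or a mail attachment, reporting which payloads it carries and whether it is marked non-removable. The payload type strings and the `PayloadRemovalDisallowed` / `IsRemovable` keys are Apple's documented ones; every value in the sample is constructed.

```python
import plistlib

# Payload types from Apple's Configuration Profile Reference.
ROOT_CERT_TYPES = {
    "com.apple.security.root",   # trusted root certificate
    "com.apple.security.pem",    # certificate in PEM form
    "com.apple.security.pkcs1",  # certificate in DER form
}
MAIL_TYPE = "com.apple.mail.managed"
WEBCLIP_TYPE = "com.apple.webClip.managed"


def build_sample_profile():
    """Constructed sample .mobileconfig (XML plist) with placeholder values.

    It mirrors what the thread describes: several root certs, a mail account
    and a Home Screen shortcut that opens Safari. No real certificate data.
    """
    certs = [
        {
            "PayloadType": "com.apple.security.root",
            "PayloadIdentifier": "example.placeholder.cert%d" % i,
            "PayloadUUID": "00000000-0000-0000-0000-00000000000%d" % i,
            "PayloadVersion": 1,
            "PayloadDisplayName": "Root CA %d" % i,
            "PayloadContent": b"PLACEHOLDER-DER-BYTES",  # not a real cert
        }
        for i in range(1, 5)
    ]
    mail = {
        "PayloadType": MAIL_TYPE,
        "PayloadIdentifier": "example.placeholder.mail",
        "PayloadUUID": "00000000-0000-0000-0000-0000000000a1",
        "PayloadVersion": 1,
        "EmailAccountDescription": "Coupons",
        "EmailAddress": "user@example.invalid",
        "IncomingMailServerHostName": "mail.example.invalid",
    }
    clip = {
        "PayloadType": WEBCLIP_TYPE,
        "PayloadIdentifier": "example.placeholder.webclip",
        "PayloadUUID": "00000000-0000-0000-0000-0000000000b1",
        "PayloadVersion": 1,
        "Label": "Save Money",
        "URL": "https://example.invalid/offers",
        "IsRemovable": False,  # icon comes back / cannot be deleted
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "example.placeholder.profile",
        "PayloadUUID": "00000000-0000-0000-0000-0000000000c1",
        "PayloadVersion": 1,
        "PayloadDisplayName": "Save Money Coupons",
        "PayloadRemovalDisallowed": True,  # no "Delete Profile" in Settings
        "PayloadContent": certs + [mail, clip],
    }
    return plistlib.dumps(profile)


def summarize_profile(raw):
    """Parse an unsigned .mobileconfig (XML plist) and list what it installs."""
    profile = plistlib.loads(raw)
    summary = {
        "display_name": profile.get("PayloadDisplayName", "<unnamed>"),
        "removal_disallowed": bool(profile.get("PayloadRemovalDisallowed", False)),
        "root_certs": [],
        "mail_accounts": [],
        "web_clips": [],
        "other_payloads": [],
    }
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype in ROOT_CERT_TYPES:
            summary["root_certs"].append(payload.get("PayloadDisplayName", "<unnamed cert>"))
        elif ptype == MAIL_TYPE:
            summary["mail_accounts"].append(payload.get("EmailAddress", "<no address>"))
        elif ptype == WEBCLIP_TYPE:
            summary["web_clips"].append({
                "label": payload.get("Label", ""),
                "url": payload.get("URL", ""),
                "removable": bool(payload.get("IsRemovable", True)),
            })
        else:
            summary["other_payloads"].append(ptype)
    return summary


def red_flags(summary):
    """Reduce the summary to the points a responder wants to see first."""
    flags = []
    if summary["root_certs"]:
        flags.append("installs %d trusted root certificate(s)" % len(summary["root_certs"]))
    if summary["mail_accounts"]:
        flags.append("adds mail account(s): " + ", ".join(summary["mail_accounts"]))
    for clip in summary["web_clips"]:
        if not clip["removable"]:
            flags.append("non-removable Home Screen web clip to " + clip["url"])
    if summary["removal_disallowed"]:
        flags.append("profile itself is marked non-removable in Settings")
    return flags


if __name__ == "__main__":
    s = summarize_profile(build_sample_profile())
    print("Profile:", s["display_name"])
    for flag in red_flags(s):
        print(" -", flag)
```

Two practical notes. A profile that was signed by its publisher is a CMS (PKCS#7) envelope rather than a bare plist, so unwrap it first (for example with `openssl smime -verify -noverify -inform der -in profile.mobileconfig`) and pass the extracted XML to `summarize_profile`. And the two removal flags explain the symptoms in this thread: a web clip with `IsRemovable` false cannot be deleted from the Home Screen like a normal icon, and a profile with `PayloadRemovalDisallowed` true offers no Delete Profile action in Settings, which is exactly the situation where Apple Support falls back to a full reset.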

soccer97

Level 11
Thread author
Verified
May 22, 2014
517
I will try to troubleshoot and follow his instructions by the end of this week when I can get the iPad back from her.

Thank You. Yes, a reset is a real pain if it can be avoided.
 
Reactions: Logethica
