A cybergang has created a malicious website that dangles the reward of being able to jailbreak an iPhone, but instead injects the device with click fraud malware.
The threat actors use the legitimate Checkm8 vulnerability, which does allow some legacy iOS devices to be jailbroken, as the basis for their program, reported Cisco Talos researchers Warren Mercer and Paul Rascagneres. Essentially, the group set up a website called checkrain[.]com.
Checkra1n purportedly uses the Checkm8 vulnerability, a race condition in the bootrom, a read-only memory chip that holds the first code executed whenever a user starts the device. Because this code cannot be altered, any flaw found within it is effectively permanent.
To flesh out the site and make it look more appealing and legitimate, the threat actors claim to be working with well-known jailbreakers “CoolStar” and Google Project Zero’s Ian Beer.
However, the site also contains several errors.
One appears as soon as victims visit the site: they are presented with a button to download checkra1n, and the page states that the jailbreaking software will work on devices using the A5 through A15 chipsets. The real jailbreaking software only works up to the A11 chipset.
“Additionally, the website proposes the user can install the checkra1n jailbreak without a PC, when in reality, the checkm8 exploit requires the iOS device to be in DFU mode and is exploitable via the Apple USB cable,” the researchers wrote.
Once the download is completed, a checkra1n icon appears on the display, but it is actually a link to a malicious site. From there the victim receives not only a fake jailbreak experience but also a real malware download that installs redirects resulting in click fraud.
In addition, the attackers offer a link to a game found in the Apple App Store called Pop! Slots, along with instructions for playing the game for free. In reality, Mercer and Rascagneres noted, using the game likely just generated extra ad revenue for the criminals.
This particular attack scheme may only deliver click fraud malware, but the report said there is no reason an attacker could not deliver something far more malicious, such as implanting their own MDM enrolment.