A fake iOS jailbreak website is reportedly scamming users into downloading gaming apps to generate revenue for the attackers – but it has the capability to do more harm than that.
First spotted by Talos Security, the website is actually a prime example of how bad actors can leverage the news cycle and come up with creative ways to trick users into “click fraud.”
The fake website purports to be a page hosting a recently announced iOS jailbreak called “checkra1n,” which uses the underlying checkm8 flaw we reported on last month.
But unlike the actual checkra1n website, the fraudulent site doesn’t contain the jailbreak at all.
Instead, the fraudulent webpage downloads a malicious mobileconfig profile onto an iPhone to side-load an app and carry out click fraud (tricking users into clicking ads or performing other tasks to generate revenue).
But to the average user, it may look fairly convincing. The actual end goal of the app is to get users to download an iOS game, which the attackers say the user needs to play for seven days to complete the jailbreak. From there, the attackers can make money by way of in-app purchases or advertising.
According to Talos, the malicious campaign is actively targeting iPhone users across the globe — including in the U.S., U.K., France, Nigeria, Venezuela, Egypt, Italy, Georgia, Australia and Canada.
It’s worth noting that the campaign doesn’t currently appear to be harvesting data or performing malicious activities beyond click fraud. But the mobileconfig profile is still dangerous and could be used for other nefarious purposes.
How to Avoid Scams
The easiest way to avoid being taken advantage of by fake jailbreaks is to simply avoid jailbreaking your device. There are a number of reasons to avoid jailbreaks entirely, which we’ve previously covered.
But if you’re deadset on exploiting iOS with checkm8, there are a few things you can keep in mind to steer clear of malicious actors.
For one, don’t trust any website that suggests you can simply download the exploit via web browser. The checkm8 flaw requires putting an iOS device into DFU mode and connecting it to a computer.
Actually jailbreaking your device isn’t going to require downloading an app or profile onto your phone or playing a game for any amount of time.
It’s also recommended that you remove any mobile profiles from your device since, as we mentioned earlier, they can be used to spy on your activity or perform other malicious tasks.
Deleting Sketchy Profiles
- Open Settings.
- Head to General.
- Scroll to the bottom and look for a section called Profiles.
- If one appears on your device, just tap on the profile you’d like to delete and select Remove Profile.