Surprised? A modus operandi designed to phish your Apple ID password from you.
A lot of people still claim that iOS is malware proof and/or attack proof. That is what the majority believe, since most users just want the simplicity of using the phones in their pockets. Advertisements and the media focus on the key features and pros, not on the in-depth cons, because most people would not think to ask about them at first glance, and nobody on the inside wants to expose them, since that would surely lead to bad publicity.
Malware in Disguise
A phishing attack is one of the easiest ways to gain access to loads of information and, of course, to earn money from that information too. Aside from reaching phishing websites through phishing emails and phishing redirection sites, did you know that phishing is also possible directly through an app downloaded from the App Store?
Yes, it is!
How? Recently, a mobile app developer named Felix Krause exposed that a downloaded app can phish for information while running in the background. It is not a keylogging app, which would be more suspicious; instead, it steals information through a pop-up dialog box that imitates the Apple App Store dialog asking for your Apple ID password.
It looks legitimate, but there is at least one way to check whether the prompt is an attack exploiting this weakness or not. Suppose you are doing something on your phone and the prompt pops up: try pressing the home button. As expected, this sends the app to the background and returns you to the home screen. If the dialog box closes along with the app, the pop-up is fake and the source of the running process is another app running invisibly in the background. A legitimate system pop-up, on the other hand, will not disappear when you press the home button.
For casual users of an iOS phone, your best anti-phishing methods are:
- Be vigilant and ask yourself why your device keeps requesting your credentials while you are in the middle of something.
- Press the home button to check the legitimacy of the pop-up dialog box.
- Krause recommended adding the requesting app's icon to every dialog box so that app pop-ups can easily be distinguished from system dialogs. Every user should recommend this to Apple themselves so that the feature is integrated into the next iOS upgrade.
- In case you fell for the phishing attack and realized it too late, change your password ASAP and then check your transaction history for any anomaly.
Apple Inc. should be interested in phishing takedown efforts to effectively mitigate this vulnerability and the future vulnerabilities that will be used for phishing. A good phishing solution would greatly benefit the company's image by showing how it takes care of security and its customers, acting responsibly as the brand owner and developer of its operating system. A phishing intelligence team, both internal and external, would greatly bolster its defense and offense against cybercrime targeting its brand and customers.
Assuming that they patch vulnerabilities in new updates as usual, it would not hurt to crack down on and hunt all the fake apps used for phishing on both jailbroken and non-jailbroken sources.