
Scammers are using Apple’s own tools to install malware on your iPhone

Updated Mar 19th, 2022 2:31AM EDT
iPhone 13 Pro Display
Image: Christian de Looper for BGR


Malicious apps make their way onto the Google Play store far too often. We have covered these incidents repeatedly in recent years, and the scammers always appear to be one step ahead of Google. Though Apple is better at keeping malicious apps at bay, iPhone malware is still a real problem. In fact, according to a new report from security firm Sophos, scammers have found two sneaky new ways to get malicious apps onto your iPhone without going through App Store review.

New iPhone malware distribution schemes

Last year, Sophos started tracking an organized crime campaign which it named CryptoRom. The scam uses social engineering and fraudulent apps to steal money from its unsuspecting victims. According to Sophos, the CryptoRom campaign continues to spread, and the scammers are now turning Apple’s own app distribution tools against Apple’s users.

Previously, Sophos explained that scammers were exploiting Apple’s “super signature” app distribution method to spread malicious apps on iOS devices. The team has now discovered that CryptoRom authors are also abusing Apple’s TestFlight service.

Developers usually use TestFlight to disseminate early builds of their new apps that still need testing before they launch on the App Store. TestFlight supports small internal tests of up to 100 users and external beta tests of up to 10,000 users. As Sophos notes, developers invite the smaller groups of testers by email, and those internal builds don’t go through App Store review; only builds pushed to external testers get a (lighter) TestFlight review. Two caveats worth knowing: a TestFlight build expires after 90 days, and apps installed this way show an orange dot next to their name on the Home Screen, which is one quick way to tell a beta build from a real App Store app.

As Jagadeesh Chandraiah, a senior threat researcher at Sophos, explains:

[TestFlight] is cheaper to use than other schemes because all you need is an IPA file with a compiled app. The distribution is handled by someone else, and when (or if) the malware gets noticed and flagged, the malware developer can just move on to the next service and start again. [TestFlight] is preferred by malicious app developers in some instances over Super Signature or Enterprise Signature as it is a bit cheaper and looks more legitimate when distributed with the [TestFlight app].

CryptoRom apps for iOS and Android were distributed through a fraudulent site. All of the iOS versions of the apps were installed on victims’ devices through TestFlight.

Scammers are abusing Web Clips as well

Unfortunately, the scams don’t end there. Threat actors are also trying to lure victims in with Web Clips. As Apple explains on its site, “Web Clips provide fast access to favorite webpages or links.” Here’s a sample of a malicious Web Clip from Sophos:

RobinHand Web Clip scam on iOS. Image source: Sophos

“In addition to App store pages, all these fake pages also had linked websites with similar templates to convince users—different brands and icons, but similar web content and structure,” Chandraiah writes. “This is probably done to move on from one brand to another when they get blocked or found out. This shows how cheap and easy it is to mimic popular brands while siphoning thousands of dollars from victims.”

This is yet more proof that the dubious ads you see all over the internet are more than just an eyesore. As always, be extremely careful when installing an app from any source other than the App Store, and that includes TestFlight invitations and configuration profiles (the mechanism behind Web Clips) you did not ask for. Scammers are always finding new ways to trick us.


Jacob Siegal Associate Editor

Jacob Siegal is Associate Editor at BGR, having joined the news team in 2013. He has over a decade of professional writing and editing experience, and helps to lead our technology and entertainment product launch and movie release coverage.