iPhone browser ransom locker blocked in new iOS 10.3 release

  • Liam Tung (CSO Online)
  • 29 March, 2017 09:12

Apple’s new iOS 10.3 release brings an important update that prevents scammers from conning iPhone users into paying an extortion fee.

The update addresses a scareware campaign that uses malicious JavaScript to convince iPhone owners that it’s worth giving an extortionist an iTunes gift card.

According to mobile security firm Lookout, iOS 10.2 allowed scammers to abuse the Safari browser’s pop-up dialog box and prevent the user from accessing the web. The attackers displayed threatening messages in an attempt to pressure iPhone owners into paying the scammers with an iTunes Gift Card to restore access.

Unlike nastier types of ransomware that encrypt an infected machine’s files, the malicious JavaScript code merely prevents a person from using Safari. Hence, Lookout classifies this malware as scareware rather than ransomware, even though a ransom is the main aim.

iPhone owners could have side-stepped the apparent browser-lock by clearing the browser’s cache, according to the security firm. They can do this by going to the Privacy & Security page in Settings and selecting Clear History and Website Data. However, the company recommends iPhone owners update to iOS 10.3, which resolves the bug.

Apple doesn’t reveal much about the bug but notes in the iOS 10.3 release that Safari’s “cache state is not properly kept in sync between Safari and SafariViewController when a user clears Safari cache”.

Safari view controller allows iOS developers to create apps that use native Safari features like Reader and AutoFill.

“An issue existed in clearing Safari cache information from SafariViewController. This issue was addressed by improving cache state handling,” says Apple in its iOS 10.3 release notes.

Lookout says the iOS 10.3 update prevents the attack by restricting Safari website pop-up dialogs to each tab rather than allowing them to span all tabs in the browser, which is what allowed this JavaScript-based attack to lock up the browser.

“As part of the iOS 10.3 patch released today, Apple closed the attack vector by changing how Mobile Safari handles website pop-up dialogs, making them per-tab rather than taking over the entire app,” said Lookout.

It also notes that the attack is launched from a website instead of requiring a user to install a malicious app. The attackers registered domains such as police-pay[.]com, which were designed to scare targets that were looking for free pornography and music.

The attacks aren’t as menacing as Windows-focussed file-encrypting ransomware, but they are a reminder that attackers are exploring iOS as a source of revenue, even if these efforts haven't been particularly fruitful yet.

It’s also worth noting that before today’s menace of file-encrypting ransomware, there was a surge in police-themed ransomware that merely locked a Windows desktop browser.

The iOS patch also follows a recent attempt to extort Apple itself on the basis of claims by a hacking group called Turkish Crime Family that they had 250 million credentials for iCloud accounts. The group demanded Apple pay $700,000 in cash or $1 million in iTunes vouchers by April 7 to prevent them from wiping the accounts. Apple says the attackers acquired the credentials from other firms that had been compromised. Other scammers posing as Apple Support are also trying to capitalize on reports of a supposed breach of Apple.

Lookout says the Safari scareware attackers had developed versions of the attack for iOS 8 and continued their work through iOS 10.2. If a user opened the attack site, they would have been confronted with an “endless loop of pop-ups” that prevented use of Safari until the browser’s cache was reset.

“iOS 10.3 doesn’t lock the entire browser up with these pop-ups, rather it runs on a per-tab basis so that if one tab is misbehaving, the user can close it out and/or move to another one,” Lookout says.
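The per-tab containment Lookout describes is an architectural change in the browser host, not in the web page. The following is an added example, not code from Lookout, Apple or the article, that models the difference in a few dozen lines of JavaScript: a `DialogBroker` (hypothetical name) arbitrates modal dialog requests from tabs, in either an "app-wide" scope, where any open dialog blocks every tab (the pre-10.3 behaviour the article describes), or a "per-tab" scope, where a flooding tab blocks only itself. The `maxDialogs`/`windowMs` rate limit is an assumed extra defence, similar to the "prevent this page from creating additional dialogs" option desktop browsers offer; nothing here is Safari's real implementation. The "evil" tab and its timing are constructed to reproduce the "endless loop of pop-ups" behaviour for the simulation.

```javascript
// Added example (not Safari's or Lookout's code): model of dialog containment.
// scope "app-wide": one tab's open dialog blocks the whole app (pre-10.3 behaviour).
// scope "per-tab":  a tab's dialog blocks only that tab (10.3 behaviour).
// maxDialogs/windowMs: assumed flood heuristic, not something the article describes.
class DialogBroker {
  constructor({ scope = "per-tab", maxDialogs = Infinity, windowMs = 1000 } = {}) {
    this.scope = scope;
    this.maxDialogs = maxDialogs;
    this.windowMs = windowMs;
    this.tabs = new Map(); // tabId -> { dialogOpen, timestamps, muted }
  }

  openTab(id) {
    this.tabs.set(id, { dialogOpen: false, timestamps: [], muted: false });
  }

  closeTab(id) {
    this.tabs.delete(id); // closing the offender also closes its dialog
  }

  // A page in tab `id` asks to show a modal dialog (alert/confirm/prompt) at time `now` (ms).
  // Returns "shown" or "suppressed".
  requestDialog(id, now) {
    const tab = this.tabs.get(id);
    if (!tab) throw new Error(`unknown tab ${id}`);
    // Keep only requests inside the sliding window.
    tab.timestamps = tab.timestamps.filter((t) => now - t < this.windowMs);
    if (tab.muted || tab.timestamps.length >= this.maxDialogs) {
      tab.muted = true; // page has flooded: auto-dismiss everything further from it
      return "suppressed";
    }
    tab.timestamps.push(now);
    tab.dialogOpen = true;
    return "shown";
  }

  dismissDialog(id) {
    const tab = this.tabs.get(id);
    if (tab) tab.dialogOpen = false;
  }

  // Can the user interact with tab `id` (tap links, switch away, close it)?
  canInteract(id) {
    const tab = this.tabs.get(id);
    if (!tab) return false;
    if (this.scope === "app-wide") {
      // Any open dialog anywhere takes over the entire app.
      for (const t of this.tabs.values()) if (t.dialogOpen) return false;
      return true;
    }
    return !tab.dialogOpen;
  }
}

// Simulate the "endless loop of pop-ups": the constructed "evil" tab re-opens a
// dialog every time the user dismisses one. "news" is the tab the user was reading.
function simulateFlood({ scope, maxDialogs = Infinity, rounds = 6 }) {
  const broker = new DialogBroker({ scope, maxDialogs, windowMs: 1000 });
  broker.openTab("news");
  broker.openTab("evil");
  let shown = 0;
  let suppressed = 0;
  let newsBlocked = false;
  for (let i = 0; i < rounds; i++) {
    const result = broker.requestDialog("evil", i * 50); // re-prompts within 50 ms
    if (result === "shown") {
      shown++;
      if (!broker.canInteract("news")) newsBlocked = true; // checked while the dialog is open
      broker.dismissDialog("evil"); // user taps OK; the page immediately loops back
    } else {
      suppressed++;
    }
  }
  return { shown, suppressed, newsBlocked, evilMuted: suppressed > 0 };
}

// Stand-alone run: compare the three configurations.
console.log("app-wide, no limit:", simulateFlood({ scope: "app-wide" }));
console.log("per-tab,  no limit:", simulateFlood({ scope: "per-tab" }));
console.log("per-tab,  limit 3 :", simulateFlood({ scope: "per-tab", maxDialogs: 3 }));
```

In the app-wide configuration the benign tab is unusable for as long as the loop runs, which is exactly why the only remedy was clearing the cache from Settings. Per-tab scoping alone is enough to let the user reach another tab and close the offender, and the assumed rate limit shows how a host can additionally cut the loop short without touching the page's script.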