iPhone: Anyone ever encountered one that's infected?

britechguy

Well-Known Member
Reaction score
4,861
Location
Staunton, VA
Since there's no dedicated forum here for this, I thought I'd drop it in the Mac forum.

For the first time in my entire career, I had an iPhone 12 today that was essentially catastrophically infected. Tons of icons on multiple home pages darkened and having "Waiting" status shown. After an attempt at removing all of those by deleting the apps from the phone, and everything looking OK (I initially chalked this up to user error on the part of this client) after about 5 minutes or so there were at least 3 additional home pages that "appeared from nowhere" all of which were covered in darkened icons in "Waiting status."

I tried a full erase and restore from an iCloud backup, but the iCloud backup had the infection carried along with it, and the same behavior was present right after the restore.

Finally, I did a true nuke and pave, setting up the device as though it were new using the client's Apple account but not restoring a blessed thing from the existing cloud backup. Everything looked perfectly normal thereafter.

To say the least, the above description is time condensed. This was a 3 hour ordeal.
 
Yes. Two this month - which is uncharacteristic, seeing as I had 1 cell phone infection all of the last year. One of the iPhones had symptoms very similar to what you describe.
 
I have, and honestly considering they are computers with update requirements, anti-malware defensive requirements, and all the other wonderful maintenance a computer requires...

I'm shocked this isn't more common.
 
Wonder if they were installing apps from other than the Apple App Store?

In this case, I'd be willing to bet my bottom dollar the answer is, "No." This is a client who, while sweet as can be, is utterly tech illiterate. Since it is as @fincoder notes, "they're locked down to only run apps from the app store (unless rooted, rare for the general population)," the probability is "less than zero."

I have never encountered either an infected iPhone or Android-powered device, for that matter. Being over age 60, and the entire extended family's and friends' "tech guy" even before I hung out my shingle in 2008, I've been around the block many, many times.
 
Wonder if they were installing apps from other than the Apple App Store?
There are two Zero-Click vulnerabilities out right now that I know about. One is a crafted SMS message attack for iMessage and the other is an Image Buffer Overflow triggered when processing maliciously crafted images - which the iPhone does as the image is received/stored and scanned. Both of these grant the attacker full control.

The SMS attack is related to the image attack in that - you send an SMS message with a link to an iCloud photo - the phone will automatically follow the link without user interaction and preview the photo upon receiving the message, compromising the device.

CVE-2025-43200 "Paragon’s Graphite mercenary spyware" - is available for Dark Web download, but it's a modified and customizable module, with Metasploit.

Apple fixed the vulnerability in iOS 18.3.1, released on February 10, though it kept the vulnerability under wraps until Wednesday, June 11.
Ya, not really. Being true to Apple's form when it comes to "security" - OK, technically they stopped the "Paragon Graphite" threat because they are simply searching for that particular code execution/executable. Maybe they blacklisted the known IPs of Paragon. What they didn't do was fix the vulnerability in iMessage, nor did they fix the issue with the Kernel's image processing vulnerability. They didn't fix the issue with TrueType GX and variable font files, either.

Long and short of it, fire up Metasploit, use "your ip" - not paragon's, and run a base64 encoding or inject some junk code to change the CRC - now the iPhone can't see it. All of this takes two seconds in metasploit to spit out a "new" vulnerable file.

If Apple actually fixed the problem(s), this wouldn't work. Instead, they've resorted to simply finding the "one known version" of a malicious file, put it on a blacklist and called it fixed. Piss poor, IMO.
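The one concrete, checkable fact in the post above is the patched release: iOS 18.3.1 for CVE-2025-43200. For a tech who manages more than one client phone, the practical defensive step is to find every device still running something older. The script below is an added example, not code from this thread or from any poster; the device names and versions in the inventory are constructed, and it assumes an MDM or spreadsheet export of one `name,ios_version` pair per line. It compares only against 18.3.1 and does not model older OS branches that may have received a separate backport, so treat its output as a worklist, not a verdict.

```python
"""Flag devices whose iOS version predates the fix for CVE-2025-43200.

Added example (not from the forum thread). The patched version 18.3.1 comes
from the thread; the inventory below is a constructed, hypothetical export.
"""
from typing import List, Tuple

# iOS release that carried the fix, per the thread.
PATCHED_VERSION = (18, 3, 1)

# Constructed sample inventory: hypothetical device names and versions,
# in the "name,ios_version" layout an MDM export might produce.
SAMPLE_INVENTORY = """\
front-desk-iphone,18.2
owner-iphone12,18.3.1
warehouse-ipad,17.7.2
sales-iphone,18.5
broken-record,notaversion
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '18.3.1' into (18, 3, 1) and '18.2' into (18, 2, 0).

    Padding to three components makes tuple comparison behave like a
    version comparison. Raises ValueError on anything non-numeric.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))


def unpatched_devices(inventory: str,
                      patched: Tuple[int, ...] = PATCHED_VERSION) -> List[Tuple[str, str]]:
    """Return (device, version) pairs running something older than `patched`.

    Unparseable versions are reported too: an unknown version is not a
    known-safe version, so it belongs on the follow-up list.
    """
    flagged: List[Tuple[str, str]] = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        name, _, version = line.partition(",")
        try:
            if parse_version(version) < patched:
                flagged.append((name, version))
        except ValueError:
            flagged.append((name, f"unparseable:{version}"))
    return flagged


if __name__ == "__main__":
    for device, version in unpatched_devices(SAMPLE_INVENTORY):
        print(f"needs update: {device} ({version})")
```

Devices that are flagged are the ones to bring in, update, and inspect; a device already at or past the patched version is simply not on the list.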

 
Yes computers but they're locked down to only run apps from the app store (unless rooted, rare for the general population).
That's why they almost never get viruses. Usually the only issue with phones is scam texts/emails.
I'm sorry sir, but that's simply not correct. I'll tag along from the above.

The sandbox is broken ALL THE TIME. Is it less frequent than Windows? Sure! But... Here's an example: https://www.cvedetails.com/cve/CVE-2025-43200/

User receives a text with an image in it, and BOOM RCE.

The bad guys get to jailbreak, the good guys do not.

The problem here is, because the threat actors have root when the user doesn't, phones are often taken over with root kits the user simply never notices. The few that cross our desks are the ones that get visibly infected, which is a tiny slice of the compromised devices out there.

The walled OS helps.
The walled stores help too.

These things do reduce risk, but they do not eliminate it. And now that we have more phones than computers out there, the threat actors and hostile investment is focusing on mobile devices. You'll see them crack more often than not, and more frequently than not going forward because no software is perfect, and this will continue to remain so.

I do however continue to be amazed at how infrequently these things happen. The odds are not in our favor though.
 
I have been shocked, to be honest, that things in "the mobile world" have not had a phase much like the early days of the PC where infections via a multitude of vectors were dirt common.

Baseline levels of defense are, obviously, better as we've learned from the past. But when it comes to nefarious actors and high-potential-value compromises, they never sleep. Given how much money is now flowing through mobile devices it's virtually certain that there will continue to be compromises, and perhaps becoming more common. It really depends on how far ahead of the nefarious actors the security folks can stay, if they can stay ahead of them.

I agree with @Sky-Knight that it's kinda amazing how infrequent infections have been on mobile platforms relative to their ubiquity and what people are doing on those platforms. Lots of juicy targets, I'd say these days more than on the PC platform if we're talking about the average man/woman on the street.
 
Wonder if they were installing apps from other than the Apple App Store?
That's, for the average user, visually impossible. What is very very possible is clicking on a hyperlink that goes to a site that probes and then funnels a custom package for that device. And if they have auto update turned off it's that much easier. @britechguy did you happen to grab some screen shots?
 