In late September 2019, a bootrom vulnerability affecting devices with chips spanning A5 through A11 was discovered and reported by a researcher who uses the Twitter handle axi0mX [1]. This affects iPhone hardware models from the iPhone 4S through the iPhone X. iPhone XS and iPhone 11 models have upgraded to the A12 chip and are not vulnerable to checkm8. The find was likely prompted by Apple patching a use-after-free vulnerability in the iBoot USB code, a fix that was communicated during the iOS 12 beta release in the summer of 2018 [2].

This is a tethered exploit, which means that physical access to the device is required; if an attacker does gain physical access, they can then execute unsigned code on the device, including malware and other spyware-like applications. In addition to requiring physical access, this particular exploit is not persistent, meaning that it will not survive a device reboot.

Shortly after the disclosure of the checkm8 vulnerability, the Checkra1n jailbreak was released in November 2019. The Checkra1n jailbreak installs the Cydia and Checkra1n applications on the Home screen, and its presence can also be detected by the Checkra1n logo displayed during boot.

Additional Examples:

AceDeceiver - 2016 - iOS

In March 2016, Palo Alto discovered a new family of iOS malware able to successfully infect non-jailbroken devices, which they named “AceDeceiver” [3]. AceDeceiver differs from previously identified iOS malware because it attacks Apple’s Digital Rights Management (DRM) system rather than abusing enterprise certificates, as previously discovered iOS malware did.

AceDeceiver installs itself without any enterprise certificate by exploiting design flaws in Apple’s DRM mechanism. It has been removed from the App Store but can still spread because of its unique attack vector. Using a “FairPlay Man-in-the-Middle (MITM)” attack, it abuses FairPlay, part of Apple's DRM system, to install malicious apps on iOS devices regardless of whether they are jailbroken. This type of attack has been used since at least 2013 to share pirated iOS applications, and the same method could be adopted to spread new variants of iOS-based malware in the future.

While iOS-based malware makes up only a very small percentage of mobile malware, examiners need to be aware that it might exist on a device involved in their investigation. Mobile sandboxes can be useful for simple analysis of iOS-based malware. An example analysis report for the YiSpecter malware can be found at the link below [4].

References:

[1] https://for585.com/iosbootromvulnerability

[2] https://for585.com/iosibootpatch

[3] https://for585.com/q0n7g (Palo Alto’s write-up of AceDeceiver)

[4] https://for585.com/aqtkp (YiSpecter IPA analysis example from Palo Alto)