When compared to Android, iOS offers cybercriminals a significantly smaller success rate mainly due to the platform's "walled garden" approach. However, criminals are now targeting iOS more than ever before as the platform sees a growing number of users, especially in business and government sector.
While not entirely an attack, the latest campaign appears to have started as a prank and could render an iOS device completely unresponsive. First spotted in late 2016, an iOS jailbreaker named iXintpwn started posting a malicious profile that researchers dubbed as iXintpwn/YJSNPI. Also known as Beast Senpai, the malware was distributed by a Japanese youngster. The iOS config profile malware would cause an overflow of icons all over the target device and eventually turn it unresponsive.
Abusing iOS config profiles to flood iPhone home screen with uninstallable icons
The security experts at Trend Micro have revealed that the attack chain of YJSNPI is notable as attackers are weaponizing unsigned iOS configuration profiles. Configuration profiles enable developers to streamline the settings of devices, with enterprises employing these profiles to manage their apps and corporate devices.
A configuration profile can also customize the settings of a device’s restrictions, Wi-Fi, Virtual Private Network (VPN), Lightweight Directory Access Protocol (LDAP) directory, Calendaring Extensions to WebDAV (CalDAV), web clips, credentials, and keys.
A malicious profile, however, can use this iOS feature to manipulate the settings, like diverting the device's traffic. But iXintpwn/YJSNPI simply uses an unsigned profile to set its value to "cannot be deleted," making users unable to uninstall images.
The hacker uses this particular flaw to superimpose icons on the home screen. When clicked, these icons only show a bigger resolution of the same image. Researchers noted that it is "during this overflow of icons that the device becomes unresponsive".
"Clicking it results in an overflow of YJSNPI icon-laden screens that crashes SpringBoard - the application that manages the home screen and controls how apps are displayed and launched."
The YJSNPI prankware (is that a term?) proliferates through the websites that host the malicious profile, mainly via Safari. "On iOS devices, the latest Safari accepts this server response and will automatically download the profile," the researchers wrote.
As for the mitigation, the TM security team suggests using Apple Configurator 2 to find and remove the malicious profiles. For more technical details on this prankware, head over to Trend Micro.
