We regularly hear of threats to Android devices, of scams and malware and so on, but can the same problems hit iPhone users, too?
There’s no shortage of ways to use the internet, but whatever you choose, it seems as though the risk is always there.
If you use a computer, you’re probably using either Windows or Mac, and if you use a phone, it’s likely a choice of either Android or iOS, and for each of these, there’s a likelihood you’re going to see more security issues on one operating system per platform than the other.
In the world of computers, it seems like there are more attacks happening on Windows, likely because there are a lot of Windows users out there, giving cybercriminals more chances to land that convincing blow and get something lucrative for their time. Security issues exist on Mac, but Windows tends to get the bulk of them, as has been the case for decades.
It’s a similar situation in phones, where Android gets the bulk of the malware and dodgy pieces of software, with less talked about for iPhone. For instance, if you got one of those nasty little delivery scam messages earlier this year or even a fake voicemail message telling you there was something waiting in your inbox, the payload was for an Android phone, with Flubot lurking under the hood. That piece of malware wasn’t made for iPhone, so folks with one were a little safer than Android owners in this case.
But it has raised a regular question for Pickr readers, and one worthy of an answer: is the iPhone at risk of scams and malware?
Anything connected to the net is at risk
“The short answer is yes. Any device connected to the internet is vulnerable, and Apple is certainly no exception, despite their ability to protect users against certain areas where threat actors are more prevalent,” said Aaron Bugal, Global Solutions engineers at Sophos in the Asia Pacific region.
Yes, any device can see attacks and scams and malware and such, and an iPhone and iPad aren’t a huge exception here, except in regards to how common the occurrences are.
Apple tends to police its systems more aggressively, and doesn’t allow external app marketplaces on the iPhone, affording it some level of protection. Granted, if you only installed apps on Android from the Google Play Store, you’d have more protection, but Android malware attacks are often about convincing you to install an app outside of it, citing urgency, one of the common tricks of the scam trade and how you can often recognise a scam.
“Apple has long done a very good job of promoting the iPhone as ‘unhackable’ and safe from viruses, malware, and bad actors their competitors are prone to,” said Bugal.
“One reason they can claim this is the way Apple controls apps,” he said.
“Apple does not permit third party app stores, and the iOS App Store regularly screens applications, revoking developer accounts of fraudulent and malicious apps.”
You can typically trust what comes from the App Store
As a result, you can typically trust what goes on the App Store to not have any dodgy malware things going on in the background.
However, that doesn’t mean every app is completely safe from some level of scamming, and you’ll still want to read the terms and conditions of an in-app purchase, particularly how much those little costs could end up costing you.
Fleeceware is a thing on every platform, iPhone included
“Our mobile researchers at Avast have repeatedly discovered ‘fleeceware’ apps on the Apple App Store, which they reported to Apple,” said Stephen Kho, Cyber Security Expert at Avast.
“Fleeceware apps overcharge users for services, that otherwise are available for free or for a very low price, and often the apps don’t even function properly,” he said, noting that “one of the apps, for example, offered a short free trial followed by a $66 per week subscription, potentially costing the victim $3,432 per year unless cancelled”.
Fleeceware is named because of what it is: a type of software that fleeces you out of money all the while typically doing very little at all. It can even charge you in the background after being uninstalled, with you needing only to agree to the charge cycle to an App Store account and subscription, and then needing to cancel it in your settings and uninstall the app.
Clearly, we’ll think of the latter, but not necessarily the former, giving Fleeceware creators an injection of money.
“Common fleeceware apps include image editors, horoscope/fortune tellers, QR code/barcode scanners, and face filter apps,” said Bugal.
“Once the ‘free’ app has been downloaded, a ‘free trial’ notification will appear upon launching the app for the first time, asking for credit card details to access the app. Once the free trial ends, these apps will charge steep fees to continue using them,” he said.
“They rely on users not reading the fine print or signing up for the free trial and forgetting to cancel before it ends, often charging up to $30 or even $50 per week. Given the nature of the apps, many people use them once or twice then forget they exist, which is exactly what the app developers are banking on.”
Fleeceware is therefore less like the attack of malware and more like a scam. In short, it’s an app scam, conning you out of money while offering you nothing, which sounds like the very definition of a scam, but with an app attached.
However it’s not the only way an iPhone can see attacks.
There are other ways an iPhone can succumb to scams and attacks
Vulnerabilities are one way, because as researchers find flaws and issues that can be exploited, scammers and criminals will typically do what they can to widen the problem and attack.
Another approach iPhone users might have to deal with is called “remote access phishing”, convincing users to install a management profile on a phone to allow an external source to remotely gain access and make a mess of things.
Think of remote access scams a little like those scams for Microsoft calling you. In the Microsoft calling scams, a scammer on the other end of the phone convinces you to go to a website, trust a small app, and that app burrows into a Windows computer to provide remote access to the scammer, thereby allowing them to prove your computer isn’t behaving properly, even if they’re the ones that led you there.
It’s been found in at least one nasty piece of software, affecting the phones of some journalists around the world.
“Pegasus is a remote access tool with spyware capabilities created for governments to use it in the fight against terrorists and criminals, however it is a dangerous tool that can be misused by oppressive regimes and cybercriminals to spy on unwitting individuals. The spyware is capable of remote surveillance through microphone and camera as well as taking screenshots of the user’s screen and keylogging the user’s inputs,” said Kho.
Avast’s Kho noted that infected devices will typically behave differently from a regular device, including apps crashing, pop-ups appearing in the browser, and the battery draining.
It’s worth noting, however, that apps crashing and battery drain don’t always mean you have a dodgy app on your device, because it could be a poorly made app, an unoptimised app, or even just a phone with a fading battery. These are all normal parts of phone ownership in today’s world. However, if you have an infected, your phone experience may end up being more erratic and problematic than most.
“You will notice if your iPhone is infected with malware as your phone will most likely behave differently than usual, making it easy to tell if your phone has an infection,” said Kho.
“Scan your iPhone for malware by looking out for key symptoms for example, apps crashing unexpectedly, unfamiliar apps on your phone, pop-ups begin appearing in Safari, your battery is draining quickly or your data usage is higher than usual. Also always check your bank account and check you are not getting unexplained charges as this could indicate that a malware on your iPhone has hijacked your account or financial information.”
Keep your iPhone updated and stay aware
It’s also important to keep an iPhone up-to-date with regular updates and security patches, much like it is on any device. While operating system updates bring other features, the security updates are very, very important, and always worth being there, protecting you from some of the scammer and cybercriminals arsenal.
Education, however, is also incredibly important, and being aware of what’s out there and what you shouldn’t necessarily click.
“Every device with access to the internet is a potential target for cybercriminals, and the iPhone is no exception,” Sophos’ Aaron Bugal told Pickr.
“Regardless of which phone you use, always stay vigilant and aware of potential scams,’ he said.
“Don’t click on links you don’t trust, check your subscriptions regularly, and think with your head, not your heart when speaking to strangers online. As always, if something sounds too good to be true, it probably is.”