iPhones in Australia infected by a worm

(12/11/2009)

Apple iPhone owners in Australia have reported that their smartphones have been infected by a worm that has changed their wallpaper to an image of 1980s pop crooner Rick Astley.

The worm, which could have spread to other countries although we have no confirmed reports outside Australia, is capable of breaking into jailbroken iPhones if their owners have not changed the default password after installing SSH. Once in place, the worm appears to attempt to find other iPhones on the mobile phone network that are similarly vulnerable, and installs itself again

On each installation, the worm - written by a hacker with the name of "ikex" - changes the lock background wallpaper to an image of Rick Astley with the message: ikee is never going to give you up

If you have jailbroken your iPhone or iPod Touch, and installed SSH, then you must always change your root user password to something different than the default, "alpine". In fact, it would be a good idea if you didn't use a dictionary word at all.

The worm will not affect users who have not jailbroken their iPhones or who have not installed SSH.

SophosLabs have analysed the worm's code, which suggests that at least four variants have been written so far. One of the attributes of the latest variant (labelled the "D" version) is that it tries to hide its presence by using a filepath suggestive of the Cydia application.

The source code is littered with comments from the author suggesting the worm has been written as an experiment. One of the comments berates affected users for not following instructions when installing SSH, because if they had changed the default password the worm would not have been able to infect them.

Presently it appears that the worm does nothing more malicious than spread and change the infected user's lock screen wallpaper. However, that doesn't mean that attacks like this can be considered harmless.

Accessing someone else's computing device and changing their data without permission is an offence in many countries - and just as with graffiti there is a cost involved in cleaning-up affected iPhones.

Other inquisitive hackers may also be tempted to experiment once they read about the world's first iPhone worm. Furthermore, a more malicious hacker could take the code written by ikee and adapt it to have a more sinister payload.

iPhone users may rush into jailbreaking their iPhones in order to add functionality that Apple may have denied to them, but if they do so carelessly they may also risk their iPhone becoming the target of a hacker.

We are likely see more attacks like this in the future. Indeed, only last week we saw hacked iPhones in the Netherlands being held hostage for 5 Euros.

Jamie de Guerre, CTO, Cloudmark commented: "Attacks against mobile phones are on the rise. As both business and non-business users continue the rapid adoption of smartphones and downloadable applications or use the Internet from their phones, the risk of these attacks will also continue to grow."

"However, this specific attack is not that interesting. It only compromises phones that users have hacked in a way that breaks the terms of Apple's end user licensing agreement - specifically the act of "jailbreaking" their iPhone. Further, it does not capitalise on a software vulnerability, rather just on user negligence to change the default password of the remote access software made available after jailbreaking their phone. The fact that there have not been more serious vulnerabilities compromising the iPhone is a testament to Apple and the mobile operators that provide service."

Related topics:  Mobile and Wireless Security 

Print version | Email to a friend | Related articles

Data breaches: Trends, costs and best practices gives you all the latest information on securing personal and corporate data, key recommendations for immediate action to improve data security, and how to respond to data breaches.

Other Security news and resources