How secure is your iPhone?: ESET analyzes, explains, and makes recommendations
Malicious apps, downloads from websites, public Wi-Fi networks, phishing, and social engineering are some of the threats that put iPhone users at risk
Apple’s control over its ecosystem of devices and apps has historically been strict. Additionally, several built-in security features, such as strong encryption and containerization, help prevent data leakage and limit the spread of malware. Even so, ESET, a leading company in proactive threat detection, warns in this extensive analysis that the risks are not completely eliminated: everyday scams and other threats also target iOS users, and while some are more common than others, they all demand attention.
“The fact that iOS apps typically originate from Apple’s official App Store and must pass strict testing for approval has avoided security and privacy headaches over the years. However, the recent EU antitrust law, known as the Digital Markets Act (DMA), seeks to give iOS users the option of using third-party app marketplaces. This will present new challenges for Apple in protecting iOS users from potential harm and for those who use its products, as they will need to be more aware of threats. This change in the rules of the game will undoubtedly be exploited by cybercrime,” comments Camilo Gutiérrez Amaya, Head of the ESET Latin America IT Security Lab.
ESET has also studied and offers its opinion on other, possibly more immediate, threats targeting iOS users worldwide:
Jailbroken devices: Deliberately jailbreaking a device to allow what Apple calls “unauthorized modifications” could violate the Software License Agreement and disable some built-in security features, such as Secure Boot and Data Execution Prevention. The device will no longer receive automatic updates. And being able to download apps from outside the App Store exposes you to malicious and/or buggy software.
Malicious apps: While Apple does a good job of vetting apps, it isn’t 100% accurate. Malicious apps recently detected on the App Store include a fake version of the LastPass password manager designed to harvest credentials; a screenshot-reading malware dubbed “SparkCat,” disguised as artificial intelligence and food delivery apps; and a fake crypto wallet app called “Rabby Wallet & Crypto Solution.”
Downloading apps from websites: As detailed in the latest ESET Threat Report, progressive web apps (PWAs) allow direct installation without requiring users to grant explicit permissions, meaning downloads could go unnoticed. ESET discovered this technique used to disguise banking malware as legitimate mobile banking apps.
Phishing/Social Engineering: Phishing attacks via email, text (or iMessage), and even voice are common. They impersonate legitimate brands and trick users into providing their credentials, clicking on malicious links, or opening attachments to trigger malware downloads. Apple IDs are among the most valuable logins, as they can provide access to all data stored in an iCloud account and/or allow attackers to make iTunes/App Store purchases. ESET advises caution with:
- Fake pop-ups claiming the device has a security issue
- Fraudulent phone calls and FaceTime calls impersonating Apple Support or partner organizations
- Fake promotions offering freebies and sweepstakes
- Calendar invitation spam with phishing links
As an example, in a highly sophisticated campaign, threat actors and attack planners used social engineering techniques to trick users into downloading a mobile device management (MDM) profile that would allow them to control the victims’ devices. They then deployed the GoldPickaxe malware, designed to collect facial biometric data and use it to bypass banking logins.
Risks of public Wi-Fi networks: A public Wi-Fi hotspot can be a fake access point created by threat actors to monitor web traffic and steal sensitive information, such as banking passwords. Even if the access point is legitimate, many don’t encrypt data in transit, meaning hackers with the right tools could see the websites you visit and the credentials you enter. That’s why ESET recommends using a VPN, which creates an encrypted tunnel between your device and the internet.
Vulnerabilities: While Apple puts a lot of time and effort into ensuring its code is free of vulnerabilities, sometimes flaws occur in production. In these cases, hackers can take advantage if users haven’t updated their device, for example by sending malicious links in messages that trigger an exploit if clicked.
- Last year, Apple was forced to patch a vulnerability that could allow attackers to steal information from a locked device using Siri voice commands.
- Sometimes, threat actors and commercial companies themselves research new (zero-day) vulnerabilities to exploit. Although rare and highly targeted, attacks that exploit these vulnerabilities are often used to covertly install spyware to spy on victims’ devices.
Prevention and protection are necessary and wise
While malware lurks on iOS devices, it is also possible to minimize exposure to threats. ESET shares the following key tactics:
- Keep iOS and all apps updated. This will reduce the window of opportunity for threat actors to exploit any vulnerabilities in older versions to achieve their goals.
- Always use strong, unique passwords for all accounts, perhaps using the ESET Password Manager for iOS, and enable multi-factor authentication if offered. This is easy on iPhones, as it will require a simple Face ID scan. This will ensure that even if attackers obtain the passwords, they won’t be able to access the apps without scanning the user’s face.
- Enable Face ID or Touch ID to access the device, backed up with a strong password. This will keep the iPhone secure in case of loss or theft.
- Do not jailbreak the device, for the reasons mentioned above. Your iPhone would be less secure.
- Be wary of phishing. This means treating unsolicited calls, texts, emails, and social media messages with extreme caution. Do not click on links or open attachments. If you really need to do so, first verify with the sender through a separate channel that the message is legitimate (i.e., not by replying to it or relying on the information it contains). Look for signs of social engineering, such as grammatical and spelling errors, an urgency to act, gifts and offers that are too good to be true, or sender domains that don’t match the supposed sender.
- Avoid public Wi-Fi networks. If you must use them, do so with a VPN. At the very least, don’t log into any valuable accounts or enter sensitive information on public Wi-Fi.
- Try to limit any downloads to the App Store to minimize the risk of downloading something malicious or risky.
- If you think you might be a target of spyware (often used against journalists, activists, and dissidents), activate Lockdown Mode.
- Pay attention to the telltale signs of a malware infection, which could include slow performance, unwanted ad pop-ups, an overheating device, new apps appearing on the home screen, or increased data usage.
“While the Apple iPhone remains one of the most secure devices available, this doesn’t mean it’s free from threats. Staying alert, knowing the potential risks, and taking the necessary protective measures help keep your information and devices safe,” concludes Gutiérrez Amaya of ESET Latin America.
For more preventive information on cybersecurity, you can visit the ESET website: https://www.eset.com/ve/ and its social media channels @eset_ve. Also visit Instagram (@esetla) and Facebook (ESET). Or visit https://www.eset.com/latam.
With information and reference image provided by ESET and Comstat Rowland.