Many people believe that the iOS operating system is immune to mobile threats and malware. They rely on the low volume of attacks on iOS in comparison to Android as their main piece of evidence. When confronted with sophisticated threats such as Trident exploits or the Pegasus malware, they will usually mention that these are only state-sponsored malware, which rarely harms the average user. That said, recent news refutes these claims on several key points.
Someone stole an Apple from the garden
Apple’s App Store has a great reputation, especially when compared to Android’s Google Play, which in recent years has been plagued by mobile malware. Nevertheless, malicious apps manage to infiltrate the App Store, and target iOS users for profit. The latest example is a ‘Heart Rate’ app, which spread through the App Store, and attempted to scam users out of $89.99 by using a social engineering ploy. Instead of measuring the user’s heart rate via a finger on the Touch ID button as it claims, the app hijacked the fingerprint to authorize a monetary transaction. Similar ruses are common on Android; however, iOS users are more susceptible to them since they are lulled by a false sense of security and pay less attention to what’s happening with their device.
Sometimes, security does not depend on your OS
Another recent attack targeted US-based iOS users with a malvertising campaign that redirected users to phony webpages created by the attackers to pilfer the users’ personal and financial data. This attack, which is hardly a solitary example, demonstrates how mobile security cannot rely solely on the OS, or even its ecosystem. For example, network attacks can and do target iOS devices just as easily as Android devices.
Cyber criminals learn from the best
While users, and even businesses, may disregard sophisticated threats like Trident/Pegasus, it is important to understand that they are often used as inspiration and roadmaps for garden-variety cybercriminals. As discovered only recently, sophisticated iOS malware has proliferated at an alarming rate. The Vault 7 leak revealed that some of the code used by the CIA to hack mobile devices was literally borrowed from ordinary malware. This is a two-way street, as many threat actors learn to develop malware from the most sophisticated teams. The key takeaway for users is that all cyber threats relate to each other, no matter where they originate, and should be taken into consideration when protecting mobile devices.
Mobile devices, including iOS devices, are fully operational computers that consumers and business people rely upon. As such, they require the same level of protection one would use for a computer or organizational network. As we have seen recently, no device, no operating system, and no ecosystem is immune from cyberattacks. Users and organizations of all sizes cannot depend solely on the built-in security features of any mobile device, and ought to implement advanced security measures capable of detecting and blocking known and unknown threats originating from all possible attack vectors.