The device

The device cost less than $100 and was shipped free to our offices in Dublin. It came packed in a convincing Apple branded box, with an IMEI sticker on the box. The packaging and branding were indistinguishable from the genuine article.

Hardware

Build quality was excellent throughout with well machined bevels and casing, volume rockers and buttons in the correct positions. On unboxing, there was no visible indication that this was a fake device

Software

Booting the device revealed a very well emulated Apple set up experience, which for someone unfamiliar with the process, betrayed little sign that the device was not authentic.
A look in the "Settings" app however revealed that the device was running not the latest version of iOS, but Android. The entire UX is in fact an reskinned Android made to look like iOS. Many of the stock apps therefore do not work or are just camouflaging the nearest Android versions.

Results of DeviceAssure test

The DeviceAssure SDK was run via our sample Android app. DeviceAssure tests revealed the extent of the counterfeiting:

• Counterfeit iPhone 7 running a heavily masked version Android 4.4
• Invalid TAC/IMEI
• Non standard CPU and GPU
• Non standard UA
• Non standard make/model
• Incorrect screen resolution

Attack vector

Subsequent to the device being tested with DeviceAssure, more nefarious behaviour was tracked on a controlled WiFi network. A LAN malware infection attempt was picked up with multiple connection attempts made to a series of hosts:

• play.xhxt2016.com (to path /logcollect/log-information)
• localetools.storage.yunvm.com
• ali.files.cdn.112gs.com
• cams04.xyz
• be.mobsweet.com
• c.securelhs.com
• redirect.ero-advertising.com
• s.nativeload.com

The device was also trying to download the following APKs

• BakToolsV9ALL.apk
• CameraToolsV13.apk

Malware

The device attempted to contact a Cryptowall ransomware botnet.

The device appears to be cycling MAC address despite running Android 4.4. It tries direct downloads, then via proxy.