As part of the development phase of DeviceAssure, a number of counterfeit devices were sourced from various e-retail websites. One of the devices sourced purported to be and iPhone 7, which turned out not only to be counterfeit, but to be an attack vector in its own right. The device attempted to download and execute malicious code.Download Digital Brochure
The device cost less than $100 and was shipped free to our offices in Dublin. It came packed in a convincing Apple branded box, with an IMEI sticker on the box. The packaging and branding were indistinguishable from the genuine article.
Build quality was excellent throughout with well machined bevels and casing, volume rockers and buttons in the correct positions. On unboxing, there was no visible indication that this was a fake device
Booting the device revealed a very well emulated Apple set up experience, which for someone unfamiliar
with the process, betrayed little sign that the device was not authentic.
A look in the "Settings" app however revealed that the device was running not the latest version of iOS, but Android. The entire UX is in fact an reskinned Android made to look like iOS. Many of the stock apps therefore do not work or are just camouflaging the nearest Android versions.
The DeviceAssure SDK was run via our sample Android app. DeviceAssure tests revealed the extent of the counterfeiting:
Subsequent to the device being tested with DeviceAssure, more nefarious behaviour was tracked on a controlled WiFi network. A LAN malware infection attempt was picked up with multiple connection attempts made to a series of hosts:
The device was also trying to download the following APKs
The device attempted to contact a Cryptowall ransomware botnet.
The device appears to be cycling MAC address despite running Android 4.4. It tries direct downloads, then via proxy.