How a fake iPhone wreaked havoc with network security

As part of the development phase of DeviceAssure, a number of counterfeit devices were sourced from various e-retail websites. One of the devices sourced purported to be an iPhone 7, which turned out not only to be counterfeit, but to be an attack vector in its own right: the device attempted to download and execute malicious code.


The device

The device cost less than $100 and was shipped free to our offices in Dublin. It came packed in a convincing Apple branded box, with an IMEI sticker on the box. The packaging and branding were indistinguishable from the genuine article.

Side by side comparison of counterfeit iPhone X

Build quality was excellent throughout, with well-machined bevels and casing, and volume rockers and buttons in the correct positions. On unboxing, there was no visible indication that this was a fake device.

Booting the device revealed a very well emulated Apple set-up experience which, for someone unfamiliar with the process, betrayed little sign that the device was not authentic.
A look in the "Settings" app, however, revealed that the device was running not the latest version of iOS but Android. The entire UX is in fact a reskinned Android made to look like iOS; many of the stock apps therefore either do not work or are simply the nearest Android equivalents camouflaged to look like Apple's.

Results of DeviceAssure test

The DeviceAssure SDK was run via our sample Android app. DeviceAssure tests revealed the extent of the counterfeiting:

  • Counterfeit iPhone 7 running a heavily masked version of Android 4.4
  • Invalid TAC/IMEI
  • Non standard CPU and GPU
  • Non standard UA
  • Non standard make/model
  • Incorrect screen resolution
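The findings above are, in essence, consistency checks between what a device claims to be and what it actually reports. The following is an added example of such checks written for this article, not DeviceAssure's SDK: the iPhone 7 reference values are public specifications, the IMEI check is the standard Luhn checksum, and the two device profiles are constructed (the fake one modelled on the device described here).

```python
# Reference attributes of a genuine iPhone 7 (public specifications).
IPHONE7_REF = {
    "os_family": "iOS",
    "make": "Apple",
    "model": "iPhone 7",
    "resolution": (750, 1334),
    "ua_marker": "iPhone; CPU iPhone OS",
}

# Constructed sample profiles: one plausible genuine device, one modelled on
# the counterfeit described above (Android 4.4 under an iOS-style skin).
GENUINE_PROFILE = {
    "os_family": "iOS", "make": "Apple", "model": "iPhone 7",
    "resolution": (750, 1334), "imei": "123456789012347",
    "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X)",
}
FAKE_PROFILE = {
    "os_family": "Android", "make": "unknown", "model": "iPhone 7",
    "resolution": (720, 1280), "imei": "123456789012345",
    "user_agent": "Mozilla/5.0 (Linux; Android 4.4.2; Build/KOT49H)",
}

def imei_luhn_ok(imei: str) -> bool:
    """An IMEI is 15 digits whose last digit is a Luhn check digit."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(imei)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def assess_device(profile: dict, ref: dict = IPHONE7_REF) -> list:
    """Compare a self-reported profile with the claimed model; [] means consistent."""
    findings = []
    if profile.get("os_family") != ref["os_family"]:
        findings.append("OS mismatch: %s instead of %s"
                        % (profile.get("os_family"), ref["os_family"]))
    if (profile.get("make"), profile.get("model")) != (ref["make"], ref["model"]):
        findings.append("Non standard make/model")
    if tuple(profile.get("resolution", ())) != ref["resolution"]:
        findings.append("Incorrect screen resolution")
    if ref["ua_marker"] not in profile.get("user_agent", ""):
        findings.append("Non standard UA")
    if not imei_luhn_ok(profile.get("imei", "")):
        findings.append("Invalid IMEI (fails Luhn check)")
    return findings
```

A Luhn-valid IMEI only proves the number is well formed; a TAC lookup against the GSMA allocation database (not included here) is what confirms the prefix was actually issued to Apple.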

Attack vector

After the device had been tested with DeviceAssure, more nefarious behaviour was observed on a controlled WiFi network. A LAN malware infection attempt was picked up, with multiple connection attempts made to a series of hosts:

  • (to path /logcollect/log-information)

The device was also trying to download the following APKs:

  • BakToolsV9ALL.apk
  • CameraToolsV13.apk


The device attempted to contact a Cryptowall ransomware botnet.

The device appears to be cycling its MAC address despite running Android 4.4. It attempts direct downloads first, then retries via a proxy.