Crypto-mining malware attacks on iPhones intensify

There was a four-fold increase in attacks against iPhones and devices using Safari during the last two weeks of September, says Check Point.

Apple iPhones are under attack from crypto-mining malware.

This is according to Israel-based cyber security firm Check Point Software Technologies in its Global Threat Index for September 2018, which reveals a near-400% increase in crypto-mining malware attacks on Apple iPhones.

Check Point says these attacks use the Coinhive mining malware, which continues to occupy the top position in the index that it has held since December 2017.

This comes as the theft of crypto-currencies through hacking of exchanges and trading platforms soared to $927 million in the first nine months of the year, up nearly 250% from the level seen in 2017, according to a report released last week by US-based cyber security firm CipherTrace.

Check Point says Coinhive now impacts 19% of organisations worldwide. Its researchers also observed a significant increase in Coinhive attacks against PCs and devices using the Safari browser, the default browser on Apple devices.

Malicious threat

Crypto-currency mining service Coinhive has been identified by several cyber security firms as the top malicious threat to Web users, because its code is frequently planted on compromised Web sites to hijack the processing power of visitors' devices.

It relies on a small piece of JavaScript embedded in Web pages. The script uses some or all of the computing power of any browser that loads the page, enlisting the visitor's machine to mine the Monero crypto-currency.

"Crypto-mining continues to be the dominant threat facing organisations globally," says Rick Rogers, regional director for Africa at Check Point.

"What is most interesting is the four-fold increase in attacks against iPhones, and against devices using the Safari browser during the last two weeks of September. These attacks against Apple devices are not using new functionality, so we are continuing to investigate the possible reasons behind this development."

According to market analyst firm IDC, in Q2 2018, Apple was the third biggest smartphone vendor with a 12.1% market share, behind Samsung (20.9%) and Huawei (15.8%).

"In the meantime, attacks such as these serve as a reminder that mobile devices are an often-overlooked element of an organisation's attack surface, so it's critical that these devices are protected with a comprehensive threat prevention solution, to stop them being the weak point in corporate security defences," says Rogers.

Jon Tullett, research manager for IT services, Sub-Saharan Africa at IDC, says iPhones are vulnerable to attack, as is any device and software platform.

He notes, for example, that ITWeb hosted security expert Charlie Miller at Security Summit 2014; Miller won the Pwn2Own competition with an iPhone root exploit about a decade ago.

Nevertheless, says Tullett, Coinhive is not mobile malware, nor is it attacking iPhones. "It's running code on the mobile phone's browser, not natively on the phone itself. As such, it is platform-agnostic; iPhones are affected, as are many other browsers, mobile or not.

"Coinhive operators and cyber criminals target anyone they can reach, and a platform-neutral vector will obviously give them the best mileage."

He points out that Coinhive's definition as malware is debatable. "It's pitched as a revenue alternative to Web advertising, allowing users to trade CPU cycles for content. The malware part generally comes up because it's frequently not disclosed to unwitting users, and people don't like that.

"The platform has an option to alert users about its presence, but realistically no one uses it and it's likely just there to mollify people who complain. Also, it doesn't play nice; throttling performance to do its job but not impacting performance/battery life would probably have been a more acceptable compromise."

Processing power

Petri Redelinghuys, a trader and founder of Herenya Capital Advisors, is of the view that cyber criminals are targeting iPhones because of their strong processing capabilities.

"I would imagine they are targeting iPhones because, as much as the Android zealots don't want to admit it, iPhones are very powerful devices in terms of their processing capabilities. They have strong processors and lots of functional memory (RAM) and in the mining game, it's all about crunching the numbers (doing processor-intensive calculations).

"It makes sense to target iPhones also because there are fewer variations of them compared to all the different Android-based phones out there. I would guess so that hackers have a smaller set of variables to account for and can more reliably gain access to processing power without impacting the user's experience with the phone too much," Redelinghuys says.

Coinhive was also dominant across Africa in September, occupying the number one spot on Check Point's Threat Index in both Kenya and Nigeria. It was the second most common malware in SA, behind Dorkbot.

According to Check Point, widespread instances of Andromeda attacks were reported across Africa last month. The modular bot, used to distribute further malware, ranked second on the Threat Index in both Kenya and Nigeria, and third in SA. Ranking third in Kenya and Nigeria was Dorkbot.

It notes the Cryptoloot mining malware climbed to third place in the Threat Index, becoming the second most prevalent crypto-miner in the index. Cryptoloot aims to compete with Coinhive by asking a smaller revenue percentage from Web sites than Coinhive.

Concluding, Tullett says: "If you view Coinbase as malware, block it. Ad-blockers will catch it, for example. In time, browsers will be updated to enforce performance thresholds, which will alleviate the impact, so watch for those updates.

"Alternatively, if you are happy to solve crypto-hashes to pay for content, you can leave it alone. It's not fundamentally a bad idea, but Coinbase managed to make it look as shady as possible, which may well poison the well for anyone with better intentions."
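The mechanism described earlier (a script delivered with the page that mines in the visitor's browser) and Tullett's closing advice to simply block it both come down to the same check, which a content blocker or filtering proxy applies before the script runs. The following is an added example written for this page, not code from Check Point, Coinhive or anyone quoted here. It scans page markup for the loader scripts and client API calls that Coinhive (including its opt-in AuthedMine variant) and Crypto-Loot used; those URLs and API names are taken from the services' public documentation as it stood in 2018 and should be read as assumptions, and the three sample pages are constructed.

```javascript
// Added example for this page (not code from Check Point, Coinhive or the
// people quoted): a scanner that flags in-browser cryptomining loaders in
// page markup, the kind of check an ad-blocker or filtering proxy applies
// before the script ever runs. It mines nothing itself.
//
// Assumptions: the loader URLs and client API names below are taken from the
// public documentation of Coinhive (and its opt-in AuthedMine variant) and
// Crypto-Loot as it stood in 2018; the sample pages are constructed.

const MINER_INDICATORS = [
  // [indicator id, pattern, what a match means]
  ['coinhive-loader',   /coinhive\.com\/lib\/coinhive\.min\.js/i,
    'page loads the Coinhive miner script'],
  ['coinhive-api',      /\bCoinHive\.(Anonymous|User|Token)\s*\(/,
    'page instantiates a Coinhive miner'],
  ['authedmine-loader', /authedmine\.com\/lib\/authedmine\.min\.js/i,
    'page loads the opt-in (user-prompting) Coinhive variant'],
  ['cryptoloot-loader', /crypto-loot\.com\/lib\/miner\.min\.js/i,
    'page loads the Crypto-Loot miner script'],
  ['cryptoloot-api',    /\bCRLT\.Anonymous\s*\(/,
    'page instantiates a Crypto-Loot miner'],
  ['cryptonight-ref',   /cryptonight/i,
    'reference to CryptoNight, the Monero proof-of-work these miners compute'],
];

// Return every indicator that fires on the markup, with the matched text as
// evidence. The same patterns work on a saved HTML file or on a response body
// seen at a proxy, because the mining code has to be delivered in the page.
function scanForMiners(html) {
  const findings = [];
  for (const [id, pattern, meaning] of MINER_INDICATORS) {
    const match = pattern.exec(html);
    if (match) findings.push({ id, meaning, evidence: match[0] });
  }
  return findings;
}

// Coinhive exposed a `throttle` option, the fraction of time the miner sleeps
// (0 = use all available CPU). Extract it when present, since the complaint
// that the miner "doesn't play nice" comes down to this number.
function minerThrottle(html) {
  const match = /throttle\s*:\s*([0-9]*\.?[0-9]+)/.exec(html);
  return match ? Number(match[1]) : null;
}

// What a content blocker should do with the page. Assumption: the opt-in
// loader drives the same CoinHive.* client API, so an API hit alone does not
// prove silent mining; the non-prompting loader script does.
function verdict(html) {
  const ids = new Set(scanForMiners(html).map(f => f.id));
  if (ids.size === 0) return 'allow';
  if (ids.has('coinhive-loader') || ids.has('cryptoloot-loader')) return 'block';
  if (ids.has('authedmine-loader')) return 'allow-with-consent';
  return 'review'; // API call or CryptoNight reference without a known loader
}

// Constructed sample pages (not captured from any real site).
const SAMPLE_INFECTED = `<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('EXAMPLE_SITE_KEY', {throttle: 0.3});
  miner.start();
</script></head><body>Welcome</body></html>`;

const SAMPLE_OPTIN = `<html><head>
<script src="https://authedmine.com/lib/authedmine.min.js"></script>
<script>new CoinHive.Anonymous('EXAMPLE_SITE_KEY').start();</script>
</head><body>Welcome</body></html>`;

const SAMPLE_CLEAN = `<html><head><script src="/static/app.js"></script></head>
<body>Welcome</body></html>`;

for (const [name, page] of [['infected', SAMPLE_INFECTED],
                            ['opt-in', SAMPLE_OPTIN],
                            ['clean', SAMPLE_CLEAN]]) {
  console.log(name, verdict(page),
              scanForMiners(page).map(f => f.id).join(',') || '-',
              'throttle=' + minerThrottle(page));
}
```

Run it with node. The check is signature-based, so a copy of the miner renamed and served from the site's own host slips past it; that limitation is why the browser-enforced performance thresholds Tullett anticipates matter more than any blocklist.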
