This is a weird one to me. See if anybody else has any ideas. I have a cousin using an iPhone 5 with iOS 7. She's not a technical person, but the guy at the Apple store installed the preview OS on her phone anyway. Shortly after the OS update, her Yahoo email account started sending spam. Assuming her account had been compromised, she changed her password, but the spam continues to go out. I thought maybe someone was just spoofing her address, but the mail is actually showing up in her sent items. She doesn't have a computer, and the only place she accesses the email from is the iPhone. All I can figure is that she has a virus of some sort on her iPhone. She didn't install any new apps anywhere around the time this started. She says she did open a "weird email" that she thought may be related to it while she was connected to a public wi-fi network. I don't subscribe to the theory that Apple products are impervious to viruses, but without it being jailbroken I thought that nothing could run that wasn't signed by the App store, and she hasn't installed anything new. I'm stumped. Any thoughts?
I also don't subscribe to the notion that Apple products are impervious to malware (I have been running anti-virus applications on my Macs all the way back to the OS 7, OS 8 and OS 9 days...back then there were actual serious virus threats for pre-Mac OS X OSs). iOS, however, is pretty well locked down unless you jailbreak an iOS device. The few instances that I know of where an iOS device has been/could be compromised have been either when it is jailbroken, when the person had direct physical access to the device, or one of the very, very, very rare cases some App laden with malware "type" stuff made it through the Apple App Store review. I am not aware of any instances where something "came in" by way of an "infected" email message and "infected" an iOS device. And assuming that there was something out there right now, you likely could find some mention of it by a Google search...after all there are more than enough "talking head" type folks/bloggers/"journalists" that seem to take great pleasure in pointing out Apple's "shortcomings". Thus, while it is not impossible that some email "infected" the iPhone, I find it extremely unlikely.
With all that said, I see two basic possibilities:
- The Apple Store person loaded something else (i.e. loaded a compromised version of iOS 7) on her phone besides iOS 7 (either intentionally or unintentionally)
- Her Yahoo account is compromised
For the first, it is based upon me finding it highly unlikely that an Apple Store employee is officially allowed to install iOS 7, which is still only a developer preview ("beta" is overstating it if you ask me). Thus, I find it highly suspicious that such an employee would do it...it basically sends all kinds of "flares" off for me. So, if I assume that the Apple Store employee does not have some officially sanctioned path to do it, then that means they did some unofficial path to do it. The two basic ways that I am aware of to install iOS 7 are to 1) have an Apple developer account and download from Apple's developer site & install it using that developer account (i.e. the so-called "legal path") or 2) download it from some third party site (i.e. the so-called "less than legal path"). While it is possible that the employee had a developer account of their own (basically anyone can get one as long as you are willing to pay $99 per year), I rather doubt that the employee would do that as it is much more likely that Apple could discover that the person is installing iOS on other people's devices, which then might result in that person losing their job. The more likely situation is that they got it from a third party site. If that is the case, then there is a possibility that the IPSW file that the employee found and downloaded was compromised in some manner. Or, if I release my naturally suspicious mind, maybe the Apple Store employee added something to the mix on their own (if the Apple Store employee is potentially willing to violate company policy [assuming that it is...I don't really know that it is], then this is not too far fetched). If this is the case, then in theory, reverting to iOS 6 should fix things. Since she did not do the update herself, she may not have an IPSW file/backup for the latest version of iOS 6, which then gets back into downloading one from a third party site.
The second seems more likely overall...except you said she did change her password. In theory, if the Yahoo account was compromised, then changing the password typically would solve that problem. Let me ask...how does she access the Yahoo account? Does she use the built-in Mail client or does she use the Yahoo Mail app? I ask because I believe that Yahoo still only offers POP access for email clients when using a "free" Yahoo account...if so, then using the built-in Apple Mail client would not likely show any messages in the Sent folder that were sent from any other devices...i.e. some other devices that the compromised account is being accessed from. So, in theory, if the account is compromised and someone is sending the messages from another device (i.e. a computer somewhere), then those messages would NOT likely show up in Apple Mail, but WOULD show up in Yahoo Mail. The other way to test whether the account is compromised is to look at the recent account activity:
Looking at the list of recent activity on the account should help your cousin determine if someone else is accessing her account.