iOS 10.3, released yesterday, has thwarted a screen-locking ransomware campaign that used a bug in mobile Safari to lock users' browsers and demand a ransom paid in iTunes pre-paid gift cards.
This ransomware campaign was first spotted by mobile security firm Lookout last month, after one of its clients found his Safari browser locked and unusable.
Lookout experts analyzed the threat and discovered that the crooks behind this new campaign were using an older iOS exploit shared on a Russian website.
According to Lookout, this exploit affected all iOS versions from iOS 8 up to iOS 10.2, the current release at the time. The exploit leveraged a bug in how mobile Safari showed popup notifications, effectively blocking the user's access to the browser through an endless loop of popups.
Crooks discovered that if they attempted to load a non-existent local URL, mobile Safari would enter an infinite loop, showing a popup that read "Cannot open page."
Their campaign relied on silently redirecting users to, or tricking them into visiting, a malicious page where the exploit code was hosted.
This page showed alarmist messages that attempted to pass as warnings from law enforcement, accusing users of watching illegal pornography or accessing copyrighted content.
When the exploit code executed, the popup would appear and lock the user's Safari browser on the attackers' page. Clicking "OK" in the popup would show an identical popup, over and over again.
The exploit tried to mimic the behavior of classic ransomware strains, but in reality it never encrypted any data; it only blocked access to the iOS Safari browser.
Lookout experts say that users with technical expertise could have removed this lock screen by cleaning the browser's cache. This operation can be done by navigating to the iOS Settings page, selecting Safari, and then the Clear History and Website Data option.
The ransomware campaign used several domains and localized pages that specifically targeted users based in Australia, New Zealand, Ireland, the UK, and the US.
To give legitimacy to their ransom demands, attackers used domains and email addresses referencing government agencies or Apple terms.
Domains used by the campaign:
http://x-ios-validation.com
http://police-pay.com
Contact addresses used in the ransom notes:
US email: networksafetydept@usa[.]com
Ireland email: justicedept@irelandmail[.]com
UK email: cybercrimegov@europe[.]com
Australia email: federaljustice@australiamail[.]com
New Zealand email: cybercrimegov@post[.]com
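The indicators above are what a defender would feed into a proxy or DNS log search to find affected devices. The following script is an added example, not code from Lookout or Apple: it takes the domains and e-mail addresses listed in the article, refangs the defanged addresses, and scans a small set of constructed proxy-style log lines (the log format and IP addresses are made up for the example), matching both exact hosts and their subdomains.

```python
import re

# Indicators taken from the article's list of campaign domains and contact addresses.
DOMAINS = {"x-ios-validation.com", "police-pay.com"}
EMAILS = {
    "networksafetydept@usa[.]com",
    "justicedept@irelandmail[.]com",
    "cybercrimegov@europe[.]com",
    "federaljustice@australiamail[.]com",
    "cybercrimegov@post[.]com",
}


def refang(value: str) -> str:
    """Turn a defanged indicator such as 'usa[.]com' back into 'usa.com' for matching."""
    return value.replace("[.]", ".").replace("hxxp", "http")


# Refanged copies of the e-mail indicators, lower-cased so matching is case-insensitive.
EMAIL_IOCS = {refang(e).lower() for e in EMAILS}

# Hostname of any http(s) URL and any e-mail-looking token in a log line.
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def domain_matches(host: str):
    """Return the matching indicator if host equals it or is a subdomain of it."""
    host = host.lower().rstrip(".")
    for ioc in DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_line(line: str):
    """Return a list of (kind, indicator) hits found in one log line."""
    hits = []
    for host in HOST_RE.findall(line):
        ioc = domain_matches(host)
        if ioc:
            hits.append(("domain", ioc))
    for addr in EMAIL_RE.findall(line):
        if addr.lower() in EMAIL_IOCS:
            hits.append(("email", addr.lower()))
    return hits


def scan_log(text: str):
    """Scan a multi-line log and return (line_number, kind, indicator) for every hit."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for kind, ioc in scan_line(line):
            findings.append((n, kind, ioc))
    return findings


# Constructed sample proxy log (hypothetical format, addresses and timestamps).
SAMPLE_LOG = """\
2017-03-27T10:01:02Z client=10.0.0.12 GET http://x-ios-validation.com/uk/index.html ua="Mobile Safari"
2017-03-27T10:01:05Z client=10.0.0.12 GET http://www.example.com/ ua="Mobile Safari"
2017-03-27T10:02:11Z client=10.0.0.19 GET http://police-pay.com/au/pay.html ua="Mobile Safari"
2017-03-27T10:02:13Z client=10.0.0.19 GET http://www.police-pay.com/nz/index.html ua="Mobile Safari"
2017-03-27T10:03:40Z client=10.0.0.19 page-body contact: justicedept@irelandmail.com
"""

if __name__ == "__main__":
    for line_no, kind, ioc in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {kind} indicator {ioc}")
```

Matching on the registrable domain plus any subdomain is deliberate: the article lists bare domains, while the localized pages for each country could sit under separate hostnames, so an exact-host comparison would miss them.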
The security firm says it notified Apple last month about this ransomware campaign and the Safari bug it exploited.
With the release of iOS 10.3, Apple has now fixed this issue by changing how Safari handles popups. Starting with iOS 10.3, popups will only block the current tab, not the entire browser, allowing users to close the tab and continue using the browser.