As Michelle and Nathan and I have discussed previously, there is a vulnerability that exists on older iOS hardware that can be used to jailbreak those devices. However, Cisco Talos has recently discovered that cybercriminals have set up a fake website aiming to take advantage of users wanting to jailbreak their iPhones.
Instead of jailbreaking a user's device, the site actually just prompts users to download a malicious profile that the attackers then use for click fraud.
Checkm8 is a bootrom vulnerability that impacts all older models of the iPhone from the 4S through the X. The campaign discovered by Cisco Talos attempts to capitalize on a project called checkrain, which uses the checkm8 vulnerability to modify an iPhone's bootrom and load a jailbroken image onto the device.
The attackers being tracked by Cisco Talos run a malicious website called checkrain.com that preys on users searching for the legitimate checkrain project.
The fake checkrain site attempts to appear legitimate by claiming to work with popular jailbreaking researchers such as “CoolStar” and Google Project Zero's Ian Beer. The page prompts users to download an application to jailbreak their phone, but there actually is no application: the attackers are trying to install a malicious profile onto the end-user device.
When a user first visits the fake website, they are presented with a download button. Cisco Talos noticed several things about the site that indicate it is not legitimate, including the mention of A13 devices, which aren't vulnerable to Checkm8.
The website further claims that users can install the checkrain jailbreak without using a PC. However, the real Checkm8 exploit requires that the iOS device be in DFU mode and is exploitable over an Apple USB cable. Another clue was the fact that the fake checkrain site uses an SSL certificate from Let's Encrypt, while the actual site doesn't even have an SSL certificate.
Once the download button is clicked, an app with a checkrain icon is downloaded and installed onto the user's iPhone. But while the icon may look like a regular app, it is actually a bookmark that opens a URL.
Instead of providing users with an authentic jailbreak, the attackers are instead using the affected devices to commit click fraud.
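A defender-side check in the same spirit, as an added example that is not part of this article or of Cisco Talos's analysis: iOS configuration profiles are XML property lists, and a home-screen "app" that is really a bookmark shows up as a com.apple.webClip.managed payload whose URL key is where the icon actually points. The profile below is constructed for illustration; its URL and label are placeholders, not values from the campaign.

```python
import plistlib

# Constructed sample profile (a placeholder, not the campaign's real one): a web
# clip labelled like an app that only opens a URL in full-screen Safari.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>checkrain</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.webClip.managed</string>
      <key>Label</key><string>checkrain</string>
      <key>URL</key><string>https://example.invalid/landing</string>
      <key>FullScreen</key><true/>
      <key>IsRemovable</key><false/>
    </dict>
  </array>
</dict>
</plist>
"""

def web_clips(profile_bytes):
    """Return each web clip payload in a .mobileconfig as a dict of its key fields."""
    profile = plistlib.loads(profile_bytes)
    clips = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.webClip.managed":
            clips.append({
                "label": payload.get("Label", ""),
                "url": payload.get("URL", ""),
                "full_screen": bool(payload.get("FullScreen", False)),
                "removable": bool(payload.get("IsRemovable", True)),
            })
    return clips

def review_profile(profile_bytes):
    """Flag web clips that an installer could mistake for a native app."""
    findings = []
    for clip in web_clips(profile_bytes):
        reasons = ["icon is a bookmark to " + clip["url"] + ", not an app"]
        if clip["full_screen"]:
            reasons.append("opens full-screen, hiding Safari's address bar")
        if not clip["removable"]:
            reasons.append("user cannot remove the web clip")
        findings.append((clip["label"], reasons))
    return findings
```

Run review_profile over any .mobileconfig a site asks you to install before accepting it; a profile that promises a jailbreak but contains only a web clip is doing something other than what it claims.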
As tempting as a jailbroken device may seem, for whatever reason, by trying to exploit the Checkm8 vulnerability you could be opening your device and your data to hackers.
My recommendation is, if you're not sure what it is you should be looking for, leave it alone and let your device run as intended.