A scammer is using an upcoming iPhone jailbreaking tool to trick users into installing shady apps.

Last month, the iOS jailbreaking community rejoiced at the discovery of the checkm8 vulnerability, which promises to let iPhone owners modify the mobile OS and install unsanctioned third-party apps.

That community is currently working on a tool, dubbed "Checkra1n," that'll enable a full iOS jailbreak for iPhone models from the 4s to the iPhone X. But in the meantime, a scammer decided to capitalize on the Checkra1n name by spoofing a website that pretends to offer the jailbreaking tool.

The site, found at checkrain[.]com, includes a button to download the Checkra1n software. But in reality, the site is trying to trick users into installing unrelated third-party apps for click fraud, according to researchers at Cisco's Talos security group.

To fool users, the checkrain[.]com site claims it's been working with iOS jailbreaker "CoolStar," and even Google security researcher Ian Beer, on the jailbreaking tool. The site also claims Checkra1n will work on the latest iPhone models equipped with the A12 and A13 processors and that it requires no connection to a PC, all of which are false statements. (The checkm8 vulnerability only works on iPhone models with the A5 chip to the A11.)

If you do click on the fake site's download link, you'll be asked to install a "mobileconfig" profile on your iOS device that's disguised to look like a mobile app. "Once the app is downloaded and installed, a checkrain icon appears on the user's iOS springboard. The icon is in fact a kind of bookmark to connect on a URL," Talos security researchers Warren Mercer and Paul Rascagneres wrote in today's post.
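A configuration profile can be inspected before anyone installs it. The following added example (not code from Talos or from the original article) parses a `.mobileconfig` file and lists any Web Clip payloads, which is the payload type that places a bookmark icon on the home screen. The sample profile, its label and its URL are constructed for illustration, and the code assumes that a signed profile stores its plist contiguously inside the signature envelope.

```python
import plistlib

WEBCLIP_TYPE = "com.apple.webClip.managed"  # Apple's payload type for Web Clips

def load_profile(raw: bytes) -> dict:
    """Parse a .mobileconfig. Signed profiles wrap the XML plist in a CMS
    envelope, so locate the plist inside the bytes instead of parsing from 0."""
    start, end = raw.find(b"<?xml"), raw.rfind(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no XML plist found in profile")
    return plistlib.loads(raw[start:end + len(b"</plist>")])

def find_web_clips(raw: bytes) -> list:
    """Return one dict per Web Clip payload with the fields worth reviewing."""
    content = load_profile(raw).get("PayloadContent", [])
    if not isinstance(content, list):  # e.g. encrypted payload content
        return []
    clips = []
    for payload in content:
        if payload.get("PayloadType") != WEBCLIP_TYPE:
            continue
        clips.append({
            "label": payload.get("Label"),
            "url": payload.get("URL"),  # where the "app" icon really goes
            # Full-screen clips open without Safari's address bar, so the
            # page looks like a native app.
            "fullscreen": bool(payload.get("FullScreen", False)),
            "removable": bool(payload.get("IsRemovable", True)),
        })
    return clips

# Constructed sample: a Web Clip profile with junk bytes before and after it
# to imitate a signed envelope. Label and URL are placeholders.
SAMPLE = b"\x30\x82\x0b\xad" + plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "checkra1n",
    "PayloadContent": [{
        "PayloadType": WEBCLIP_TYPE,
        "Label": "checkra1n",
        "URL": "https://fake-jailbreak.example.invalid/start",
        "FullScreen": True,
        "IsRemovable": True,
    }],
}) + b"\x00trailing-signature-bytes"

if __name__ == "__main__":
    for clip in find_web_clips(SAMPLE):
        print(f"Web Clip '{clip['label']}' -> {clip['url']} "
              f"(fullscreen={clip['fullscreen']}, removable={clip['removable']})")
```

A profile offered as an "app" download that contains nothing but a Web Clip pointing at an unrelated URL matches the behaviour described above.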

Tapping on the fake Checkra1n icon will then bring up a web page that claims your device is installing the jailbreak. But in reality, the device is simply running some JavaScript that shows a fake loading screen. At the end of the process, you will then be asked to install additional third-party apps to complete the jailbreak.

"The fake jailbreak process tells the user to have fun for seven days to ensure their unlock completes," Cisco's Talos security researchers said. "This is obviously nonsense—the user will merely provide more interactive sessions through the gameplay, which may result in additional revenue for this attacker."

Fortunately, the whole scheme is focused on click fraud and nothing more malicious. According to the researchers, the fake website was mainly targeting users in the US, Canada, and several European countries. The fake checkrain[.]com site also appears to still be up. However, visiting it can now trigger the Chrome and Safari browsers to display a warning about the site's malicious nature. The real Checkra1n site is at checkra1n.com, but it has yet to post anything.

If you downloaded the fake checkra1n app, Cisco's blog post has details on how to remove it.
