Ask HN: iOS App Installed by Malware?

6 points by m_eiman ↗ HN
Ok, this was weird. Wife got email about her Apple ID password being reset at 18:07 (when she was in a store, phoning me).

At 21:29 she she got an email about a new subscription in an app she hadn’t heard of. We were watching TV at the time; she definitely didn't order the subscription since she hadn't even heard of the app.

We checked, and was installed today on her phone (she didn’t do it).

We immediately cancelled the subscription, reset her Apple ID password and installed the iOS 14.4 update (she was on 14.3).

This shouldn’t be possible, so how did it happen? Some fraud scheme using iOS bugs to force-install apps and start subscriptions? Is that even something that happens? Has anyone else seen something like this?

8 comments

[ 2.8 ms ] story [ 22.3 ms ] thread
There's are options in iOS to automatically download content that's been downloaded on other devices. One option is for media (music & video) and the other is for apps.

The attacker logged into the account on a real device and installed the app, probably by accident. Chances are, the compromised account was sold and someone bought it to be able to "buy" paid apps for free.

She has that disabled.

The app was only installed on her iPhone, not her iPad. The App store list says she bought it ”today”, but no time is provided.

Two factor auth is enabled.

The notification emails from Apple don’t include the IP address of the device causing the event, it seems, so no way to know if it was ”us”.

I would still err on the side of a bug around that feature (where it would appear disabled but it’s actually enabled) as opposed to a proper iOS exploit.

I suggest you use Apple’s “download your data” tool and request an archive. If anything, that’ll contain extra details about that other rogue device and whatever the attacker did. It will also contain IP addresses.

Did she have a weak or reused password, combined with lack of 2FA? Run her email through haveibeenpwned.
It’s possible she has used the email elsewhere, but she doesn’t use her Apple ID email address anywhere else, only with Apple.
Dude :) I asked: did she re-use passwords, which you didn't answer. I also asked: did she have 2FA enabled, which you also didn't answer. Then I said: run her email through haveibeenpwned, which you didn't acknowledge.

It's all fine to me, I'm just trying to help here :)

> This shouldn’t be possible, so how did it happen?

Someone guessed her password.

She should change it again.

Call Apple Support.