Blog

September 20, 2024

KEYLOGGER/3rd party keyboard BUG

Due to changes in iOS 18.0, some users are seeing legitimate Apple keyboards showing up in the list of keyloggers/3rd party keyboards. We already have a fix in place and will be rolling it out in the next version of Am I Secure?. An example of an erroneously detected one is "en_CA@ml=2". For some reason we didn't see this during iOS 18 beta testing; otherwise we would have fixed it before iOS 18 went public.
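As an added illustration of the distinction behind this bug (example code written for this post, not the code shipped in Am I Secure?), the check below separates Apple's built-in keyboard entries from 3rd party keyboard extensions. It assumes that Apple keyboards are listed as locale-style identifiers (the "en_CA@ml=2" entry above is one such identifier) while 3rd party keyboards appear as reverse-DNS bundle identifiers; the sample list is constructed and the exact identifier formats are assumptions, not something the post states.

```python
import re

# Constructed sample of a device's keyboard list. Assumption: Apple's built-in
# keyboards are locale-style identifiers such as "en_US@sw=QWERTY;hw=Automatic",
# while 3rd party keyboards are app-extension bundle identifiers (reverse DNS).
SAMPLE_KEYBOARDS = [
    "en_US@sw=QWERTY;hw=Automatic",
    "emoji@sw=Emoji",
    "en_CA@ml=2",                              # the iOS 18.0 entry that was misflagged
    "com.example.customkeyboard.extension",    # constructed 3rd party keyboard id
]

# Locale-style identifier: language[_REGION...] optionally followed by "@key=value;key=value".
_APPLE_LOCALE_RE = re.compile(
    r"^[a-z]{2,8}(?:[_-][A-Za-z0-9]{2,8})*"
    r"(?:@[A-Za-z0-9]+=[^;]+(?:;[A-Za-z0-9]+=[^;]+)*)?$"
)
# Reverse-DNS bundle identifier: at least three dot-separated labels.
_BUNDLE_ID_RE = re.compile(r"^[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+){2,}$")


def classify_keyboard(identifier: str) -> str:
    """Return 'apple', 'third_party' or 'unknown' for one keyboard identifier."""
    if _BUNDLE_ID_RE.match(identifier):
        return "third_party"
    if _APPLE_LOCALE_RE.match(identifier):
        return "apple"
    return "unknown"


def third_party_keyboards(identifiers):
    """Identifiers a checker should surface for review (anything not recognised as Apple's)."""
    return [k for k in identifiers if classify_keyboard(k) != "apple"]


if __name__ == "__main__":
    for k in SAMPLE_KEYBOARDS:
        print(f"{k:45} -> {classify_keyboard(k)}")
    print("flagged:", third_party_keyboards(SAMPLE_KEYBOARDS))
```

The point of matching the bundle-identifier shape explicitly, rather than flagging anything that is not on a fixed list of known Apple identifiers, is that a new locale parameter like "@ml=2" then no longer produces a false positive.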

June 9, 2024

Please help us! We need your assistance!

Rate the app now on the App Store!

We intentionally didn't add an app rating request popup in our Am I Secure? app since no one likes being pestered while they are trying to use an app!

We have since learned, though, that not including it was a big mistake. While we have had a very high number of subscription renewals since we launched the app 8 weeks ago, implying very happy users, very few users have gone back to the App Store page for our app to rate it. Why go back to the app's page in the App Store when you already downloaded the app, right?

If you are happy with our app, either using the free features or as a paid subscriber, your positive reviews are essential for us! To rate or review the app please go to our app's page in the App Store at https://apps.apple.com/app/id6468312814. Your help is greatly appreciated!

To everyone that already gave us a rating, all 5 out of 5, thank you!!! We apologize in advance that the next version of our app will have a popup on occasion to request a rating or review. We see now why so many apps use it, the risk of a single random rating or review is too high if an app does not have a large number of them to offset it. Even with a rating popup most apps only see 1-2% of users respond to the popup and rate the app. Without one, which requires a user to decide to go back to the app's page in the App Store to rate it, we're seeing more like 0.1%.

Many of our new users are from positive word of mouth advertising from existing users sharing the link in the app with others, this helps us so much, thank you!

If you're having any issues with the app, please get in touch at support@numbersstation.app to give us a chance to correct it. We also welcome any feedback or suggestions users may have.

May 22, 2024

New "Vision" spyware detected via Am I Secure? app

Update on May 23, 2024

We asked both users if we could share a bit more info and after seeing what we posted yesterday, both gave permission.

One is in the pharmaceutical sector in France, the other in the manufacturing sector (that user requested we not name the country). Neither user's employer is involved with defence-related activities and neither has any connection to manufacturing related to supplying Ukraine. It was one of the first questions we asked.

Both users felt that the threat actor is conducting intellectual property (IP) theft and not targeting them as individuals. Both work for organizations that face routine cyber attacks against their main corporate networks with the assumed primary motivations of attackers being IP theft plus the typical ransomware threat any large corporation faces.

---

Original Post

We recently detected new iOS spyware (we're calling it "Vision") on the devices of two users of our Am I Secure? app. We have user permission to share the following information.

Indicator of Compromise (IoC): /private/var/db/com.apple.xpc.roleaccountd.staging/visioniOS/

There is no legitimate subfolder like this, it is named this way to appear legitimate.

Two devices were impacted, both users in Western Europe, one running iOS 17.4.1 at the time of detection and one running iOS 17.5: one iPhone 13 (17.4.1) and one iPhone 15 Pro Max (17.5). Neither had Lockdown Mode enabled. There is no apparent connection between the victims (not the same industry, not the same country, etc.). The victims are not journalists or activists. Neither felt they were a likely target of their own government but both felt they were potentially of interest to a foreign government.

It is very likely that this threat actor can install on iOS 17.5.1 as well, since that update did not contain any security fixes.

The spyware does not appear to survive a restart, based on post-restart scanning. Re-exploitation was not observed. No copy of the spyware is currently available (it is not part of the sysdiagnose submission), but one victim contacted law enforcement/government in their jurisdiction for further analysis, and a full device backup plus 24 hours of network traffic collection was performed before the device was rebooted (to detect command and control infrastructure). The other victim wiped the device upon being notified. Because no copy of the implant is available yet, the spyware family has not yet been identified.

The initial exploitation method has not yet been identified, but both victims have multiple messenger apps installed with readily obtainable contact details tied to those messenger apps. Neither recalls any links recently received and neither travelled outside of their country (i.e. they were not using foreign ISPs or mobile providers where traffic could be modified). Both only had common popular apps installed.

If you want to check your device, create a sysdiagnose file now, without restarting your device first, allow 10-15 minutes for it to complete and then submit it via Am I Secure? for analysis.

Our Am I Secure? for Work product would have also detected these compromises.

May 20, 2024

"antivirus" apps on iOS cannot actually scan for viruses!

Most iOS users are surprised to learn that apps that advertise themselves as "antivirus" or "virus scanners" on the App Store cannot actually scan for viruses, let alone spyware and malware. Huh? What?! Yeah, it's true: it is not possible for 3rd party apps (i.e. ones not from Apple) to access the operating system or system files directly, or to access files in other apps to scan them, due to what is called app "sandboxing". Sandboxing is a feature in iOS that isolates apps for privacy and security reasons. This applies to antivirus apps from all of the major antivirus companies.

We'll explain at the end how Am I Secure? is able to avoid these restrictions and successfully detect spyware, malware and viruses on iOS.

On Android, unlike iOS, it is possible for apps to request special permissions that allow them to access more data than normal outside of the app sandbox, such as all files on the device, to perform virus scanning but this level of access is not permitted on iOS, even if the user wanted to grant it. Due to this, many vendors play sneaky games where they advertise the features of their Android antivirus app while not clarifying that the features are not possible on the iOS version of their app. This feels like a class action lawsuit against them waiting to happen.

So what do these "antivirus" apps on the App Store actually do if they are not able to scan for viruses? They generally provide the following features to give the impression of having security value while implying that they can scan for viruses.

1) Device security check: all they are doing is checking if your device is on the latest version of iOS and if a passcode is set, nothing more, often with a fake "scanning" screen that runs for a few seconds to make it look as if your device is actually being scanned. You don't need an app to tell you these two things! Some throw in a "jailbreak" check, but such checks cannot detect advanced spyware. We do many more checks than this, do so for FREE, and only include the iOS version and passcode checks because users expect them from security apps. We have a "scanning" button and screen too, but that is because it takes time for our iCloud Private Relay check to complete; something is actually happening in the background.

2) Malicious web site blocking: they claim to protect your iOS device by blocking malicious web sites. Here's a little secret: no one has a list of the handful of web sites that are actively attacking iOS devices right now. Such web sites are usually targeted to specific victims, hand crafted to go after one specific person. The part of the web site containing the attack is not available to anyone but the victim; attackers limit access to the malicious portion of the site to only the IP address ranges associated with their victims, to protect the technology being used to attack from being discovered. As a result, security researchers have a hard time obtaining the attack exploits and confirming the site is malicious, even in the rare case where a potential victim shares the web site with them. If you are outside of the victim's IP address range you get a safe, non-malicious version of the web site. All these antivirus companies are doing is using lists of web sites that are known to be malicious to Windows systems and occasionally macOS and Android, totally irrelevant to iOS. Zero protection or security value for your iOS device.

3) "Safe" network check: looking for "Man-in-the-Middle" (MitM) attacks against common domains, i.e. someone trying to break the encryption between your device and a server. Our app does this for FREE, others make you pay for it.

4) Identity "protection": there isn't really any protection, since that would imply they help protect your identity from being stolen in the first place, when all they do is alert you that your information has shown up somewhere on the Internet as part of a breach of a company. You can do this yourself for FREE by visiting the popular site https://haveibeenpwned.com (not affiliated at all with our company), a site that is likely much more comprehensive and timely than the apps offering identity "protection". Google's "Google One" service also offers a paid "dark web report" that can alert you when your information shows up online.

5) VPN service: we don't generally recommend using a VPN since most of the communications leaving your device these days are already encrypted and trusting a sketchy VPN company with your network traffic allows them to use it for all sorts of malicious purposes. Many of the antivirus apps actually outsource their VPN service in the background to other companies, ones you have never heard of. In North America and Western Europe, we'd sooner trust our local Internet Service Provider (ISP) or cellular/mobile company to handle our network traffic directly. This assessment changes of course if you live in authoritarian countries where Internet access is restricted and/or your local network connectivity can be used to exploit your device. You can also create your own VPN server and use it, the best option no matter where you live! Recently a number of VPN apps on iOS have also been impacted by the "TunnelVision" vulnerability, so if you are using one, it is worth searching for more info on it from sources other than your VPN company's web site.

6) Phishing web site blocking: finally, something these apps can actually do that might be useful and improve your security, blocking web sites that pretend to be a legitimate web site, like your bank, to trick you into logging in to them and steal your username and password. Even here though, the value this feature offers is questionable, since such web sites are put up and taken down rapidly, so by the time they are discovered and blocked in the app the site might not even be online anymore. Sophisticated users aware of cybersecurity threats already know what to look for to avoid phishing sites, and most users access their bank and other major sites via an app, not via the web browser.


Common Questions We Get About iOS Antivirus Apps

Question #1: Don't antivirus apps have special entitlements from Apple to be able to access everything required for virus scanning?

A: While there are special entitlements one can receive from Apple, no such entitlement that would cover this exists. So no, Apple does not allow anyone this access, even major antivirus vendors.

Question #2: Don't antivirus apps use privilege escalation exploits to break out of the sandbox to be able to scan?

A: No. Even if an antivirus vendor had such exploits, using them would for sure get a company banned from the App Store but would also rapidly result in the exploit being discovered and patched by Apple so it would only be useful for a very short period of time.

Question #3: A competing app says it can also detect Pegasus spyware, how is that possible if it is limited to the app sandbox?

A: One version of Pegasus spyware, a version that is years old now, was detectable from within the app sandbox and one competing app uses this fact to make it sound like it can detect current infections of Pegasus. After this version was discovered by researchers at Citizen Lab at the University of Toronto, the NSO Group, the creator of Pegasus, rapidly modified it to ensure that it never again left indicators that were detectable from within the app sandbox. The check this app includes was useful years ago and only for a few days before the spyware was updated. No app currently on the App Store other than Am I Secure? is able to detect current versions of spyware, malware or viruses.


How Am I Secure? works

Am I Secure? is the only app using a new technique where the user, via iOS, generates system diagnostic data ("sysdiagnose") and then shares it with our app for analysis. This allows the Am I Secure? app to access data from outside of the app "sandbox" to detect spyware, malware and viruses. Am I Secure? is the ONLY app using this technique and therefore the only app that can actually detect spyware, malware and viruses. Our company has been using this approach to analyze iOS devices for a number of years now and is the only company with widespread experience in this technique, with a custom "sysdiagnose" analyzer suite we use to check each submission from our users. Before our app, clients submitted sysdiagnose files to us via email; the app opens up spyware detection to a much wider audience.
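The following is an added example (not the Am I Secure? analyzer's own code) of the kind of check a sysdiagnose analysis can perform against the "Vision" IoC published in the May 22, 2024 entry above. It takes a plain list of paths, as one might extract from the file listing inside a sysdiagnose archive, and reports any path at or under the IoC. The listing is constructed, and treating any other unexpected subfolder of that staging directory as worth reviewing is an assumption extended from the note above that no legitimate subfolder like this exists.

```python
import posixpath

# Indicator of Compromise published in the May 22, 2024 entry.
VISION_IOC = "/private/var/db/com.apple.xpc.roleaccountd.staging/visioniOS/"

# Assumption (not stated by the post): nothing legitimate should appear under
# this staging directory, so any other child is at least worth a look.
STAGING_DIR = "/private/var/db/com.apple.xpc.roleaccountd.staging"

# Constructed sample of path lines; not data from any real device.
SAMPLE_LISTING = """\
/private/var/db/com.apple.xpc.roleaccountd.staging
/private/var/db/com.apple.xpc.roleaccountd.staging/visioniOS/
/private/var/db/com.apple.xpc.roleaccountd.staging/visioniOS/cfg.plist
/private/var/db/com.apple.xpc.roleaccountd.staging/example_unexpected_dir/
/private/var/mobile/Library/Caches/example_app_cache.db
"""


def normalize(path: str) -> str:
    """Collapse trailing slashes and '..' so that comparisons are exact."""
    return posixpath.normpath(path.strip())


def scan_listing(text: str, ioc: str = VISION_IOC, staging_dir: str = STAGING_DIR) -> dict:
    """Return exact/child hits on the IoC and any other unexpected children of staging_dir."""
    ioc_norm = normalize(ioc)
    staging_norm = normalize(staging_dir)
    hits, unexpected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        p = normalize(line)
        if p == ioc_norm or p.startswith(ioc_norm + "/"):
            hits.append(p)
        elif p.startswith(staging_norm + "/"):
            unexpected.append(p)
    return {"ioc_hits": hits, "unexpected_children": unexpected}


def is_compromised(result: dict) -> bool:
    """Only an IoC hit is treated as a positive; unexpected children are for review."""
    return bool(result["ioc_hits"])


if __name__ == "__main__":
    r = scan_listing(SAMPLE_LISTING)
    print("compromised:", is_compromised(r))
    for p in r["ioc_hits"]:
        print("  IoC hit:", p)
    for p in r["unexpected_children"]:
        print("  review:", p)
```

Normalizing both sides before comparing matters because a listing may or may not carry trailing slashes; a naive substring match on the IoC string with its trailing slash would miss the directory entry itself.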


As you may have noticed, we haven't updated our blog in a while; we focussed on communicating via Twitter/X. We will once again be routinely updating our blog and notifying users of updates in the app.

September 21, 2023

iOS 17.0.1 and iOS 16.7 available, update now

More NSO Group related exploits...it never ends. Update iOS ASAP; there are updates for iOS 16 and 17.

https://support.apple.com/en-us/HT213926 (iOS 17.0.1)

https://support.apple.com/en-ca/HT213927 (iOS 16.7)


Update Sept 22: turns out it wasn't related to the recent NSO exploit chain; it was Intellexa/Cytrox dropping Predator on a target via a man-in-the-middle attack. If you can use Apple's iCloud Private Relay, that would stop this type of network injection, so use it!

September 7, 2023

another ImageIO vulnerability...oh no...

Update your Apple devices ASAP. Another ImageIO vulnerability, which of course likely means it can be triggered via a "zero-click" exploit chain sent to other messaging apps. It is not yet known which image format(s) it targets specifically, and therefore unknown whether Lockdown Mode would protect against it or not. As always, if you're using Numbers Station with quarantine on, you have been protected from this and will continue to be so, even if you do not update...but update!

Update: Apple confirmed that when Lockdown Mode (LM) is enabled it blocks this vulnerability from being exploited. The vulnerability is in the WebP image format which is blocked when LM is enabled.

August 15, 2023

$500K or less to hack Signal

Exploits give an attacker their initial access to a target's device, what people think of as the start of the "hack". Many governments buy exploits and, like anything else, the rarer one is or the harder it was to create, the more money the seller will expect to receive for it. Many of these exploits are delivered to targets' devices via messaging apps and are often referred to as "zero-click" exploits. This access is then used to read all of the messages stored in the app or to expand to everything on the device. Note that this has nothing to do with breaking or decrypting the end-to-end encryption of these apps; it's directly gaining access to the app itself, since it is not, currently anyway, possible to break the encryption used by most messaging apps today.

Since it has become more difficult for attackers to find new exploits for some of the most widely used operating systems and applications, there are companies that do nothing but act as brokers to buy and sell these exploits. Often these companies combine individual exploits acquired from different people to form a series of them called a "chain" that allows full access to the target's device.

It's always interesting to watch what's going on in the underground as well as the overt exploit broker markets, the direction pricing is going overall and which operating systems and applications are currently commanding the highest prices. Gives one a sense of where the attackers think they have things covered and where they do not.

The overt brokers (the ones with web sites and social media accounts) often overinflate how much they are offering on their web sites, to outcompete other brokers offering less and attract exploit developers to go to them first. One can usually expect to be offered 25-50% less than the advertised price for most of what they're buying. Only for the hardest to find exploits will they usually match their advertised pricing, so the higher the price they are offering, the more likely they'll actually match it. For the stuff in the middle, expect a discount. They also pay exploit developers out over a period of time; they don't want to pay $1.5M USD for something and have it get patched a day later and become almost worthless. This also ensures the person selling the exploit to the broker won't play them by then turning around and making another $1M USD from someone like Apple, which buys vulnerabilities to fix them and protect users. On a $1.5M USD deal, a broker would typically pay $500K USD on day one, then another $250K USD every 3 months until the full $1.5M USD is paid or the vulnerabilities are patched, whichever comes first. For really in-demand exploit chains, such as against iMessage, there are often bonuses paid out beyond the advertised price if the entire exploit chain remains unpatched beyond the one year mark, often every 3 months. This is to incentivize the exploit developer not to out it to Apple after they have already been fully paid by the broker. If it's a chain of vulnerabilities that are used and only one gets patched, then some payments might continue but at a much reduced rate.
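To make the payout schedule concrete (an added worked example for this post, not a calculation from ZERODIUM or any broker), the function below reproduces the $500K-then-$250K-every-3-months schedule described above and shows how much of the $1.5M a developer actually receives if the chain is patched at a given month. The assumption that an installment is still paid when the patch lands in the same month as a payment date is ours; the post does not say how that edge case is handled.

```python
from typing import List, Optional, Tuple


def broker_payout(total: int, day_one: int, installment: int, interval_months: int,
                  patched_month: Optional[int] = None) -> List[Tuple[int, int]]:
    """Cumulative amount paid to the exploit developer at each payment date.

    Follows the schedule described in the post: day_one is paid at month 0, then
    installment every interval_months until total is reached or the exploit is
    patched (patched_month; None means never patched), whichever comes first.
    Assumption: a payment whose date equals patched_month is still made.
    Returns a list of (month, cumulative_paid).
    """
    paid = min(day_one, total)
    schedule = [(0, paid)]
    month = 0
    while paid < total:
        month += interval_months
        if patched_month is not None and month > patched_month:
            break
        paid = min(paid + installment, total)
        schedule.append((month, paid))
    return schedule


def total_paid(patched_month: Optional[int] = None, total: int = 1_500_000,
               day_one: int = 500_000, installment: int = 250_000,
               interval_months: int = 3) -> int:
    """Amount the developer ends up with under the $1.5M deal from the post."""
    return broker_payout(total, day_one, installment, interval_months, patched_month)[-1][1]


if __name__ == "__main__":
    # Constructed scenarios: never patched, patched at 5 months, patched the day after the deal.
    for label, month in [("never patched", None), ("patched month 5", 5), ("patched immediately", 0)]:
        print(f"{label:22} -> ${total_paid(month):,}")
```

The arithmetic is simple, but it is the lever behind the "shelf life" point later in this post: every quarter an exploit chain stays unpatched is another $250K to the developer, and outing it early costs the broker nothing beyond what has already been paid.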

Some exploits target a specific app first while others directly impact the operating system (e.g. iOS) and just use the app as a delivery mechanism without actually gaining remote code execution (RCE) in the app itself. For example, a vulnerability in iOS' ImageIO library can often be triggered via iMessage, Signal, WhatsApp and Facebook Messenger without achieving RCE in the app first. Ones that are app specific typically only allow access to the data within the impacted app as well as whatever permissions it has (access to photos, camera, microphone, location, etc.) but can be used with other exploits to expand beyond the app, i.e. "break out of the sandbox".

Looking at the chart at the end of this blog entry, the parts we're focussing on are highlighted. You can see right away that the most in demand exploit chains, i.e. the most expensive, all target messaging apps. This is because they are often the only way to deliver an exploit to a target without their involvement (i.e. "zero-click"). It's also because they are the easiest to use operationally, just need the target's mobile phone number or e-mail address to message them, and because they have next to zero risk for the attacker of being caught.

ZERODIUM is offering $1.5M USD for iMessage or WhatsApp zero-click and $500K USD for Signal, Telegram or Facebook Messenger. We're surprised to see ZERODIUM is not currently actively buying zero-click exploits for Signal, Telegram and Facebook Messenger. Either they already have a full chain or two and just want to buy additional segments for them for redundancy, in case parts of the chains get patched, or it's because a zero-click exploit that targets the OS but is delivered via iMessage or WhatsApp can often be reused for other messaging apps. We're also surprised to see WhatsApp valued as highly as iMessage at the $1.5M USD mark for a zero-click version. WhatsApp must be upping their security game! Part of the reason why iMessage is so expensive is a mix of difficulty to exploit and the fact that the vast, vast majority of iOS users have it enabled, so it allows access to almost all iOS devices. Signal on the other hand might only be used by some of a government's target set. An attacker could also use an iMessage exploit to gain full access to a device that is also running Signal and grab all of the messages that way instead.

Some security researchers we've spoken with that have been contacted and pitched by underground exploit brokers said they were quoting the same $1.5M USD as ZERODIUM for iMessage zero-click chains but a flat $300K USD for all other messengers (including WhatsApp) and for zero-click for all, so quite a difference from ZERODIUM.

We hope this demonstrates how active the threat is against messenger app users, especially those that find themselves intelligence targets of certain governments, and how valuable our app's protection is. While ZERODIUM claims not to sell to governments with a bad human rights record, there are many others in the same business that definitely do. If you've pissed off the Saudis, the Emiratis...any of the outed buyers of these companies, you seriously need to consider disabling and uninstalling all of your messaging apps. If you still need to message, then move to Numbers Station with the maximum protection settings enabled.

Our goal at Numbers Station is of course to protect our users, but also to block and out the exploits used against them so companies like Apple can fix any vulnerabilities in their software to protect all iOS users, even those not using our app. Our longer term goal is to capture fresh exploits so rapidly that their shelf life is too short to justify their cost, so that the exploit broker industry shrinks or fewer governments can afford their products. At the very least we want to change the attackers' risk/reward calculation: launching attacks on thousands of users of other messaging apps may carry close to zero risk of being detected and having their exploit chain outed, but hitting just a single Numbers Station user could be the end of it for them.

Update: received a question concerning the $2.5M and $2M "FCP Zero Click" payouts in the chart below and how they differ from the $1.5M one. In short the attacker's malicious software can survive a reboot of the device. For most attackers though, this isn't a big deal to have, if they haven't heard from the target's device lately they just send another message to the target and re-exploit it. Once again, other messaging apps don't address this threat at all so next to zero risk for the attacker to just keep re-exploiting as needed.


The following image was downloaded from https://zerodium.com/program.html on August 13, 2023.

July 18, 2023

iOS security notes: how do they impact me and folks like the NSO Group?

When a new iOS update comes out, not many people click on the security notes link to see the details. Perhaps they once did but found the info hard to follow or to connect it to how it would impact them.

The recent iOS 16.5.1 (c) release was somewhat clear for average users: "Processing web content may lead to arbitrary code execution". Many users would understand this to be a vulnerability triggered by web browsing in Safari and perhaps be a bit more careful what they click on until the update is installed. They may not know what arbitrary code execution means but get that it isn't good. They may also miss the point that it impacts apps other than Safari, including most messaging apps, but overall, they get the main point.

But what about when the security notes contain other issues, how does the following impact a user? The following is from the iOS 16.5 security notes:

ImageIO

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing an image may lead to arbitrary code execution

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2023-32384: Meysam Firouzi @R00tkitsmm working with Trend Micro Zero Day Initiative

When a user reads "Processing an image may lead to arbitrary code execution", they might assume that it means a user has downloaded a malicious image from some sketchy web site and then opened it in an image editing app, or would have to have taken obvious steps to trigger the exploit. It also doesn't mention specific apps that are vulnerable, so probably nothing to worry about, right?

But thanks to the way messaging apps work (except for Numbers Station!), all an attacker has to do to trigger this exploit on a victim's device is to know what identifiers they are using in messaging apps. For Signal or WhatsApp this would be the victim's mobile phone number. Attackers can search on the victim's identifier in the messaging app to see if they are using it and then send a specially crafted message with a purported image attachment to the victim's account and voila, owned. No victim interaction required, no tricking the victim, nothing...hence it is called a zero-click exploit. The victim's messaging app will happily receive the malicious message and begin processing the "image"; the device is exploited and the exploit chain then deletes the incoming message that carried it to the device, so the victim never even sees the message. Then all of their sensitive data is exfiltrated back to the attacker. More advanced attackers will also leave software on the device to continue stealing data in the future, often until the device is rebooted, but in some cases beyond that. Of course there is also the option for the attacker to track the victim via the device's GPS or to listen to discussions happening in the space where the device is located via the built-in microphone.

Numbers Station protects against zero-click exploits, including ones caused by vulnerabilities unknown to the public, in a number of ways. The initial way is by not processing image attachments in the background as messages arrive. Instead, messages from unknown senders, i.e. the attacker in the above scenario, are quarantined with no processing at all of the image attachment, thereby not triggering the exploit. Users can also decide to submit any quarantined messages they feel are suspicious to us, for us to analyze and determine if an exploit is present. If one is, we will alert the user and Apple. No other app offers this type of containment or analysis, and without it, it is very difficult to ever find an actual zero-click exploit chain being actively used in the wild. Usually just fragments of artifacts of compromise are found if the user later notices some unusual behaviour occurring, which is rare to begin with, and physically provides their device to a researcher. You can read our FAQ for more info on other ways we protect our users.
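As an added example of the containment approach just described (illustrative code written for this post, not Numbers Station's implementation), the receive-side policy below quarantines messages from unknown senders without parsing their attachment at all, and for known contacts only hands an attachment to the decoder when its container format, identified from magic bytes rather than from the sender-declared type, is on an allowlist. The allowlist, the sample messages and the decoder stub are constructed; WebP is left off the allowlist to mirror the Lockdown Mode note in the September 7, 2023 entry further down. The same principle (don't process untrusted input in the background) is what the July 10, 2023 entry describes for automatic link previews.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed receive-side policy for a messenger; illustration only.


@dataclass
class Message:
    sender: str
    text: str
    attachment: Optional[bytes] = None
    declared_type: str = ""   # sender-controlled, never used for decoding decisions


def sniff_format(data: bytes) -> str:
    """Identify the container by its magic bytes (real signatures for PNG, JPEG, WebP)."""
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    return "unknown"


# Formats the app is willing to decode automatically for known contacts.
# WebP is deliberately absent here (constructed policy choice, see lead-in).
ALLOWED_FORMATS: Set[str] = {"png", "jpeg"}


def decode_image(data: bytes) -> str:
    """Stand-in for the real image decoder; what matters is when it is reached."""
    return f"decoded {sniff_format(data)} ({len(data)} bytes)"


def handle_incoming(msg: Message, contacts: Set[str], quarantine: List[Message]) -> str:
    """Apply the policy and return the action taken.

    Unknown sender -> quarantined; attachment bytes are never inspected or parsed.
    Known sender   -> attachment decoded only if its sniffed format is allowed,
                      otherwise delivered without generating a preview.
    """
    if msg.sender not in contacts:
        quarantine.append(msg)
        return "quarantined"
    if msg.attachment is None:
        return "delivered"
    fmt = sniff_format(msg.attachment)
    if fmt not in ALLOWED_FORMATS:
        return f"delivered-without-preview:{fmt}"
    decode_image(msg.attachment)
    return f"delivered-with-preview:{fmt}"


# Constructed sample data: minimal headers followed by padding, not real images.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_WEBP = b"RIFF" + b"\x10\x00\x00\x00" + b"WEBP" + b"\x00" * 16


def demo() -> List[str]:
    """Run the policy over a few constructed messages and return the actions taken."""
    contacts = {"alice"}
    quarantine: List[Message] = []
    messages = [
        Message("unknown-number", "look at this", SAMPLE_WEBP, "image/png"),  # declared type lies
        Message("alice", "photo from today", SAMPLE_PNG, "image/png"),
        Message("alice", "another one", SAMPLE_WEBP, "image/webp"),
        Message("alice", "no attachment"),
    ]
    return [handle_incoming(m, contacts, quarantine) for m in messages]


if __name__ == "__main__":
    for action in demo():
        print(action)
```

Two details carry the security value: the quarantine branch returns before any byte of the attachment is examined, so a parser bug in the decoder cannot be reached by a stranger's message, and the format decision for known contacts is made from the bytes, so a mislabelled attachment cannot route itself to a decoder the policy meant to keep off.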

Other than using Numbers Station, you can protect yourself by also updating rapidly after an update becomes available; do not put it off. One of two things happens when a vulnerability is publicly released:

So next time you see "arbitrary code execution" in an issue for ImageIO, immediately read it as "it is highly likely that users of common messaging apps were and are currently actively being exploited and there is nothing the users of those apps could do to detect it or stop it". Attackers, like Israel's NSO Group and their clients, weep every time one of these vulnerabilities gets discovered and outed publicly; they thrive on ImageIO vulnerabilities. By using Numbers Station, you can stop them even before the vulnerabilities are found.

Samuel Groß (formerly of Google Project Zero) has an excellent blog post on his research into ImageIO and the impact vulnerabilities in it have for messaging app users. While the post is from 2020, the same types of issues are impacting users today, as recently as iOS 16.5 for certain. It is highly likely that there are still a number of publicly unknown vulnerabilities in ImageIO, or related to image processing in general, that are being actively used against victims of other messaging apps.

July 12, 2023

iOS 16.5.1 (C) is out

The final fix for the issues addressed in iOS 16.5.1 (a) is out.

July 11, 2023

iOS 16.5.1 (a) update is pulled

It appears that yesterday's iOS update has broken a number of web sites when browsed in Safari so the update is no longer available.  Presumably Apple will resolve the compatibility issue while patching the vulnerability and the update will return soon for users.  Once again, Numbers Station users are NOT at risk of zero-click exploitation from this vulnerability provided they do not have other messaging apps installed that are vulnerable.

July 10, 2023

iOS 16.5.1 (a) is out, Numbers Station is NOT at risk

Apple just released a Rapid Security Response (RSR) for iOS, bringing it to version 16.5.1 (a). This patches a vulnerability in WebKit that is likely being actively exploited. Note that because Numbers Station does not preview web links sent as a message in a conversation, it is NOT vulnerable to this exploit. Most other messaging apps though, when receiving a message with a malicious web link, will automatically start previewing the link. The preview triggers the vulnerable code and results in the device being exploited. Once again, Numbers Station is the more secure option.

July 1, 2023

We've launched the app!

Our app is now available to the public on Apple's App Store and available for download!

Please note that receiving messages is free along with creating different addresses and exchanging OTP material but sending requires an active paid subscription (subscribing is via an in-app purchase).