Rate the app now on the App Store!

We intentionally didn't add an app rating request popup in our Am I Secure? app since no one likes being pestered while they are trying to use an app!

We have since learned though that not including it was a big mistake since while we have had a very high number of subscription renewals since we launched the app 8 weeks ago, implying very happy users, we have also had very few users that went back to the App Store page for our app to rate it. Why go back to the app's page in the App Store when you already downloaded the app, right? 

If you are happy with our app, either using the free features or as a paid subscriber, your positive reviews are essential for us! To rate or review the app please go to our app's page in the App Store at https://apps.apple.com/app/id6468312814. Your help is greatly appreciated!

To everyone that already gave us a rating, all 5 out of 5, thank you!!! We apologize in advance that the next version of our app will have a popup on occasion to request a rating or review. We see now why so many apps use it, the risk of a single random rating or review is too high if an app does not have a large number of them to offset it. Even with a rating popup most apps only see 1-2% of users respond to the popup and rate the app. Without one, which requires a user to decide to go back to the app's page in the App Store to rate it, we're seeing more like 0.1%.

Many of our new users are from positive word of mouth advertising from existing users sharing the link in the app with others, this helps us so much, thank you!

If you're having any issues with the app, please get in touch at support@numbersstation.app to give us a chance to correct it. We also welcome any feedback or suggestions users may have.

Update on May 23, 2024

We asked both users if we could share a bit more info and after seeing what we posted yesterday, both gave permission.

One is in the pharmaceutical sector in France, other in manufacturing sector (user requested we not name the country). Neither user’s employer is involved with defence related activities and NO connection to manufacturing related to supplying Ukraine. It was one of the first questions we asked.

Both users felt that the threat actor is conducting intellectual property (IP) theft and not targeting them as individuals. Both work for organizations that face routine cyber attacks against their main corporate networks with the assumed primary motivations of attackers being IP theft plus the typical ransomware threat any large corporation faces.

---

Original Post

We recently detected new iOS spyware (we're calling it "Vision") on the devices of two users of our Am I Secure? app. We have user permission to share the following information.

Indicator of Compromise (IoC): /private/var/db/com.apple.xpc.roleaccountd.staging/visioniOS/

There is no legitimate subfolder like this, it is named this way to appear legitimate.

Two devices impacted, users both in Western Europe, one running iOS 17.4.1 at the time of detection and one running iOS 17.5. One iPhone 13 (17.4.1), one iPhone 15 Pro Max (17.5). Neither had Lockdown Mode enabled. No apparent connection between victims (not same industry, not same country, etc.). Victims are not journalists or activists. Neither felt they were a likely target of their own government but potentially of interest to a foreign government.

Very likely this threat actor can install on 17.5.1 as well since that update did not contain any security fixes.

The spyware does not appear to survive restart based on post-restart scanning. Re-exploitation was not observed. No copy of the spyware is currently available (not part of sysdiagnose submission) but one victim contacted law enforcement/government in their jurisdiction for further analysis and a full device backup + 24 hours of network traffic collection was performed before the device was rebooted (to detect command & control infrastructure). Other victim wiped the device upon being notified. Due to no copy yet of the implant, spyware family not yet identified.

The initial exploitation method not yet identified but both victims have multiple messenger apps installed with readily obtainable contact details tied to those messenger apps. Neither recalls any links recently received and neither travelled outside of their country (i.e. not using foreign ISPs or mobile providers where traffic could be modified). Both only had common popular apps installed.

If you want to check your device, create a sysdiagnose file now, don't restart your device, allow 10-15 minutes for it to complete and then submit it via Am I Secure? for analysis. 

Our Am I Secure? for Work product would have also detected these compromises.

Most iOS users are surprised to learn that apps that advertise themselves as "antivirus" or "virus scanners" on the App Store cannot actually scan for viruses, let alone spyware and malware. Huh? What?! Yeah, it's true, it is not possible for 3rd party apps (i.e. ones not from Apple) to access the operating system or system files directly or to access files in other apps to scan them due to what is called app "sandboxing". Sandboxing is a feature in iOS that isolates apps for privacy and security reasons. This includes antivirus apps from all of the major antivirus companies.

We'll explain at the end how Am I Secure? is able to avoid these restrictions and successfully detect spyware, malware and viruses on iOS.

On Android, unlike iOS, it is possible for apps to request special permissions that allow them to access more data than normal outside of the app sandbox, such as all files on the device, to perform virus scanning but this level of access is not permitted on iOS, even if the user wanted to grant it. Due to this, many vendors play sneaky games where they advertise the features of their Android antivirus app while not clarifying that the features are not possible on the iOS version of their app. This feels like a class action lawsuit against them waiting to happen.

So what do these "antivirus" apps on the App Store actually do if they are not able to scan for viruses? They generally provide the following features to give the impression of having security value while implying that they can scan for viruses.

1) Device security check: all they are doing is checking if your device is on the latest version of iOS and if a passcode is set, nothing more, often with a fake "scanning" screen that runs for a few seconds to make it look as if your device is actually being scanned. You don't need an app to tell you these two checks! Some throw in a "jailbreak" check but such checks cannot detect advanced spyware. We do many more checks than this and do so for FREE and only include the iOS version and passcode checks since users expect it from security apps. We have a "scanning" button and screen too but it is because it takes time for our iCloud Private Relay check to complete, something is actually happening in the background.

2) Malicious web site blocking: they claim to protect your iOS device by blocking malicious web sites. Here's a little secret, no one has a list of the handful of web sites that are actively attacking iOS devices right now. Such web sites are usually targeted to specific victims, hand crafted to go after one specific person. The part of the web site containing the attack is not available to anyone but the victim, attackers limit access to the malicious portion of the site to only IP address ranges associated with their victims to protect the technology being used to attack from being discovered. As a result, security researchers have a hard time obtaining the attack exploits and confirming the site is malicious even in the rare occurrence where a potential victim shares the web site with them. If you are outside of the victim's IP address range you get a safe non-malicious version of the web site. All these antivirus companies are doing is using lists of web sites that are known to be malicious to Windows systems and occasionally macOS and Android, totally irrelevant to iOS.  Zero protection or security value for your iOS device.

3) "Safe" network check: looking for "Man-in-the-Middle" (MitM) attacks against common domains, i.e. someone trying to break the encryption between your device and a server.  Our app does this for FREE, others make you pay for it.

4) Identity "protection": there isn't really any protection since that implies they help protect your identity from being stolen in the first place, when all they do is alert you that your information has shown up somewhere on the Internet as part of a breach of a company. You can do this yourself for FREE by visiting a popular site https://haveibeenpwned.com (not affiliated at all with our company), a site that is likely much more comprehensive and timely than the apps offering identity "protection". Google's  "Google One" service also offers a paid "dark web report" that can alert you when your information shows up online.

5) VPN service: we don't generally recommend using a VPN since most of the communications leaving your device these days are already encrypted and trusting a sketchy VPN company with your network traffic allows them to use it for all sorts of malicious purposes. Many of the antivirus apps actually outsource their VPN service in the background to other companies, ones you have never heard of. In North America and Western Europe, we'd sooner trust our local Internet Service Provider (ISP) or cellular/mobile company to handle our network traffic directly. This assessment changes of course if you live in authoritarian countries where Internet access is restricted and/or your local network connectivity can be used to exploit your device. You can also create your own VPN server and use it, the best option no matter where you live! Recently a number of VPN apps on iOS have also been impacted by the "TunnelVision" vulnerability, so if you are using one, it is worth searching for more info on it from sources other than your VPN company's web site.

6) Phishing web site blocking: finally, something these apps can actually do that might be useful and improve your security, blocking web sites that pretend to be a legitimate web site, like your bank, to trick you in to logging in to them to steal your username and password. Even here though, the value this feature offers is questionable since such web sites are put up and taken down rapidly so by the time they are discovered and blocked in the app, the site might not even be online anymore. Sophisticated users aware of cybersecurity threats already know what to look for to avoid phishing sites and most users access their bank and other major sites via an app, not via the web browser.

Common Questions We Get About iOS Antivirus Apps

Question #1: Don't antivirus apps have special entitlements from Apple to be able to access everything required for virus scanning?

A: While there are special entitlements one can receive from Apple, no such entitlement that would cover this exists. So no, Apple does not allow anyone this access, even major antivirus vendors.

Question #2: Don't antivirus apps use privilege escalation exploits to break out of the sandbox to be able to scan?

A: No. Even if an antivirus vendor had such exploits, using them would for sure get a company banned from the App Store but would also rapidly result in the exploit being discovered and patched by Apple so it would only be useful for a very short period of time.

Question #3: A competing app says it can also detect Pegasus spyware, how is that possible if it is limited to the app sandbox?

A: One version of Pegasus spyware, a version that is years old now, was detectable from within the app sandbox and one competing app uses this fact to make it sound like it can detect current infections of Pegasus. After this version was discovered by researchers at Citizen Lab at the University of Toronto, the NSO Group, the creator of Pegasus, rapidly modified it to ensure that it never again left indicators that were detectable from within the app sandbox. The check this app includes was useful years ago and only for a few days before the spyware was updated. No app currently on the App Store other than Am I Secure? is able to detect current versions of spyware, malware or viruses.

How Am I Secure? works

Am I Secure? is the only app using a new technique where the user, via iOS, generates system diagnostic data ("sysdiagnose") and then shares it with our app for analysis. By doing so it allows the Am I Secure? app to access data outside of the app "sandbox" to detect spyware, malware and viruses. Am I Secure? is the ONLY app using this technique and therefore the only app that can actually detect spyware, malware and viruses. Our company has been using this approach to analyze iOS devices for a number of years now and are the only company with widespread experience in this technique with a custom "sysdiagnose" analyzer suite we use to check each submission from our users. Before our app, clients submitted sysdiagnose files to us via email, the app opens up spyware detection to a much wider audience.

As you may have noticed, we haven't updated our blog in a while, we focussed on communications on Twitter/X, but we will once again be routinely updating our blog and notifying users of updates in the app.

More NSO Group related exploits...it never ends. Update iOS ASAP, updates for iOS 16 and 17. 

https://support.apple.com/en-us/HT213926 (iOS 17.0.1)

https://support.apple.com/en-ca/HT213927 (iOS 16.7)

Update Sept 22: turns out it wasn't related to the recent NSO exploit chain, it was Intellexa/Cytrox dropping Predator on a target via a man in the middle attack.  If you can use Apple's iCloud Private Relay, that would stop this type of network injection, use it!

Update your Apple devices ASAP.  Another ImageIO vulnerability which of course likely means it can be triggered via a "zero-click" exploit chain sent to other messaging apps.  Unknown yet which image format(s) it targets specifically, therefore unknown if Lockdown Mode would protect against it or not.  As always, if you're using Numbers Station with quarantine on, you have been protected from this and will continue to be so, even if you do not update...but update!

Update: Apple confirmed that when Lockdown Mode (LM) is enabled it blocks this vulnerability from being exploited. The vulnerability is in the WebP image format which is blocked when LM is enabled.

When a new iOS update comes out, not many people click on the security notes link to see the details. Perhaps they once did but found the info hard to follow or to connect it to how it would impact them.

The recent iOS 16.5.1 (c) release was somewhat clear for average users: "Processing web content may lead to arbitrary code execution".  Many users would understand this to be a vulnerability triggered by web browsing in Safari and perhaps be a bit more careful what they click on until the update is installed. They may not know what arbitrary code execution means but get that it isn't good. They may also miss the point that it impacts apps other than Safari, including most messaging apps, but overall, they get the main point.

But what about when the security notes contain other issues, how does the following impact a user? The following is from the iOS 16.5 security notes:

ImageIO

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing an image may lead to arbitrary code execution

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2023-32384: Meysam Firouzi @R00tkitsmm working with Trend Micro Zero Day Initiative

When a user reads "Processing an image may lead to arbitrary code execution", they might assume that it means a user has downloaded a malicious image from some sketchy web site and then opened it in an image editing app or would have to have taken obvious steps to trigger the exploit.  It also doesn't mention specific apps that are vulnerable so probably nothing to worry about, right?

But thanks to the way messaging apps work (except for Numbers Station!), all an attacker has to do to trigger this exploit on a victim's device is to know what identifiers they are using in messaging apps.  For Signal or WhatsApp this would be the victim's mobile phone number. Attackers can search on the victim's identifier in the messaging app to see if they are using it and then send a specially crafted message with a purported image attachment to the victim's account and voila, owned. No victim interaction required, no tricking the victim, nothing...hence it is called a zero-click exploit. The victim's messaging app will happily receive the malicious message, begin processing the "image", the device is exploited and the exploit chain then deletes the incoming message that carried it to the device so the victim never even sees the message. Then all of their sensitive data is exfiltrated back to the attacker.  More advanced attackers will also leave software on the device to continue stealing data in the future, often until the device is rebooted, but in some cases beyond that. Of course there is also the option for the attacker to track the victim via the device's GPS or to listen to discussions happening in the space where the device is located via the built-in microphone.

Numbers Station protects against zero-click exploits, including ones caused by unknown to the public vulnerabilities, in a number of ways.  The initial way is by not processing image attachments in the background as messages arrive. Instead messages from unknown senders, i.e. the attacker in the above scenario, are quarantined with no processing at all of the image attachment, thereby not triggering the exploit. Users can also decide to submit to us any quarantined messages they feel are suspicious for us to analyze and determine if an exploit is present. If one is, we will alert the user and Apple. No other app offers this type of containment or analysis, and without it, it is very difficult to ever find an actual zero-click exploit chain being actively used in the wild. Usually just fragments of artifacts of compromise are found if the user later notices some unusual behaviour occurring, which is rare to begin with, and physically provides their device to a researcher. You can read our FAQ for more info on other ways we protect our users.

Other than using Numbers Station, you can protect yourself by also updating rapidly after an update becomes available, do not put it off.  One of two things happens when a vulnerability is publicly released:

• Attackers that were unaware of the vulnerability begin researching and race to create an exploit to take advantage of it and use it against any of their targets before they update. This could take them a bit of time to do though, so users have a bit of time to update.

• Attackers that already knew about the vulnerability and have an exploit for it in their toolkit begin immediately launching it against any potential target they, or their clients, ever had.  The exploit is already "burned" so there is no longer any concern about burning it.  Before it was public, attackers might have been more selective about who they used it against, now they'll try it against a few thousand targets all at once.

So next time you see "arbitrary code execution" in an issue for ImageIO, immediately read it as "it is highly likely that users of common messaging apps were and are currently actively being exploited and there is nothing the users of those apps could do to detect it or stop it".  Attackers, like Israel's NSO Group and their clients, weep every time one of these vulnerabilities gets discovered and outed publicly, they thrive on ImageIO vulnerabilities. By using Numbers Station, you can stop them even before the vulnerabilities are found.

Samuel Groß (formerly of Google Project Zero) has an excellent blog post on his research in to ImageIO and the impact vulnerabilities in it have for messaging app users. While the post is from 2020, the same types of issues are impacting users today, as recently as iOS 16.5 for certain. It is highly likely that there are still a number of publicly unknown vulnerabilities in ImageIO, or related to image processing in general, that are being actively used against victims of other messaging apps.

The final fix for the issues addressed in iOS 16.5.1 (a) is out.

It appears that yesterday's iOS update has broken a number of web sites when browsed in Safari so the update is no longer available.  Presumably Apple will resolve the compatibility issue while patching the vulnerability and the update will return soon for users.  Once again, Numbers Station users are NOT at risk of zero-click exploitation from this vulnerability provided they do not have other messaging apps installed that are vulnerable.

Apple just released a Rapid Security Response (RSR) for iOS, bringing it to version 16.5.1 (a).  This patches a vulnerability in WebKit that is likely being actively exploited.  Note that because Numbers Station does not preview web links sent as a message in a converation, it is NOT vulnerable to this exploit.  Most other messaging apps though, when receiving a message with a malicious web link, will automatically start previewing the link. The preview triggers the vulnerable code and results in the device being exploited. Once again, Numbers Station is the more secure option.

Our app is now available to the public on Apple's App Store and available for download!

Please note that receiving messages is free along with creating different addresses and exchanging OTP material but sending requires an active paid subscription (subscribing is via an in-app purchase).