I noticed a new inbox on my iPhone recently (I have two email accounts that I authorize to come into my iPhone – one for business and one personal). It was called My Accurate Forecasts, and when I opened the mailbox, it had a few hundred spam messages. I dug deeper to see the host and username associated with that inbox and there was some stranger’s email on my phone! I did a bit of research to see if this was some sort of iOS malware and this article outlines what I discovered.
New profile found on my iPhone
When I dug into the issue, I learned about provisioning profiles and that others had similar issues with unwanted inboxes or profiles appearing on their phone. From an Apple forum post: “I had something show up on my iPhone 6 that looked like it was a normal app. Alas, it doesn't appear to be. It looked all right until it asked to be installed through settings. Now it shows up as an actual email address and it appears that it is spam email. I tried to delete the inbox, and there is no option to delete it. Any ideas from where this came?”
There’s not a lot of information out there in mainstream media about this potential iOS malware, but another Apple forum contributor found that provisioning profiles may be at the heart of the problem:
“Provisioning Profiles seem to bestow all sorts of capabilities, such as creating new accounts, installing new root certificates, and in the wrong hands, posing a certain security risk. Applications which install a new root certificate theoretically have the ability to deep-inspect network traffic or even inspect / modify network traffic by setting up a proxy server… “
According to Apple, “A provisioning profile is a collection of digital entities that uniquely ties developers and devices to an authorized iPhone Development Team and enables a device to be used for testing.” Basically, from what I could gather, a provisioning profile is embedded in an app and installed when the app is launched on your device.
In my case with My Accurate Forecast, the app seemed to piggy back on and freeze the legit Weather Underground (WU) app I have used for the past decade as my go-to for determining my weekend plans. I don’t recall installing a new weather app, but I may have inadvertedly done so when I tried to fix the frozen WU app. Well, that’s my working theory anyways.
When I read the fine print of My Accurate Forecast, it included references to a provisioning profile, and states, “By visiting our website (our ‘Site’ or ‘Website’) and accessing, downloading and/or using the information, resources, services, products, including signing up for our Accurate Weather Forecast Service where we automatically create a read only email address for the purpose of communicating with you (the ‘Service’), you understand and agree to accept and adhere to the following terms and conditions as stated in this Agreement . …”
The terms of service continue, “During your installation of the Services, we may change your settings and install additional profiles on your device to enable our Services. You expressly authorize us to make these changes.”
The email communications include “commercial messages from our advertising partners,” the app language warns.
Ok, I guess they got me! But I am sure that their terms of service never came up even if I did inadvertedly install their app. Something is fishy (or should I say phishy) here.
What can you do about it should it happen to you?
Well, for some reason – likely to avoid being call-out by the Better Business Bureau or maybe to stop people like me jamming up their phone lines to complain about their app – My Accurate Forecasts actually provides instructions on how to delete their app here. Experts report these steps also work with other malicious apps that install a fake or unwanted new profile:
1. Open “settings,” go to “general,” open “profiles” (if you do not see a ‘Profiles’ section, you probably do not have a configuration profile installed.
2. To remove a configuration profile in iOS stay in that “profiles" section hit “delete profile” on the profile that you want removed.
However, the Knowledge Management (KM) team at Indiana University warns that removing a provisioning profile could delete some settings. “In iOS 4 and later and Mac OS X 10.8 and later, you can remove a configuration profile that is outdated, interferes with other profiles, or relates to a service you no longer use. However, be aware that removing a profile will remove all settings associated with it.”
So while this particular iOS malware has not made headlines (yet), if you dig a little deeper, you will see that these problematic apps are looming out there trying to trick you into installing an app that will typically invite tons of spam onto your device. Of more concern is that an app that installs a new profile could potentially monitor all your device’s activity – including intercepting sensitive data.
Choose Sinu for help protecting the data that matters to you. Our IT support services will help safeguard the people at the heart of your business.