Site icon The Mac Security Blog

Is Your iPhone’s Lockdown Mode Fake? – Intego Mac Podcast Episode 321

Fake loan apps aren’t getting removed from the Apple App Store fast enough, and scammers continue to prey on users. Push notifications can be hacked to grab your personal information; we explain how it’s being done by government agencies. And we take a look at a newly discovered technique that can fool users of Apple’s Lockdown Mode.


If you like the Intego Mac Podcast, be sure to follow it on Apple Podcasts, Spotify, or Amazon.

Have a question? Ask us! Contact Intego via email if you have any questions you want to hear discussed on the podcast, or to provide feedback and ideas for upcoming podcast episodes.

Intego Mac Premium Bundle X9 is the ultimate protection and utility suite for your Mac. Download a free trial now at intego.com, and use this link for a special discount when you’re ready to buy.


Transcript of Intego Mac Podcast episode 321

Voice Over 0:00
This is the Intego Mac Podcast—the voice of Mac security—for Thursday, December 7, 2023.

This week’s Intego Mac Podcast security headlines include: Fake loan apps aren’t getting removed from the Apple Store fast enough. And scammers continue to prey on users. Push notifications can be hacked, to grab your personal information. We explain how it’s being done by government agencies. And we take a look at a newly discovered technique that can fool users of Apple’s Lockdown Mode. Now, here are the hosts of the Intego Mac Podcast: veteran Mac journalist Kirk McElhearn, and Intego’s Chief Security Analyst, Josh Long.

Kirk McElhearn 0:46
Good morning, Josh, how are you today?

Josh Long 0:48
I’m doing well. How are you, Kirk?

Observing a macOS 10 anniversary

Kirk McElhearn 0:50
I’m doing fine. We’re recording on December 6, and yesterday was an anniversary. Do you know what it was an anniversary of?

Josh Long 0:56
It was the 22nd anniversary of the final release of macOS? Nine 9.2.2.

Kirk McElhearn 1:03
Do you know what it was also an anniversary of?

Josh Long 1:06
No. What else?

Kirk McElhearn 1:08
It was the 90th anniversary of the repeal of Prohibition? (Oh, okay. Well, there you go.) Nothing in common between the two. But we talked about before the show we were talking about it was around this time of year around December, when I finally switched from macOS to macOS 10. Because I had a book project coming up writing a book about Office for macOS 10. macOS 10.0 came out in March and macOS 10.1 came out in September. So after what a year or year and a half of public beta 10.0 was not entirely finished. But 10.1 was, as you would say, “ready for primetime”. So macOS 9.2, you could have used it for a while with older Macs. But this is the period when the big change started happening. It was slow, it was gradual. But this is where the Mac shifted so much from, you know, the old fashioned macOS to, just think, a version of macOS where you have user accounts.

Josh Long 2:03
9.2.2 was also the version that you continued using all the way up through I think it was macOS 10.4 Tiger. So basically what you used to do, if you wanted to continue running old Mac apps on your macOS 10 machine, it would boot up the Classic environment. So you’d actually see the the old macOS logo and the icons marching across the bottom of the screen for you as your Extensions loaded. And then that would disappear. And then you would be able to run your old Classic apps, more or less transparently as separate applications on your macOS 10 machine.

Kirk McElhearn 2:39
It’s a huge transition. And we’ve talked about it recently to transition from Intel to Apple silicon before that from PowerPC. To Intel, it’s a huge transition. We don’t really notice the transition in the processors in much that’s all behind the scenes. But that was a big transition from the old macOS to macOS 10. And I would argue that it really worked out very well for apple that it was a simpler system, it was much more modern and efficient. And it made Apple devices a better competitor in schools and in offices than they had been previously.

Josh Long 3:14
Completely agree. Yeah, from like a stability perspective. I mean, having a Unix-like operating system as the underpinning was a really, really good move for Apple.

What is the Turtle Ransomware?

Kirk McElhearn 3:24
Okay, we sound old here reminiscing about the old days. Let’s talk about the Turtle macOS ransomware. You know, I often laugh at some of the funny names they make up and this one’s good: Turtle. Who’s worried about a Turtle?

Josh Long 3:36
Turtle doesn’t doesn’t sound too dangerous, right? What’s the Turtle going to do to me, but this particular ransomware has actually been around for a while, but it just sort of like surfaced recently as somebody came across this on VirusTotal, which is a site where anybody can upload a file and test to see whether any of like almost 70 Different antivirus engines detect to this some whatever file as malware or not. So this particular sample, one of these samples only had about 24 detections out of the 62 engines that looked at this particular sample. So it’s that’s a pretty low detection rate. Other samples had about eight out of 62. So basically, even if you had a lot of antivirus software, it may not have necessarily caught this. And there’s a whole bunch of different variations of this malware to there are a couple of different Mac variants of it and a whole bunch of Windows and Linux variants of it as well. It behaves pretty much like you would expect ransomware to behave so when it starts encrypting files. It puts a special file name extension at the end of the file. So it’ll add “dot turtle rand v zero” to the end, and that’s probably where the name Turtle comes from is this extension that it adds on to the end of encrypted files. But fear not. Intego VirusBarrier will protect you from this malware.

Fake Loan Apps on the App Store

Kirk McElhearn 5:05
Always. We have a story that we want to talk about very briefly, a fraud loan app is ranking number one in App Store search results in India after just three days. Now, we talked about this problem several times on the podcast, something specific to the Indian economy, allows people to lend money through apps. I know that here in the UK banking regulations wouldn’t allow that. I mean, I can take out a loan from my bank using my bank app, right, but I can’t just take some random app and borrow money. The problem here is that a lot of these apps are frauds. And I don’t know what to do about it. If Apple’s not able to weed out these frauds. They’re putting people at risk, aren’t they?

Josh Long 5:43
Yeah, and India is really not the only country. There’s one particular guy who does this, like voluntarily, he took the month of November off, which is why we haven’t talked about it for a little while. But he got back into it. He’s like, You know what, I took my mental health break from this volunteer work that I’m doing. And I’m gonna come back to it now, because it’s still a big problem. So India, Nigeria, Indonesia, and Thailand are the four countries that he’s been focusing on researching. He lives in India. So most of these apps that he finds are from the India App Store. But nevertheless, I mean, this, this does continue to be a problem with loan apps in particular is the thing that he typically researches. But, again, we’ve seen lots of examples of other things we just mentioned the beginning of last month, beginning of November, about a month ago, that there were already apps that mimicked x ai, which, you know, is another one of these AI companies, this is one of Elon Musk’s companies. And they had just announced they were going to come out with crock, you know, this, like ChatGPT competitor. And there were already x ai fake look like apps in the App Store. Apple did, by the way, remove those pretty quickly after I published my article, so I’m glad to see that at least somebody at Apple was listening.

Push notification read receipts can be intercepted by, among others, governments

Kirk McElhearn 7:05
Okay, really interesting story that came out, governments have been spying on Apple and Google users through push notifications, I had never considered that this was a possibility. But when an app wants to send you a push notification, it has to go through Apple or Google services to be able to contact your device. And your device has to send a read receipt back to the company. And this Read Receipt can contain a lot of metadata, such as your IP address, and potentially other things. Apparently, governments are using this to track down people that either activists are criminals or people they’re looking for.

Josh Long 7:39
One of the bits of data that we know that Apple does get is an acknowledgment that the push notification was received on some device that belongs to you. We don’t know for sure about what other metadata we assume that probably an IP address is likely one of those items. But apparently, according to Senator Ron Wyden, government agencies are asking Google or Apple to let us know what metadata you’ve gotten from these push notifications that you are sending out. Because remember, when an app is sending you a push notification, technically, it’s Apple sending you the push notification on behalf of that app developer. There’s something called the Apple Push Notification Service, A-P-N-S. And that’s what’s actually sending you the notification, not the developer directly.

Is Apple still planning on supporting the RCS messaging protocol?

Kirk McElhearn 8:29
Okay, we recently talked about Apple’s announcement that they would support RCS which is Google’s form of encrypted messaging. sometime next year, let’s assume it’s iOS 18. In the fall of next year. This is partly inspired by the EU looking at Apple as not providing an interoperable service. And so Apple is said, Okay, we’re gonna do this, as you know, because we don’t want to be hassled and all that. It turns out that iMessage is not likely to be governed by the EU’s DMA, the digital markets app, due to small number of users in Europe. Apparently, a lot more people use apps like WhatsApp to exchange messages. And my speculation is that iPhones have lower market share here. So people are more likely to know people with Android phones, if they have iPhones. So they have to fall back on something that’s compatible. In this case, iMessage can’t be seen as having any sort of monopoly or large presence in the market. In fact, if anything, it might be WhatsApp, which has the larger presence which of course is owned by Facebook.

Josh Long 9:28
Right. So this is this is a good thing in the sense that Apple is not going to be forced by a government body to open up iMessage in any sort of way that might potentially compromise security. I would have no problem with Apple having an iMessage app on Android. If they chose to do that. I think that’s totally fine. But it seems like what Apple is doing instead, as evidenced by the recent announcement that they’re going to be supporting RCS a year from now. That apple instead just wants to build Hold in interoperability with Android by adopting RCS because that’s the messaging standard that’s being used on Android devices right now, or at least a variation of RCS. So I think it’s great that Apple is doing that better interoperability with Android, as in the default messaging apps, I think, is a great, great thing. And, you know, I think there are too many complications with trying to get iMessage working properly as if Apple were to open it up as an open standard, right? The problem is in if other developers are trying to implement iMessage, in their third party apps on Android, that would be very complicated and difficult to do in an apple like experience, right? Because remember, iMessage is more than just tap back notifications, the Thumbs Up on a message or things like that. There’s also things like Apple Pay that would potentially need to be supported and the full screen animations of you know, explosions, or confetti or different things like that. There’s a lot of stuff that I really feel like it would be difficult for third party developers to do in a very Apple like way.

Kirk McElhearn 11:10
Yet, there is an app that has brought native iMessage support to Android, we talked recently about Nothing, the phone company that was using a system where you would have to basically give over your Apple ID and password and it worked as a proxy, this one doesn’t. The person who created this reverse engineered iMessage and figured out how to make this work.

Josh Long 11:32
Yeah. Which is really interesting, right, because we saw how Nothing and Sunbird really kind of failed spectacularly at doing this and in any kind of secure way. Well, this company Beeper has actually been around for a while they’ve been doing this, and using the proxy method that we talked about before that sunbird was trying to use. However, Beeper has found a new method by reverse engineering the iMessage protocol. So Kirk, you tried to replicate this on an Android phone that you have what happened?

Kirk McElhearn 12:04
Yeah, I have a Google phone, I bought a Google Pixel six, eight to get to know how the other side lives. And I downloaded the app, I set up the free trial for seven days, it’s 199 a month. And I put in all the information and I got a thing that said something went wrong, please check your network and try again. And I tried again and again and again. And the message came up too quickly for it to be a problem contacting a remote server, which generally would take a little bit longer. So I’m not sure if it has something to do with the network settings of the network that I’m on. Because these things can be quite tricky, right. I emailed the company to see if they can help me find what’s going on. I’ve seen on the Beeper blog, some people commented that they had the same problem. And I’ve seen in an article about this and other people had the problem. So we’ll come back to this hopefully next week, I’d like to know if you really can use iMessage on an Android phone. Just to point out I was able to make phone calls and SMS and all that. So it wasn’t a problem with the phone was accessing the network without any problem. And

Josh Long 13:03
I have seen videos of other people demonstrating Beeper Mini and in showing that it worked for them. So but it may or may not work for everybody, because a lot of people are having trouble with this. And I suspect that it’s probably going to be difficult to get a quick response from their tech support because well, probably millions of people are downloading Beeper Mini on their Android phones right now to try it out.

Has Google started deleting abandoned Gmail accounts yet?

Kirk McElhearn 13:25
Okay, quick reminder, we talked about this about a month ago, Google has started deleting inactive Gmail accounts, they started on the first of December, if you haven’t logged into your account in two years, they will delete your account. Well, they might delete your account, they don’t say they’re going to definitely delete everyone’s account. So what you need to do is maybe make a reminder in your calendar to log into an old Google account once a year. Now I discovered this, as we talked about several weeks ago, when I got an email from Google saying, Well, you’ve got this account, you haven’t logged in. And I don’t even remember having made the account, which I set up in 2003, obviously, to test something for an article. So I did log in to keep it even though I’m never going to use it. But if you do have an old Gmail account, I know a lot of people have multiple Gmail accounts. So if there’s one you haven’t used for awhile, log in once a year. When we come back, we’re going to talk about a really clever, interesting exploit. That fools people into thinking that Lockdown Mode is enabled on their iPhone.

Voice Over 14:32
Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years. And our latest Mac protection suite includes the tools you need to stay protected. Intego’s Mac Premium Bundle X 9 includes Virus Barrier, the world’s best Mac anti-malware protection, Net Barrier, powerful inbound and outbound firewall security, Personal Backup to keep your important files safe from ransomware. And much more to help protect, secure and organize your Mac. Best of all, it’s compatible with macOS Sonoma, and the latest Apple silicon Macs. Download the free trial of Mac Premium Bundle X 9 from intego.com today. When you’re ready to buy, Intego Mac Podcast listeners can get a special discount by using the link in this episode’s show notes at podcast.intego.com. That’s podcast.intego.com and click on this episode to find the Special Discount Link exclusively for Intego Mac Podcast listeners. Intego. World class protection and utility software for Mac users made by the Mac security experts.

Is Apple’s Lockdown Mode safe from hackers?

Kirk McElhearn 15:48
One of the things about the work we do about security is that every once in a while we come across a story that is so clever that it makes us almost I don’t want to say appreciate what the hackers have done. But it makes us realize that there’s a lot of intelligence going into this and a lot of thought going into coming up with serious exploits is a very serious exploit because we’ve talked about Lockdown Mode in the past. Lockdown Mode is for people who are really at risk. And this could be activists and journalists and people like that. It turns off a lot of features. Of course, Josh uses Lockdown Mode even though he’s not much at risk where he is. But if you think Lockdown Mode is active on your device, you may treat it differently than if you’re worried about someone hacking you a company called Jamf that has an MDM solution for Apple devices, a mobile device management solution. They showed a proof of concept that could fool users believing that Lockdown Mode was activated on their iPhones. Josh, tell us about this first, what is a Lockdown Mode? And what does it do to your iPhone?

Josh Long 16:51
That’s a great place to start. Lockdown Mode is a feature that Apple is designed that allows you to blink it disable a bunch of iOS or macOS features for the purpose of making your device harder to hack. In the past. There have been a lot of these attacks, like we talked about the Pegasus spyware being used against iPhones. So nation state government, you know level threat actors. If they want to break into somebody’s phone, they will send them a message. Sometimes it’s an even zero click message if they found a vulnerability they can exploit where they can just send a message to your device without you having to even click on anything necessarily. Now your device becomes infected with malware that usually is very cleverly hiding in the background and very difficult to detect.

Kirk McElhearn 17:47
So one example of this is a poisoned PDF. If you get a PDF like this and the iMessages app iMessages if it’s not in Lockdown Mode is going to attempt to render the PDF to show you a thumbnail. And at this time, that’s the whole point of zero quick is that during this rendering, it could exploit a vulnerability and install the malware. So what did Jeff find? How did they manage to fool users into thinking that Lockdown Mode is enabled when it’s not?

Josh Long 18:14
The hack that they discovered was that it’s possible to manipulate the way that the Settings app and the Safari browser display information to you to indicate whether Lockdown Mode is on or not? So in a hypothetical scenario, let’s say that somebody thinks that they might have been hacked. And so they think you know what, just to be safe, I’m going to enable Lockdown Mode. So what they would do, they would go through the normal process, they would open the Settings app, and they would enable Lockdown Mode, it would appear that their device restarts. And then even if they go into the Safari browser, it will tell them it with a little banner that Lockdown Mode is on. So by all appearances, at least so far, there’s no obvious indication that Lockdown Mode is not actually on. Now, in this hypothetical scenario, what is actually happened was, the user really was already infected. And what happened was this malware that was on their iPhone was manipulating the interfaces of both the apple Settings app and the Safari browser to show the user that they were actually in Lockdown Mode. And by the way, their phone didn’t actually restart either. It just looked like it was restarting.

Kirk McElhearn 19:39
So when you turn on Lockdown Mode, your phone has to restart. And the reason for this is it’s going to restart without a number of services being active. The kinds of services that make these previews and do all sorts of other things. It’s very important that the phone restart because there’s always a risk if it tries to just kill all the services. They might not all terminate and they might still be active in the background.

Josh Long 19:59
And another really important point here is that if your phone has completely been shut off and turned back on, or if it’s been fully restarted, then usually that clears out most of these types of infections, because they’re memory resident, they don’t have persistence, meaning they’re not going to come back after the phone is completely shut off, and then turn back on.

Kirk McElhearn 20:24
So one exception might be if you get that PDF and the Messages app and you go to that message thread and see the preview, even if you’ve restarted the phone that could potentially reinfect a phone right?

Josh Long 20:36
In your example, if someone has sent you a PDF file that just by iPhone loading the preview of that PDF file, yes, your device could become reinfected after you restart it.

Kirk McElhearn 20:47
Okay, so what really gets me here is that they were able to manipulate the interface elements in Safari, which is one thing, but also in the Settings app, which seems to me a real serious problem. I mean, I can imagine you make a webpage that looks like that, and it says Lockdown Mode is on or whatever. But doing that in the Settings app, that seems like a real serious exploit?

Josh Long 21:09
Well, it’s very important that we back up here a little bit and remind people that in order for this to work, basically, your phone has to already be infected, it’s already got some nation state level threat actors spyware on your device. And it’s that spyware, because it’s able to operate at such a deep level into the operating system, it’s able to manipulate basically, whatever it wants to. That’s how it’s able to do this. Again, this is something that Jamf kind of discovered in their research. So we don’t know for sure that any threat actors are doing this or have done this. But now that we know that it’s possible, we need to be extra careful about how we enable Lockdown Mode.

Kirk McElhearn 21:55
So it’s really important when you enable Lockdown Mode to restart your phone, and this exploit makes it look like it’s restarting. And it might not be enough to just use the normal way of restarting where you press and hold two buttons, and then you slide to thing on the front. Because that too can be spoofed, right?

Josh Long 22:14
Yes, unfortunately. So if you hold down the power button on a device that’s actually infected, you may actually get this slide to power off. And if you do slide it, that might actually be a spoofed message. So even though you think you’re turning off your device completely, it may not actually be turning off again, because that malware wants to stay active and wants to stay alive memory resident. So it will just pretend like your device is being shut off. And then the next time you press the power button, you’ll get the Apple logo and it’ll look like it’s turning back on.

Kirk McElhearn 22:50
How can we trust our devices anymore? I mean, you and me we’re not being targeted, as you like to say nation state level malware. This is targeted to specific people. But how can we trust anything? Is there any way… there really isn’t, is there? T here’s always holes that will be discovered, there’s always weaknesses, there’s always little things, it’s not necessarily the fault of Apple in their software. It’s just that the software is so complicated, that sometimes you can figure out a way around it.

Josh Long 23:18
Yeah. And that’s the great secret. Unfortunately, not all of us. In fact, none of us not a single person on the planet is going to be going and mining their own silicon, and creating their computer from the ground up and analyzing every component to make sure and even if you did all that you’d have to have your own custom operating system (And your own custom internet). Yeah, oh, well, and you’re connecting to the internet too Yeah, at some point or other, you’re gonna have to trust somebody else with something. So basically, all we can do is do the best that we can with what we have.

Kirk McElhearn 23:54
Okay, so one thing that you can do, if you think your phone might be infected, you need to restart your phone, but not using the normal method that we just talked about. There’s a way of force-restarting your iPhone. And as we were talking before the show, I remembered that once I had a problem with my iPhone, and I was on a call with Apple support, and they had me do this, pushing a bunch of buttons. It was the first time I’d ever heard of it. We’re going to link in the show notes with Apple support document. But Josh, go through the process here.

Josh Long 24:22
Okay, so you’re going to tap the Volume Up button, tap the Volume Down button, and then hold down the power button until you see the Apple logo. And then eventually your phone’s going to restart. And that is a hard-reset so theoretically there should be no way that malware can fully spoof that.

Kirk McElhearn 24:42
Yeah, I think what happens here is that this is something that’s in the firmware of the phone just as you have a recovery partition on a Mac, something that is not in the operating system, and it cannot be violated by malware. So this is the way to make sure that you’re restarting. You’re not getting spoofed, you’re not getting tricked. I remember a time I had to do this on the phone with Apple, it took me three tries to get it right, because it’s unnatural to press and press and then press and hold and all that. But it’s it’s good to remember that if you do think that your device is infected, or if you have any problems with your iPhone, you can’t turn it off. Try to do this because this boots it, I want to say it clears out everything and reboots, it is a little bit different than a normal restart. In fact, it’s probably what you would get if you took the battery out of your iPhone and waited and put it back in. But since you can’t take the battery out, this is your only choice. So Josh is going to do this in real time and time how long it takes, it’s not that long, it’s just you got to press the buttons kind of quickly.

Josh Long 25:38
It takes about 15 seconds, maybe a little longer than that, let’s say 20 seconds, from the time that you tap up down, and then hold the power button until you actually get the real Apple logo. So I would say give it at least 20 seconds of holding that power button down.

Kirk McElhearn 25:54
Okay, so we’ve talked about the fake Lockdown Mode, and we’ve talked about the force restart. But how can you check to see if Lockdown Mode is really enabled on your device.

Josh Long 26:05
What I would suggest is if you’re going to do this test, you have to make sure that your device has been hard reset. So do that first. That’s step number one. The next step is to load a PDF in the Safari browser. To make this a little bit easier for you. If you go to the show notes at podcast.intego.com. Click on the show notes for episode 321. That’s this episode. And we’ll have a link to a PDF on the Intego website. This is a white paper that I wrote a few years ago about Mac malware attribution, so you know it’s safe. When you tap on that link. If the PDF loads in the Safari browser, that means Lockdown Mode is not on.

Kirk McElhearn 26:45
Okay, you can use any PDF, but Josh just wanted to do that to have a link in the show notes. If you want to try it right now if you’ve got Lockdown Mode on right now and you want to try it, you can use that file, but you can try any PDF. There are a number of other things that locked down mode blocks, we’re not going to really go through them. But a PDF is the best way to test. So we’re going to keep our eyes on this and see if Apple issues of fix for this. I certainly hope they do. I would assume that they will credit GIMP for finding this when they issue the fix. It’ll be interesting to see how long it takes because this is a very serious vulnerability that could have serious effects for let’s say the handful of people who use Lockdown Mode, but for whom it can be extremely serious. Alright, until next week, just stay secure. All right, stay secure.

Voice Over 27:31
Thanks for listening to the Intego Mac Podcast—the voice of Mac security—with your hosts, Kirk McElhearn and Josh Long. To get every weekly episode, be sure to follow us on Apple podcasts or subscribe in your favorite podcast app. And if you can leave a rating, a like, or a review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode at podcast@intego.com. The Intego website is also where to find details on the full line of Intego security and utility software: intego.com

Share this: