
Malware on iPhone and Android

Comments

  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Last weekend our director of forensic technology experienced an unusual and complicated problem on his iPhone. This is how he explained the issue:

    “Whilst at home on WiFi, whenever I would access a URL posted into a tweet, instead of taking me to the actual link I would get redirected to a website called “LinkBucks”.

    I have an iPhone 5 so I deleted the twitter app and re-installed it, but this didn’t fix the problem as the redirection was still in effect. I used other apps to access the internet and also no redirection there, even from apps that often have URLs posted (e.g. Facebook). I even changed the password on my Twitter account to no avail. There wasn’t really much help on the internet to fix the error so I began a process of elimination to detect the cause of the virus.

    I used my home laptop to log in to my twitter account, using WiFi, and there was no apparent redirect. I also could not identify any other apparent redirection of internet activity from my home computer, which has AVG Anti-virus installed.

    I then turned off WiFi and used the cell network (3G / 4G) to access twitter on my iPhone and now noted that there was no redirection. Once I reactivated wifi, the Twitter redirection to the “LinkBucks” website resumed. I decided to take the “nuclear bomb” approach and completely reset my modem using the small switch on the rear of the modem itself.

    I then accessed the modem and changed the login password (default is the usual admin/admin), changed the SSID and then re-entered in my ISP’s recommended settings. This has now fixed the problem for me.

    I can only think that my children may have somehow clicked on a link from one of the so-called free games that they play on my iPhone. I haven’t seen a re-occurrence of this problem and hopefully that’s fixed it for good.”

    Although resetting the WiFi router settings has fixed this problem for now, we strongly suspect that the real source of this issue is malicious code that has attached itself to one of the apps running on this iPhone. This code appears to be changing the DNS settings of the main WiFi connection and therefore all the name resolution traffic goes to a third party (unsecure) name server and from there all the traffic for Twitter is redirected to “LinkBucks”.

    I think the resetting of the WiFi router fixed this problem, just because it changed the SSID (network name) of the wireless network and therefore the iPhone had to disconnect from the previous faulty WiFi connection and connect to this new wireless network with correct DNS server. However, if this malicious code is still active on Dan’s iPhone, after a while, it could infect the new WiFi connection. The only way to completely fix this problem would be to identify the app that has this harmful code attached to it.

    In the meantime, if you are experiencing a similar problem on your handset and don’t want to reset your Wireless router, go to your WiFi settings on your handset and, based on the type of handset you’re using, do one of the following:

    - iPhone users: tap on the round blue information icon (i) on the right hand side of your active WiFi connection > tap on “Forget” button.

    - Android users: tap and hold on your active WiFi connection > select “Forget Network”

    Now connect to the same WiFi network again (you need to enter your WiFi password again). By following these steps, your phone resets the DNS setting of your WiFi connection and hopefully fixes the redirection issue.

    If you are still experiencing the redirection problem after resetting your WiFi connection on your phone, change the SSID (network name) of your wireless router.

    We will keep you posted if we are able to identify the source of this problem.

    Pasting blog post here for people on phones.
    I used my home laptop to log in to my twitter account, using WiFi, and there was no apparent redirect. I also could not identify any other apparent redirection of internet activity from my home computer, which has AVG Anti-virus installed.

    I then turned off WiFi and used the cell network (3G / 4G) to access twitter on my iPhone and now noted that there was no redirection. Once I reactivated wifi, the Twitter redirection to the “LinkBucks” website resumed. I decided to take the “nuclear bomb” approach and completely reset my modem using the small switch on the rear of the modem itself.

    To be honest, I would have hoped that the Director of Digital Forensics would take a forensic approach and actually figure out what caused the redirection, instead of taking the "nuclear bomb" approach, and simply fixing the issue and then theorising what caused the issue.

    God forbid he might fire up a packet sniffer or look at some log files.
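
Added example, not part of the original post or the quoted blog: a sketch of the packet-capture check the last comment asks for, run over constructed tcpdump-style DNS lines. It flags queries sent to a resolver the WiFi network should not be handing out and answers that differ from a baseline taken on a trusted network (such as the cellular connection in the story); the names, addresses, `audit` function and baseline are all assumptions made for illustration.

```python
import re

# Constructed tcpdump-style DNS lines; names and addresses are invented
# (RFC 5737 documentation ranges), not taken from the incident in the post.
CAPTURE = """\
21:04:10.101 IP 192.168.1.23.50111 > 192.168.1.1.53: 4101+ A? short.example. (31)
21:04:10.130 IP 192.168.1.1.53 > 192.168.1.23.50111: 4101 1/0/0 A 198.51.100.10 (47)
21:04:12.400 IP 192.168.1.23.50112 > 203.0.113.66.53: 4102+ A? short.example. (31)
21:04:12.455 IP 203.0.113.66.53 > 192.168.1.23.50112: 4102 1/0/0 A 203.0.113.99 (47)
21:04:15.000 IP 192.168.1.23.50113 > 192.168.1.1.53: 4103+ A? news.example. (30)
21:04:15.020 IP 192.168.1.1.53 > 192.168.1.23.50113: 4103 1/0/0 A 198.51.100.20 (46)
""".splitlines()

# Assumed baseline: answers for the same names recorded off the WiFi network.
BASELINE = {"short.example.": {"198.51.100.10"}, "news.example.": {"198.51.100.20"}}

QUERY = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.53: (\d+)\+? A\? (\S+) ")
REPLY = re.compile(r"IP (\S+)\.53 > (\S+)\.(\d+): (\d+)\S* \d+/\d+/\d+ (.*)")


def audit(lines, expected_resolvers, baseline):
    """Return sorted findings: resolvers the client should not be using, and
    A-record answers that differ from the trusted-network baseline."""
    pending, findings = {}, set()
    for line in lines:
        q = QUERY.search(line)
        if q:
            client, port, resolver, txid, name = q.groups()
            pending[(client, port, txid)] = name  # remember which name was asked
            if resolver not in expected_resolvers:
                findings.add(("unexpected_resolver", name, resolver))
            continue
        r = REPLY.search(line)
        if r:
            _resolver, client, port, txid, rdata = r.groups()
            name = pending.pop((client, port, txid), None)
            if name is None:
                continue  # reply with no matching query in this capture
            for ip in re.findall(r"\bA (\d+\.\d+\.\d+\.\d+)", rdata):
                if name in baseline and ip not in baseline[name]:
                    findings.add(("answer_mismatch", name, ip))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(CAPTURE, {"192.168.1.1"}, BASELINE):
        print(finding)
```

An `answer_mismatch` is a lead rather than proof, since CDNs legitimately return different addresses on different networks; an `unexpected_resolver` on a network whose DHCP settings only hand out the router is the stronger signal.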

