How criminals clear your stolen iPhone for resale

Criminals have dedicated themselves to compromising iCloud accounts to wipe clean stolen devices using a set of interesting tools.
Written by Charlie Osborne, Contributing Writer
File Photo | Public domain

Mobile devices, being valuable, expensive, and both thin and light enough for sticky fingers, are a constant target for thieves worldwide.

Smartphones and tablets are an investment and over time they have become a key to our digital kingdom with connected email accounts, social media, and cloud services -- rendering their value not only in the hardware itself but also as a potential way to compromise your personal security and hijack your digital identity.

Technology vendors have recognized this and on most major platforms, you can find apps and services to remotely track and wipe devices if they are stolen or go missing -- such as Apple's Find my iPhone service in the cloud and Google's Find my Phone service, which can track your device through GPS, lock the screen, or brick the device remotely.

However, not everyone knows of or uses these systems and there is still a vast market out there for stolen goods. But what happens when your iPhone is stolen? Where does it end up -- and how is it cleared for resale?

These are the questions that on Tuesday, researchers from Trend Micro have attempted to answer.

In May 2016, the team stumbled upon an operation in which threat actors were offering tools and services to break open iCloud accounts and unlock stolen iPhones.

Investigating further, Trend Micro found that at the core, the attack chain harnesses a victim's panic to take over these devices.


The first step is to send a spoofed Apple email or SMS message, notifying the victim that their device has been recovered. No doubt desperate to get their device back, the victim then clicks on a link which requires their iCloud account credentials.

These stolen details are then used to access and compromise the iCloud account and re-used to unlock the stolen iPhone -- cutting off the potential of remotely tracking the iPhone or bricking it entirely.

"These Apple iCloud phishers run their business using a set of cybercriminal tools that include MagicApp, Applekit, and Find My iPhone (FMI.php) framework to automate iCloud unlocks in order to resell the device in underground and gray markets," the researchers say.

The team explored three such services online and found that while they had a global customer base of thieves, they also rented out servers to send phishing messages. The groups behind these services appear to be based in Kosovo, the Philippines, India, and North Africa.

Once a tool has been purchased, the target iCloud account can be hijacked, content downloaded for other malicious activities, and also deleted outright.

It was often the case that all three major exploit kits, MagicApp, Applekit, and Find My iPhone -- an FMI.php framework which impersonates the legitimate Apple service -- would be in use at the same time.

Some of the code present in these tools are also hosted on an open GitHub repository.

Attackers are notified by email when a phishing attempt is a success. If a victim falls for the phishing campaign and enters their credentials on the fraudulent page, iCloud information including cell phone numbers, passcode length, ID, GPS location, and the answer to whether a wipe is currently in progress is grabbed by the attackers.

While the FM1.php script provides phishing capabilities, Applekit creates a network of hijacked devices, and MagicApp automates iPhone unlocking.

Once unlocked, the software can also be used by attackers to send phishing messages and set up fake GPS locations for stolen devices, which may further dupe a victim into believing their device had been found.

Together, the tools can be used to cut off Apple's services, clear the stolen device of any link to a previous owner, and ready the iPhone for resale in other markets.

"Just as the internet has evolved the way information is accessed and how businesses are conducted, it has also blurred the face of crime," Trend Micro says. "It's no longer confined to the brick-and- mortar theft. The online tools we've seen show how traditional felony and cybercrime can work concertedly-or even strengthen each other."

If you buy a secondhand device, you should check it has not been blacklisted or stolen so you are not inadvertently funding these kinds of operation. In the US, you can use the CTIA website to check a device's IMEI to make sure it has not been reported lost or stolen.

There are no vulnerabilities or bugs being exploited to conduct these criminal campaigns, but Apple has been made aware of the research and may be able to use this information to improve its tracking and remote locking services.

The 10 step guide to using Tor to protect your privacy

Previous and related coverage

    Locky ransomware used to target hospitals evolves

    The malware's authors have added a few new tricks to avoid detection.

    IoT devices are an enterprise security time bomb

    The majority of enterprise players cannot identify IoT devices on their networks -- but that's only the beginning.

    Ethereum user accidentally exploits major vulnerability, locks wallets

    Wallets are frozen while Parity works on a solution.

      Editorial standards