SIDENOTE: This post was originally published in September 2016. But we gave it an update in August 2019.
YOUR APPLE DEVICE HAS A VIRUS (Apple Scam) is a common fake tech support scam that is being distributed in an active distribution campaigns. Various criminal collectives throughout the years have been known to use it. Our article gives victims information on removing active infections from their Mac OS X computers.
|Name||YOUR APPLE DEVICE HAS A VIRUS|
|Type||Phishing scam, Fake Tech Support message|
|Short Description||An Apple scam that combines a virus deployment with a fake tech support criminal scheme.|
|Symptoms||The victim users will be shown a fake tech support Apple scam message.|
|Distribution Method||Bundled downloads, malicious scripts and other methods.|
|Detection Tool|| See If Your System Has Been Affected by YOUR APPLE DEVICE HAS A VIRUS |
|User Experience||Join Our Forum to Discuss YOUR APPLE DEVICE HAS A VIRUS.|
YOUR APPLE DEVICE HAS A VIRUS (Apple Scam) – How Did I Get It
Security reports indicate that there is an ongoing campaign delivering the YOUR APPLE DEVICE HAS A VIRUS (Apple Scam) phishing threat. This is a common scheme that is being used by several hacker collectives at once with slight modifications. The main method of delivery is the creation of fake web sites. They use stolen elements from well-known sites and services that the targets may use on a regular basis. Through various scripts the users can be made into victims — pop-ups, banners, redirects and in-body links.
The messages can also be distributed in email messages that are sent in bulk in a SPAM-like manner. They are designed so that they look like notifications sent by legitimate companies. When they are opened by the victims YOUR APPLE DEVICE HAS A VIRUS (Apple Scam) may be displayed directly. In other cases it can be linked by hyperlinks or other interactive elements.
The main goal of the threat is to persistently display fake warning messages. As such other techniques can also be employed. An example is the inclusion of the Apple Scam in the two most popular infected payloads:
- Documents — The hackers can produce macro-infected documents (text documents, spreadsheets, databases and presentations). When they are opened by the victims a warning message will ask them if they want to enable the built-in scripts. If the users agree then the infection will begin.
- Infected Software Setup Files — Through malicious application installers the criminal operators behind the Apple scam can distribute the threat. This is a method that is popular mainly with viruses. The hackers modify the legitimate installers of popular software with the virus code by choosing popular choices: creativity suites, productivity apps and system utilities.
Scams like this one can also be spread using browser hijackers. They are malicious web browser plugins that are made for the most popular applications: Mozilla Firefox, Google Chrome, Opera, Safari, Internet Explorer and Microsoft Edge. They are most often found on the associated extension repositories with fake user reviews and developer credentials. When they are installed by the victims the built-in commands will reconfigure the browsers to redirect the users to a hacker-controlled page. The next step is to deliver the virus infection to the hosts.
YOUR APPLE DEVICE HAS A VIRUS (Apple Scam) – More Information
Upon installation of the malware code the victims will receive a malicious pop-up in an application frame or browser window with the title “PEGASUS SPYWARE ACTIVATED”. Its contents reads the following:
** YOUR APPLE DEVICE HAS A VIRUS **
Apple iOS Alert!!
Error # 268d3
PEGASUS (SPYWARE) ACTIVATED
System might be Infected due to unexpected error!
Please call Apple Care immediately at:
Do not ignore this critical alert.
If you close this page, your Apple Device access will be disabled to prevent further damage to our network.
Your Apple Device has alerted us that it has been infected with a virus and spyware. The following information is being stolen…
> Facebook Login
> Credit Card Details
> Email Account Login
> Photos stored on this Device
You must contact us immediately so that our engineers can walk you through the removal process over the phone. Please call us within the next 5 minutes to prevent your Apple Device from being disabled.
Depending on the version of the threat the text may be accompanied by a wallpaper change, music and other rich text media which can further coerce the victim to the scam.
The tech support support scam element blackmails the users into thinking that they need professional help to remove the threat. This is not the case as the virus code is created to extort money via this social engineering trick. Victims should only trust а legitimate cleaner utility.
In some cases the infections may cause other damage to the victim hosts which is why the victims will need to use it. This is not a spyware virus, but a fake message that can be used by the operators to carry out multiple malicious actions:
- Files Access — The criminals can retrieve files found on the infected machines.
- Trojan Module — The remote instance can set up an encrypted connection to a hacker-controlled server. It can be used to spy on the users in real-time and deploy viruses.
- Applications Monitoring — The scripts can monitor the currently running applications for the startup of security software and close them. Only a proper cleaner tool will be able to bypass this protection.