I get a pop-up window asking "Do you want to download "occ" in my Safari browser

Try loading an ad blocker, and adjust its settings to both allow you into the intended website, and to block this occ download request.

Looking into this occ topic again, a newspaper website had a discussion (with no more details than anybody else has about this), and that webpage itself amusingly served up the occ download.

I’d expect this is some rubbish being served from an ad network somewhere.

Ad networks are too often flaming security trash-fires, unfortunately.

Try an ad blocker.

Bill Bradford wrote:

Mac Jim ID wrote:

There is no executable that you can download no matter if there is a prompt for it or not. You will not be installing Malware on the iPhone or iPad.

Do you have any external citations to support this belief?

Among other details, iPhone apps are code-signed, which constraints which apps can run.

Side-loading is a means to bypass the app store code-signing process, and is used by developers to test apps, but that side-loading requires specific steps to enable execution.

Apple that bypass all of iOS security including code-signing are rare, exceedingly expensive, variously complex, and — based on available evidence — the usage of these exploits has been targeted.

Rare? I’ve seen reported (but have yet to confirm) that no (public) kernel exploits have been found in iOS 17. (Older hardware gear with A11 and earlier has exploits.)

Not cheap? Exploit offers can be millions of dollars, for the exploit itself.

Complex? The weird machine that NSO used to target iOS versions prior to 14.8 is exceedingly clever:

https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html

Targeted? Senior in government or private, with access to great wealth, with access to sensitive or classified data, political dissidents, investigative journalist, those associated with militaries involved in conflicts or espionage, in business or personal relationships with or serving as an annoyance to exceedingly wealthy folks? That seme like you? Maybe get some more specific help?

As for occ stuff, this isn’t the first time some ad network has tried offering something weird. See if an ad blocker blocks this, or block traffic to *.analytics.yahoo.com if thenad blocker allows that.

If you’re particularly concerned or a potential target, I’d suggest getting newer hardware, and getting specific assistance with your security, and potentially enabling features such as Lockdown Mode.

Related: About Apple threat notifications and protecting against mercenary spyware - Apple Support

I have been experiencing the same in the past 24 hours. My iOS was 17.6.1 . I subsequently updated to 17.7 and immediately to 18. Prior to updates, I deleted my web history and cookies several times and it didn’t work. I suspected by trial and error that when I was on APNews & scrolled to any ads that was served by Taboola, it triggered the pop ups. I blocked Taboola by adjusting the settings at parental restrictions. So far, I haven’t experienced any popups

Muddville wrote:

Same circumstances (very recent upgrade to iOS 18), same results, multiple times. Not exactly what I was expecting from an “upgrade.”

As you can see, it is currently happening on multiple versions of the OS, not specific to iOS 18. Users have also posted:

• Happens most frequently on news sites
• Happens using Chrome as well
• Some reported blocking Taboola ads using screen time restrictions worked
• Some reported using Ad Blocker worked

We will have to wait for a solution or at least what the website is wanting you to download. The good news is that an executable file cannot be downloaded to an iOS device, so even if it is Malware, it will not run.

I spoke to Sean (Shawn?), a helpful Apple Support rep yesterday. He said it sounds like an ad-related issue (as has been postulated here). He confirmed it's a zero-byte download, can't hurt if we downloaded it previously, by mistake or otherwise. He advised not downloading, either by "X"ing out or backing out of the page and then closing it (my preferred method, as I'm super-suspicious of even clicking the prompt's "X").

He also advised contacting the web site(s) where we see it, to advise them of the problem so that it gets fixed.

Personally, I haven't had this issue for the past almost two days, so I think web site admins and/or ad folks have figured out it's a problem and now have - or are getting - a handle on this scary thing.

Here is the solution:

[1] Download the “AdGuard” iOS app

[2] Navigate to: Settings —> Safari —> Extensions

[3] Turn on ALL seven of the AdGuard extensions

[4] Problem Solved :)

Hi guys. I think I have a clue here. A fez days ago I activated private relay in iCloud configuration. After this the popup start showing here. I think there some issues relates to ads. I deactivated this option and popup stop here.

Please check this.

I cleared my history and website data and I stopped getting the pop up. I was also getting a black pop up screen on my iPad telling me to rotate my screen. This too stopped occurring after I cleared the history and website data.

Mac Jim ID wrote:

There is no executable that you can download no matter if there is a prompt for it or not. You will not be installing Malware on the iPhone or iPad.

Bill Bradford wrote:

Do you have any external citations to support this belief?

• Unlike other mobile platforms, iOS and iPadOS don’t allow users to install potentially malicious unsigned apps from websites or to run untrusted apps.
• At runtime, code signature checks of all executable memory pages are made as pages are loaded to help ensure that an app hasn’t been modified since it was installed or last updated.
• After an app is verified to be from an approved source, iOS and iPadOS enforce security measures designed to prevent it from compromising other apps or the rest of the system.

Intro to app security for iOS and iPadOS - Apple Support (CA)

• After the iOS or iPadOS kernel has started, it controls which user processes and apps can be run. To help ensure that all apps come from a known and approved source and haven’t been tampered with, iOS and iPadOS require that all executable code be signed using an Apple-issued certificate.
• Mandatory code signing extends the concept of chain of trust from the operating system to apps and helps prevent third-party apps from loading unsigned code resources or using self-modifying code.

App code signing process in iOS and iPadOS - Apple Support (CA)

• All third-party apps are “sandboxed,” so they are restricted from accessing files stored by other apps or from making changes to the device.
• Each app has a unique home directory for its files, which is randomly assigned when the app is installed. If a third-party app needs to access information other than its own, it does so only by using services explicitly provided by iOS and iPadOS.
• System files and resources are also shielded from the users’ apps. Most iOS and iPadOS system files and resources run as the nonprivileged user “mobile,” as do all third-party apps. The entire operating system partition is mounted as read-only. Unnecessary tools, such as remote login services, aren’t included in the system software, and APIs don’t allow apps to escalate their own privileges to modify other apps or iOS and iPadOS.
• Further protection is provided by iOS and iPadOS using ARM’s Execute Never (XN) feature, which marks memory pages as nonexecutable.

Security of runtime process in iOS and iPadOS - Apple Support (CA)

You simply cannot download any file on the internet and run it. The System files cannot be changed as they are all Read Only. Any app that is allowed to run on the OS must be signed by Apple and Developers must be registered with Apple where the app also contains their Developer ID. Apps are sandboxed without any access outside of their Home folder.

This is the OCC installer for Opkey.

I started getting it after upgrading g to iOS 18.

do not install OCC. HIT THE “X”

I blocked using adguard.

Install the Adblock app and in settings, click allow on all six Adblock features. I did it this morning and the week long OCC reign of terror is over. Try it!

So, I have spoken to the escalation team. They were able to see it happening real time on my device. They are bumping this up to the engineers. It hapoens on Chrome and Safari. News type sites. Post iOS 18 update.

There’s nothing that basic troubleshooting can do so PLEASE DON’T FACTORY RESET IF A SUPPORT PERSON TELLS YOU TO RIGHT NOW. 😨

They were largely unaware of the problem because I’m assume the gross majority of people did not reach out to them. (I did show them the number of folks here via screen-share).

I will be contacted on Tuesday after the engineers have taken a tinker. Hopefully they can fix it fast.

I was given a direct contact to the escalation team member in case something else pops up.

So! Until then the directive from Apple is: Do not download anything from a pop up, avoid those news sites for the time being if you can. (Don’t wanna accidentally click).

I’ll loop back Tuesday. 👋🏽

I was having the same OCC issue. popping up multiple times. Mainly on news sites.

I cleared my website data, restarted my iPhone and it seems to have fixed the issue.

(Settings- Safari-Advanced-Website Data)

Running iOS 17.7 on iPhone 15.

I will update this post if it starts back up.

Guitartrooper wrote:

A problem this widespread should have been discovered during functional and regression testing before the new software was rolled out. Apple should not be relying on users to report problems like this.

As others have reported here, it also happens on iOS 17 and even older versions such as iOS 16.5 that have not been updated. Since Ad blockers seem to stop it, the issue appears to be a problem originating from a specific Ad network. The big 3 are Google, Facebook, and Amazon. I suspect that the problem ad will be identified by the Ad service and will be removed and it will go away just as fast as it appeared.

Double check your Safari Settings, my "Block Pop Ups" Button was set to Off - also recently updated IOS so that might have something to do with it.