14 Replies Latest reply: Nov 5, 2010 3:44 AM by Julian Wright
Bojutsu Level 1 (0 points)
My iPhone appears to have been infected by a virus and seems to have been part of a botnet.
How can I remove the malware and prevent this in the future?
Thanks for any pointers. Details below.


My unjailbroken iPhone 3GS running iOS 4.0 and later 4.1 exhibited some suspicious behavior which I noticed because I started to get text messages from my cellular provider for three months in a row notifying me that my contract's volume limit had been exceeded and my transfer rates would be capped. My browsing activity is restrained and a traffic increase was surprising.

After resetting Usage stats on the iPhone, I noticed that outgoing traffic was 10X the volume of incoming traffic. High rates of traffic (ca. 6MB per hour outgoing) seemed to be occurring even when the phone was not in use. After watching this for a few days I felt something was fishy.

To eliminate legitimate communication as a traffic source, I then did: (a) in "Fetch New Data" I disabled Push and set fetch to "manually", (b) I disabled all e-mail accounts, (c) I turned notifications off, (d) I turned WiFi off, (e) reset all usage stats, (f) restarted the phone.

Now, with no apps running and no push/pull activity permitted, the phone should have been silent. Instead, starting about 15 seconds after reboot, the phone started sending data. The rate was not constant, but within seconds of entering the stat screen you'd see about 250kB sent and about 10kB received. The send rate averaged ca. 6 MB / hour, but activity was intermittent. All this data was sent over the cellular connection, so the carrier cutoff was not surprising.

Next I went into Airplane mode to disable the cellular collection and reactivated WiFi. With the help of a friend I connected the phone to a router which intercepted and suppressed outgoing traffic. The router was able to log only IP addresses, but no content. Within a 5 minute period of logging, we discovered a range of connection attempts to various hosts, some of them potentially legitimate and some suspicious. The legitimate addresses were all Apple push servers, like nwk-st-courier037-05.push.apple.com. Not sure why the phone would contact them if push and notifications are off, but whatever.

Then there were three blocks of suspicious IP addresses the phone contacted within the monitored ca. five minute period around 2010/09/24 13:18:06:


Via dnstools.com this turns out to be an IP managed by ARCOR / Vodafone D2 GmbH in Germany. A Google search on the IP provides a few listings, including a few in forum posts about viruses and trojans. Via dedicatedornot.com there is an indication that the IP belongs / belonged to fotolog.com, apparently a rather popular photo sharing community. I have never used the web site or heard about it, so this seems suspicious.

(B) ec2-184-73-255-2.compute-1.amazonaws.com ec2-184-73-254-162.compute-1.amazonaws.com

This seems to be a server in Amazon's cloud service. No idea what the service is.

(C) ew-in-f101.1e100.net ew-in-f100.1e100.net ew-in-f102.1e100.net

These addresses belong to Google. Put them in a browser and the Google main search page comes up. Why would an iPhone running no apps contact the Google main search page?

Just to clarify: the iPhone is NOT and never was jailbroken and all apps I use were downloaded from the Apple app store. 

Maybe this means nothing and there is a perfectly valid explanation for why my iPhone would contact these web sites even though no apps were running and all communication settings were turned off. Nevertheless, it would be quite nice to know what had happened.

iPhone 3GS, iOS 4
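The original post describes the triage by hand: log outbound connections from a quiet phone on a Wi-Fi router, compare bytes sent with bytes received, reverse-resolve the destination IPs and sort the hosts into "expected" and "needs a look". The script below is an added example of that same triage as code; it is not from the thread or from any Apple tool. The log format, the IP addresses (RFC 5737 documentation ranges), the byte counts and the allowlist of expected domains are all constructed for illustration; only the hostnames are the ones the poster reported. Reverse-DNS results are embedded as a table so the script runs offline, since the router in the post logged only IPs and the names were looked up afterwards.

```python
"""Triage of an outbound-connection log from a phone on a monitored Wi-Fi router.

Added example, not code from the original thread. Log lines, IPs (RFC 5737
documentation ranges), byte counts and the allowlist are constructed; the
hostnames are the ones reported in the post.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample router log: "date time src_ip dst_ip bytes_out bytes_in".
SAMPLE_LOG = """\
2010/09/24 13:18:06 192.0.2.10 198.51.100.5 251000 10200
2010/09/24 13:18:09 192.0.2.10 198.51.100.20 4100 900
2010/09/24 13:18:31 192.0.2.10 203.0.113.7 180500 6100
2010/09/24 13:19:02 192.0.2.10 203.0.113.8 120000 5000
2010/09/24 13:19:40 192.0.2.10 198.51.100.21 3500 800
2010/09/24 13:20:15 192.0.2.10 198.51.100.40 900 24000
malformed line that the parser must skip
"""

# Constructed reverse-DNS table (the router logged only IPs). Names are the
# hosts reported in the thread; one IP deliberately has no PTR record.
REVERSE_DNS = {
    "198.51.100.5": "nwk-st-courier037-05.push.apple.com",
    "198.51.100.20": "ew-in-f101.1e100.net",
    "198.51.100.21": "ew-in-f100.1e100.net",
    "203.0.113.7": "ec2-184-73-255-2.compute-1.amazonaws.com",
    "203.0.113.8": "ec2-184-73-254-162.compute-1.amazonaws.com",
}

# Assumed allowlist: domains a phone with push enabled is expected to contact.
EXPECTED_DOMAINS = {"apple.com"}


class Flow(NamedTuple):
    timestamp: str
    dst_ip: str
    bytes_out: int
    bytes_in: int


def parse_log(text: str) -> List[Flow]:
    """Parse the six-field log lines; silently skip anything malformed."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        date, time, _src, dst, out_s, in_s = parts
        try:
            flows.append(Flow(f"{date} {time}", dst, int(out_s), int(in_s)))
        except ValueError:
            continue
    return flows


def registered_domain(hostname: str) -> str:
    """Collapse a hostname to its last two labels.

    Simplification: ignores multi-part public suffixes such as co.uk.
    """
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname


def outbound_ratio(flows: List[Flow]) -> float:
    """Bytes sent divided by bytes received; the post's '10X' observation."""
    sent = sum(f.bytes_out for f in flows)
    received = sum(f.bytes_in for f in flows)
    return sent / received if received else float("inf")


def summarize(flows: List[Flow], reverse_dns: Dict[str, str],
              expected_domains: set) -> Dict[str, dict]:
    """Aggregate traffic per registered domain; unresolvable IPs go to 'unresolved'."""
    summary = defaultdict(lambda: {"bytes_out": 0, "bytes_in": 0,
                                   "hosts": set(), "expected": False})
    for f in flows:
        name = reverse_dns.get(f.dst_ip)
        domain = registered_domain(name) if name else "unresolved"
        entry = summary[domain]
        entry["bytes_out"] += f.bytes_out
        entry["bytes_in"] += f.bytes_in
        entry["hosts"].add(name or f.dst_ip)
        entry["expected"] = domain in expected_domains
    return dict(summary)


def flagged_domains(summary: Dict[str, dict]) -> List[str]:
    """Domains outside the allowlist, heaviest outbound first: what to investigate."""
    unexpected = [d for d, e in summary.items() if not e["expected"]]
    return sorted(unexpected, key=lambda d: summary[d]["bytes_out"], reverse=True)


if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    print(f"outbound/inbound byte ratio: {outbound_ratio(flows):.1f}")
    summary = summarize(flows, REVERSE_DNS, EXPECTED_DOMAINS)
    for domain in flagged_domains(summary):
        e = summary[domain]
        print(f"{domain:15} out={e['bytes_out']:>7} in={e['bytes_in']:>6} "
              f"hosts={sorted(e['hosts'])}")
```

The allowlist is deliberately small: with push turned off, even the Apple push hosts would not be expected, so a reader reproducing the post's quiet-state test would pass an empty set and expect every domain to be flagged. The useful output is the ordering, which puts the destinations carrying the most outbound data at the top; a destination with no PTR record stays visible under "unresolved" rather than disappearing from the summary.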
  • wjosten Level 10 (94,210 points)
    Since your phone is not jailbroken, there is absolutely no way to install any virus or malware on your phone.

    Regarding your usage problems, have you tried the basics from the user guide?

    1. Reset
    2. Restore from Backup
    3. Restore as New
  • Bojutsu Level 1 (0 points)
    Hi wjosten, thanks for the quick reply.

    I understand that one would consider an unjailbroken phone to be relatively safer than a jailbroken phone. However, it is not impossible in principle to infect an unjailbroken iPhone with a virus. Visiting a malicious website, installing a malicious app, drive-by infection via Bluetooth etc. all appear as potential avenues for infection.

    Your recommendations regarding how to potentially get rid of the problem are also useful. However, I am not primarily concerned about the traffic volume; I am most concerned about the vulnerability of the phone. I am actually kind of worried because the traffic has in the meantime already stopped. I tracked the data rates for three days before working with a software developer to generate the router log. After recording the log, he suggested to enable certain internal logging mechanisms on the iPhone by activating it as a development device via Apple's developer software (not sure what exactly that means). I also installed the iPhone app "aMonitor" in the hope of identifying the culprit app (to no avail). After doing that, the high rate of outgoing traffic continued for a few hours, and then stopped. Completely. Within hours of our attempt to nail down the cause of the traffic, it stopped completely and permanently. I performed no software upgrades and made no unusual configuration changes other than installing the monitor app and eventually re-enabling push etc. After probably about three months of activity the suspicious traffic suddenly stopped.
  • wjosten Level 10 (94,210 points)
    it is not impossible in principle to infect an unjailbroken iPhone with a virus.

    It is in fact impossible to do so, as nothing from any web site can be installed on a non-jailbroken iphone.
  • Bojutsu Level 1 (0 points)
    Hi wjosten, I'm not sure why it should be impossible, even though Apple clearly does not provide a legitimate path for it. Isn't even a jailbreak possible by visiting a website? It seems safer to assume that every complex computing device has security flaws, known and unknown, that can be exploited by an attacker. Anyway, something fishy seemed to be happening and I need help in finding out what it was. Thanks for your responses, though.
  • Julian Wright Level 7 (34,860 points)
    Isn't even a jailbreak possible by visiting a website?

    No. Unless your phone OS is out-of-date. That particular vulnerability was fixed.

    If there was any virus that could affect the iPhone, you would be reading about it on every Mac, iPhone, gadget and security web site on the planet. It would be huge news. Given the high media status of the iPhone such news would likely be reported on every major news outlet too such as BBC, CNN etc.

    There is no way you could miss such a big discovery. As this isn't happening, your iPhone does not have a virus. Do not confuse the iPhone with a Windows PC.
  • Bojutsu Level 1 (0 points)
    You may well be right. But it would seem reasonable to assume that before any report on the BBC you would see a thread like this one on this forum, wouldn't it?

    But let's assume simply that we don't know what the cause of the suspicious behavior is, which is the truth. At this point I would hope for some insight into why the traffic that I posted would occur and why it is really quite harmless. Why would an iPhone running no user apps talk to Google, the Amazon cloud and a random photo website I've never heard of? Probably benign. Maybe a botnet. I'd like to know.
  • wjosten Level 10 (94,210 points)
    Fact: You don't have a virus.

    Fact: Most likely something in the OS on your phone or an app is corrupt causing the situation you're experiencing.

    Restore from your most recent backup, followed by syncing your content back to your phone. Note: if your problem is being caused by corrupt data on your phone, doing this will merely restore the problem. If no change:

    Restore as a new device. This will delete all data on your phone. Follow by syncing your content back to your phone. If no change:

    Make an appointment at an Apple store, you may have a hardware issue.
  • Bojutsu Level 1 (0 points)
    Hm. Without further investigation it is not possible to call much else than the observations in my initial post a fact. I totally agree that a virus would be unlikely and therefore surprising, but certainly not impossible. Anyway, I acknowledge and appreciate your efforts to make the problem go away, but at this point I am looking for some helpful ideas on tracking down the targeted sites and contacts to folks with a computer security background.
  • deggie Level 9 (52,719 points)
    Since you are firmly convinced, without any evidence, that your iPhone has a virus I would contact Apple Technical Support directly and have them look at your iPhone.

    The reason everyone keeps telling you it is not a virus is you can only install an app to your iPhone through the Apps Store and Apple does check these apps. Other than that there is no disk mode on a non-jailbroken phone so there is no way for a web site, app, BT "drive-by" (there is no FTP BT profile on the iPhone) to write anything to your iPhone.

    It is logical that your iPhone would attempt to contact Vodafone if that is who you have service with, Google, since the Google maps app is on your iPhone. Do you have the Kindle app on your iPhone? That would explain Amazon.
  • Allan Sampson Level 10 (123,405 points)
    Many Windows users lump everything in this regard as a virus. Malware is more likely in this situation than a virus. The definition of a virus includes the ability to spread virally from computer to computer or from device to device without the infected user's knowledge. There are no viruses that infect or affect OS X which is UNIX based and has been available for 10 years now - not one in over 10 years. Doesn't mean it will never happen but the record so far is pretty good and the iPhone runs an optimized version of OS X. All apps are sandboxed on the iPhone.

    http://developer.apple.com/library/ios/#documentation/Security/Conceptual/SecurityOverview/Security_Services/Security_Services.html%23//appleref/doc/uid/TP30000976-CH204-CHDDJIDG

    A common way for a hacker to gain control of a system is to exploit a buffer overflow in a running program. A buffer overflow occurs when a program does not validate its input and accepts more data than can fit in the memory that the program reserved for that data. The data then overwrites memory owned by the system or by some other program. In some circumstances, the hacker can insert executable code directly into memory this way; in other cases, the hacker can cause a jump of execution to another location in memory.

    In iOS, every application is sandboxed during installation. The application, its preferences, and its data are restricted to a unique location in the file system and no application can access another application’s preferences or data. In addition, an application running in iOS can see only its own keychain items.

    *Because every iOS application is sandboxed, your application’s data and preferences cannot be read or modified by other applications, even if they have been compromised by an attacker. If your application is compromised, the attacker cannot use it to take control of the device or to attack other applications.*
  • Bojutsu Level 1 (0 points)
    Hi deggie, thanks for your reply. As you can see from my comments, I am not at all convinced that my phone has a virus and I readily acknowledge the unlikeliness of this being the case. But so far I am also not convinced that it does not have one, and prior answers were not particularly helpful in that respect. The answer "it cannot happen on an iPhone" is clearly inaccurate. Jailbreaking via a website and the recent SMS vulnerability seem to be obvious examples of security gaps on the iPhone. I understand that there have also been vulnerabilities in apps in the app store, which makes sense since Apple has no source code for the apps and even with source code they could not necessarily catch all malicious code. Realistically one should assume that there are dozens if not hundreds of these that have simply not been uncovered.

    Vodafone is not my provider and I do not have the Kindle app.
  • Bojutsu Level 1 (0 points)
    Hi Allan, thanks for this answer, which I found helpful. I am aware of the distinction between a virus and malware, and you are of course right that it could be some other form of malware. The fact that apps are sandboxed is interesting. I wonder if there are no exceptions to this though - consider the SMS phone hijacking recently. I guess I need to identify the nature of the traffic to Google, Amazon EC2 and Vodafone (not my provider). Probably everything will turn out to have a valid reason. I was hoping that someone from Apple would be able to identify the nature of the traffic.
  • deggie Level 9 (52,719 points)
    Then as I said earlier you should contact Apple and have them assist with your endeavor.

    I was under the impression that Apple did have access to the source code for all of the apps in the App Store. Where did you hear otherwise?

    I know of no vulnerabilities in the App Store and the other items you mention, which were not viruses, have been patched.

    No one here can definitively answer your question so it is pointless to continue. Contact Apple.
  • Julian Wright Level 7 (34,860 points)
    I was hoping that someone from Apple would be able to identify the nature of the traffic.

    Not here, as this is a user-to-user forum.