
My iPad and iPhone transfer malware to my PC.

My iPad and iPhone transfer malware to my PC whenever I sync or back up. These are browser redirects and other unwanted programs: KipodToolsCby, FakePDF and Upatre.AA. How do I get rid of them from my iOS devices? My anti-malware on my PC (Malwarebytes and Windows Defender) catches them, but I don't want to keep transferring them to my PC. I don't believe they are hurting my iOS devices, but I'd like to purge them so as to not potentially put my PC at risk. I likely have some infected Word or PDF files on my iPhone/iPad, but how do I find out which are the rogue files? Thanks. It also seems like the App Store had some of the anti-virus programs removed, and I've had bad experiences with McAfee and Norton.


The malicious files are always found in my AppData\Roaming\Apple Computer\MobileSync\Backup\ folder, and this always occurs during the backup phase of my iOS sync.

iPad Air, iOS 8.4

Posted on Jul 31, 2015 12:21 PM

Question marked as Best reply

Posted on Jul 31, 2015 12:41 PM

Hi

You CANNOT get malware on iPhones/iPads unless

they have been jailbroken.

Go to Settings - Safari and clear History / Cookies.

If you still have a problem, Restore to Factory Settings.

Use the same Apple ID to get your Apps & Data back.

Do this over your WiFi.

Cheers

Brian uk

30 replies

Aug 1, 2015 4:36 AM in response to bobbpix

bobbpix wrote:


I'm curious as to why people think it's safe to assume these are false positives and that I can just ignore alerts that two programs are determining to be malware.


They probably aren't false positives. Most likely, you have e-mail messages with malicious - or potentially malicious - messages or attachments. These are being backed up to the computer when you back up the devices. These things cannot harm your PC unless you go digging through your iPhone or iPad backups in Windows and start trying to open files in them... that's something that there would be no reason whatsoever for you to be doing.


It's more important for you to make sure to clean up your e-mail. You're far more likely to get infected by opening these messages on your PC.

Aug 1, 2015 4:43 AM in response to bobbpix

If your anti-malware software is scanning the backup file on your computer and coming up with 3 virus hits, it is almost certainly a false positive, as the file by itself is not readable. If you are certain you somehow have files that have viruses on your iPad (does the alert say which virus?), then download a backup extractor program on your PC, extract all files to a different folder, and then scan that folder.

Aug 1, 2015 4:44 AM in response to bobbpix

bobbpix wrote:


In March 2015, Apple removed software from the App Store that scanned for infected files. Maybe these files can never harm an iOS device, so Apple wanted to give the impression that their devices couldn't be harmed.


No, Apple removed software that claimed - or appeared to claim - to be able to do something it couldn't do. Because of sandboxing restrictions, no app is allowed to access any other app's data or any part of the system, except through very controlled and indirect methods supervised closely by the OS. So none of the iOS anti-virus software that used to be in the store was actually able to scan the device.


Imagine how irritated you would have been to have bought iOS security software only to find it couldn't scan the device. Then ask yourself how you would react once you realized that Apple had approved that software for inclusion in the store. Now you should begin to understand why it was removed.

Aug 1, 2015 9:31 AM in response to thomas_r.

Thomas,


Point well taken about AV SW being unable to pierce the sandbox. I suppose, given what I'm seeing on my PC, it would be nice if Apple addressed this directly with their own SW. Maybe these are false positives; there are two sides represented here on the thread as far as that goes. I have inserted (I think) snips from both Malwarebytes and Defender. Given that the names reported are different, maybe that lends credence to the idea that these are false positives. But the actual files that the SW points to are the same, just given different names by MWBytes and Defender. And I agree, as long as I keep these quarantined I don't think I'm in much danger. Still uncomfortable to have them lurking around after each sync.

[User uploaded file]

Aug 2, 2015 1:38 PM in response to thomas_r.

Unfortunately, after a day of letting these files sit in quarantine, Defender alerts me to clean up my system and wants to reboot Windows. So unless I specifically allow these suspect files, I am now forced to reboot when I don't want to.


Perhaps I'm paranoid. I'm in the securities industry and there is a big cybersecurity push from the SEC demanding heightened security on all our systems. And even though this is my home computer, I find it really kind of dismal that the best suggestions involve resetting my iOS devices or just ignoring the suspect files. Apple has no software that will help to scan files on an iOS device. If more users ran into the problem I'm encountering, I suppose this issue would get more traction and I wouldn't be forced to do a reset to deal with it. Right now that's where I am. But it may take one or two days to reset and restore both devices.

Aug 2, 2015 1:56 PM in response to bobbpix

Did you try my suggestion of extracting them from the backup to a folder and running your various software on your computer and trying to isolate which files in your backup supposedly are infected?


Apple is not going to change the security design of their system to scan across the sandbox for files. If you want that ability you should buy Surface Pro.

Aug 2, 2015 2:22 PM in response to deggie

I dunno. Here's what MWBytes says they are.

Trojan.FakePDF, C:\Users\Bob\AppData\Roaming\Apple Computer\MobileSync\Backup\56aa0d69f2f3a345b1880671c1bc139f4a3edea9\00037b8e4cb51d4351304aa18ec5445bdb282607, , [f1b021771a702f078451e1fadf2255ab],

PUP.Optional.Bandoo, C:\Users\Bob\AppData\Roaming\Apple Computer\MobileSync\Backup\56aa0d69f2f3a345b1880671c1bc139f4a3edea9\56fe0e58ecc4f21eceb46cd32b85781416ddc11c, , [c6dbfa9e4149ce68df487fc0a9586c94],

Trojan.FakePDF, C:\Users\Bob\AppData\Roaming\Apple Computer\MobileSync\Backup\56aa0d69f2f3a345b1880671c1bc139f4a3edea9\98aa9bce8ee876450a062285ba903c7ad2d15b2b, , [bee37e1a3159c472ece97962bb4647b9],

Trojan.FakePDF, C:\Users\Bob\AppData\Roaming\Apple Computer\MobileSync\Backup\56aa0d69f2f3a345b1880671c1bc139f4a3edea9\b95e7a4c902160f704980a8417ad0685c917879a, , [d1d09bfd4f3b82b41bba1ac1ff024cb4],

Trojan.Email.FakeDoc, C:\Users\Bob\AppData\Roaming\Apple Computer\MobileSync\Backup\c9bb2ed4e2308acfe23764900393f37d873cd4e6\39d3533b0024c57b376ffaf7fb0230a66efadc42, , [68396f299bef42f493f35ab515ed35cb],

PUP.Optional.Bandoo, C:\Users\Bob\AppData\Roaming\Apple Computer\MobileSync\Backup\c9bb2ed4e2308acfe23764900393f37d873cd4e6\c1dc785c5b0895c038ea1d42decee302e7349e79, , [bee3e1b71f6bb38345e2b28d56ab5ca4],

Aug 2, 2015 5:26 PM in response to bobbpix

That really isn't much help in identifying your documents, other than MWBytes thinks there are PDF or .doc files (the latter would have to contain a macro). Again, if you extracted them and ran your software, you could get the exact names to try to remove them or see if they really are infected.
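The lookup deggie is describing can be done without a commercial extractor, because the 40-hex-character names in the Malwarebytes log are not random: each file inside a MobileSync backup is stored under the device's UDID folder and named with the SHA-1 of "<domain>-<relative path on the device>", and the backup's manifest records that mapping (the binary Manifest.mbdb in iOS 8/9 backups such as the one in this thread, a SQLite Manifest.db from iOS 10 onward, which also places files in two-character subfolders). The script below is an added example, not code from the poster, Apple or Malwarebytes. It parses log lines in the layout quoted above, pulls out the UDID and file hash from each path, and resolves them against a Manifest.db built in memory from constructed sample entries (the UDID, domains, paths and detection names are all made up for the example). One hit is deliberately left unresolvable to show what a quarantined or foreign-backup file looks like.

```python
"""Map anti-malware hits on an iOS backup folder back to the device file they came from.

Backup layout assumed here (iOS 10+ style): Backup\<UDID>\<xx>\<fileID> where
fileID = SHA-1("<domain>-<relativePath>") and Manifest.db holds the Files table.
iOS 8/9 backups use the same fileID rule but keep the map in Manifest.mbdb and
have no <xx> subfolder; the regex below accepts both layouts.
"""
import hashlib
import re
import sqlite3

# Constructed sample data: a fake UDID and three fake device files.
SAMPLE_UDID = "1111111111111111111111111111111111111111"
SAMPLE_FILES = [
    ("HomeDomain", "Library/Mail/Attachments/1042/2/invoice.pdf"),
    ("HomeDomain", "Library/Mail/Attachments/1043/2/quote.doc"),
    ("AppDomain-com.example.reader", "Documents/offer.pdf"),
]
SAMPLE_DETECTIONS = ["Trojan.FakePDF", "Trojan.Email.FakeDoc", "PUP.Optional.Bandoo"]


def backup_file_id(domain, relative_path):
    """Name the backup gives a device file: SHA-1 over 'domain-relativePath'."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()


def build_manifest(files):
    """In-memory stand-in for Manifest.db with the Files table of iOS 10+ backups."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
        "relativePath TEXT, flags INTEGER, file BLOB)"
    )
    conn.executemany(
        "INSERT INTO Files VALUES (?, ?, ?, 1, NULL)",
        [(backup_file_id(d, p), d, p) for d, p in files],
    )
    conn.commit()
    return conn


def build_sample_log(udid, files, detections):
    """Constructed log lines in the layout Malwarebytes printed in the thread."""
    base = r"C:\Users\Bob\AppData\Roaming\Apple Computer\MobileSync\Backup"
    lines = [
        f"{det}, {base}\\{udid}\\{backup_file_id(d, p)}, , [0000],"
        for det, (d, p) in zip(detections, files)
    ]
    # A hash no manifest entry explains (e.g. already quarantined, or from another
    # device's backup) so the unresolved case is visible in the output.
    lines.append(f"Trojan.FakePDF, {base}\\{udid}\\{'f' * 40}, , [0000],")
    return "\n".join(lines)


HIT_RE = re.compile(
    r"^(?P<detection>[^,]+),\s+(?P<path>.*?MobileSync\\Backup\\"
    r"(?P<udid>[0-9a-f]{40})\\(?:[0-9a-f]{2}\\)?(?P<file_id>[0-9a-f]{40}))",
    re.IGNORECASE,
)


def resolve_hits(log_text, manifest):
    """One record per log line: detection name, backup UDID, hash, and device path if known."""
    results = []
    for line in log_text.splitlines():
        m = HIT_RE.match(line)
        if not m:
            continue  # not a backup-path hit; ignore
        row = manifest.execute(
            "SELECT domain, relativePath FROM Files WHERE fileID = ?",
            (m["file_id"].lower(),),
        ).fetchone()
        results.append({
            "detection": m["detection"].strip(),
            "udid": m["udid"],
            "file_id": m["file_id"].lower(),
            "domain": row[0] if row else None,
            "relative_path": row[1] if row else None,
        })
    return results


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_FILES)
    log = build_sample_log(SAMPLE_UDID, SAMPLE_FILES, SAMPLE_DETECTIONS)
    for hit in resolve_hits(log, manifest):
        where = (f"{hit['domain']}/{hit['relative_path']}" if hit["domain"]
                 else "not in this backup's manifest")
        print(f"{hit['detection']:22} {hit['file_id'][:12]}...  {where}")
```

Against a real backup, point the lookup at Backup\<UDID>\Manifest.db and feed it the log lines verbatim; the domain and path tell you which app or mailbox the flagged attachment lives in, which is what you need in order to delete it on the device rather than wiping everything. Two caveats a practitioner should expect: an iOS 8.4 backup needs an mbdb parser instead of the SQLite query, and if "Encrypt local backup" is turned on in iTunes the file contents on disk are encrypted, so a PC scanner would not be able to see the attachment bytes in the first place.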

Aug 3, 2015 12:26 PM in response to bobbpix

If those files (in your list) have been quarantined and removed from iTunes backup, would it be safe to say that you can restore the data back to your iPad/iPhone less the infected documents? I'm not sure about that but it's worth a try. Keep in mind that iTunes may treat the backup as 'incomplete' and refuse to restore to the device.

Aug 6, 2015 9:39 AM in response to deggie

Deggie,

I didn't know about iOS extractor programs. Sounds like an interesting approach. I would like to find what programs are associated with the suspect files, as I'd just delete the programs instead of doing a restore. It would also stop Windows from rebooting every time I sync my devices, as my anti-malware software (Defender and MWBytes) both quarantine and go through a cleaning process whenever I sync.
