The tools criminals use to prepare a stolen iPhone for resale

Reselling stolen mobile phones is a lucrative business all over the globe, and iPhones are very much in demand.

Whether lost or stolen, the iPhones are often locked by their legitimate owners via Apple’s Find My iPhone settings and, until recently, via the Activation Lock service.

But both sellers and buyers of these devices need to unlock and reactivate them, turn off the Find My iPhone service, and erase them if the plan to sell them or use them. To do that, they have to gain access to the original owner’s iCloud account (i.e. to steal his or her Apple ID and password, if iCloud is linked to an Apple ID).

Luckily for them, there are a number of tools that can help them do that.

Getting the needed credentials

The easiest way to get access to iCloud accounts is to phish the original owners.

According to Trend Micro researchers, tools for building iCloud phishing pages can occasionally be found on GitHub.

Their research led them to certain tools that fraudsters use to unlock stolen Apple devices: AppleKit and MagicApp, as well as a cybercriminal version (FMI.php) of the Find My iPhone API, along with phishing kits and other related services.

“[FMI.php] is the closest tool cybercriminals have that resembles the Application Program Interface (API) of Apple’s own Find My iPhone. Once users enter their credentials into the phishing page, the FMI.php framework API is used to retrieve the user’s iCloud information, log into the iCloud website, and receive Apple device information,” they expained in a recently published technical brief.

“We tested the phishing page and received information such as cell phone number, passcode length, ID, GPS location, whether the device is locked or not, and if there’s a wipe command in progress. FMI.php framework can also delete the device from the victim’s Apple account after it’s unlocked and notify the attackers by email once the victim has been successfully phished.”

AppleKit, MagicApp, and FMI.php are sometimes used in conjunction: FMI.php is used to steal the needed credentials, Applekit to create a network of hijacked devices, and MagicApp to automate the unlocking of iPhones.

“The schemes we uncovered involve several fraudsters from Kosovo, Philippines, India, and those in North Africa. We monitored three notable actors who often worked together, and whose products and services are commonly used together: Mustapha_OS, Engine_App, and i_phisher,” the researchers shared.

“Mustapha_OS is AppleKit’s developer, and is also known to participate on dev-point, an Arabic hacker forum, as early as 2008. Engine_App developed MagicApp, while i_phisher provides phishing scripts and sells server services for SMS messaging. Customers using MagicApp or AppleKit aren’t obligated to use i_phisher’s phishing scripts, but because they know each other’s products well (and have a high success rate), many tend to use all three.”

All of these tools can be found online, some for sale and some even free of charge, and fraudsters use them to set up iPhone unlocking services for a fee.

“The online tools we’ve seen show how traditional felony and cybercrime can work concertedly—or even strengthen each other—for bigger payouts,” the researchers noted.

Protection and mitigation

Of course, as careful as users can be to keep their devices physically safe, losing one’s device or having it stolen can happen to anyone.

Regularly backing up data, enabling two-factor authentication on one’s iCloud account, setting up a security code and switching on the Find My iPhone feature, being on the lookout for phishing attempts, and reporting the device’s loss or theft to one’s carrier are all good steps to minimize the impact of the loss/theft of one’s iPhone and can make fraudsters’ work more difficult.

And those who buy second-hand iPhone should always verify with the vendor or carrier that they’re not blacklisted.

“The Cellular Telecommunications Industry Association (CTIA) created a website that verifies the IMEI to help customers and law enforcement check if an iPhone has been blacklisted or stolen. Resellers and consumers alike should also note that historical data from the device’s Find My iPhone is saved on Apple’s databases. Smartly enough, Apple devices have preventive measures in place to make stealing and reselling devices tricky, including one that can brick a stolen device.”