Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Guest Blog // Selected Security Content Provided By Sophos
What's This?
09:05 AM
Graham Cluley
Graham Cluley
Security Insights

World's First iPhone Worm Rick-Rolls Wallpaper

Users of insecure, jailbroken iPhones are reporting their smartphones have been hit by a worm that turns their lock wallpaper to that of 1980s pop star Rick Astley.

Users of insecure, jailbroken iPhones are reporting their smartphones have been hit by a worm that turns their lock wallpaper to that of 1980s pop star Rick Astley.It may seem mostly harmless with its wallpaper-changing payload, but the first-ever worm to spread via iPhones could be an omen of more sinister attacks to come.

SophosLabs is warning iPhone users who have jailbroken their devices to ensure they have not left their smartphones open to infection.

Affected users in Australia have reported the wallpaper shown when they lock their iPhones is changed to an image of 1980s British pop star Rick Astley, with a message:

ikee is never going to give you up

Wallpaper of Rick Astley displayed by the ikee iPhone worm

The worm, which could have spread to other countries, is capable of breaking into jailbroken iPhones if their owners have not changed the default password ("alpine") after installing SSH. Once in place, the worm hunts for other iPhones that are similarly vulnerable on the mobile phone network, and installs itself again.

This isn't the first time hackers have taken advantage of poorly secured jailbroken iPhones that have not had their SSH passwords changed. About a week ago, iPhone users in the Netherlands were told they would have to pay 5 Euros ransom to gain control of their cellphones after a hacker used a similar trick -- although on that occasion the attack did not spread in a viral manner.

This latest incident, however, raises the stakes -- and it wouldn't be hard to imagine that more hackers might become intrigued about the possibility of striking jailbroken iPhones in this fashion to deploy more sinister payloads than an image of Rick Astley in future.

Analysts at SophosLabs are continuing to examine the iPhone worm's code, and new information is being published on my blog on the Sophos Website.

Graham Cluley is senior technology consultant at Sophos, and has been working in the computer security field since the early 1990s. When he's not updating his other blog on the Sophos website, you can find him on Twitter at @gcluley. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Microsoft Tops Phishers' Favorite Brands as Facebook Spikes
Kelly Sheridan, Staff Editor, Dark Reading,  8/22/2019
MoviePass Leaves Credit Card Numbers, Personal Data Exposed Online
Kelly Sheridan, Staff Editor, Dark Reading,  8/21/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-08-23
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
PUBLISHED: 2019-08-23
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
PUBLISHED: 2019-08-23
Lack of root file system integrity checking in Fortinet FortiManager VM application images of all versions below 6.2.1 may allow an attacker to implant third-party programs by recreating the image through specific methods.
PUBLISHED: 2019-08-23
In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this im...
PUBLISHED: 2019-08-23
The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class.