65

I had my iPhone battery replaced in a phone repair shop. After collecting it, I noticed that there is a strange new app installed, some "Chinese" web browser. It has no alphanumeric name and nothing in the interface was in English. I spoke with the technician who replaced the battery and he said that they didn't do anything with the phone, didn't even connect it to a PC.

Should I be concerned? There's plenty of sensitive data on it. It has never been jailbroken, I never visited any suspicious sites on it and I didn't connect it to any PC other than my trusty laptop.

Rafi Rosa
  • You are already concerned, that's why you're asking. And rightly so. A better question would be: *What do I do next?* – Mar 27 '18 at 20:22
  • You made a full backup *before* going to the store, right? I would wipe it out, restore the backup, and would not trust that store ever again if the restore does not restore the suspect app. – Rui F Ribeiro Mar 27 '18 at 22:28
  • @JanDoggen To be fair, he's not asking if he's concerned, but if he's right to be concerned. – Mar 28 '18 at 09:17
  • For the curious among us, could you take a screenshot of the app icon and interface? We might be able to at least identify the app in question. – twisteroid ambassador Mar 28 '18 at 09:45
  • Where did this happen? Are Chinese apps normal there? – Mawg says reinstate Monica Mar 28 '18 at 10:55
  • Can a battery be used to backdoor a phone? In theory I could imagine it (who security hardens the OS-battery protocol?), but if it was common I'd expect it to be found on Google. – Yakk Mar 28 '18 at 15:25
  • @Mawg I live in Ireland, Chinese apps are very unusual here. As I mentioned in comments, it's not even in the list of purchased apps when I enter my profile in the App Store. – Rafi Rosa Mar 28 '18 at 15:42
  • Have you checked it is an app and not a 'web app', aka Home Screen Shortcut? – Qsigma Mar 28 '18 at 15:42
  • @twisteroidambassador I am sorry, I panicked a bit and when the guy in the store suggested to just delete it I did it without thinking. Here's a link to an icon I found that looks the same: [link](https://images-na.ssl-images-amazon.com/images/I/718-HpvIPaL.png). I suppose it's UC Browser. As I mentioned, everything was in Chinese, including the name of the app. – Rafi Rosa Mar 28 '18 at 15:49
  • @Qsigma I did not, and as it is gone now, is there any way to find out what it was? – Rafi Rosa Mar 28 '18 at 15:50
  • Phone version? iOS version? [Jailbreaks, 2007 to present](https://en.wikipedia.org/wiki/IOS_jailbreaking#By_device_and_iOS_version,_2007-present) – WernerCD Mar 28 '18 at 18:07
  • @WernerCD iPhone 5s, iOS 11.2.6 – Rafi Rosa Mar 28 '18 at 19:35
  • Would you be able to add a screenshot? Preferably by powering up the device *without a SIM card* and away from any known Wi-Fi networks (or by changing your Wi-Fi password so the compromised device can no longer connect to it). – André Borie Mar 28 '18 at 23:20
  • Did you unlock/give them your password? (You should do neither.) – Antzi Mar 29 '18 at 00:53
  • @Antzi It's not necessary to give them your password, only your PIN. They can log in with another user and install an app, as I said in my answer. – Rui F Ribeiro Apr 02 '18 at 16:04

10 Answers

103

Unless you can come up with some other explanation of how this happened, it sounds like your phone has been infected by some malware. It's impossible for us to say if the infection was the result of something the factory did or something you did. Either way, you should be very concerned. I'd recommend the following course of action:

  • Make a backup of any data you have on the phone. (The backup could be infected, see this question, but if you have no earlier backup you either have to take the risk or lose your data.)
  • Do a complete factory reset, wiping the phone clean.
  • Change any passwords that have been stored on or entered on the device.

While you are only seeing one app, it might just be a symptom of a deeper infection. Just removing the strange Chinese app may not be enough.

Anders
  • I can't really think of any way this app was installed on my iPhone, it doesn't appear in the purchased list in my Apple account and I haven't installed any app for at least a month. What are possible ways in which it could have been infected? – Rafi Rosa Mar 27 '18 at 17:20
  • @RafiRosa To be honest, I don't think you will ever be able to say for sure where it came from. But in the end, what you need to do is the same: a factory reset. – Anders Mar 27 '18 at 17:21
  • @RafiRosa You can sideload apps that have valid Apple-signed certificates. Otherwise they jailbroke your phone for you. – Steve Mar 28 '18 at 03:54
  • @Rafi Rosa It's possible the app was compiled directly from Xcode to your phone or using TestFlight. Other than jailbreaking this is the only way unapproved apps can get on your phone. That pretty much means you should stop using your phone and wipe it ASAP. – Caimen Mar 28 '18 at 17:29
  • @Anders I have done a complete factory reset of my phone and changed all passwords that I used while using it. After that, all of the apps I had previously installed were restored by the iPhone and all of my files were stored on iCloud. Is that all I can do? – Rafi Rosa Mar 28 '18 at 19:47
  • @RafiRosa That sounds like a good strategy. – Anders Mar 28 '18 at 20:16
  • @Caimen Going directly from Xcode to the phone requires installing device-specific certs under the logged-in Apple ID; there may be a way to check the device under iTunes Connect (?). – brichins Mar 28 '18 at 20:29
  • Given that phone carriers often push apps onto phones without the actual owner's consent (that's how I caught T-Mobile red-handed installing their apps on my phone), I'd suggest that another possibility is a client paying the carrier to push *their* app onto people's phones. (Or maybe we just need to wait and see if a carrier shows up in the news as getting breached and their functionality used to compromise end users.) – code_dredd Mar 29 '18 at 17:13
  • @ray That's not a thing on iOS. Carriers do not have control over firmware updates, and cannot force-install apps. – Mar 30 '18 at 19:40

31

I would be very concerned. One thing I have learnt about security, in all the years I have been trying to understand it, is that if you didn't put something there, somebody else did, and if you don't know what it is doing then the only thing to do is reset, reinstall, and be happy with everything. If you don't know why that software is there, be assured, somebody put it there for a reason. It may be a good reason, but it isn't your good reason, so if that phone was mine I would save all my data, and only my data, and completely factory reset it.

Glorfindel
The-Baddy
22

Yes, and be concerned about more than your phone.

I can't imagine a situation where an app was installed without your PIN/password without them first jailbreaking or otherwise significantly compromising your phone's OS. I think the only safe assumption is that anything your phone had access to, they also had access to.

So any account your phone has access to is suspect. Particularly any email account you have set up. Look for password reset emails, check your sent items, etc. If you had any kind of financial app (bank etc.) check for odd transactions.

If that all looks fine, I’d follow the advice of others in terms of resetting the phone, but also go beyond the phone and reset all your important passwords etc.

Almo
Nath
  • Unfortunately, it's pretty common for repair shops to ask for the PIN to log in and verify all hardware functionality after opening the case, just in case they knocked something loose (camera, GPS, Bluetooth, etc.) which isn't detectable on a lock screen. I go to a shop nearby that will do repairs while you wait so I can log in for them to check while I watch, but I've seen plenty of customers give up the PIN without a moment's pause. – brichins Mar 28 '18 at 20:35
11

The most concerning point is that the repair shop employee claims not to know anything about it.

The app may or may not be okay. If someone in the repair shop installs a new app, i.e. for testing whether installing works again, this can be a problem, but doesn't have to be.

But if they tell you they do not know about it, either it was some malware that installed it, or they are lying to you. Either way, you cannot trust the phone anymore not to be infected with something, which should concern you.

allo
  • Unless the employee who didn't know was just working the cash register and did not know that the repair guys in the back routinely install helper apps and remove them after the repair is complete (and forgot to this time). In any case, restore from backup. – Mawg says reinstate Monica Mar 28 '18 at 10:58
  • Might be worth reporting it to the police also so that they can send someone in undercover to do an investigation if they have the will and resources (though they won't). – Lightness Races in Orbit Mar 28 '18 at 12:18
  • That was my first thought, that it's some leftover software to test the battery, but the guy who repaired it said that it was already there and didn't have anything to do with it. – Rafi Rosa Mar 28 '18 at 15:22
  • It's a problem if they unlocked the phone at all, even for testing. – R.. GitHub STOP HELPING ICE Mar 28 '18 at 19:31
  • It's a problem for us security-aware folks, but most people and most repair people don't see a problem there. And often they are right, and not all persons with access rights do bad things. But when they don't tell the truth afterwards, the trust is gone. – allo Mar 29 '18 at 07:20
10

> when the guy in store suggested to just delete it I did it without thinking. Here's the link to icon I found that looks the same, I suppose it's UC Browser. As I mentioned, everything was in Chinese, including name of the app. – Rafi Rosa

Yes, it was UC Browser. This is a popular browser in China (since Google Play/Services are not available there); most Chinese phones actually come with this browser pre-installed.

I believe it was perhaps a way for the repair guy to test the phone in a familiar app... UC Browser was found to have several flaws that would allow others to exploit it, but mainly they'd only happen if you actually used the browser.

> I have done a complete factory reset of my phone and changed all passwords that I used while using it. After that all of apps I have previously installed were restored by iPhone and all of my files were stored on iCloud, is it all I can do? – Rafi Rosa

I believe you did well. Even if it was just an app that the repair guy decided to use for testing, he might have done a lot more than just installing and using the browser. Not being honest/upfront about what they really did when they just needed to replace a battery is certainly not professional.

A factory reset and password change should be safe enough regarding your data. If the store does not have ways to profit from replacing other hardware in your phone, you won't notice any difference. However, if you need to be completely sure about its integrity, perhaps a certified Apple store may perform a check and tell you what was really changed (not sure if they do this though).

CPHPython
6

I didn't see this addressed in the previous answers, so I thought I'd add:

If you are going to surrender control of your device, you should perform a backup and a factory reset beforehand. You should reset it again and then restore your backup when returned. It only takes a few seconds to copy your files or install malware.

It is too late in this case, but the mystery about "what happened" applies every time it leaves your control, not just this time because you noticed something wrong. Intruders usually try to avoid detection, so a good intrusion would be unnoticeable.

DoubleD
4

As already stated, anything done to your phone while out of your sight is definitely cause for concern and probably worth restoring from backup, as well as resetting passwords / 2FA for anything tied to that phone.

However, the exact way this icon got on your home screen would say a lot about how bad of a breach may be involved and how concerned to be. I can think of 2 options not already discussed:

  1. An employee installed the app, but removed it from your list of purchased apps. You could check your purchase history in iTunes for hidden purchases to verify whether this has happened, even for a free app.

  2. The icon was not actually an installed iOS App, but a bookmarked website / Progressive Web App that was pinned to the Home Screen for some reason to help with diagnostics. You could potentially verify this by checking your Safari history for any activity during the time your phone was at the shop. Clearing the history/cookies would erase the tracks for this, but if that's what happened then the 'app' itself isn't really a cause for alarm.

brichins
2

Yes you should be concerned.

Do a factory reset.

If you have backed up your iPhone from before the app appeared, you're in luck. If you didn't, that's less great, but it's still preferable to wipe it clean and start over.

1

If you gave the store access to the phone, the new app might not be in the list of your purchased apps, simply because an employee in the store logged off and installed it with their own user.

Nonetheless, I would still handle the phone and passwords used/cached there as potentially compromised.

However, as mentioned in my first paragraph, the app installation might be just routine, and someone forgot to delete it.

Rui F Ribeiro
0

I would recommend that you replace your phone instead of resetting it. The store has had access to the phone's hardware and firmware and could have replaced them with malicious counterparts in addition to installing this app.

Egor