
A widespread malware campaign targeting iPhone users has escalated, with security experts warning of a surge in fraudulent schemes designed to steal banking credentials and personal data. The threat, identified as “Infostealer,” disguises itself as browser updates and has compromised over 26 million Apple devices since 2023, according to Kaspersky data cited by cybersecurity analyst Kurt Knutsson [1]. The malware grants attackers full access to passwords, financial details, and device data, often delivered via phishing emails or fake update prompts.
Infostealer Malware: Tactics and Impact
The Infostealer campaign exploits social engineering tactics, primarily through fake browser update pop-ups. Victims are redirected to malicious domains mimicking legitimate software updates, such as those for Safari or Chrome. Once installed, the malware harvests credentials stored in Keychain, autofill data, and even intercepts 2FA codes sent via SMS [2]. The DailyMail reported a 55% increase in infections from 2023 (16.49M) to 2024 (25M+), with attackers increasingly targeting mobile banking apps [3].
Zero-Click and NFC-Based Threats
Parallel to Infostealer, Chinese-linked threat groups have deployed NFC-based malware like “SuperCard X,” which drains bank accounts via contactless payment exploits. The FBI documented 19 billion spam texts in February 2025 alone, many impersonating toll services (.TOP domains) [4]. Additionally, zero-click attacks via iMessage, similar to the Pegasus spyware, have resurfaced, compromising devices through malicious .GIF or PDF attachments without user interaction [5].
Mitigation Strategies
The NSA and FCC recommend the following actions to mitigate risks:
- Update Verification: Manually check for updates via Settings > General > Software Update—never through pop-ups.
- Network Hygiene: Disable Bluetooth/NFC in public; use VPNs on untrusted Wi-Fi.
- Behavioral Controls: Reboot devices weekly to disrupt persistent malware.
For enterprises, enforcing MDM policies to restrict sideloading and monitoring for anomalous transaction patterns is critical [6].
Relevance to Security Professionals
This campaign underscores the need for enhanced endpoint detection on iOS devices, traditionally perceived as low-risk. Indicators of compromise (IoCs) include unexpected battery drain, unexplained data transfers, and new certificates in device profiles. Network telemetry should flag connections to known C2 IPs linked to the .TOP domain cluster [7].
For threat hunters, analyzing plist files in /var/mobile/Library/Preferences/ for suspicious entries and monitoring nsurlsessiond processes for data exfiltration attempts is advised. Kaspersky’s report notes that Infostealer variants often masquerade as com.apple.WebKit processes [1].
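The two hunting tasks above (flagging telemetry that touches the .TOP domain cluster, and sweeping plist files for suspicious entries) share one check: does a string contain a host on a watchlist or under a watched TLD? The script below is an added example, not code from the article or from Kaspersky. The log format, the plist contents, the file names and the C2 hostname are all constructed for the demo; the only input from the article is the .TOP TLD. It scans a directory of plists offline (for example, files copied from a device backup rather than the live /var/mobile/Library/Preferences/ path), parses them with the standard library's plistlib, and applies the same host check to a few constructed DNS/proxy log lines.

```python
"""Added example: offline triage of telemetry lines and plist files for
hosts in a watched TLD cluster. Everything below is constructed sample data."""
import plistlib
import re
import tempfile
from pathlib import Path

# Watched TLD from the article; the C2 hostname is a placeholder, not a real IoC.
SUSPICIOUS_TLDS = {"top"}
C2_WATCHLIST = {"example-update-c2.top"}  # hypothetical, for the demo only

# Matches dotted hostnames such as update-safari.top or api.apple.com.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def suspicious_host(host):
    """Return 'watchlist', 'tld' or None for a hostname."""
    host = host.lower().rstrip(".")
    if host in C2_WATCHLIST:
        return "watchlist"
    if host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
        return "tld"
    return None


def scan_log_lines(lines):
    """Return (line_no, host, reason) for each telemetry line with a flagged host."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            reason = suspicious_host(host)
            if reason:
                hits.append((n, host.lower(), reason))
                break  # one finding per line is enough for triage
    return hits


def iter_strings(obj):
    """Walk a parsed plist and yield every string value, at any depth."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from iter_strings(value)
    elif isinstance(obj, (list, tuple)):
        for value in obj:
            yield from iter_strings(value)


def scan_plist_dir(directory):
    """Return (file, host, reason) for flagged hosts; unparseable files are reported too."""
    hits = []
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            with open(path, "rb") as fh:
                data = plistlib.load(fh)  # handles both XML and binary plists
        except Exception:
            hits.append((path.name, "<unparseable>", "parse-error"))
            continue
        for text in iter_strings(data):
            for host in HOST_RE.findall(text):
                reason = suspicious_host(host)
                if reason:
                    hits.append((path.name, host.lower(), reason))
    return hits


# Constructed telemetry lines; the format is an assumption, not a real product's.
SAMPLE_LOG = [
    "2025-03-14T09:12:01Z dns query client=10.0.0.12 qname=api.apple.com type=A",
    "2025-03-14T09:12:07Z dns query client=10.0.0.12 qname=update-safari.top type=A",
    "2025-03-14T09:13:40Z proxy CONNECT example-update-c2.top:443 client=10.0.0.31",
]


def build_sample_plists(directory):
    """Write constructed plists: one benign, one look-alike named after the
    masquerade the article mentions, and one deliberately malformed file."""
    samples = {
        "com.apple.Preferences.plist": {"LastUpdateCheck": "https://swscan.apple.com/"},
        "com.apple.WebKit.plist": {"UpdateURL": "https://update-safari.top/install",
                                   "Enabled": True},
    }
    for name, content in samples.items():
        with open(Path(directory) / name, "wb") as fh:
            plistlib.dump(content, fh)
    (Path(directory) / "broken.plist").write_bytes(b"not a plist")


def run_demo():
    """Build the sample data in a temp dir and return (log_hits, plist_hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_plists(tmp)
        plist_hits = scan_plist_dir(tmp)
    return scan_log_lines(SAMPLE_LOG), plist_hits


if __name__ == "__main__":
    log_hits, plist_hits = run_demo()
    for hit in log_hits + plist_hits:
        print(hit)
```

The TLD match alone is a coarse signal and will fire on legitimate .top sites, so in practice it feeds a triage queue rather than an alert on its own; the watchlist path is where confirmed C2 hosts from vendor reporting belong. Reporting unparseable plists as findings is deliberate: a preferences file that plistlib cannot read is itself worth a look.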
Conclusion
The convergence of social engineering and technical exploits in these campaigns highlights evolving mobile threats. Organizations should prioritize patching legacy iOS versions (pre-15.6.1) and educate users on recognizing fraudulent update prompts. The FBI’s IC3 portal remains a key resource for reporting incidents [8].
References
- [1] “iPhone hacked: Apple warning as 26M users targeted by Infostealer malware,” Express.co.uk, Mar. 13, 2025. [Online]. Available: https://www.express.co.uk/news/uk/2026531/iphone-hacked-apple-warning
- [2] “Urgent warning as devices hacked by vicious malware to steal bank cards and passwords,” DailyMail.com, Mar. 14, 2025. [Online]. Available: https://www.dailymail.co.uk/sciencetech/article-14492805/urgent-warning-devices-hacked-vicious-malware-bank-cards-passwords.html
- [3] “iPhone and Android users bombarded by Chinese attack—do not ignore FBI warning,” Forbes, Mar. 23, 2025. [Online]. Available: https://www.forbes.com/sites/zakdoffman/2025/03/23/iphone-android-users-bombarded-by-chinese-attack-do-not-ignore-fbi-warning/
- [4] “Android users warned as bank accounts emptied in scam,” The Sun, Apr. 21, 2025. [Online]. Available: https://www.thesun.co.uk/tech/34568317/android-bank-empty-scam-urgent-warning/
- [5] “Apple spyware warning: Update your iPhone now,” Yahoo Finance, Sep. 13, 2021. [Online]. Available: https://au.finance.yahoo.com/news/apple-spyware-warning-update-005410632.html
- [6] “NSA Mobile Device Best Practices,” NSA, 2025. [Online]. Available: https://s3.documentcloud.org/documents/21018353/nsa-mobile-device-best-practices.pdf