How Black Market Criminals Are Duping Apple Users Into Surrendering Their iPhones

Photo: Getty
Photo: Getty

A security report out Tuesdays sheds new light on the lucrative business of unlocking and reselling stolen iPhones, a multi-million dollar criminal enterprise spanning the globe. The tools used by shadowy hackers involved in this black market trade were detailed in TrendMicro’s latest research.


Today, stolen or lost iPhones are typically locked down by theirs owners using the Find My iPhone app, which can leave thieves in possession of nothing more than an over-priced paperweight. Bypassing the activation lock isn’t easy, of course; its purpose is not only to secure personal data and credentials contained on the phone, but to dissuade thieves from targeting iPhones in the first place.

About five years ago, New York City saw its first spike in major crime in two decades and then-Mayor Michael Bloomberg pointed directly at Apple, citing a rise in robberies targeting people with distinctive white earbuds dangling from their ears. (They called it “Apple picking,” if you can believe it.) Whether iPhones actually caused a crime spike or whether that was just a politician’s scapegoat, it was around this time—when iCloud was first introduced—that Find My iPhone gained widespread adoption.

To bypass the Find My iPhone’s activation lock, criminals have turned to sophisticated methods of infiltration, targeting desperate owners of missing devices with phishing emails gearing toward capturing iCloud credentials. As a foothold, criminals play on the eagerness of the owner to reclaim their lost phone.

The victims might receive a fraudulent link, for instance, alerting them that their iPhone has been located. Since the message is carefully crafted to appear legitimate, using a spoofed email account or SMS message, many owners carelessly follow the instructions they’re given. In doing so, they compromise their own iCloud accounts, granting the phone thieves full access to their device.

iCloud-unlocking services are their own industry, with a global customers base. TrendMicro says that in gathering details about available toolkits, it studied only a handful of operations, from Kosovo, the Philippines, India, and North Africa.

One prominent tool described by the report is FMI.php:

Once users enter their credentials on the phishing page, the FMI.php framework is used to retrieve the user’s iCloud information such as the cell phone number, passcode length, ID, GPS location, whether the device is locked or not, and if there’s a wipe command in progress. FMI.php framework can also delete the device from the victim’s Apple account after it’s unlocked. Attackers also get notified by email once the victim has been successfully phished.


Others include MagicApp and AppleKit. Both are designed basically to grant iPhone thieves the keys to run their own criminal enterprise, automating much of the unlocking process. MagicApp, for example, is capable of sending “a fake GPS location to deceive the victim into believing their lost phone has been found.” The app offers 50 customizable templates that phone thieves may use to phish iPhone users and acquire iCloud credentials.

“The online tools we’ve seen show how traditional felony and cybercrime can work concertedly—or even strengthen each other—towards bigger payouts for the bad guys,” TrendMicro reports. In other words, the world of iPhone theft is one of the best examples of how real-world and cyber crime can intertwine. You need to handle your accounts with care, but also make sure you aren’t leaving your iPhone sitting in a bar somewhere.


Below are a few security tips offered by TrendMicro, which also offers its own mobile security solution for Apple devices:

  • Apply best practices for securing mobile devices: enable two-factor authentication on your iCloud account, and set up or enable the device’s security features, i.e., Find My iPhone, Auto-lock
  • Regularly back up your data to mitigate the impact of its loss
  • Report the device’s loss or theft to your carrier to deter fraudsters from reusing it
  • Be more aware of the signs of phishing; in this case, be wary of unsolicited emails or texts requesting for your iCloud and Apple ID credentials
  • Enforce robust security policies in the workplace, especially if the device is used to store and manage sensitive data




Okay, I’ll admit to my ignorance since I don’t have an iPhone but once the phone is locked how do the hackers know the email address of the stolen phone? Is the email address plainly displayed on the screen when you try to unlock it?