
[Music] Hi everyone, thank you so much for coming to my talk. Just giving everyone a minute to sit. So today I'll be talking about a fake iPhone that I recently got, and I'll tell you guys the story a bit about that. But as hackers we are very curious, right? So when I found out that a fake phone is a thing and that I had one in my hand, I had some questions. So this presentation is a story about how I got a fake phone, the questions I had, the process I followed to get the answers, and what those answers are. It's a story of issues that I ran into, and hopefully we can all laugh about it, or cry about it together. Let's see.

So who am I? I'm Anie. I got married after I submitted my paper, so I'm now Williamson. I've been working at Redshift for half a decade, where I've been doing penetration testing for many years, and I now have the privilege to be in the digital forensics and incident response space. I get to do investigations on things like fraud and insider threats, breaches, ransomware, etc. I'm also very heavily involved in the mobile space, as I was head of mobile a while back, when I also launched a mobile training YouTube series on Redshift's YouTube, just because I saw there wasn't really a lot of beginner mobile information: how do you actually get into mobile? That was way back when; there's a lot more information at the moment. One thing I also started was being in charge of training at Redshift, where I started training everyone on mobile when I was still head of mobile, and one would think, because I do training for a company, I would be better at talking in front of people, but unfortunately no. I'm currently the head of digital forensics and incident response at Redshift, and then I have two dogs, Simpson and Daisy, and I have two bunnies, Waffle and Jon Snow, and yes, I do have photos, don't worry. It's the white one that's like doing this; that's Jon Snow.

Okay, as a means of introduction: when I submitted this paper, this is the introduction that I submitted as well. In short, I wanted to know two things: is this device actually safe to use, and is this device a credential harvester? I'll show you guys why I had that question in a bit. But let's actually look at the device in question. I have it here. For those who want to read that, you can. Let's see if this works. Okay, so this is the device, switching it on. It's not great. If anyone wants to see the device afterwards, please just come and grab it, but you guys can see this. This is actually pretty good, right? This is claimed to be an iPhone 13 or iPhone 14; it was advertised as a 14, but the serial number comes up as a 13. Unlocking the device, it's not bad, it's not slow, right? It's not bad. If you're not an iPhone user and you're not clued up, you wouldn't really be able to tell. This is the settings. Okay, looks standard, looks like an iPhone, right? From the research that I did on previous fake iPhones, like the iPhone 10 that they made, there was discoloration on the side, and you can't really see on the camera here, but there is no discoloration, there's no blue tint on this camera at the back. A heavy blue tint was the indicator on previous ones; there's nothing like that. Hardware-wise, you can't really tell, except if you really know iPhones and you know the speed that this phone is supposed to
be. So how did I actually get this phone? So someone I know who's very intelligent, who I may or may not have married, wanted to buy a new phone, and he thought he's going to go to the trustworthy Facebook Marketplace, because that's where we get tech, right? He and his brother-in-law, who's a lawyer, went to pick up the phone, and beforehand they Googled everything: how to know if this phone is stolen, or how to know if it's a bad purchase, right? More towards if it's a stolen phone, not fake phones; we weren't as clued up that that's a thing at that point. Every check was bypassed, and when he got in the car he saw the first strange thing. Obviously at that moment it's very quick: check the phone, check the IMEI number, everything looks good, you're on your way. It's a stressful situation, right? And then when you actually look, he saw something wrong. We are two hackers married to each other and this happened to us; what chance do our parents have, right? And this actually just shows how sophisticated adversaries have gotten.

So what did Google say that we should check for? The first thing is factory reset the phone, because if it has an active profile assigned to it, if it's stolen, you won't be able to; it'll stop. It's an Apple security thing, right? So they did that, they factory reset the phone, everything's still fine. Check the serial number on Apple's official website: they entered the serial number and it showed up as a legit phone. However, it did show up as an iPhone 13 Pro, but the guy was like, yeah, well, I put it wrong on the advert, whatever, go on. The other one is just ensure that no account is signed into the phone, so go into settings, see if someone signed in. It wasn't. I also looked up, when doing research, how to identify if this is a fake phone, and someone actually said just put the serial number in the Apple check coverage (this screenshot): put it there, and if it comes up, this phone is legit, it's safe. Clearly not.

So some signs that we got that it was fake. Obviously, now that I'm going to mention it, it's going to seem super obvious, right? You're like, how did we miss this? It is a bit slow; it's not as slow, but it's a little bit slower if you're an advanced mobile user. There's an Android error on the phone, and this is an iPhone. There's a spelling mistake in the Settings application, and there's incomplete functionality, so you cannot search in Settings. If you go into Settings, you can search for a word like hotspot or whatever and it brings up that setting; you can't do that on this phone. The battery also doesn't last as long, but obviously you only see that when playing with the phone. Another indicator, which I wouldn't recommend using, is the little side button, the mute button; for those of you who have iPhones, it is a little bit wonky, but not enough if you don't know.

Some error messages: the one on your right, that is Google, that is when you open Apple Maps, it shows you the nice Google sign-in. The second one is if you open the Files app there's an Android folder, and for those of you who know, there is an Android folder structure; that's how the Android file structure looks on old Androids. The other one is Messages: it seems fine, but when you swipe up you see the little message icon, that's very old Android. The last one is, I don't think that's Siri, maybe it was Siri, but I'm just young and I don't know, but that's what you get when you press for Siri.

I have some videos for you guys. It's not as stable, my hands are a little bit shaky, but let's go with it. That's opening the Files internal storage, then you see all the file structure. I went into Data; note there is a joy APK, that's joy7apple.appstore. This tells me that the App Store setting is a malicious APK, right? It's fake; I can't remember the English word, the Afrikaans word is "Nar". This is Apple Maps, that's Google. There's your Android error. This is Podcasts, that's Google Play. This is Find My Friends, that's still Google. There's another Find My Friends; I'll show you guys the screenshot of that one now, but both of them have Android errors, right? So I'm starting to think this is actually an Android, maybe. Then there's some spelling mistakes: on your left hand, my left hand, left hand side, the Apple ID, there's a spelling mistake. If someone wants to give that a shot, I'll give you like two minutes. Anyone? Don't have it? On the right hand side there's two issues, but they're not spelling mistakes; if you are a mobile user, in the mobile space, you'll know that that's the incorrect wording for it, and that is "Cellular" and "Personal Points"; that's supposed to be Mobile Service and Personal Hotspot. Then there's two Find My Friends: the one is to find your enemies and the other one is for Crow statives. Then an interesting thing is the compass. So I was playing with the phone, seeing what works, seeing what doesn't, and this one gave me a giggle. I hope it gives you guys a giggle as well. I hope you don't get stuck with
this phone; you'll get lost. Okay, so I had some questions. Naturally, the first one is what operating system is this? Obviously we can see it's Android, but what Android is it? Is it the Android Open Source Project, is it just a very old Android, or is it something completely different and they just used some code from Android? Is this a credential harvester? The Apple ID sign-in has a spelling mistake; are they actually stealing my credentials if I put them in? Does this phone call out to somewhere, does it have a home base, a malicious URL that it's connecting to? What's the actual security risk? Can you actually use this phone, like can I just use it? It'll be a little bit slow and a little bit wonky, but can I just use it? How did they do the IMEI? And the pictures: so if you go on the phone, and from the research that I did, the phone has six pictures on it and one video. I wish I could show you guys, but I don't know the age restriction at this conference; it is Asians and bikinis, so it's a little bit inappropriate. I'm not going to show it, but if you ever buy a phone, you open it and there's six random pictures of Asian women and a random Asian commercial video, then it's fake, right? And for those of you who want to see it afterwards, just show me your ID and I'll show you. Then, what are some indicators of fakeness? How do I help people not fall for this? Because this was an expensive phone; I'm not going to admit how much we paid for it.

Now I devised a plan. First off, I want to image the device. So we have a forensic lab and we have imaging software for mobile devices, and I want to image this device, which I had some issues with, and I'll get to that. I want to check the BIOS information on this phone, maybe there's additional information, which again gave me some issues. I want to check the file system and maybe root the device, get a shell. I want to check the network traffic to see if it's calling out and see if it is a credential harvester, and I want to play with it to see if there's anything that makes you realize, oh no, this is fake.

Okay, so something to take into consideration when imaging a device, getting root, is you need to know what the phone is. I don't know what this phone is; I know nothing. I don't know what hardware it uses, nothing. So let's go to the first one, the easy one. I wanted to check the BIOS. A little problem here: I don't speak Chinese, wish I could, but I can definitely not read it. So luckily my brother-in-law does, but he was busy, so I had to use Google. If you guys know, this is very standard Android BIOS settings. I actually did do the manual test on the phone, just for curiosity's sake: microphone, speakers, everything works, there's no issue with the hardware. I mean, it's not as good; for example, the zoom on the phone is artificial, definitely two of those cameras are fake, but if you are not as technically clued up you won't know that, right? I mean, I don't think my dad would know whether this zoom is artificial or not. Yeah, and then I went into the version information of the phone, which gave me some very interesting information. The first one is that chipset. I know we all know it off by heart, but that chipset actually has an exploit available for it, for that specific chipset, so we can root the phone, great. The second one is it's an Android 6; that's very old, Android version 6, so definitely Android. Then there's two IMEI numbers in the BIOS. So when they first got the phone they did check the IMEI numbers and it showed up as an iPhone, Apple, fine. I checked these IMEI numbers; there's two different names that I got. The first two are just the first two IMEI numbers, and the same one, and then the other one is what the rest of the site said. Now, excuse me for butchering these names, but the first one we see is Quan Tong Tong and then we have a Shaman; I won't attempt the rest. Obviously not Apple, right? So I went into a little bit of research into both of these companies, and both of them are Chinese-based. Very little is known about Quan Tong Tong; I don't know if that's correct, that may be fake, both of them may be fake, but there's very little information about that. Perhaps I just don't know the correct Chinese name and that's why I'm not finding it on Google. The second one, Shaman, is a technology company that manufactures, it seems like, network equipment, but there's no clear relation seen between the fake phone and these two companies, so I'm unsure what the connection is. It can just be fake, or they do this in the background.

Okay, so now I want to image the phone. We use Oxygen Forensics to image mobile devices in our forensic lab. Now to do this you need to choose a method; there's two methods of doing this. The first one is you choose the exact phone, so you'll say, okay, this is a Samsung S23, version this. Okay, that's not possible, I don't know what this is. I can choose iPhone 14; I don't think it would work. So, new plan: the second method is you can
deploy the agent itself if you're unsure. So you can deploy an Android or iOS agent. Just for fun, because I still don't really know what it is (I know we all know it's Android, but I mean, it's an iPhone with Android, it's confusing), I deployed both. So iOS obviously didn't work, it wouldn't work, but the Android agent also didn't work, and this is because you need USB debugging to be enabled. To enable USB debugging you need to go into Android's developer options, which is in the Settings, which this phone doesn't have; this phone has a fake iPhone Settings app. So I decided to make the phone even less secure and put a fake developer options on the phone. So I installed an APK on the phone, and this allowed me to enable USB debugging, and I was successful in taking an image of the phone. It was fairly quick; there's not a lot of information on the phone. And then I used that software to scan the image for malware. Unfortunately there was no malware; I thought that would be cool, but unfortunately there was no malware.

Okay, now we need to root or jailbreak the phone. So when I first had this dilemma, when I didn't know it's an Android, I thought, do I root or do I jailbreak? For those of you who don't know, rooting is for Android, jailbreaking is for iPhone. Is it based on the hardware or the software? What is the hardware? Don't know. Rooting needs USB debugging; luckily I got that. Getting it to safe mode and fastboot sounds easy enough, but this is where my biggest stumbling block came when it comes to this phone, and I'll explain now. And then which one do I use: Magisk, Kingo Root, what do I use? So getting this phone into fastboot is possible; getting it out of it is not. Every single time I've done this the phone just freezes in fastboot and I have to wait for the battery to die before I can get it back. This might be because of the hardware being weak; I'm a little bit unsure. I ran a little bit out of time, so I decided that can be phase two, to get this thing to actually root, but I wanted to do the rest of the research before I break the phone. I did attempt Kingo Root, which you guys would know is a just click, click and root. Sounds too good to be true, because it is; it didn't work.

Okay, so next off, let's look at the network traffic of this device. There's three parts to what I want to see when it comes to the network traffic. The first one is the Settings app. So you guys saw it has the Apple settings, it has a sign-in; the sign-in asks you for a username, your email and a password. I put in a fake username and password and it let me authenticate, so I was like, maybe this is just, you know, a skin, it doesn't do anything, it's just static. But a lot of credential harvesters do look that way; it's like, oh, it's broken, whatever, but it actually is sending out your information. I also wanted to look at the suspicious APK, the Joy7: what is that, what does that do? Then some of the installed Google apps: we're getting the Google errors, but is this a legit Google APK or is this also a fake one that they created?

So I'm trying to intercept the network, but I need to install a cert, and I'm struggling with the root, and I'm having a struggle, right? And my husband just brought up, why don't you just proxy it with Burp? I'm like, because you need the cert, you need to install the cert on the phone and I can't, because it's not rooted. And he was like, well, it's giving cert errors if you use Google, so maybe not? Apparently not: I could just fully proxy the phone without installing the cert as a system cert. So yeah. Okay, so now I need to proxy the phone. Okay, how do I proxy the phone? You go into Wi-Fi, you go into settings, you put the proxy on manual and you enter your host IP address, right? Because the Settings app is incomplete, the proxy button is static, it doesn't work, you cannot put the proxy on. So I had to use ADB to set the proxy, but I was well on my way.

Okay, here are some Burp screenshots for you guys to look at the information being sent through. As you guys can see, this is information from the com.joy7apple.appstore one; this was the first one that came up when looking at my Burp. I also validated that we're not missing any SSL traffic by looking at the Burp errors, the TLS Burp errors, to see which hosts those were that it's getting the cert error for too. It was mostly just Google things, like ads.google and everything, so that was fine. So if it was a certificate pinning error it would have showed up in the error log from Burp, right? Looking at the App Store, I found three very interesting endpoints. I will not attempt that first name; the second one, the n.r jump.com, and then we have a random IP address. These are the three locations that the App Store was calling out to, so I thought, yes, great, credential harvester. So the IP address, the 47.2 371, that is an IP address based in California and it is owned by Alibaba Cloud; do with that what you wish. When I downloaded an app, so I went on to the phone, pressed download, it asked for my credentials, you know, those that I randomly put in that I forgot about; I forgot what the password was, but it's asking for that. I'll show you guys how I got through that now. But when I then put in the password and pressed download, it doesn't download anything; nothing gets downloaded. I tried multiple times, and when I put in the password it doesn't get sent out to one of these strange store URLs. So it seems that the App Store was just a skin, which I feel is an opportunity for the scammers; like, this would be a really good way to get my credentials. The Google Play Store on the phone gave certificate issues, so that one looked like it was a valid Play Store. So there's an App Store and then there's a valid Google Play Store.

Okay, I don't have the password, I forgot what it was, so I just opened logcat and I was like, maybe it's sending it, because if that app is fake, where I put in the credentials in the Settings, it's not working, it's not sending anything out, I checked. It must save it locally to the device, right? If it's saving it locally to the device I can get it in shared prefs, but I need root level access, which I don't have because I can't root the phone. So I went into logcat with the hopes that maybe they're sending this as a sign to check if the username and password is this, and if it is then let it through, and it reminded me what my password was. So I was very glad about this vulnerability, but there I found the password. I then went back into the Settings app, removed the user associated with the account and re-signed in, and that is the second one that you guys can see there, where it actually assigns the user with the clear text password. Obviously this is very bad practice; it's very bad practice to put clear text credentials in your logcat, because everyone can get it, you don't need root, right? So this is a vulnerability, but I mean this whole phone is a vulnerability, so we don't really care.

Okay, so now going into what are some indicators of fakeness, my IOFs. First one is the images and the video, which I still can show; take the phone. If you ever get one of these phones, take the phone, go into the phone; obviously you're not going to sit there with Burp and check if it's like weird URLs, right? So these are practical things you can check for. First one, check the images: if there's six random images on the phone,
and even if you restart the phone the images persist. So we restarted this phone, factory reset everything, the images stay there, the images and the video. That's there in every single one of the videos that I watched; granted, there's not a lot of other people with other fake phones, and it wasn't the 13 or 14, it was like a 15 and a 12 and a 10, but they all had these images. I don't know why, but it is there, so if you see that, that is an indicator. The second one is the volume down; for those of you who are going to come afterwards to feel the phone, you can kind of feel it's wonky, a little bit wonky; if you don't know better, you don't know better. The third one is the errors, the spelling mistakes and the files. So I think the error one is a really good one to go after: make the phone error out, make it have to error, disconnect it from the internet and try and open something that needs internet, go too fast, make it confused, because ultimately the errors were the first indicator to us. The spelling, I mean, if you're good at seeing the spelling thing then that's great, but I mean if you're in a rush, you're stressed because you're talking to someone, and we're introverts, we don't like that, you know, you're looking at the phone, you're not going to find that, you're not going to find the H, you're not going to find the spelling mistakes, but if you can, great. And then opening the file system, because that file system was very old; they didn't even try, they didn't make a fake file system. Opening the compass: in every single one of the research things that I read, the compass was wonky, so just open the compass and hold it still, seeing if it freaks out. The cameras and the zoom: so on the older ones (this is 13, 14), these had a blue tint in the two on this side, they had a blue tint; this one doesn't. So for the older ones you can check the blue tint, but you can also open the camera and zoom; you'll see it's an artificial zoom if you know better, but, you know, our parents won't be able to tell that. I'll show you guys what it looks like, maybe with the camera, after this. And then the Dynamic Island. So this one, the iPhone 13/14, has a Dynamic Island, which means, you guys won't really be able to see it, but this little black thing, this is a Dynamic Island, so if you do anything like change the volume it expands. I don't think you guys can see that, but anyway, just trust me. It doesn't work on everything: so for me it worked on the silent, but if you set an alarm it didn't work, but that could be an indicator. For the 15, I saw research about a 15 that has the action button, the 15 Pro; the action button was fully functional on that fake phone, so you cannot even use that as an indicator.
Okay, so when I looked at other fake phones, they didn't give away the serial number, and I didn't specifically search for how many instances of this serial number are in existence, but I didn't find anything more on my specific serial number than the Apple checker. The other ones didn't give me their serial number, but that is quite interesting; it would be interesting to know.

So I have a what's next. I'm planning on continuing my research on this phone, because my time was a little bit limited; as we all know, June and July was ransomware month, no idea what happened. I was supposed to root this phone on Friday, but I was one of those lucky people whose laptop had a blue screen of death, so great for me. First off, I want to root this phone, because I don't want some fake iPhone beating me. Then I want to get a fake Android; so fake Androids are also a thing. I had a discussion, while searching for more information on this phone, with the provider of our forensics tools, and I asked them, have you guys ever come across this? And they said yes, only once: it was a fake Samsung device, and when they plugged it in to image it they couldn't. They didn't know it's a fake phone; when they plugged it in to image it, it didn't work, it kept not wanting to image their Samsung S21 or whatever, even though they pressed the Samsung S21 button, it didn't want to work. But then after research they saw it was a fake phone, but the indicators were fewer, because obviously on a Samsung you're expecting the Android errors, right? The other one is I asked someone at a cell shop, because I thought, you know, people try and sell these things, maybe they have seen one, and they actually said no, they've never seen one in South Africa. They have also seen a fake iPhone in India, but this person was using the phone fine, had their banking app on (I wouldn't do that), but they were using this phone as an everyday phone; it looked fine. So I want to get a fake Android device. Oh, and another one is someone I know had a fake Sony device. So Sony, in the olden days, they had the little sticker at the bottom which said Sony, and they bought the phone, they were playing with the phone, they said something is weird with the sticker, and they pulled off the screen cover and the Sony label came with. So there are other fake phones out there; it's not as prevalent, but I really want to get a fake Android and compare the two, because of my curiosity. I want to do a blog post on this research, which will be updated if you guys are ever interested in, okay, but what did I do next, did I manage to root it, is there any other information that we found on the phone; we will update that over there, probably on Redshift's page. I want to know if this phone is truly just for the profit of selling the device, because obviously this is very cheap to make and you sell it for the price or just a little bit lower, so it's like a nice sale. So are they making these phones just for the profit of selling these phones, or is there something more malicious at play? I didn't find any evidence of this phone sending out credentials. There were the sites that it connected to, but it mostly did it for images, so to get images on the phone and that type of thing, to make it look legit, but it never sent out my credentials, nowhere in the phone, I tried. But is there something more malicious? I mean, this would be a perfect way to get everyone's credentials, right? Interesting would be to research how, as a company, do you know if your employees are installing your apps on a fake phone, and what's the risk you have as the managing director or the owner of this company with your employees having fake devices with your data on? What is the actual risk? That's all part of my phase two. So in short, while my initial research revealed a lot of answers to my initial questions, I got new questions. Thank you. [Applause]

Any questions? [Applause] That I know the answer to, please, would be
nice.

[Inaudible audience question]

No, no, I hope so, but no. So that's why I scanned the phone, and I did plug it into a safe environment to see what's going on. I didn't find anything; nothing got picked up. That's why I'm thinking it's just a skin and they're just selling it for the profit of selling the phone and nothing really malicious at play, but I still want it to be something malicious at play, because it's interesting.

[Inaudible audience comment]

Yeah, yeah, monitoring the phone for an extended period, that's a great idea, yeah. And actually reverse engineering that APK, it was on my list, I just ran out of time, to be honest, but I'm definitely adding that to my phase two. Any other questions?

[Audience] Internationally, how many fake phones are in circulation? Because obviously somebody went through a lot of trouble to manufacture, to make these.

Yeah, so in terms of publicly available research, very limited. I found almost nothing on these phones. There's like one YouTube channel who keeps buying fake phones off of, I can't remember the site, but it's like an Alibaba, just to like see what he can see, but he doesn't really go into the phone. And then I saw other research, or not research, by people who buy like a thousand phones on Alibaba and they're like, oh, we're going to sell all these, look, you can make money this way, that type of thing. But there's no real indicator of fake phones, where they are found, how many are in existence, that type of thing.

[Audience] I think the other problem is a lot of cheap phones coming into the market that are already rooted or have got very little security activated. That's also an area of interest for me personally, because if you are offering services in the market and you want people to have phones and have apps that run on those phones, if those phones are already insecure when they hit them, those customers are all impacted.

Yeah, that's the other thing I wonder, because there's so many new phones coming out that are so cheap, the Xiaomis, the Oppos, all those, they're so cheap; why do you want to buy a fake phone if these are more secure? But maybe that's why the trend has died down, or it really hasn't picked up, or maybe people just want the phone for status but don't want to pay the price point. Don't know. Yeah.

[Audience] Were you able to ascertain the actual kind of hardware statistics, i.e. what the RAM was versus the reported RAM, for example, on the actual hardware?

So I watched a creator who opened the phone and you can clearly see it's fake or weak, but the way to open the new iPhones is to heat it up to get this thing loose, and I honestly didn't want to break it before today, but I probably will open it when I'm done with, like, everything. I'm like, okay, cool, I just want to open it now. But an interesting thing is when they open the phone, the cameras: these three, these two were just like a cover, like there's no actual camera behind it, it's just there for show. There's only one actual camera in it. But when you see him open the phone it's very, very flimsy, so if you don't know what you're doing you can easily break it, and I just didn't want to break it for now. There was someone in the back.

[Audience] Yeah, more so, Apple actually has authorized resellers; there's actually a lot more, and the iStore that we normally buy from is actually not an Apple product but a reseller through it. So do they normally have a website where they say these are our authorized resellers to sell these phones?

So Apple themselves have a secondhand store; I think it's located in Rosebank or something, but they themselves have a store where they sell secondhand products. You can actually check on their website to also see it, but in terms of a list of, like, okay, these are the locations that have phones, I don't think they have, especially because of, you know, the little cell shops you go in there, you're like, oh, I want a new phone, sell your phone, and I don't think that's marked, and that could very well be a legitimate person who just broke the back screen of their phone, that's an actual iPhone, and is selling it to them. So I don't think it's tracked. But if you ever want a secondhand iPhone that's not fake, first off, don't go on to Facebook Marketplace, that's a terrible idea, but go to maybe the Apple legit secondhand store. Any other questions? Great, thanks everyone so much for coming to my talk. There's 5 minutes left, so you guys have a little bit of a break before the next one. [Applause]
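An added example, not from the talk or from Redshift: a small Python triage script that checks the three artefacts the talk pulled over ADB once USB debugging was on (build properties, the package list and logcat) for the indicators described, namely Android build properties on a device sold as an iPhone, the com.joy7apple.appstore package, and an Apple ID password written to logcat in clear text. The command output below is constructed in the shape of `adb shell getprop`, `adb shell pm list packages` and `adb logcat -d` output, and the credential regex and the package name are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Package of the fake "App Store" seen on the phone in the talk; assumed spelling.
SUSPICIOUS_PACKAGES: Set[str] = {"com.joy7apple.appstore"}

# `adb shell getprop` prints one "[key]: [value]" per line.
GETPROP_RE = re.compile(r"^\[([^\]]+)\]:\s*\[([^\]]*)\]$")

# "user=<x> ... pass=<y>" style pairs, the shape of the line the fake Settings
# app wrote to logcat on Apple ID sign-in (assumed pattern; tune to your logs).
CRED_RE = re.compile(
    r"(?i)\b(?:user(?:name)?|email|account)\s*[=:]\s*(\S+)"
    r".*?\b(?:pass(?:word)?|pwd)\s*[=:]\s*(\S+)"
)


@dataclass
class TriageReport:
    android_version: Optional[str] = None
    findings: List[str] = field(default_factory=list)
    leaked_credentials: List[Tuple[str, str]] = field(default_factory=list)


def parse_getprop(text: str) -> Dict[str, str]:
    """Parse `adb shell getprop` output into a dict."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        m = GETPROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def parse_packages(text: str) -> Set[str]:
    """Parse `adb shell pm list packages` output ("package:<name>" per line)."""
    return {line.split(":", 1)[1].strip()
            for line in text.splitlines() if line.startswith("package:")}


def find_cleartext_credentials(logcat_text: str) -> List[Tuple[str, str]]:
    """Return (user, password) pairs some app logged in clear text."""
    # logcat is readable over ADB without root, so anything here is exposed.
    hits: List[Tuple[str, str]] = []
    for line in logcat_text.splitlines():
        m = CRED_RE.search(line)
        if m:
            hits.append((m.group(1), m.group(2)))
    return hits


def triage(getprop_text: str, packages_text: str, logcat_text: str,
           advertised_as: str = "iPhone") -> TriageReport:
    """Combine the three checks into one report; empty findings means clean."""
    report = TriageReport()
    props = parse_getprop(getprop_text)
    release = props.get("ro.build.version.release")
    if release:
        # A genuine iPhone never answers ADB, let alone with Android build props.
        report.android_version = release
        report.findings.append(
            f"device sold as {advertised_as} exposes Android build properties "
            f"(release={release}, model={props.get('ro.product.model', '?')})")
    for pkg in sorted(parse_packages(packages_text) & SUSPICIOUS_PACKAGES):
        report.findings.append(f"known fake-store package installed: {pkg}")
    report.leaked_credentials = find_cleartext_credentials(logcat_text)
    if report.leaked_credentials:
        report.findings.append(f"{len(report.leaked_credentials)} credential "
                               "pair(s) written to logcat in clear text")
    return report


# Constructed samples in the shape of the real command output; not captured
# from the device in the talk.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [6.0]
[ro.product.model]: [iPhone 14]
"""
SAMPLE_PACKAGES = """\
package:com.android.phone
package:com.joy7apple.appstore
package:com.google.android.gms
"""
SAMPLE_LOGCAT = """\
D/NetworkMonitor(  812): connected via proxy 10.0.0.5:8080
I/AppleIdLogin( 1234): signin user=alice@example.invalid pass=s3cret-example
"""

if __name__ == "__main__":
    report = triage(SAMPLE_GETPROP, SAMPLE_PACKAGES, SAMPLE_LOGCAT)
    for finding in report.findings:
        print("-", finding)
```

On a real device the three inputs come from the ADB commands named above; the credential check is the same thing the talk did by hand when reading the Apple ID password back out of logcat.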