A recent report on a deepfake injection tool targeting iPhones has surfaced. Here’s the TL;DR:
Security researchers have found a malicious new tool that can inject deepfake videos straight into iOS devices. The tool presents a major risk for identity theft, so Apple users should be wary.
It works on jailbroken iPhones running iOS 15 or newer versions. Jailbreaking is when somebody removes Apple’s built-in restrictions on an iPhone, and is usually done to install apps or make changes that Apple doesn’t normally allow, such as installing apps outside the App Store.
Downloading apps from unofficial stores is one of the many possible ways the malicious tool could end up on a user’s phone.
Once the tool is installed, cybercriminals use a special server (RPTM) to link their computer to the iPhone and then hijack the link between the camera and the app.
That means the app never sees the real camera feed. Instead, it gets an AI-generated deepfake video that looks like live footage. To the user, the phone might look normal – a person could point their camera at a tree and see the same tree on the screen. However, the app on the other end could show a fake face.
Ralph Rodriguez, President & Chief Product Officer for Daon, shares the below commentary in response to this report:
“Reports about a deepfake injection tool targeting iPhones have made headlines, potentially allowing attackers to carry out identity theft. Banking apps are a primary concern, but healthcare data is increasingly one of the most damaging and costly areas. Thankfully, it’s only a proof-of-concept experiment carried out on jailbroken iOS devices rather than a genuine attack, but it does highlight an important distinction that is often overlooked in biometric security – injection attacks versus presentation attacks.
A presentation attack tries to fool the camera lens with a printed photo, a mask, or a replay on a screen. Injection attacks, on the other hand, bypass the lens entirely by inserting synthetic frames directly into the capture pipeline. That’s what was demonstrated here. While it makes for an alarming headline, it’s worth noting the proof-of-concept relied on ‘jailbroken’ or ‘rooted’ devices – those that have had their built-in software restrictions deliberately removed. That said, attackers themselves can exploit this gap today by using their own rooted phone to pretend to be someone else. Once a phone is jailbroken, its trust boundaries are broken, and the operating system’s integrity checks are removed, opening the door for frameworks to impersonate the camera. Jailbroken phones are only a gateway, however. In practice, robust mobile identity systems should already treat these environments as high risk and either escalate checks or block them outright.
There’s a bigger issue in that injection isn’t just an iPhone story. Variants exist across rooted Android phones, desktop virtual webcams, and ‘man-in-the-app’ attacks, and attackers are motivated to target any environment with weak device integrity. That’s why defenses cannot be reduced to a single ‘liveness’ check. Instead, layered controls are needed: device attestation to detect jailbreaking or rooting, binding capture sessions to the genuine camera sensor, rejecting virtual sources, and analyzing holistic signals such as blink trajectories, rolling-shutter artifacts, and illumination consistency. Standards bodies such as the FIDO Alliance have already started incorporating injection scenarios into their certification programs, which will help buyers demand solutions that address both presentation and injection risks. The headline may sound new, but the lesson is a familiar one: strong identity systems rely on layered defenses that assume attackers will always try to break the pipeline, not just the picture.”
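As an added example (not code from the report, the tool, or Daon), here is one way to implement the policy described above in Python: the server issues a per-session nonce, the device signs the frame hash together with the nonce, the capture source and its attestation claims, and the server checks all of it before trusting the frame, blocking jailbroken devices and virtual sources and escalating on weak liveness. The HMAC key and the attestation claims are constructed stand-ins for a hardware-backed device key and a platform attestation verdict.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed per-device key provisioned at enrolment. Stand-in for a
# hardware-backed attestation key (assumption, not a real platform API).
DEVICE_KEY = b"constructed-device-key-0001"

def issue_challenge():
    """Server side: a fresh nonce tied to exactly one capture session."""
    return {"nonce": os.urandom(16).hex(), "issued_at": time.time()}

def device_capture(challenge, frame_bytes, source, attestation):
    """Device side: hash the frame and sign nonce + hash + source + attestation.
    'attestation' is a constructed stand-in for the platform's verdict."""
    payload = {
        "nonce": challenge["nonce"],
        "frame_hash": hashlib.sha256(frame_bytes).hexdigest(),
        "source": source,            # e.g. "hardware_camera" or "virtual_camera"
        "attestation": attestation,  # {"jailbroken", "os_integrity", "liveness_score"}
    }
    msg = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(DEVICE_KEY, msg, hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag, "frame": frame_bytes}

def verify_capture(challenge, submission, max_age_s=60):
    """Server side: layered checks; returns (decision, reason)."""
    payload = submission["payload"]
    msg = json.dumps(payload, sort_keys=True).encode()
    expected = hmac.new(DEVICE_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, submission["tag"]):
        return "block", "signature invalid: payload altered or key unknown"
    if payload["nonce"] != challenge["nonce"]:
        return "block", "nonce mismatch: replayed or cross-session capture"
    if time.time() - challenge["issued_at"] > max_age_s:
        return "block", "challenge expired"
    if hashlib.sha256(submission["frame"]).hexdigest() != payload["frame_hash"]:
        return "block", "frame swapped after signing"
    att = payload["attestation"]
    if att.get("jailbroken") or not att.get("os_integrity"):
        return "block", "device integrity failed: treat as high risk"
    if payload["source"] != "hardware_camera":
        return "block", "virtual or injected video source"
    if att.get("liveness_score", 0.0) < 0.8:
        return "step_up", "low liveness confidence: escalate checks"
    return "allow", "capture bound to attested sensor"
```

On a real deployment the attestation claims would come from the platform attestation service rather than the device's own report, since a jailbroken device can lie about itself; the ordering of checks here is what matters, not the specific thresholds.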
For now this is a proof of concept on jailbroken iPhones. Tomorrow it will be in the wild. Which means now is a great time to learn what you have to do to keep yourself safe so that when the day comes, you’ll be ready.
Oracle E-Business Suite Exploit by Cl0p: Who is affected and what organizations should look for
Posted in Commentary with tags SOCRadar on October 6, 2025 by itnerd
Today, SOCRadar published an analysis on the Oracle E-Business Suite vulnerability. The flaw, already exploited in the wild, has been used in data theft and extortion attacks attributed to the Cl0p ransomware gang. As Oracle rushed out an emergency fix, the situation revealed a wider ecosystem of threat actors and exploit leaks that organizations must urgently address.
The analysis dives into what exactly this vulnerability is, who is impacted and how severe the risk is, who is behind the exploit — Cl0p — and what indicators of compromise organizations should look for.
For full details, the analysis can be found here: https://socradar.io/cve-2025-61882-oracle-e-business-suite-exploited/