You're a SOC analyst at Heliotrope Defense Systems. A user, Marcus Reyes, comes to the help desk: "my iPhone has been acting really weird the past two days. The battery is dying by lunch, I'm getting random pop-ups, and my email is sending things I didn't write."
Marcus is enrolled in the company's BYOD program with User Enrollment. Walk through the triage tree below and reach a verdict.
Triage checklist
Step 1: Check profiles.
Found: One profile labeled "FastSocialBoost MDM" issued by fastsocialboost-cdn.io. Marcus says he installed it about a week ago "to get free Instagram followers."
This is an attacker-controlled MDM profile. Once installed, it can push malicious apps, intercept traffic via a custom VPN, and exfiltrate data. This is almost certainly the answer.
Step 2: Check apps.
Found: Three unfamiliar apps: FastBoost, InstaTracker Pro, NetGuard Optimizer. None came from the App Store via Marcus's normal Apple ID purchases.
These were pushed by the malicious MDM profile. They have the permissions Marcus probably granted at install (notifications, network access, contacts).
Step 3: Check VPN.
Found: An always-on VPN routing all traffic through vpn.fastsocialboost-cdn.io. Marcus didn't configure this.
All of his network traffic, including email, is being intercepted. This is how his email is sending messages he didn't write: the VPN endpoint sits in the path of his authenticated mail session and can inject requests through it.
Step 4: Check battery usage.
Found: FastBoost is consuming 47% of battery, mostly in "background activity." The phone reports "this app uses significant power."
Confirms the apps are running in the background. The heat and battery drain are explained by constant background activity (likely tracking, ad fraud, or click injection).
Step 5: Check jailbreak.
Found: No. No Cydia, no Sileo, no unusual filesystem behavior. The phone is not jailbroken.
Why this matters: a non-jailbroken phone with a malicious MDM profile is the easier scenario. Removing the profile and the pushed apps largely cleans the device. A jailbroken phone requires a full restore.
Step 6: Check Apple ID.
Found: No unexpected device sign-ins. Marcus's Apple ID is intact. The attack didn't escalate to credential compromise.
Step 7: Check enterprise enrollment.
Found: Heliotrope's User Enrollment is still present and intact. The malicious profile installed alongside it but did not interfere with the corporate-managed apps (they're sandboxed separately).
The corporate email app's traffic, however, still went through the malicious VPN. Treat any company credentials Marcus typed into apps on this device as potentially compromised.
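Steps 1 and 3 of the checklist can be turned into a repeatable check on the profile itself. The following is an added example, not part of the original walkthrough: it parses an exported .mobileconfig (an XML plist) with Python's standard plistlib and flags an MDM payload that enrolls the device with a server outside the corporate allowlist, a VPN payload whose endpoint is outside the allowlist (noting whether it is always-on or on-demand), and any certificate payload, since a trusted root installed alongside a VPN is what makes TLS interception possible. The allowlist hosts ending in `.example` are placeholders, the rogue profile is constructed from the details in the scenario, and the VPN payload keys (`IKEv2`, `IPSec`, `VPN`, `RemoteAddress`, `OnDemandEnabled`, `AlwaysOn`) are the ones Apple's VPN payload uses.

```python
"""Audit an iOS configuration profile (.mobileconfig) for rogue payloads.

Added example, not the original page's code. Assumes the analyst exported
the profile as an XML plist; allowlist hosts are placeholders.
"""
import plistlib

# Assumed corporate allowlist (placeholders; replace with the real hosts).
TRUSTED_MDM_HOSTS = {"mdm.heliotrope.example"}
TRUSTED_VPN_HOSTS = {"vpn.heliotrope.example"}

MDM_PAYLOAD = "com.apple.mdm"
VPN_PAYLOAD = "com.apple.vpn.managed"
CERT_PAYLOADS = {"com.apple.security.root", "com.apple.security.pem",
                 "com.apple.security.pkcs12", "com.apple.security.pkcs1"}


def _host_of(url_or_host: str) -> str:
    """Reduce 'https://host:443/path' or 'host:port' to a lowercase bare host."""
    s = url_or_host.strip()
    if "://" in s:
        s = s.split("://", 1)[1]
    s = s.split("/", 1)[0]
    return s.split(":", 1)[0].lower()


def audit_profile(profile_bytes: bytes) -> list:
    """Return a list of human-readable findings for one profile (empty = clean)."""
    profile = plistlib.loads(profile_bytes)
    org = profile.get("PayloadOrganization", "<no organization>")
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype == MDM_PAYLOAD:
            host = _host_of(payload.get("ServerURL", ""))
            if host not in TRUSTED_MDM_HOSTS:
                findings.append(f"MDM enrollment to untrusted server {host!r} (organization: {org})")
        elif ptype == VPN_PAYLOAD:
            # The remote endpoint lives in a VPN-type-specific sub-dictionary.
            remote = ""
            for section in ("IKEv2", "IPSec", "VPN"):
                remote = remote or payload.get(section, {}).get("RemoteAddress", "")
            host = _host_of(remote)
            persistent = bool(payload.get("VPN", {}).get("OnDemandEnabled")) or "AlwaysOn" in payload
            if host not in TRUSTED_VPN_HOSTS:
                mode = "always-on/on-demand" if persistent else "manual"
                findings.append(f"VPN to untrusted endpoint {host!r} ({mode}): all traffic can be intercepted")
        elif ptype in CERT_PAYLOADS:
            findings.append(f"certificate payload {ptype}: a trusted root here lets the VPN endpoint decrypt TLS")
    return findings


# Constructed sample modelled on the scenario's rogue profile (not a real capture).
SAMPLE_ROGUE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadDisplayName</key><string>FastSocialBoost MDM</string>
  <key>PayloadOrganization</key><string>fastsocialboost-cdn.io</string>
  <key>PayloadIdentifier</key><string>io.fastsocialboost-cdn.profile</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>ServerURL</key><string>https://fastsocialboost-cdn.io/mdm/checkin</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>VPNType</key><string>IKEv2</string>
      <key>IKEv2</key><dict><key>RemoteAddress</key><string>vpn.fastsocialboost-cdn.io</string></dict>
      <key>VPN</key><dict><key>OnDemandEnabled</key><integer>1</integer></dict>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadContent</key><data>MIIBCg==</data>
    </dict>
  </array>
</dict>
</plist>
"""

# Constructed clean profile pointing only at the (placeholder) corporate hosts.
SAMPLE_CORP_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration", "PayloadVersion": 1,
    "PayloadOrganization": "Heliotrope Defense Systems",
    "PayloadContent": [
        {"PayloadType": MDM_PAYLOAD, "ServerURL": "https://mdm.heliotrope.example/mdm"},
        {"PayloadType": VPN_PAYLOAD, "VPNType": "IKEv2",
         "IKEv2": {"RemoteAddress": "vpn.heliotrope.example"}},
    ],
})

if __name__ == "__main__":
    for name, blob in (("rogue", SAMPLE_ROGUE_PROFILE), ("corporate", SAMPLE_CORP_PROFILE)):
        print(name, audit_profile(blob) or ["clean"])
```

Run it on a profile exported from the device (or from the MDM's profile inventory) before the profile is removed, so the findings are preserved as evidence; the three findings on the rogue sample correspond to checklist steps 1 and 3 plus the TLS caveat.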
What's actually going on?
Verdict: an attacker-controlled MDM profile, which Marcus installed himself for a "free Instagram followers" service, pushed three apps and an always-on VPN that routes all of his traffic through the attacker's endpoint. The device is compromised at the configuration layer, not the OS layer; the Apple ID and the corporate enrollment are intact, but anything that crossed the VPN is suspect.
Response plan
Once the verdict is clear, the actions follow:
- Immediate: remove the FastSocialBoost MDM configuration profile. iOS will automatically uninstall the apps pushed by that profile.
- Network: remove the rogue VPN configuration. Verify no other VPNs are configured.
- Credentials: rotate Marcus's corporate password (email + SSO + anything else accessed from the device while compromised). Treat his MFA-from-mobile as suspect for the past two days.
- App audit: review any apps installed in the past week. Anything from a non-Apple-ID purchase is suspect; remove.
- Storage clean: clear Safari history, cookies, and website data. Reset advertising identifier.
- Optional but recommended: a full reset of the device via Settings → General → Transfer or Reset iPhone → Erase All Content and Settings. Restore from iCloud backup from before two days ago. This is the highest-confidence cleanup.
- Education: talk with Marcus about how the "free Instagram followers" service worked — not to shame, to inform. He'll be the one who tells the rest of the team not to do it.
- Detection update: push an MDM policy to all enrolled BYOD devices that prohibits installing non-Apple configuration profiles. This is the closing-the-barn-door step that prevents the next user from making the same mistake.
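The detection-update step maps to a specific Restrictions payload key. The following is an added example, not part of the original page: it builds the Restrictions profile with the weak (default) setting and the corrected one, and then checks a constructed MDM inventory export for devices where the control is missing. Apple's key for this control is `allowUIConfigurationProfileInstallation` in the `com.apple.applicationaccess` payload, and it is honoured only on supervised devices, so a BYOD device enrolled through User Enrollment (like Marcus's) will accept the profile but not enforce it; the check reports those separately. Device names and payload identifiers are placeholders.

```python
"""Fleet check for the "block manual profile installs" restriction.

Added example, not the original page's code. Assumes the MDM can export,
per device, its supervision state and the profiles it has pushed.
"""
import plistlib
import uuid

RESTRICTIONS_PAYLOAD = "com.apple.applicationaccess"
BLOCK_KEY = "allowUIConfigurationProfileInstallation"  # supervised devices only


def build_restrictions_profile(allow_manual_installs: bool) -> bytes:
    """Return a .mobileconfig with one Restrictions payload.

    allow_manual_installs=True is the weak (default) setting; False is the
    corrected setting the response plan calls for.
    """
    payload = {
        "PayloadType": RESTRICTIONS_PAYLOAD,
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.heliotrope.restrictions",  # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Restrictions",
        BLOCK_KEY: allow_manual_installs,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.heliotrope.profile.restrictions",  # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Heliotrope BYOD restrictions",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def profile_blocks_manual_installs(profile_bytes: bytes) -> bool:
    """True if any Restrictions payload in the profile sets the key to False."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == RESTRICTIONS_PAYLOAD and payload.get(BLOCK_KEY) is False:
            return True
    return False


def fleet_status(inventory: list) -> dict:
    """Classify each device as 'enforced', 'unenforceable' (restriction pushed
    but the device is unsupervised, so iOS ignores it) or 'missing'."""
    status = {}
    for device in inventory:
        blocked = any(profile_blocks_manual_installs(p) for p in device["profiles"])
        if not blocked:
            status[device["name"]] = "missing"
        elif not device["supervised"]:
            status[device["name"]] = "unenforceable"
        else:
            status[device["name"]] = "enforced"
    return status


# Constructed inventory, shaped like a per-device MDM export (placeholder names).
SAMPLE_INVENTORY = [
    {"name": "corp-ipad-01", "supervised": True,
     "profiles": [build_restrictions_profile(allow_manual_installs=False)]},
    {"name": "marcus-iphone", "supervised": False,  # User Enrollment BYOD
     "profiles": [build_restrictions_profile(allow_manual_installs=False)]},
    {"name": "byod-iphone-07", "supervised": False,
     "profiles": [build_restrictions_profile(allow_manual_installs=True)]},
]

if __name__ == "__main__":
    for name, state in fleet_status(SAMPLE_INVENTORY).items():
        print(f"{name}: {state}")
```

The "unenforceable" bucket is the one that matters for this program: on User Enrollment devices the restriction cannot stop the next FastSocialBoost-style install, so those devices depend on the profile audit from the triage steps and on user education rather than on the MDM policy.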
Real mobile incidents are much more often the FastSocialBoost case than the Pegasus case. A user installed something they shouldn't have, granted permissions they didn't understand, and the device is now compromised at the configuration layer rather than the OS layer.
The triage tree is short and reliable: check profiles, check apps, check VPN, check battery usage, check jailbreak, check Apple ID, check enterprise enrollment. Most cases land in step 1 or step 3. The cleanup is procedural. The hard part is teaching users to recognize the bait before they install anything.