While exploring the file system on a jailbroken iPhone 6s, I stumbled upon an interesting folder:
/var/mobile/Containers/Data/Application/5FEABFA4-7F9E-4DB7-9254-CB4C6C3F9A3A/Library/Application Support/{{InstagramUserId}}/com.instagram.IGDWellBeingDatabase/
Inside this folder was a SQLite database containing a “url_blackhole” table with 4629 entries.
There were a total of 4629 unique url_chunks classified under 4 violation types:
- CYBERSECURITY_PHISHING_FOA (likely Foreign Origin Actor) — 4370 url_chunks
- CYBERSECURITY_GREYWARE_OR_SPYWARE — 239 url_chunks
- CYBERSECURITY_UNCATEGORIZED — 13 url_chunks
- PHISHING — 7 url_chunks
Attempting to visit any of these URLs inside Instagram, for example by tapping a link in a direct message, presented multiple warnings:
The most common domain among these URLs is t.co, the URL shortener created by Twitter and still used by X.
Top Domains by Volume

| Domain | url_chunks |
|---|---|
| t.co | 1571 |
| tinyurl.com | 179 |
| is.gd | 170 |
| tr.ee | 108 |
| linktr.ee | 101 |
| shorten.is | 71 |
| shorturl.at | 64 |
| shorten.ee | 56 |
| bit.ly | 52 |
| cutt.ly | 48 |
| goo.su | 45 |
| s.mkswft.com.storage.googleapis.com | 41 |
| pagina.pro | 31 |
| bom.so | 28 |
| cdn.videy.co | 26 |
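To reproduce the two tallies above (entries per violation type, and top domains by volume) from a copy of the database, here is an added Python example that is not part of the original post. The real table's column names are not given in the post, so `url_chunk` and `violation_type` are assumed names, and the rows are constructed sample data standing in for the real database.

```python
import sqlite3
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample rows shaped like the url_blackhole table described in the
# post. Column names (url_chunk, violation_type) are assumptions, not the real schema.
SAMPLE_ROWS = [
    ("https://t.co/abc123", "CYBERSECURITY_PHISHING_FOA"),
    ("t.co/def456", "CYBERSECURITY_PHISHING_FOA"),          # stored without a scheme
    ("https://tinyurl.com/xyz", "CYBERSECURITY_PHISHING_FOA"),
    ("https://s.mkswft.com.storage.googleapis.com/x.html", "CYBERSECURITY_GREYWARE_OR_SPYWARE"),
    ("HTTP://IS.GD/short", "CYBERSECURITY_UNCATEGORIZED"),  # mixed-case host
    ("example.test/login", "PHISHING"),
]


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database with the assumed url_blackhole layout."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE url_blackhole (url_chunk TEXT, violation_type TEXT)")
    conn.executemany("INSERT INTO url_blackhole VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def domain_of(url_chunk: str) -> str:
    """Return the lower-cased host, tolerating chunks that lack a scheme."""
    chunk = url_chunk.strip()
    if "://" not in chunk:
        chunk = "//" + chunk  # makes urlsplit treat the leading token as the netloc
    return (urlsplit(chunk).hostname or "").lower()


def count_violation_types(conn: sqlite3.Connection) -> dict:
    """Entries per violation type, most common first."""
    rows = conn.execute(
        "SELECT violation_type, COUNT(*) FROM url_blackhole "
        "GROUP BY violation_type ORDER BY COUNT(*) DESC"
    )
    return dict(rows.fetchall())


def top_domains(conn: sqlite3.Connection, limit: int = 15) -> list:
    """(domain, count) pairs ranked by volume, like the table in the post."""
    hosts = Counter(domain_of(u) for (u,) in conn.execute("SELECT url_chunk FROM url_blackhole"))
    return hosts.most_common(limit)


if __name__ == "__main__":
    db = build_sample_db()  # swap in sqlite3.connect("<path to exported .sqlite>") for a real copy
    for vtype, n in count_violation_types(db).items():
        print(f"{vtype}: {n}")
    for host, n in top_domains(db):
        print(f"{host}: {n}")
```

Analyse an exported copy of the database rather than the live file on the device, and adjust the two assumed column names to whatever `.schema url_blackhole` reports.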
Most were URL redirectors, but for some reason s.mkswft.com.storage.googleapis.com stuck out to me.
Most of the links using that route were no longer working, but at least one was still active:
Trying to visit this link inside Instagram failed because the site’s security certificate was invalid. The webview browser and the external phone browser both threw certificate errors. I did the safe thing of bypassing those errors and landed at a fake virus page with a Google logo (hence the use of storage.googleapis.com).
Clicking repair then takes you to a live app in the Apple App Store.
The next step would be downloading that app and reverse engineering it on a completely wiped jailbroken device running on a guest Wi-Fi network. I’ll have to save that research for another day.