New Apple iOS release patches flaw that allowed browser hijacking
Apple Inc. has released a new update for iOS devices that patches a flaw in its Safari browser that allowed hackers to execute a “scareware” campaign designed to trick people into buying unnecessary antivirus software.
First discovered by mobile security firm Lookout Inc., the vulnerability allowed nefarious actors to abuse the pop-up dialogs in Safari in a way that locked users out of the browser. Once a user was blocked from web surfing, a message would appear demanding that the victim pay money in the form of an iTunes gift card to have control returned, complete with threatening messages.
Lookout told SiliconANGLE via email that the attack used the app sandbox of the Safari browser with no exploit code. The app sandbox is a standard feature on both iOS and macOS that enforces access controls intended to contain damage to the system and user data if an app becomes compromised.
In a separate blog post, the company noted that the scammers registered domains and launched the attack from the domains they owned, such as police-pay[.]com. The attackers apparently named it with the intent of scaring users looking at certain types of material on the Internet, such as pornography or illegal music downloads, into paying money.
Surprisingly, overcoming a hijacked browser is as simple as clearing the cache:
Lookout determined the best course of immediate action for the user who initially reported it was to clear the Safari cache to regain control of the browser. (Settings > Safari > Clear History and Website Data) Once a person erases all web history and data, effectively starting Safari as a fresh app, the ransom campaign is defeated.
The alternative is to update to iOS 10.3, which includes a patch that prevents these sorts of attacks from happening to begin with.