Is this a false positive?.. Google/gmail malware alert for iOS devices

[hockeyAAA]

Basically google emailed me saying my iPad has suspicious activity that could be malware, same warnings on other apple devices (include on a brand new iPhone) whenever I try to sign into my main google/gmail account.

 

Yesterday, I got an email for my gmail/google account saying "Suspicious activity in your account", "Someone might have accessed your Google Account using harmful malware on one of your devices. You’ve been signed out on that device for your protection." and it says the threat is coming from my iPad. So I change my password and it logs me out of my iPad. I believe if I had anything to do with causing this, it was because I was typing in a URL on the iPad a couple days ago where I made a typo and it opened up the Apple TV app, which I thought was odd but didn't think too much of it. (Could this be what caused it?)

Not sure if this is relevant but today, I was trying to setup my new iPhone with an iCloud backup and it was not going smoothing at all. Very slow and seemed stuck on downloading the apps. I tried to cancel the backup and any apps that were not yet downloaded I couldn't download manually as it only showed the rectangular 'stop' icon that was unclickable. I updated to the latest iOS and restarted my phone and that seemed to do the trick.

However, when trying to log into my google account on any of my Apple devices (old iphone, new iphone and iPad) I get the same message on each:

"You've been signed out or your protection" "We detected suspicious activity, which shows that there may be malware on this device..." And it says to scan device for malware with software of my choice.

And something perhaps noteworthy, this is only happening for my primary google/gmail account but not the random gmail accounts I use for junk. It lets me login into those on iOS without the warning.

So what should I do? I've been afraid to do anything important on any of those devices. Thanks for reading and helping.

 

[David H. Lipman]

A lot of scammers will use such language.  What will identify if this is real of a scam is the Full Headers of the email.  Please tread the following on how to extract the Raw Email Headers and Body.

Gmail: View Email Headers

Copy and Pastes the Raw Email Headers and Body in to Text file and attach the Text file in a ZIP Archive file (or RAR or 7zip) and we can examine the raw email and determine its validity.

Edited December 21, 2022 by David H. Lipman
Edited for content, clarity, spelling and/or grammar

[hockeyAAA]

Hello, thanks for responding. Sure I can do that, but I'm basically 100% sure it's a real message from Google because I get a message when I try to login to Google from my iOS devices independently, and also the Security tab on the Google Account page is showing 'suspicious app detected' (refers by name to my iPad), so it's all consistent. So is that process still necessary?

[David H. Lipman]

It won't hurt and and it will give you the impetus to to take affirmative action

 

[hockeyAAA]

Ok thanks. Sorry for the delay, here is the zip attached as you asked. Something else I just realized, if I use Private Browsing (safari) or Incognito (chrome) it doesn't give me the "You've been signed out for your protection" page after the Gmail submission page. And again, it's only happening for my primary email...  I'm not noticing any battery drain or slow down or any unusual apps activity, no new downloads, and my new phone is working normally. It seems the lag there was due to the iCloud backup setup.

 

What do you Is your sense so far that this is a false positive? What do you make of this notification occurring across iOS devices despite google only notifying via email the iPad as potentially containing malware and under the Security tab of the Google Account page? Why wouldn't my other Gmail accounts also be notified if they are also being used on the same iOS devices?

Also should I cross-post my original thread to other applicable subforums here?

emailheader.zip

[David H. Lipman]

The email looks to b e legitimate and can be related only to Google and not the device(s) accessing said account.

I suggest following the directions and changing the account password and make sure it is Strong Password.

 

Edited December 22, 2022 by David H. Lipman
Edited for content, clarity, spelling and/or grammar

[hockeyAAA]

I did change my password after I got that email notification. Are you referring to the directions from Google?

[David H. Lipman]

Yes.

[hockeyAAA]

Ok thanks. They say to scan for malware but my understanding is that this is not possible on iOS devices due to Apple's policies and setup? Also should I be concerned? False positive?

[David H. Lipman]

I don't know.  It depends on the information that lead them to issue said email.

That information is not in the email and may be something that google provides in some format subsequent to your login based upon the notification.  If Google does not provide supporting information then just take note and move on.

[hockeyAAA]

Ok, thanks for all your help

[David H. Lipman]

 

[treed]

Just to add to what David said, there really isn't any way to scan your iPad for malware, and it's quite unlikely for it to be infected with any malware unless one of the following is true:

1) You have jailbroken it

2) You may be a target of an oppressive nation-state, due to activist or journalist activities you've participated in, or due to being a member of a particular oppressed group. (For example, being one of the Uyghur people in China, or someone who investigates and reports on China's treatment of the Uyghurs.)

If neither of those is true, it's likely that this is an error on the part of Google. False positives with Apple devices are not uncommon for internet service providers or other large organizations trying to identify malicious behavior in network activity.