Fruit vs Zombies: Defeat Non-jailbroken iOS Malware
Claud Xiao, SHAKACON 2016
Who am I
• @claud_xiao
• 7 years in antivirus R&D
  • Windows, Android, OS X / macOS, iOS
• Security Researcher at Palo Alto Networks
  • WildFire team
  • Advanced malware research
  • http://researchcenter.paloaltonetworks.com/author/claud-xiao/
• Interests: hardware hacking, retro gaming, cat…
iOS Malware? Seriously?
• FakeTor
• AdThief (SpAd)
• Unflod (SSLCreds)
• Mekir
• Paclsym (Ftuscl)
• Xsser
• AppBuyer
• Juhe
• WireLurker
• CloudAtlas (XAgent)
• Youmi
• Masque
• PawnStorm
• Oneclickfraud
• AppsBg (LockSaveFree)
• KeyRaider
• XcodeGhost
• YiSpecter
• Muda
• TinyV
• AdSage (iBackDoor)
• InstaAgent
• ZergHelper
• WhatsappStealer
• AceDeceiver
• Instealy
• Vpon
Legend on the slide: red = non-jailbroken; italic = was in App Store. Trojan, Adware, Spyware, Exploit, Backdoor, Riskware, PUP are all included.
Timeline: 2014, 2015, 2016
We are talking about non-jailbroken iOS malware only today.
Lifetime of iOS Malware
Produce
  • Toolchain Attack
  • Risky SDKs
  • Repackaging
Distribute
  • Enterprise Dist.
  • Ad-hoc Dist.
  • App Store
  • USB Sideload
  • FairPlay MITM
  • MDM
Be Evil
  • Private APIs
  • Hot Patching
  • Hooking
  • Design Flaws
Profit
  • Advertisement
  • Accounts
  • App Promotion
  • User Privacy
To Avoid Confusion
• Risky vs Malicious
  • Many behaviors are not so significantly malicious, but they’re still risky.
  • We use the term “malware” today, but Riskware, PUP, etc. are included.
• In-the-Wild vs Proof-of-Concept
  • There has been some excellent research on PoC iOS malware since 2009.
  • We consider only ITW ones here.
• Interactive vs Automated
  • Most iOS malware requires user interaction (e.g., to be installed/executed).
  • Phishing and tricking the user were commonly used.
To Avoid Confusion
• Regional vs Worldwide
  • Many iOS malware families affect mainland China.
  • Some of them still spread around the world.
  • Some techniques were adopted by more malware families around the world.
• Design Flaw vs Coding Vulnerability
  • Tons of awesome vulnerabilities have been discovered. That’s a big topic.
  • Vulnerabilities may have been used by unknown advanced malware.
  • We only discuss “boring” design flaws today.
Massively Produce iOS Malware
• By Trojanizing the toolchain
• By poisoning 3rd party libraries
• By repackaging pirated apps/games
Trojanize a Compiler
• An old idea presented by Ken Thompson in 1983
• 2009: Induc infected the Delphi compiler
• 2010: Stuxnet attacked the PLC toolchain
• How easy is it to do this to Xcode in the 2010s?
Reviewing XcodeGhost
Trojanize Xcode
  • 7 versions
  • 6 months
  • 1 line changed
Distribute
  • Cloud storage
  • SEO / forums
  • P2P poisoning?
Infect Mac
  • CDN failure
  • Gatekeeper
Infect Apps
  • > 4,000 apps
  • Vulnerability!
Discover
  • Abnormal traffic
  • C2 server down
Trojanize a Compiler
• Motivation: why did developers use Xcode from unofficial sources?
• Mitigation: enable Gatekeeper, check integrity
• Further problems:
  • Local infection / compile-time infection
  • The toolchain doesn’t only include a compiler!
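Gatekeeper’s verdict on the installed Xcode bundle is the integrity check the mitigation bullet refers to. The following is an added example, not code from the talk: it runs `spctl --assess --verbose` on the bundle and interprets the result. The set of trusted `source=` values and the sample outputs are assumptions, not captured from a real machine.

```python
import re
import subprocess

# Assumption: the Gatekeeper "source=" values a genuine Xcode install is
# expected to report (Mac App Store download, or Apple's own signature).
TRUSTED_SOURCES = {"Mac App Store", "Apple System", "Apple"}

def assess_gatekeeper_output(output):
    """Interpret the text printed by `spctl --assess --verbose <path>`.

    Returns (ok, source). ok is True only if the bundle was accepted AND
    attributed to a trusted source; a rejected bundle, or one accepted under
    a Developer ID or an unknown source, is treated as a failed check.
    """
    accepted = re.search(r":\s*accepted\s*$", output, re.MULTILINE) is not None
    match = re.search(r"^source=(.+?)\s*$", output, re.MULTILINE)
    source = match.group(1) if match else None
    return (accepted and source in TRUSTED_SOURCES), source

def check_xcode(path="/Applications/Xcode.app"):
    """Run Gatekeeper's assessment on the installed Xcode bundle.

    spctl may print its verdict on stderr rather than stdout, so both
    streams are merged before interpretation.
    """
    proc = subprocess.run(["spctl", "--assess", "--verbose", path],
                          stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
                          text=True, check=False)
    return assess_gatekeeper_output(proc.stdout)

# Constructed sample outputs (not captured from a real machine) showing the
# three verdicts the checker distinguishes.
SAMPLE_OK = "/Applications/Xcode.app: accepted\nsource=Mac App Store\n"
SAMPLE_REJECTED = "/Applications/Xcode.app: rejected\nsource=no usable signature\n"
SAMPLE_DEV_ID = "/Applications/Xcode.app: accepted\nsource=Developer ID\n"

if __name__ == "__main__":
    ok, source = check_xcode()
    print("Xcode integrity:", "OK" if ok else "CHECK FAILED", "(source: %s)" % source)
```

A Developer ID verdict is deliberately not accepted: a trojanized Xcode can carry a valid third-party signature and still pass Gatekeeper, so the source has to be Apple or the Mac App Store.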
Risky 3rd Party Code
• SDKs/libraries are not always transparent to developers
| SDK | Time | Behaviors | Techniques | Affected apps |
|---|---|---|---|---|
| Juhe | Oct 2014 | Collecting contacts information, IMEI, model, locations, etc. | None | >= 2 |
| Youmi | Oct 2015 | Collecting app list, serial number, Apple ID email | Private APIs + encryption | > 1,000 |
| AdSage | Nov 2015 | Remote control, multiple sensitive functionalities | Private APIs + JavaScript | > 2,800 |
| Vpon | June 2016 | Upload audio, video, screenshot, location, internal files, contacts, etc.; open URL | JavaScript | >= 49 |
Risky 3rd Party Code
• Kai Chen et al. Following Devil’s Footprints: Cross-Platform Analysis of Potentially Harmful Libraries on Android and iOS. Oakland’16
Risky 3rd Party Code
• Why do those SDKs have sensitive/risky code?
• The sandbox isn’t fine-grained enough to separate app code from 3rd party code
  • Read/write the app’s data
  • Manipulate the app’s code
• Resolve the issue?
  • Only use well-known, trustworthy SDKs/libraries
  • Review source code and binary code
Repackage Pirated Apps
• Most Android malware samples were produced by repackaging.
• Repackage an iOS app for non-jailbroken devices:
  • For fun: https://github.com/KJCracks/yololib
Decrypt app
  • dumpdecrypted
  • clutch
Add dylib
  • init
  • do evil!
Patch Mach-O
  • LC_LOAD_DYLIB
  • fix header
Resign app
  • cert
  • codesign
Redistribute
  • enterprise dist
  • USB sideload
Repackage Pirated Apps
• Example: TinyV.b, aka ImgNaix
• Why do people install pirated apps/games?
  • “free” apps/games
  • “free” in-app-purchase items
  • game cheating
  • ad-free
  • “awesome” additional functionality
Distribute Malware to Devices
• Enterprise Distribution
• Ad-hoc Distribution
• App Store
• USB Sideload
• MDM
Enterprise / Ad-hoc Distribution
• Deploy internal apps within an organization
• To obtain an enterprise certificate:
  • DUNS number + documents + $299
  • ~1.5 bitcoins on the “market”
  • Signing-as-a-Service
• Was also widely used by pirated app markets
Enterprise / Ad-hoc Distribution
• WireLurker, YiSpecter, HackingTeam, Oneclickfraud, Tracer
• itms-services:// scheme
  • Ad networks
  • Dedicated websites
  • Compromised websites
  • Traffic hijacking
  • HTML files shared on SNS
  • Embedded in apps
  • openURL
• YiSpecter was spread by traffic hijacking
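Every one of the delivery channels listed above ends in the same artifact: an itms-services:// link whose manifest plist tells the device which IPA to install. As an added example that is not from the talk, the Python below resolves such a link, parses the manifest and flags IPAs served over plain HTTP, from a host that is not allow-listed, or from a host other than the one serving the manifest. The allow-list, the link and the manifest are constructed, not real indicators.

```python
import plistlib
from urllib.parse import parse_qs, urlsplit

# Assumption: hosts allowed to serve in-house (enterprise-signed) apps to this
# organisation's devices. Any other IPA source deserves a closer look.
ALLOWED_HOSTS = {"mdm.corp.example"}

def manifest_url_from_link(link):
    """Return the manifest URL carried by an itms-services:// link, or None.

    The scheme has no host part; everything lives in the query string:
    itms-services://?action=download-manifest&url=https://.../manifest.plist
    """
    parts = urlsplit(link)
    if parts.scheme != "itms-services":
        return None
    query = parse_qs(parts.query)
    if query.get("action") != ["download-manifest"]:
        return None
    urls = query.get("url")
    return urls[0] if urls else None

def assess_manifest(manifest_bytes, manifest_host):
    """Triage an enterprise-distribution manifest plist.

    Returns (bundle_id, finding) tuples. The manifest tells the device which
    IPA to install, so the IPA's host is what gets compared against the
    allow-list, not only the page that carried the link.
    """
    findings = []
    for item in plistlib.loads(manifest_bytes).get("items", []):
        bundle_id = item.get("metadata", {}).get("bundle-identifier", "<unknown>")
        for asset in item.get("assets", []):
            if asset.get("kind") != "software-package":
                continue
            ipa = urlsplit(asset.get("url", ""))
            if ipa.scheme != "https":
                findings.append((bundle_id, "IPA not served over HTTPS"))
            if ipa.hostname not in ALLOWED_HOSTS:
                findings.append((bundle_id, "IPA host not allow-listed: %s" % ipa.hostname))
            if ipa.hostname != manifest_host:
                findings.append((bundle_id, "IPA host differs from manifest host"))
    return findings

def triage_link(link, manifest_bytes):
    """Resolve the link, then assess the manifest it points to."""
    manifest_url = manifest_url_from_link(link)
    if manifest_url is None:
        return None, []
    host = urlsplit(manifest_url).hostname
    return host, assess_manifest(manifest_bytes, host)

# Constructed sample (invented hosts, not real indicators): the link an ad
# network or hijacked page would serve, and the manifest it resolves to.
SAMPLE_LINK = ("itms-services://?action=download-manifest"
               "&url=https%3A%2F%2Fapps.example-cdn.test%2Fm.plist")
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>items</key><array><dict>
<key>assets</key><array><dict><key>kind</key><string>software-package</string>
<key>url</key><string>http://dl.example-cdn.test/helper.ipa</string></dict></array>
<key>metadata</key><dict><key>bundle-identifier</key><string>com.example.helper</string>
<key>kind</key><string>software</string><key>title</key><string>Free Helper</string></dict>
</dict></array></dict></plist>"""
```

Feeding `triage_link` with links pulled from proxy logs gives a first pass over which enterprise-signed apps users were offered; the manifest fetch itself is left to the caller so the check stays offline.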
Enterprise / Ad-hoc Distribution
• Personal development certificate
  • $99 -> $0
  • < 100 devices
• ZergHelper
  • Applies for a personal cert from Apple in the background
Enterprise / Ad-hoc Distribution
• Problem Mitigations
  • Manual confirmation via a prompted dialog (< iOS 9) or the Settings menu (>= iOS 9.0)
• Revoke abused enterprise certificates
  • 3 to 7 days OCSP cache
  • Not immediately effective on all affected devices
  • Low cost to get another one
• Delete developer ID
• Reduce personal certificate validity period
App Store: how to bypass vetting
• The only document about the vetting: https://developer.apple.com/app-store/review/guidelines/
• Static? Dynamic? Manual? Automated?
App Store: how to bypass vetting
• Option 1. “Jekyll”
• A novel idea: exploit a “backdoor” in your own app via ROP
• “High-tech” for some attackers
• Tielei Wang et al. Jekyll on iOS: When Benign Apps Become Evil. USENIX Security 2013.
App Store: how to bypass vetting
• Option 2. Code Obfuscation
• Deal with static analysis during vetting (if there is any)
  • reflection
  • encrypting sensitive strings
• Deal with experts’ manual review (if there is any; I doubt so)
  • Obfuscator-LLVM
  • Identifier mangling (e.g., ios-class-guard)
• Packers (e.g., Safengine, strong.protect)
App Store: how to bypass vetting
• Option 3. Target specific data
• E.g., steal SNS accounts
  • InstaAgent, Instealy, …
  • WhatsappStealer
• E.g., FakeTor
Images from: http://www.macrumors.com/2015/11/10/malicious-instaagent-instagram-app/
App Store: how to bypass vetting
• Option 4. Environment checking
• Think of Apple’s manual review as a sandbox such as Google’s “Bouncer”.
• Trigger behaviors by:
  • Geolocation
  • IP address
  • Device language
  • Date
  • …
App Store: how to bypass vetting
• Option 5. Just do it!
• Example: ZergHelper
  • Many sensitive APIs/strings existed in its code in plaintext!
App Store: how to bypass vetting
• Problem Mitigation
  • Remove the app from the App Store
• Not actually removing, just hiding
  • Existing users could still install it / update it
  • Can’t prevent FairPlay MITM
• Lack of remote killing
• Stricter code review?
USB Sideload
• “Matcan” attack
  • Install app via USB cable
  • Run the app in the background
• ITW case: WireLurker, AceDeceiver
• “BackStab” attack
• Mitigation
FairPlay MITM
• The FairPlay DRM protocol (diagram)
  • Participants: App Store, user PC with iTunes, iOS device
  • Purchase app (between App Store and PC); install app (between PC and iOS device)
  • (1) afsync.rq & afsync.rq.sig
  • (2) afsync.rs & afsync.rs.sig
FairPlay MITM
• Design Flaws
  • For each Apple ID, there is only a restriction on how many (5) PCs/Macs can be authorized; there is no restriction on how many iPhones can be used.
  • DRM protection is only tied to the app itself; it is unrelated to the Apple ID, PC, Mac or iDevice.
  • Security relies on 1) computer authorization; 2) the physical connection between computer and iDevice.
• MITM Attack (diagram)
  • Participants: App Store, attacker, victim PC with 3rd party client, iOS device
  • Purchase app (attacker, from the App Store); transfer auth (attacker to victim PC); install app (victim PC to iOS device)
FairPlay MITM: AceDeceiver Case
Participants (diagram): App Store, Win client, C2 server, victim PC, iOS devices, attacker
1. submit app
2. download app & auth
3. embed app
4. deploy auth
5. install client
6. fetch auth
7. FairPlay MITM
8. upload password
FairPlay MITM
• How to mitigate it?
  • Removing from the App Store won’t resolve the problem
  • Fix the design flaws in iTunes? Consider backward compatibility…
Abuse MDM
• Much more powerful than enterprise distribution
  • Remotely installing apps/profiles
• Some may be vulnerable.
• Some have been abused.
  • E.g., ZergHelper
Do something evil!
• Private APIs
• Hot Patching
• Runtime Hooking
• Design Flaws
Abusing Private APIs
• Undocumented but exposed APIs
Abusing Private APIs
• Capabilities (some are unavailable in recent iOS versions)
  • Install or uninstall apps
  • Get list of installed apps, running apps, frontmost app
  • Launch an installed app
  • Send/receive SMS
  • Make phone call, monitor incoming phone call
  • Get device ID, Apple ID, ad ID
  • Take photo
  • ……
Abusing Private APIs
• Mitigations
  • Re-design sensitive resources’ handling mechanisms
  • Remove unnecessary APIs
  • Require entitlements to access sensitive APIs
Hot patching
• Code downloading/loading/updating is disallowed by Apple.
• Bypassed by scripts (JavaScript, Lua, etc.) + method swizzling
  • Like ROP, scripts act as data to drive code execution
• Hot patching frameworks: JSPatch, waxPatch
• Could be abused to implement:
  • remote control
  • hiding sensitive code
  • two-stage attacks: loader + payloads
Runtime Manipulations
• Based on repackaging
  • Won’t affect the original app’s execution
• Cycript, CaptainHook, etc. Or customized hooking code.
• Manipulate apps’ code, access their data
• All-in-one for fun: https://github.com/Urinx/iOSAppHook
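The repackaging chain on the earlier slide (decrypt, add dylib, patch Mach-O with LC_LOAD_DYLIB, resign) and the hook-based manipulation described here leave the same footprint: an extra dylib load command pointing into the app bundle. As an added example that is not from the talk, this Python parser walks a thin Mach-O’s load commands and reports any linked dylib that is neither an OS library nor one of the frameworks the developer actually bundled; the sample binary, the hook.dylib name and the bundled-framework list are constructed.

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xfeedface, 0xfeedfacf
LC_SEGMENT_64 = 0x19
LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB = 0x0c, 0x80000018, 0x8000001f
DYLIB_CMDS = {LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB}
# Libraries under these prefixes belong to iOS itself; anything else is
# shipped inside the .app bundle and must match what the developer built.
SYSTEM_PREFIXES = ("/usr/lib/", "/System/Library/")

def linked_dylibs(data):
    """Walk the load commands of a thin, little-endian Mach-O and return the
    install names of every dylib dyld will map when the app launches."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC_64:
        offset = 32                      # sizeof(mach_header_64)
    elif magic == MH_MAGIC:
        offset = 28                      # sizeof(mach_header)
    else:
        raise ValueError("not a thin little-endian Mach-O")
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    end = min(offset + sizeofcmds, len(data))
    names = []
    for _ in range(ncmds):
        if offset + 8 > end:
            raise ValueError("truncated load commands")
        cmd, cmdsize = struct.unpack_from("<II", data, offset)
        # A zero or undersized cmdsize in a crafted file would loop forever.
        if cmdsize < 8 or offset + cmdsize > end:
            raise ValueError("malformed load command size")
        if cmd in DYLIB_CMDS:
            name_off, = struct.unpack_from("<I", data, offset + 8)
            if not 24 <= name_off < cmdsize:
                raise ValueError("dylib name offset outside its command")
            raw = data[offset + name_off:offset + cmdsize]
            names.append(raw.split(b"\0", 1)[0].decode("utf-8", "replace"))
        offset += cmdsize
    return names

def unexpected_dylibs(names, expected_bundled=()):
    """Load commands that point outside the OS and were not part of the
    developer's own build: the footprint an injected dylib leaves behind."""
    return [n for n in names
            if not n.startswith(SYSTEM_PREFIXES) and n not in expected_bundled]

# --- constructed sample binary (not a real app) -------------------------------
def _dylib_cmd(cmd, name):
    body = name.encode() + b"\0"
    body += b"\0" * (-len(body) % 8)     # load commands are 8-byte aligned
    # cmd, cmdsize, name offset, timestamp, current_version, compat_version
    return struct.pack("<6I", cmd, 24 + len(body), 24, 2, 0x10000, 0x10000) + body

def build_sample():
    cmds = struct.pack("<II", LC_SEGMENT_64, 72) + b"\0" * 64   # empty segment
    cmds += _dylib_cmd(LC_LOAD_DYLIB, "/usr/lib/libSystem.B.dylib")
    cmds += _dylib_cmd(LC_LOAD_DYLIB, "@rpath/Analytics.framework/Analytics")
    cmds += _dylib_cmd(LC_LOAD_DYLIB, "@executable_path/hook.dylib")  # injected
    # magic, cputype arm64, cpusubtype, MH_EXECUTE, ncmds, sizeofcmds, flags, reserved
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000c, 0, 2, 4, len(cmds), 0, 0)
    return header + cmds
```

Real iOS executables are often fat (magic 0xcafebabe), so extract the arm64 slice first; the load commands sit outside the FairPlay-encrypted region, so the check also works on binaries pulled from a device without decrypting them.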
More Runtime Manipulation
• Case: Tracer (aka Killmob)
  • Commercial spyware for jailbroken devices since July 2013
  • Repackaged into Facebook, Skype, WhatsApp, Telegram, WeChat, etc. in Mar 2015 to affect non-jailbroken devices
• Exploits the Masque vulnerability (1-day)
  • Runtime-hooks the chat app’s APIs to steal chat history
Design Flaws
• Collisions of things that are supposed to be unique:
  • “Masque” vulnerabilities: bundle ID of apps, plugins, extensions, itms-services
  • URL hijacking: URL scheme
• IPC
  • URL scheme hijacking
  • Cross-app resource access attack
• Luyi Xing et al. Unauthorized Cross-App Resource Access on MAC OS X and iOS
Make Profit
• Advertisement
• Account/Credentials
• App Promotion
• Privacy Data
Review the Approaches
Produce
  • Toolchain Attack
  • Risky SDKs
  • Repackaging
Distribute
  • Enterprise Dist.
  • Ad-hoc Dist.
  • App Store
  • USB Sideload
  • FairPlay MITM
  • MDM
Be Evil
  • Private APIs
  • Hot Patching
  • Hooking
  • Design Flaws
Profit
  • Advertisement
  • Accounts
  • App Promotion
  • User Privacy
Take Away I
• Malware (especially on iOS) does NOT necessarily have to be:
  • dedicated
  • small in size
  • malicious functionality only
  • transparent to victims
  • non-interactive with victims
  • spread automatically
  • developed by individuals
  • designed to attack everyone
  • …
Take Away II
• Practical & low tech methods to produce, distribute, attack and profit
• Some techniques have been mitigated; some haven’t yet, or even won’t be.
• Discover more malware by studying motivations, ecosystems and implementations
Security Suggestions
• Avoid installing apps from any third party or signed by untrusted certificates.
• Keep the iOS system up to date.
• Protect PC and Mac computers with proper security products.
• Protect the network you’re using with proper security products.
• For developers:
  • Protect your build server/PC
  • Check toolchain integrity
  • Use well-known, trustworthy 3rd party SDKs. Download them from official websites.
  • Audit both the source code AND the binary code of your products.
Mahalo! Thank you!
• Special thanks to:
  • Ming Zheng (@SparkZheng)
  • CDSQ (@wecdsq)
  • Zhaofeng Chen
  • Ryan Olson (@ireo), Zhi Xu, Richard Wartell, and all team members of WildFire, IPS, GSRT, Unit 42 at Palo Alto Networks