
Malware wellbeing on iOS devices

Dmitry Evdokimov
R&D head
Digital Security

© 2002—2016, Digital Security

#whoami

• Information security researcher at Digital Security
• Column editor at Xaker magazine
• One of the organizers of DEFCON Russia and ZeroNights
• Main field of interest is finding vulnerabilities in binary applications with no source code
• Analysis of iOS, Android and Windows Phone mobile applications
• Speaker at conferences in Poland, France, Spain, Germany, Arab Emirates, Mexico

Agenda

• iOS Security
• Malware for iOS devices
  – With Jailbreak
  – Without Jailbreak
• Approaches/techniques used by malware
• Summary

iOS Security

• Application check by Apple
• Code signature
  – X.509v3 certificate + identity confirmation
  – W^X
• Sandbox (Seatbelt)
  – /var/mobile/Applications/<app-GUID>/
  – /var/mobile/Containers/Bundle/Application/
• No access to other processes
• No direct access to hardware
• Impossible to generate code dynamically
• Privilege segregation
  – Applications run with mobile privileges + Entitlements

Software/malware distribution for iOS

• AppStore
  – Signed by distribution certificate
  – Passes App Review
• TestFlight (AppStore)
  – Signed by distribution certificate
  – With beta entitlement it's available for 1000 users
  – Passes Beta App Review
• Personal certificate
  – Can be installed only on one device; no distribution allowed without being checked by Apple
• Ad Hoc distribution
  – Signed by developer certificate
  – Not more than 100 devices that were specified beforehand – need to know the UUID
  – No code checks on behalf of Apple
• In-House distribution
  – Signed by enterprise certificate
  – No code checks on behalf of Apple

Code must be signed!

Jailbreak

Jailbreak is the process of removing limitations implemented by Apple on its devices by means of exploits.
  – Tethered
  – Untethered

Consequences:
  – Possibility to access the file system
  – Sandbox restrictions bypassed
  – Unsigned apps can run

JB: PwnageTool, redsn0w, purplera1n, Spirit, JailbreakMe, Absinthe, evasi0n, Pangu, TaiG

People: iPhone Dev Team, Chronic Dev Team, George Hotz, comex, pod2g, evad3rs + saurik, Pangu team

With jailbreak

• iKee and Duh (November 2009) – infecting via the default OpenSSH password
• AdThief/Spad (March & August 2014) – stealing payments for advertisement
• Unflod (April 2014) – stealing Apple ID and password
• AppBuyer (September 2014) – stealing Apple ID and password to buy applications
• Xsser mRAT (December 2014) – receiving and executing commands from C2, collecting data
• KeyRaider (August 2015) – stealing Apple ID and password
• XAgent (February 2015) – hidden work in the background, collecting data

Got onto devices from third-party sources (Cydia etc.) or by social engineering.

Built on Cydia Substrate.

Remote Jailbreak

• Price on the black market > 1.000.000 euro
• Comex already did something like this – the JailbreakMe website
  – It was enough to visit the website

Pegasus Spyware

• Commercial development
  – NSO Group
• 3 vulnerabilities (Trident) – iOS 7 artefacts (2013)
  – Patched in iOS 9.3.5
• Targeted attack – ~ 25.000$
• Extensive functionality
  – Data gathering
  – Interception of calls and messages
  – Real-time espionage

Device attack vectors without JB

• «Malware gift»
• Via infected PC
• A couple of seconds in somebody else's hands
• «One's own Pinocchio»
• Hacked developer
• Insider
• Via application vulnerability
• Via iOS vulnerability

Malware capabilities in sandbox

• Using private API
  – Installing and deleting applications and more
• Malicious access to contacts, calendars, etc.
• Malicious access to geolocation
• Critical/confidential data leakage
• Social engineering execution – phishing
• Corruption of other applications
• Loading code not checked by Apple
• Jailbreak execution
• …

Without jailbreak

• From AppStore
  – ZergHelper
• Using enterprise certificate – WireLurker, Oneclickfraud, YiSpecter, TracerPlus, TinyV
• "Hacked" developer – XcodeGhost (infected Xcode 7)
• Exploiting a vulnerability in Apple technology – AceDeceiver
• And many others: Tories, LBTM, iSAM, FinaAndCall, InstaStock, CarrierIQ, Jekyll, FakeTor, …

WireLurker

• Attacks Mac OS and iOS systems
• Infects iOS devices from an infected PC via USB
• Uses repackaging of installed applications
• First malware that used an enterprise certificate

ZergHelper

• Application "开心日常英语 (Happy Daily English)" – learning the English language
  – In fact it's a shop of pirated applications =)
• Distribution via AppStore + App Review bypass
• Utilizes enterprise and personal certificates to sign and install other applications
• Dynamic code updating – wax framework – writing Lua for iOS

AceDeceiver

• App Review bypass
  – As in the case of ZergHelper, depending on geolocation
• Installs applications without informing the user
  – Doesn't use an enterprise certificate
  – Can be installed via infected PC
  – Exploits an Apple DRM vulnerability
• "FairPlay Man-In-The-Middle (MITM)" technique
• Known since 2013
• The technique is still working

Additional opportunities / Private API

• Using private API
  – Additional functional possibilities
• Communication with surrounding services (for example, via mach ports)
• Enlarging the attack surface to execute a device jailbreak
• Important!: Code signature -> Apple certificate -> entitlements are encoded in the certificate -> can work with private API within those entitlements
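The chain on this slide (certificate -> provisioning profile -> entitlements) is what a reviewer inspects when following the later recommendation to control device profiles. The script below is an added example, not code from the slides or from Digital Security. It pulls the XML plist out of an embedded.mobileprovision, classifies the profile as App Store, ad hoc, development or enterprise from the ProvisionsAllDevices, ProvisionedDevices and get-task-allow keys (a common heuristic), lists any entitlement under Apple's com.apple.private. prefix, and flags expiry. It finds the plist by its XML markers and does not verify the CMS signature Apple puts on the profile; the sample profile bytes, the team id TEAMID0000 and the bundle id com.example.app are constructed placeholders.

```python
"""Triage an iOS provisioning profile (embedded.mobileprovision).

Added example, not from the slides. The profile is a CMS (PKCS#7) signed
blob wrapping an XML plist. The plist is located by its XML markers, which
is enough for triage but does NOT verify Apple's signature on the profile.
"""
import plistlib
from datetime import datetime, timezone
from typing import Optional

PLIST_START = b"<?xml"
PLIST_END = b"</plist>"
PRIVATE_PREFIX = "com.apple.private."   # Apple's private entitlement namespace


def extract_plist(blob: bytes) -> dict:
    """Return the plist dict embedded in the CMS blob."""
    start = blob.find(PLIST_START)
    end = blob.find(PLIST_END, start) if start >= 0 else -1
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(PLIST_END)])


def classify_profile(profile: dict) -> str:
    """Map profile keys to the distribution paths from the distribution slide."""
    entitlements = profile.get("Entitlements", {})
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"     # In-House: any device, no Apple review
    if entitlements.get("get-task-allow"):
        return "development"    # debuggable build, personal certificate
    if profile.get("ProvisionedDevices"):
        return "adhoc"          # fixed device list, no Apple review
    return "appstore"           # distribution certificate, App Review path


def profile_report(blob: bytes, now: Optional[datetime] = None) -> dict:
    """Summarise what a reviewer wants to know about one profile."""
    p = extract_plist(blob)
    ent = p.get("Entitlements", {})
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    exp = p.get("ExpirationDate")   # plistlib yields a naive UTC datetime
    return {
        "name": p.get("Name"),
        "kind": classify_profile(p),
        "team": (p.get("TeamIdentifier") or [None])[0],
        "app_id": ent.get("application-identifier"),
        "devices": len(p.get("ProvisionedDevices") or []),
        "expired": exp is not None and exp < now,
        "private_entitlements": sorted(k for k in ent if k.startswith(PRIVATE_PREFIX)),
    }


def build_sample(kind: str = "appstore", expired: bool = False,
                 extra_entitlements: Optional[dict] = None) -> bytes:
    """Constructed sample: fake CMS wrapper around a minimal profile plist.
    TEAMID0000 and com.example.app are placeholders, not real identifiers."""
    ent = {"application-identifier": "TEAMID0000.com.example.app",
           "get-task-allow": kind == "development"}
    ent.update(extra_entitlements or {})
    plist = {
        "Name": f"sample-{kind}",
        "TeamIdentifier": ["TEAMID0000"],
        "ExpirationDate": datetime(2015, 1, 1) if expired else datetime(2099, 1, 1),
        "Entitlements": ent,
    }
    if kind == "enterprise":
        plist["ProvisionsAllDevices"] = True
    if kind == "adhoc":
        plist["ProvisionedDevices"] = ["00000000-0000000000000001",
                                       "00000000-0000000000000002"]
    # Real files carry DER-encoded CMS around the plist; opaque bytes stand in for it.
    return b"\x30\x82\x10\x00 fake CMS header " + plistlib.dumps(plist) + b" fake signature "


if __name__ == "__main__":
    for kind in ("appstore", "adhoc", "development", "enterprise"):
        print(profile_report(build_sample(kind)))
```

On a real device or a pulled .ipa, feed the bytes of `embedded.mobileprovision` to `profile_report`; an enterprise profile or any com.apple.private. entitlement on a consumer app is what deserves a closer look, and an expired profile on an installed app means it was side-loaded before the profile lapsed.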

Repacking application -> malware

1. Downloading a legitimate application
2. Unpacking the application
3. Adding a malicious dylib
4. Re-signing the application with a legitimate certificate
5. Installing on a victim

• All of this is already automated in the su-a-cyder tool – based on Theos-Jailed and fastlane

"Masque" vulnerability

• Allowed replacing installed applications with ones signed by an enterprise certificate while updating a device, to access the application's contents
  – Collision of the application's bundle ID
  – Fixed by Apple – doesn't work in iOS versions > 8.3
• SandJacking – "Masque" reincarnation
  – Application replacement happens in a backup and is applied while restoring it to a device
  – The vulnerability is currently still not fixed by Apple

Application downgrading attack

• Apple keeps all application versions
• Download and install an outdated application version from the AppStore
  – Including versions with critical data leakage
  – Including versions that have no obfuscation
  – Including vulnerable versions
  – …
• The attacker uses this weakness for personal gain

All your traffic belongs to us

• Malicious VPN
  – Legitimately intercepting all network traffic
• AdThief idea + VPN functionality = $$$
• "What's New in Network Extension and VPN", WWDC15

Dynamically loaded/updated code

• Just need a bridge from a scripting language to Objective-C
• JSPatch – JavaScript interface for Objective-C
  – There are multiple others …
• Hard to identify/block unwanted functionality that isn't in the shipped code ;)

1. Include: #import "JPEngine.h"
2. Initialize: [JPEngine startEngine]
3. Execute JS: [JPEngine evaluateScript:script]
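Both the repacking slide (step 3, an added dylib) and this slide (a script engine such as JSPatch or wax linked into the app) leave a trace that a reviewer can read without running the app: a dylib load command in the main Mach-O binary. The script below is an added example, not code from the slides or from Digital Security. Using only the struct module it walks the load commands of thin (32/64-bit, little-endian) and fat Mach-O files and reports dylib references that either match script-engine name fragments or are non-system dylibs missing from the app's expected framework list. The sample binaries, the VendorSDK framework name and the injected.dylib name are constructed; a script engine linked statically leaves no load command, so a string scan of the binary is the complementary check.

```python
"""List and triage dylib load commands in an iOS app's Mach-O binary.

Added example, not from the slides. Reads thin (little-endian 32/64-bit)
and fat Mach-O files; the sample images at the bottom are built in memory.
"""
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
FAT_MAGIC = 0xCAFEBABE                      # fat headers are big-endian
LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB = 0x0C, 0x80000018
LC_REEXPORT_DYLIB, LC_LOAD_UPWARD_DYLIB = 0x8000001F, 0x80000023
DYLIB_CMDS = {LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB, LC_LOAD_UPWARD_DYLIB}
CPU_TYPE_ARM, CPU_TYPE_ARM64, MH_EXECUTE = 0x0C, 0x0100000C, 2

SYSTEM_PREFIXES = ("/System/Library/", "/usr/lib/")
# Heuristic name fragments for the script engines named on the slides (JSPatch, wax/Lua).
SCRIPT_ENGINE_MARKERS = ("jspatch", "jpengine", "wax", "lua")


def _cstring(buf: bytes, off: int) -> str:
    end = buf.find(b"\0", off)
    return buf[off:end if end >= 0 else len(buf)].decode("utf-8", "replace")


def slices(blob: bytes):
    """Yield each thin image: the fat arch table gives (offset, size) per slice."""
    if struct.unpack_from(">I", blob, 0)[0] == FAT_MAGIC:
        for i in range(struct.unpack_from(">I", blob, 4)[0]):
            _, _, offset, size, _ = struct.unpack_from(">IIIII", blob, 8 + 20 * i)
            yield blob[offset:offset + size]
    else:
        yield blob


def load_dylibs(image: bytes) -> list:
    """Dylib install names referenced by one thin image's load commands."""
    magic = struct.unpack_from("<I", image, 0)[0]
    if magic == MH_MAGIC_64:
        off = 32                            # mach_header_64 size
    elif magic == MH_MAGIC:
        off = 28                            # mach_header size
    else:
        raise ValueError("not a little-endian thin Mach-O image")
    ncmds = struct.unpack_from("<I", image, 16)[0]
    names = []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", image, off)
        if cmd in DYLIB_CMDS:
            name_off = struct.unpack_from("<I", image, off + 8)[0]   # relative to the command
            names.append(_cstring(image[off:off + cmdsize], name_off))
        off += cmdsize
    return names


def triage(blob: bytes, expected: frozenset = frozenset()) -> list:
    """Flag script-engine dylibs, then non-system dylibs absent from the expected list."""
    findings = []
    for image in slices(blob):
        for name in load_dylibs(image):
            if any(m in name.lower() for m in SCRIPT_ENGINE_MARKERS):
                findings.append((name, "script-engine"))
            elif not name.startswith(SYSTEM_PREFIXES) and name not in expected:
                findings.append((name, "unexpected"))
    return findings


def build_macho(dylibs, bits: int = 64) -> bytes:
    """Constructed thin image: header plus one LC_LOAD_DYLIB per name, no segments."""
    cmds = b""
    for name in dylibs:
        raw = name.encode() + b"\0"
        pad = (-(24 + len(raw))) % 8        # dylib_command is 24 bytes, then the padded name
        cmds += struct.pack("<IIIIII", LC_LOAD_DYLIB, 24 + len(raw) + pad,
                            24, 2, 0x10000, 0x10000) + raw + b"\0" * pad
    magic, cpu = (MH_MAGIC_64, CPU_TYPE_ARM64) if bits == 64 else (MH_MAGIC, CPU_TYPE_ARM)
    header = struct.pack("<IIIIIII", magic, cpu, 0, MH_EXECUTE, len(dylibs), len(cmds), 0)
    return header + (struct.pack("<I", 0) if bits == 64 else b"") + cmds


def build_fat(images) -> bytes:
    """Constructed fat container around thin images."""
    table_end, archs, body = 8 + 20 * len(images), b"", b""
    for image in images:
        cpu = struct.unpack_from("<I", image, 4)[0]
        archs += struct.pack(">IIIII", cpu, 0, table_end + len(body), len(image), 0)
        body += image
    return struct.pack(">II", FAT_MAGIC, len(images)) + archs + body


LEGIT_DYLIBS = ["/usr/lib/libSystem.B.dylib",
                "/System/Library/Frameworks/UIKit.framework/UIKit",
                "@rpath/VendorSDK.framework/VendorSDK"]            # constructed vendor framework
INJECTED_DYLIBS = LEGIT_DYLIBS + ["@executable_path/Frameworks/JSPatch.framework/JSPatch",
                                  "@executable_path/injected.dylib"]   # constructed repack result

if __name__ == "__main__":
    app = build_fat([build_macho(INJECTED_DYLIBS, 32), build_macho(INJECTED_DYLIBS, 64)])
    for name, reason in triage(app, frozenset(LEGIT_DYLIBS)):
        print(f"{reason:13} {name}")
```

For a real app, read the main executable from the unpacked .ipa and pass the list of frameworks the vendor is known to ship as `expected`; anything left in the "unexpected" bucket is either an undocumented third-party dependency or the dylib that a repacking step inserted.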

Useful links

• "iOS Malware", Claud Xiao
• "Червивые яблочки [БЕЗ JailBreak]" (Wormy Apples [WITHOUT Jailbreak]), Dmitry Evdokimov
• "Who's Breaking into Your Garden", Claud Xiao
• "SU-A-CYDER: HOMEBREWING MALWARE FOR IOS LIKE A B0$$!", Chilik Tamir
• "SandJacking: Profiting from iOS Malware", Chilik Tamir
• "Fruit vs Zombies: Defeat Non-jailbroken iOS Malware", Claud Xiao

Recommendations

• Do not install applications from third-party sources
• Do not connect devices to untrusted systems
• Update operating systems
• Control device profiles (Settings -> General -> Profiles)
• Keep your certificates somewhere safe (for developers)
• Keep track of the code that's written for in-house distribution (for customers)

Summary

• There are many scenarios for infecting devices
• Apple's App Review process can be bypassed
• No jailbreak and a fresh OS don't guarantee device safety
• The fact that code is signed doesn't mean that new, suspicious code will not appear at some point
• Malicious code strives to look like legitimate code
• The number of iOS malicious code variants will keep on growing

[email protected] @evdokimovds

Digital Security in Moscow: (495) 223-07-86
Digital Security in Saint-Petersburg: (812) 703-15-47

Thanks! Any questions?