Malware wellbeing on iOS devices
Dmitry Evdokimov, R&D head, Digital Security
Malware wellbeing on iOS devices
© 2002—2016, Digital Security
#whoami
• Information security researcher at Digital Security
• Column editor at Xaker magazine
• One of the organizers of DEFCON Russia and ZeroNights
• Main field of interest: finding vulnerabilities in binary applications with no source code
• Analysis of iOS, Android and Windows Phone mobile applications
• Speaker at conferences in Poland, France, Spain, Germany, the United Arab Emirates and Mexico
Agenda
• iOS Security
• Malware for iOS devices
– With Jailbreak
– Without Jailbreak
• Approaches/techniques used by malware
• Summary
iOS Security
• Application check by Apple (App Review)
• Code signature
– X.509v3 certificate + identity confirmation
– W^X
• Sandbox (Seatbelt)
– /var/mobile/Applications/<app-GUID>/
– /var/mobile/Containers/Bundle/Application/
• No access to other processes
• No direct access to hardware
• Code cannot be generated dynamically
• Privilege segregation
– Applications run with the privileges of the mobile user + Entitlements
Software/malware distribution for iOS
• AppStore
– Signed by distribution certificate
– Passes App Review
• TestFlight (AppStore)
– Signed by distribution certificate
– With the beta entitlement it is available to 1000 users
– Passes Beta App Review
• Personal certificate
– Can be installed only on one device; no distribution without a check by Apple
• Ad Hoc distribution
– Signed by developer certificate
– Not more than 100 devices, specified beforehand (need to know their UUIDs)
– No code checks by Apple
• In-House distribution
– Signed by enterprise certificate
– No code checks by Apple
Code must be signed!
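The distribution channels above differ in what an installed app's provisioning profile says, which is the first thing a defender can check when an app of unknown origin turns up on a device. The following example is added here and is not part of the original slides: it pulls the property list out of an embedded.mobileprovision blob and classifies the profile as App Store, Ad Hoc, development or in-house (enterprise) from the keys Apple writes into it (ProvisionsAllDevices, ProvisionedDevices, get-task-allow), and reports the entitlements that the later slide on private API says are bound to the signature. It assumes the usual layout of a CMS-wrapped profile with the XML plist embedded as plain text; the CMS signature itself is not verified, and the sample profiles are constructed fixtures, not real Apple-issued profiles.

```python
import plistlib
from datetime import datetime, timezone
from typing import Optional

# Device limit for Ad Hoc distribution quoted on the slide.
ADHOC_DEVICE_LIMIT = 100


def extract_plist(blob: bytes) -> dict:
    """Pull the XML property list out of a CMS-wrapped .mobileprovision blob.

    Assumption: the profile is DER/PKCS#7 with the plist embedded as plain
    text, so locating the <?xml ... </plist> span is enough. The CMS
    signature is NOT verified here.
    """
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start if start >= 0 else 0)
    if start < 0 or end < 0:
        raise ValueError("no plist payload found in profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def classify(profile: dict) -> str:
    """Map profile keys to the distribution type (keys as Apple writes them)."""
    ents = profile.get("Entitlements", {})
    if profile.get("ProvisionsAllDevices"):
        return "in-house"          # enterprise certificate, no App Review
    if "ProvisionedDevices" in profile:
        # Development profiles let a debugger attach; Ad Hoc profiles do not.
        return "development" if ents.get("get-task-allow") else "ad hoc"
    return "app store"             # no device list, no blanket provisioning


def assess(blob: bytes, now: Optional[datetime] = None) -> dict:
    """Summarise what a reviewer wants to know before trusting the app."""
    profile = extract_plist(blob)
    ents = profile.get("Entitlements", {})
    kind = classify(profile)
    # plistlib returns naive UTC datetimes, so compare against a naive UTC now.
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    devices = profile.get("ProvisionedDevices", [])
    expired = profile["ExpirationDate"] < now
    warnings = []
    if kind == "in-house":
        warnings.append("enterprise-signed: code was not reviewed by Apple")
    if kind == "ad hoc" and len(devices) > ADHOC_DEVICE_LIMIT:
        warnings.append("more devices than Ad Hoc allows; profile looks tampered")
    if expired:
        warnings.append("profile expired")
    return {
        "kind": kind,
        "team": profile.get("TeamName"),
        "app_id": ents.get("application-identifier"),
        "device_count": len(devices),
        "expired": expired,
        "entitlements": sorted(ents),
        "warnings": warnings,
    }


def build_sample_profile(kind: str, expired: bool = False) -> bytes:
    """Constructed fixture: a minimal plist inside fake CMS framing bytes.

    The leading/trailing bytes are NOT a real PKCS#7 signature; they only
    stand in for the binary wrapper that extract_plist has to skip.
    """
    plist = {
        "Name": "Constructed Sample Profile",
        "TeamName": "Example Team (constructed)",
        "ExpirationDate": datetime(2016, 1, 1) if expired else datetime(2030, 1, 1),
        "Entitlements": {"application-identifier": "ABCDE12345.com.example.app"},
    }
    if kind == "in-house":
        plist["ProvisionsAllDevices"] = True
    elif kind in ("ad hoc", "development"):
        plist["ProvisionedDevices"] = ["constructed-udid-%02d" % i for i in range(3)]
        if kind == "development":
            plist["Entitlements"]["get-task-allow"] = True
    return b"\x30\x82\x00\x00" + plistlib.dumps(plist) + b"\x00" * 8


if __name__ == "__main__":
    for kind in ("app store", "ad hoc", "development", "in-house"):
        print(kind, "->", assess(build_sample_profile(kind)))
```

On a real device the profile sits inside the app bundle as embedded.mobileprovision; reading it with extract_plist and passing the result to assess is the whole workflow. An "in-house" result on a consumer device that is not enrolled with that enterprise is exactly the situation the WireLurker and YiSpecter slides describe.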
Jailbreak
• Jailbreak is the process of removing the limitations Apple imposes on its devices by means of exploits.
– Tethered
– Untethered
• Consequences:
– Access to the file system
– Bypassing sandbox restrictions
– Running unsigned apps
• JB tools: PwnageTool, redsn0w, purplera1n, Spirit, JailbreakMe, Absinthe, evasi0n, Pangu, TaiG
• People: iPhone Dev Team, Chronic Dev Team, George Hotz, comex, pod2g, evad3rs + saurik, Pangu team
With jailbreak
• iKee and Duh (November 2009) – infection via the default OpenSSH password
• AdThief/Spad (March & August 2014) – stealing advertising revenue
• Unflod (April 2014) – stealing Apple ID and password
• AppBuyer (September 2014) – stealing Apple ID and password to buy applications
• Xsser mRAT (December 2014) – receiving and executing commands from C2, collecting data
• KeyRaider (August 2015) – stealing Apple ID and password
• XAgent (February 2015) – hidden work in the background, collecting data
Got onto devices from third-party sources (Cydia repositories etc.) or via social engineering.
Built on top of Cydia Substrate.
Remote Jailbreak
• Price on the black market > 1.000.000 euro
• Comex already did something like this – the JailbreakMe website
– Visiting the website was enough
Pegasus Spyware
• Commercial development
– NSO Group
• 3 vulnerabilities (Trident) – artefacts dating back to iOS 7 (2013)
– Patched in iOS 9.3.5
• Targeted attack – ~25.000 $
• Extensive functionality
– Data gathering
– Interception of calls and messages
– Real-time espionage
Device attack vectors without JB
• «Malware gift»
• Via an infected PC
• A couple of seconds in somebody else's hands
• «One's own Pinocchio»
• Hacked developer
• Insider
• Via an application vulnerability
• Via an iOS vulnerability
Malware capabilities in sandbox
• Using private API
– Installing and deleting applications, and more
• Malicious access to contacts, calendars, etc.
• Malicious access to geolocation
• Leakage of critical/confidential data
• Social engineering – phishing
• Corruption of other applications
• Loading code not checked by Apple
• Executing a jailbreak
• …
Without jailbreak
• From the AppStore
– ZergHelper
• Using an enterprise certificate – WireLurker, Oneclickfraud, YiSpecter, TracerPlus, TinyV
• "Hacked" developer – XcodeGhost (infected Xcode 7)
• Exploiting a vulnerability in Apple's technology – AceDeceiver
• And many others: Tories, LBTM, iSAM, Find and Call, InstaStock, CarrierIQ, Jekyll, FakeTor, …
WireLurker
• Attacks Mac OS and iOS systems
• Infects iOS devices from an infected PC via USB
• Repackages installed applications
• First malware to use an enterprise certificate
ZergHelper
• Application "开心日常英语 (Happy Daily English)" – learning English
– In fact it is a shop of pirated applications =)
• Distribution via the AppStore + App Review bypass
• Uses enterprise and personal certificates to sign and install other applications
• Dynamic code updating – wax framework – writing in Lua for iOS
AceDeceiver
• App Review bypass
– As with ZergHelper, behaviour depends on geolocation
• Installs applications without informing the user
– Does not use an enterprise certificate
– Can be installed via an infected PC
– Exploits an Apple DRM vulnerability
• "FairPlay Man-In-The-Middle (MITM)" technique
• Known since 2013
• The technique still works
Additional opportunities / Private API
• Using private API
– Additional functional possibilities
• Communication with surrounding services (for example, via mach ports)
• Enlarges the attack surface for jailbreaking the device
• Important!: Code signature -> Apple certificate -> entitlements are encoded in the certificate -> can work with private API within the granted entitlements
Repacking an application -> malware
1. Download a legitimate application
2. Unpack the application
3. Add a malicious dylib
4. Re-sign the application with a legitimate certificate
5. Install on the victim's device
• All of this is already automated in the su-a-cyder tool – built on Theos-Jailed and fastlane
"Masque" vulnerability
• Allowed replacing installed applications with ones signed by an enterprise certificate while updating a device, giving access to the application's contents
– Collision of the application's bundle ID
– Fixed by Apple – doesn't work in iOS versions > 8.3
• SandJacking – "Masque" reincarnation
– The application is replaced in a backup and the replacement is applied when restoring to a device
– The vulnerability is currently still not fixed by Apple
Application downgrade attack
• Apple keeps all application versions
• Download and install an outdated application version from the AppStore
– Including versions with critical data leakage
– Including versions without obfuscation
– Including vulnerable versions
– …
• The attacker uses this weakness for personal gain
All your traffic belongs to us
• Malicious VPN
– Legitimately intercepts all network traffic
• AdThief idea + VPN functionality = $$$
• "What's New in Network Extension and VPN", WWDC15
Dynamically loaded/updated code
• Just need a bridge from a scripting language to Objective-C
• JSPatch – JavaScript bridge for Objective-C
– There are many others …
• Hard to identify/block unwanted functionality that is not in the code ;)
1. Include: #import "JPEngine.h"
2. Initialize: [JPEngine startEngine]
3. Execute JS: [JPEngine evaluateScript:script]
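Because the functionality arrives as script after review, the reviewable part of such an app is the bridge itself: the JPEngine class and the evaluateScript: selector from the steps above are stored as plain NUL-terminated strings in the Mach-O binary, and shipped .js or .lua files are visible in the bundle. The following static triage check is an added example, not code from the slides or from the JSPatch or wax projects. It walks an unpacked .app directory, searches every file for bridge indicators and lists script files; the wax indicators (wax_start and the Lua C API symbol luaL_newstate) are this example's own assumptions, and the sample bundle is a constructed fixture with a stand-in for a real binary.

```python
import os
import tempfile

# Indicator strings for script-to-Objective-C bridges named on the slide.
# JPEngine and evaluateScript: come from the JSPatch steps; wax_start and
# luaL_newstate are assumptions of this example for the wax/Lua bridge.
INDICATORS = {
    "JSPatch": (b"JPEngine", b"evaluateScript:"),
    "wax (Lua)": (b"wax_start", b"luaL_newstate"),
}
SCRIPT_SUFFIXES = (".js", ".lua")


def scan_bundle(bundle_dir: str) -> dict:
    """Walk an unpacked .app directory; report bridge indicators and shipped scripts.

    Objective-C class and selector names are plain strings inside a Mach-O
    file, so a byte search is enough for triage; no disassembly is needed.
    """
    hits, scripts = {}, []
    for root, _, files in os.walk(bundle_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, bundle_dir)
            if name.lower().endswith(SCRIPT_SUFFIXES):
                scripts.append(rel)
            with open(path, "rb") as fh:
                data = fh.read()
            found = [fw for fw, needles in INDICATORS.items()
                     if any(n in data for n in needles)]
            if found:
                hits[rel] = found
    return {
        "indicators": hits,
        "script_files": sorted(scripts),
        "suspicious": bool(hits) or bool(scripts),
    }


def build_sample_bundle(hot_patching: bool = True) -> str:
    """Constructed fixture: a fake .app directory in a temp folder.

    The "binary" is only NUL-separated class/selector names behind a Mach-O
    magic value; it is a stand-in, not a real executable.
    """
    app = os.path.join(tempfile.mkdtemp(), "Sample.app")
    os.makedirs(app)
    names = [b"\xcf\xfa\xed\xfe", b"ViewController", b"viewDidLoad"]
    if hot_patching:
        names += [b"JPEngine", b"startEngine", b"evaluateScript:"]
    with open(os.path.join(app, "Sample"), "wb") as fh:
        fh.write(b"\x00".join(names))
    with open(os.path.join(app, "Info.plist"), "w") as fh:
        fh.write("<plist/>")
    if hot_patching:
        with open(os.path.join(app, "main.js"), "w") as fh:
            fh.write("// constructed: script the app would replace at runtime\n")
    return app


if __name__ == "__main__":
    print(scan_bundle(build_sample_bundle(hot_patching=True)))
    print(scan_bundle(build_sample_bundle(hot_patching=False)))
```

A hit only says the bridge is present; whether the scripts it loads are benign cannot be decided statically, which is exactly the review gap the slide points at. For a real bundle, pass the path of the unzipped Payload/<name>.app directory to scan_bundle.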
Useful links
• "iOS Malware", Claud Xiao
• "Wormy apples [WITHOUT JailBreak]" (in Russian: "Червивые яблочки [БЕЗ JailBreak]"), Dmitry Evdokimov
• "Who's Breaking into Your Garden", Claud Xiao
• "SU-A-CYDER: HOMEBREWING MALWARE FOR IOS LIKE A B0$$!", Chilik Tamir
• "SandJacking: Profiting from iOS Malware", Chilik Tamir
• "Fruit vs Zombies: Defeat Non-jailbroken iOS Malware", Claud Xiao
Recommendations
• Do not install applications from third-party sources
• Do not connect devices to untrusted systems
• Keep the operating system updated
• Control device profiles (Settings -> General -> Profiles)
• Keep your certificates somewhere safe (for developers)
• Keep track of the code written for in-house distribution (for customers)
Summary
• There are many scenarios for infecting devices
• Apple's App Review process can be bypassed
• Neither the absence of a jailbreak nor a fresh OS guarantees device safety
• The fact that code is signed doesn't mean that new, suspicious code will not appear at some point
• Malicious code strives to imitate legitimate code
• The number of iOS malware variants will keep growing
[email protected] @evdokimovds
Digital Security in Moscow: (495) 223-07-86
Digital Security in Saint-Petersburg: (812) 703-15-47
Thanks! Any questions?