iOS malware: what's the risk and how to reduce it

C O N F I D E N T I A L ©2016 KUDELSKI GROUP / All rights reserved.
iOS malware : what’s the risk and how to reduce it
Julien Bachmann
Expert Security Researcher
@milkmix_

3©2016 KUDELSKI GROUP / All rights reserved.
2010 2011 2012 2013 2014 2015
SOME HISTORY ON BANKING MALWARE
Zeus
SpyEye
Carberp
HesperBot
Android.iBanking
Android.BankBot
Android.bankosy

Only an Android problem right?
• Two facts to consider
• iOS malware is a real thing, even if less widespread now
• If you are using iOS in your enterprise you might be at risk
src: Verizon DBIR 2015

Some history on iOS malware
2009 2012 2014 2015 2016
iKee (ssh)
Find and Call
AdThief
Unflod
WireLurker
XcodeGhost
YiSpecter
Muda
ZergHelper
AceDeceiver
Trident

Applications installation
• Limited number of installation paths
• Closed platform well restricted by Apple
• Only authorized methods controlled by Apple on non-jailbroken device

AppStore
AdHoc / self signed
In House
3rd party stores (jailbreak)

• AppStore
• Require Developer certificate
• Applications are reviewed
• In House
• Common method for enterprise applications
• Require Enterprise Developer account
• Require Provisioning profile installed on device
• Ad Hoc
• Used during development
• Limited to 100 devices with provisioned UDID
• Self signed
• New with iOS 9 and Xcode 7, sign for personal devices

• The jailbroken case
• Several advantages while jailbreaking a device
• Allows to validate security of applications
• But disable code signing validations
• Allows installing applications from untrusted sources

Applications restrictions
• Limitations put in place by Apple
• Applications running in a sandbox
• Seat-Belt
• Limited access to filesystem and resources
• Applications are isolated from one another
• Requested accesses validated on the AppStore
• Some limitations may apply…

How devices are infected?
• Mostly spear-phishing
• Lure users into installing malicious application
• Download link in emails / messages
• Used it before in phishing campaign for customer : ~10%
• No exploits and watering hole?
• Exploitation of software vulnerabilities through the browser
• Possible and seen but remote code execs to drop malware are expensive
and complex on iOS
• Pegasus/Trident attack

• Pegasus / Trident
1. WebKit vulnerability
2. Kernel infoleak
3. Kernel memory corruption
4. Another JS related vulnerability to persist

• Traffic injection
• From the public news, most cases currently in Asia
• DNS redirects in China
• Attacks on mobile devices through fake eNodeB
• Physical attacks
• Through MobileDevice framework on USB/WiFi
• AirDrop software flaws
• Code injection
• Ex. JSPatch

• Physical attacks
• Through MobileDevice framework on USB/WiFi

Code signing?
• Phishing is not enough
• Code signing still performed by iOS
• Except on jailbroken devices or if software vulnerability gets exploited
• Ad Hoc
• Too complicated, requires UDID
• Leaks in the past years, limited now with Apple restrictions
• Potentially on very targeted attacks
• Enterprise Developer Certificate
• User validation
• Certificate can be easily revoked by Apple upon detection

Code signing?
• Enterprise Developer Certificate

Code signing?
• A few months in the news
• “Malware bypassing Apple code signing mechanism”
• AceDeceiver
• Truth (explanation w/o the hype)
• Still requires to be published and accepted by Apple at least once in one of
the stores (US, CH, CN, …)
• Can use geolocation of incoming IP addresses to enable/disable features in
the code
• Possible to exploit design flaw in the validation process when installing from
iTunes on Mac/PC
• Allows to install the malware from Mac/PC even if certificate revoked

Code signing?
http://researchcenter.paloaltonetworks.com/2016/03/acedeceiver-first-ios-trojan-exploiting-apple-drm-design-flaws-to-infect-any-ios-device/

AppStore permissions
• Audio recording
• Easily performed through the API
• When in background applications are preempted by iOS
• Except if defined as background application
• Ribbon displayed to the user
• Keylogging
• Since iOS8 : extensions (keyboard, browser filtering, …)
• Isolated from standard application so no access to Internet or files…
• … except if requested

Keylogging from the appstore
• User’s validation

Private API
• In the news

Sandbox is limiting actions right?
• Entitlements
1. Developers should specify entitlements at compilation
• http://newosxbook.com/ent.jl
2. Validated by the AppStore
3. Some additional rights for selected partners
4. Enforced on device by seat-belt
• Private API
• Forbidden by Apple in the guidelines
• Still requires entitlements to access data due to sandbox
• Does not break applications isolation principle
• Would require to elevate privileges to do so
• Or flaws in the private APIs validation mechanism (Stefan Esser app)
• Difficult to detect with automated analysis (static and dynamic)

• Entitlements

• Listing private APIs functions
• Nicolas Seriot online list
• Using classdump-dyld on a jailbroken device
• Calling private APIs
• Can be called directly
• Through dynamic loading
• dlopen / dlsym
• Using Objective-C reflection property

• Listing private APIs functions

• When linked
• Objective-C reflection

The In house case
• Entitlements
• Defined at compilation
• Not validated by Apple outside of the AppStore flow
• As seen allows to use more sensitive Private API functions
• Offers more possibilities
• CoreTelephony framework
• Notifications on calls or messages
• IMSI / IMEI retrieval
• Install applications
• Access private information
• …

The jailbroken case
• Game over
• Everything is possible
• Ex:
• Modifying vm_map_protect to allow RWX pages
• Injecting code in processes to gain access to their data
• Direct access to applications files
• Send / receive SMS
• …

Configuration profiles
• Probably used in your organization
• Configure email client
• Device certificate
• Corporate WiFi credentials
• …
• Also used by attackers
• Define proxy and install CA for SSL interception
• Required to run Enterprise Developer signed applications

Detection
• Mobile devices are more complex to protect
• Network side
• Not always using your egress point
• Web filtering / network monitoring not applicable
• Endpoint side
• Operating system less open to 3rd party drivers
• Applications isolation
• Not an AV friendly environment

Detection on the network
• IDS like features
• Use rulesets specific to mobile malware
• Examples
• Emerging Threats MOBILE_MALWARE rules
• Lookout Mobile Threat Intelligence feed
• Android only
• Detect access to non-corporate configuration
• Detect download of IPA files signed with external Enterprise Developer
accounts

Detection on the devices
• Leverage existing MDM/MAM solution
• Retrieve installed provisioning profiles
• All external ones should be suspicious
• Retrieve installed applications bundle names
• Match known malicious

• Command line tools
• ideviceinstaller
• ideviceprovision

• Forensics from logs
• installd
• SpringBoard

• Forensics from side channels logs
• Battery usage
• Data usage
• Both contain applications name and last executed timestamp
• Available from backups

• One remark on forensics acquisition
• Enterprise app binaries were never part of the backups
• Since iOS 9 it is the same for AppStore ones

• Future?
• USB scanning terminal to match known malicious bundles
• Workstation AV scanning connected devices

Protection
• Update devices
• Decrease potential vulnerabilities exploitation
• Prevent known jailbreaking methods
• Device hardening
• iOS security best-practices
• Disable AirDrop
• Force 6-digits passcode
• …

Protection
• Users training
• Do not install 3rd party provisioning profiles
• Do not install applications outside of the AppStore or provided by corporate
MDM

Freely available

Acknowledgements
• Claud Xiao from Palo Alto for sharing his samples with the research
community

Thank You
Julien Bachmann
Expert Security Researcher
Security Research Unit
Email: julien.bachmann __at__
kudelskisecurity.com

iOS malware: what's the risk and how to reduce it

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to iOS malware: what's the risk and how to reduce it

Similar to iOS malware: what's the risk and how to reduce it (20)

More from Cyber Security Alliance

More from Cyber Security Alliance (20)

Recently uploaded

Recently uploaded (20)

iOS malware: what's the risk and how to reduce it