iOS malware: what's the risk and how to reduce it
- 1. C O N F I D E N T I A L ©2016 KUDELSKI GROUP / All rights reserved.
iOS malware: what’s the risk and how to reduce it
Julien Bachmann
Expert Security Researcher
@milkmix_
- 3.
Some history on banking malware
Timeline, 2010 to 2015: Zeus, SpyEye, Carberp, HesperBot, Android.iBanking, Android.BankBot, Android.bankosy
- 4.
Only an Android problem, right?
• Two facts to consider
• iOS malware is a real thing, even if less widespread for now
• If you are using iOS in your enterprise, you might be at risk
src: Verizon DBIR 2015
- 5.
Some history on iOS malware
Timeline, 2009 to 2016: iKee (ssh), Find and Call, AdThief, Unflod, WireLurker, XcodeGhost, YiSpecter, Muda, ZergHelper, AceDeceiver, Trident
- 7.
Application installation
• Limited number of installation paths
• Closed platform, well restricted by Apple
• Only authorized methods, controlled by Apple, on non-jailbroken devices
- 8.
Application installation paths
• AppStore
• AdHoc / self signed
• In House
• 3rd party stores (jailbreak)
- 9.
Application installation
• AppStore
• Requires a Developer certificate
• Applications are reviewed
• In House
• Common method for enterprise applications
• Requires an Enterprise Developer account
• Requires a provisioning profile installed on the device
• Ad Hoc
• Used during development
• Limited to 100 devices with provisioned UDIDs
• Self signed
• New with iOS 9 and Xcode 7: sign for personal devices
- 10.
Application installation
• The jailbroken case
• Jailbreaking a device has several advantages
• Allows validating the security of applications
• But it disables code signing validation
• Allows installing applications from untrusted sources
- 11.
Application restrictions
• Limitations put in place by Apple
• Applications run in a sandbox
• Seatbelt
• Limited access to the filesystem and resources
• Applications are isolated from one another
• Requested accesses are validated on the AppStore
• Some limitations may apply…
- 12.
How are devices infected?
• Mostly spear-phishing
• Lure users into installing a malicious application
• Download link in emails / messages
• We used it before in a phishing campaign for a customer: ~10%
• No exploits or watering holes?
• Exploitation of software vulnerabilities through the browser
• Possible and seen, but remote code execution to drop malware is expensive and complex on iOS
• Pegasus/Trident attack
- 14.
How are devices infected?
• Pegasus / Trident
1. WebKit vulnerability
2. Kernel infoleak
3. Kernel memory corruption
4. Another JavaScript-related vulnerability to persist
- 15.
How are devices infected?
• Traffic injection
• From the public news, most cases are currently in Asia
• DNS redirects in China
• Attacks on mobile devices through fake eNodeBs
• Physical attacks
• Through the MobileDevice framework over USB/WiFi
• AirDrop software flaws
• Code injection
• Ex. JSPatch
- 17.
Code signing?
• Phishing alone is not enough
• Code signing is still performed by iOS
• Except on jailbroken devices or if a software vulnerability gets exploited
• Ad Hoc
• Too complicated, requires the UDID
• Leaks in past years, now limited by Apple restrictions
• Potentially used in very targeted attacks
• Enterprise Developer Certificate
• User validation
• Certificate can be easily revoked by Apple upon detection
- 19.
Code signing?
• A few months ago in the news
• “Malware bypassing Apple code signing mechanism”
• AceDeceiver
• Truth (explanation without the hype)
• Still requires the application to be published and accepted by Apple at least once in one of the stores (US, CH, CN, …)
• Can use geolocation of incoming IP addresses to enable/disable features in the code
• Possible to exploit a design flaw in the validation process when installing from iTunes on Mac/PC
• Allows installing the malware from Mac/PC even if the certificate is revoked
- 20.
Code signing?
http://researchcenter.paloaltonetworks.com/2016/03/acedeceiver-first-ios-trojan-exploiting-apple-drm-design-flaws-to-infect-any-ios-device/
- 22.
AppStore permissions
• Audio recording
• Easily performed through the API
• When in the background, applications are preempted by iOS
• Except if defined as a background application
• A ribbon is displayed to the user
• Keylogging
• Since iOS 8: extensions (keyboard, browser filtering, …)
• Isolated from the standard application, so no access to the Internet or files…
• … except if requested
- 25.
Sandbox is limiting actions, right?
• Entitlements
1. Developers specify entitlements at compilation
• http://newosxbook.com/ent.jl
2. Validated by the AppStore
3. Some additional rights for selected partners
4. Enforced on the device by Seatbelt
• Private API
• Forbidden by Apple in the guidelines
• Still requires entitlements to access data, due to the sandbox
• Does not break the application isolation principle
• Would require privilege elevation to do so
• Or flaws in the private API validation mechanism (Stefan Esser's app)
• Difficult to detect with automated analysis (static and dynamic)
- 27.
Sandbox is limiting actions, right?
• Listing private API functions
• Nicolas Seriot's online list
• Using classdump-dyld on a jailbroken device
• Calling private APIs
• Can be called directly
• Through dynamic loading
• dlopen / dlsym
• Using Objective-C reflection
- 29.
Sandbox is limiting actions, right?
• Calling private APIs: when linked directly
• Calling private APIs: through Objective-C reflection
- 30.
The In House case
• Entitlements
• Defined at compilation
• Not validated by Apple outside of the AppStore flow
• As seen, this allows using more sensitive Private API functions
• Offers more possibilities
• CoreTelephony framework
• Notifications on calls or messages
• IMSI / IMEI retrieval
• Install applications
• Access private information
• …
- 31.
The jailbroken case
• Game over
• Everything is possible
• Ex:
• Modifying vm_map_protect to allow RWX pages
• Injecting code into processes to gain access to their data
• Direct access to application files
• Send / receive SMS
• …
- 33.
Configuration profiles
• Probably used in your organization
• Configure the email client
• Device certificate
• Corporate WiFi credentials
• …
• Also used by attackers
• Define a proxy and install a CA for SSL interception
• Required to run Enterprise Developer signed applications
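The proxy-plus-CA pattern described on this slide is easy to spot in the profile itself. The following is an added example, not code from the presentation or from Kudelski: it reads an unsigned .mobileconfig plist (a signed one is CMS-wrapped and has to be unwrapped first), lists the payloads that hand a third party network or trust control, and raises an interception finding when both a global HTTP proxy and a root CA arrive from a non-corporate source. The corporate organization name, identifier prefix, proxy address and the sample profiles are constructed placeholders.

```python
"""Triage an iOS configuration profile (.mobileconfig) for SSL-interception setups.

Added example. Assumes an unsigned XML profile and the standard Apple payload
keys (PayloadContent, PayloadType, PayloadOrganization, PayloadIdentifier,
ProxyServer, ProxyServerPort, PayloadCertificateFileName).
"""
import plistlib

# Organization name and identifier prefix of the corporate MDM (constructed placeholders).
CORPORATE_ORGS = {"Example Corp IT"}
CORPORATE_ID_PREFIX = "com.example.mdm."

# Payload types that give whoever pushed the profile network or trust control.
RISKY_PAYLOADS = {
    "com.apple.proxy.http.global": "proxy",   # Global HTTP Proxy payload
    "com.apple.security.root": "ca",          # root certificate payload
    "com.apple.security.pkcs1": "ca",         # plain certificate payload
}


def triage_mobileconfig(data):
    """Return who the profile claims to come from and which risky payloads it carries."""
    profile = plistlib.loads(data)
    org = profile.get("PayloadOrganization", "")
    ident = profile.get("PayloadIdentifier", "")
    # Anything not pushed by our own MDM is treated as external.
    external = org not in CORPORATE_ORGS or not ident.startswith(CORPORATE_ID_PREFIX)
    findings = []
    for payload in profile.get("PayloadContent", []):
        role = RISKY_PAYLOADS.get(payload.get("PayloadType"))
        if role == "proxy":
            findings.append("proxy -> %s:%s" % (payload.get("ProxyServer"),
                                                payload.get("ProxyServerPort")))
        elif role == "ca":
            findings.append("ca %s" % payload.get("PayloadCertificateFileName", "?"))
    has_proxy = any(f.startswith("proxy") for f in findings)
    has_ca = any(f.startswith("ca") for f in findings)
    return {
        "identifier": ident,
        "organization": org,
        "external": external,
        "findings": findings,
        # A proxy and a trusted CA from a non-corporate source is the interception kit.
        "interception": external and has_proxy and has_ca,
    }


def make_mobileconfig(org, ident, proxy, ca):
    """Build constructed sample .mobileconfig bytes (sample data, not a real profile)."""
    payloads = []
    if proxy:
        payloads.append({"PayloadType": "com.apple.proxy.http.global", "PayloadVersion": 1,
                         "PayloadIdentifier": ident + ".proxy",
                         "PayloadUUID": "00000000-0000-0000-0000-000000000001",
                         "ProxyType": "Manual",
                         "ProxyServer": "203.0.113.10", "ProxyServerPort": 8080})
    if ca:
        payloads.append({"PayloadType": "com.apple.security.root", "PayloadVersion": 1,
                         "PayloadIdentifier": ident + ".ca",
                         "PayloadUUID": "00000000-0000-0000-0000-000000000002",
                         "PayloadCertificateFileName": "root.cer",
                         "PayloadContent": b"constructed placeholder, not a real DER cert"})
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": ident,
                           "PayloadUUID": "00000000-0000-0000-0000-000000000000",
                           "PayloadDisplayName": "Settings Helper",
                           "PayloadOrganization": org, "PayloadContent": payloads})


# Constructed samples: one interception kit from an unknown source, one corporate Wi-Fi CA.
EXTERNAL_PROFILE = make_mobileconfig("Unknown Org", "net.example-bad.profile", True, True)
CORPORATE_PROFILE = make_mobileconfig("Example Corp IT", "com.example.mdm.wifi", False, True)

if __name__ == "__main__":
    print(triage_mobileconfig(EXTERNAL_PROFILE))
    print(triage_mobileconfig(CORPORATE_PROFILE))
```

Feed the same function the profiles an MDM exports, or the .mobileconfig bodies seen on the network, and route anything with `interception` set to an analyst; a corporate CA payload alone stays quiet.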
- 35.
Detection
• Mobile devices are more complex to protect
• Network side
• Not always using your egress point
• Web filtering / network monitoring not applicable
• Endpoint side
• Operating system less open to 3rd party drivers
• Application isolation
• Not an AV-friendly environment
- 36.
Detection on the network
• IDS-like features
• Use rulesets specific to mobile malware
• Examples
• Emerging Threats MOBILE_MALWARE rules
• Lookout Mobile Threat Intelligence feed
• Android only
• Detect access to non-corporate configuration
• Detect download of IPA files signed with external Enterprise Developer accounts
- 37.
Detection on the devices
• Leverage the existing MDM/MAM solution
• Retrieve installed provisioning profiles
• All external ones should be considered suspicious
• Retrieve installed application bundle names
• Match against known malicious ones
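Both the network rule on slide 36 (an IPA signed with an external Enterprise Developer account) and the MDM rule above (any external provisioning profile is suspicious) come down to reading the provisioning profile and comparing its team against what the enterprise owns. The following is an added example, not code from the presentation or from Kudelski. It assumes the standard layout of a .mobileprovision (a PKCS#7 signed blob whose content is an XML plist with TeamIdentifier, ProvisionsAllDevices, ProvisionedDevices, Entitlements and ExpirationDate keys) and of an IPA (a zip with Payload/<App>.app/embedded.mobileprovision). The corporate team identifier and the sample profiles are constructed placeholders; the code reads the profile's claims and does not verify Apple's signature.

```python
"""Triage iOS provisioning profiles against a corporate team allowlist.

Added example. Works on a raw .mobileprovision (as exported from an MDM) or on
an IPA captured on the network.
"""
import io
import plistlib
import zipfile
from datetime import datetime

# Team identifiers the enterprise owns (constructed placeholder value).
CORPORATE_TEAMS = {"CORP0TEAM1"}
# Fixed reference date for the expiry check so the example is deterministic.
REFERENCE_DATE = datetime(2016, 10, 1)

PLIST_START = b"<?xml"
PLIST_END = b"</plist>"


def extract_plist(profile_bytes):
    """Return the plist dict embedded in a CMS-wrapped .mobileprovision.

    The XML payload is located by its markers; the signature is not checked here.
    """
    start = profile_bytes.find(PLIST_START)
    end = profile_bytes.find(PLIST_END, start)
    if start < 0 or end < 0:
        raise ValueError("no plist payload found in profile")
    return plistlib.loads(profile_bytes[start:end + len(PLIST_END)])


def classify_profile(info):
    """Map profile keys to the installation path they permit (cf. slide 9)."""
    if info.get("ProvisionsAllDevices"):
        return "enterprise"       # In House: any device, no UDID list
    if "ProvisionedDevices" in info:
        if info.get("Entitlements", {}).get("get-task-allow"):
            return "development"  # debuggable build for the listed UDIDs
        return "adhoc"            # up to 100 listed UDIDs
    return "appstore"             # no device list: App Store distribution


def triage_profile(profile_bytes, now=REFERENCE_DATE):
    """Flag a profile that does not belong to the corporate teams."""
    info = extract_plist(profile_bytes)
    teams = set(info.get("TeamIdentifier", []))
    kind = classify_profile(info)
    external = not (teams & CORPORATE_TEAMS)
    expiry = info.get("ExpirationDate")  # plistlib returns naive UTC datetimes
    return {
        "name": info.get("Name"),
        "app_id": info.get("Entitlements", {}).get("application-identifier"),
        "teams": sorted(teams),
        "kind": kind,
        "external": external,                 # MDM-side: every external profile is suspicious
        "expired": expiry is not None and expiry < now,
        "alert": external and kind == "enterprise",  # network-side: foreign enterprise signature
    }


def triage_ipa(ipa_bytes):
    """Find embedded.mobileprovision inside an IPA (a zip archive) and triage it."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as ipa:
        names = [n for n in ipa.namelist()
                 if n.startswith("Payload/") and n.endswith(".app/embedded.mobileprovision")]
        if not names:
            return {"kind": "unknown", "external": False, "alert": False}
        return triage_profile(ipa.read(names[0]))


def make_profile(team, name, bundle_id, enterprise):
    """Build a constructed .mobileprovision-like blob (sample data, not a real profile)."""
    info = {
        "Name": name,
        "TeamIdentifier": [team],
        "UUID": "00000000-0000-0000-0000-000000000000",
        "ExpirationDate": datetime(2017, 1, 1),
        "Entitlements": {"application-identifier": team + "." + bundle_id,
                         "get-task-allow": False},
    }
    if enterprise:
        info["ProvisionsAllDevices"] = True
    # A few opaque bytes stand in for the PKCS#7 wrapper around the real payload.
    return b"\x30\x82\x10\x00" + plistlib.dumps(info) + b"\x00" * 8


def make_ipa(profile_bytes):
    """Build a minimal constructed IPA carrying the given profile."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as ipa:
        ipa.writestr("Payload/Lure.app/embedded.mobileprovision", profile_bytes)
    return buf.getvalue()


# Constructed samples: an in-house profile from a foreign team and one from our own team.
EXTERNAL_ENTERPRISE = make_profile("EVIL0TEAM9", "Lure InHouse", "com.example.lure", True)
CORPORATE_ENTERPRISE = make_profile("CORP0TEAM1", "Corp Mail", "com.example.corpmail", True)

if __name__ == "__main__":
    print(triage_profile(EXTERNAL_ENTERPRISE))
    print(triage_profile(CORPORATE_ENTERPRISE))
    print(triage_ipa(make_ipa(EXTERNAL_ENTERPRISE)))
```

On the MDM side, run `triage_profile` over every exported profile and review all entries with `external` set; on the network side, `triage_ipa` on captured IPA downloads gives the enterprise-signature alert from slide 36. Signature verification of the profile is a separate step and is deliberately left out of this reader.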
- 38.
Detection on the devices
• Command line tools
• ideviceinstaller
• ideviceprovision
- 39.
Detection on the devices
• Forensics from logs
• installd
• SpringBoard
- 40.
Detection on the devices
• Forensics from side-channel logs
• Battery usage
• Data usage
• Both contain application names and last executed timestamps
• Available from backups
- 41.
Detection on the devices
• One remark on forensics acquisition
• Enterprise app binaries were never part of the backups
• Since iOS 9, the same applies to AppStore ones
- 42.
Detection on the devices
• Future?
• USB scanning terminal to match known malicious bundles
• Workstation AV scanning connected devices
- 43.
Protection
• Update devices
• Reduces the potential for vulnerability exploitation
• Prevents known jailbreaking methods
• Device hardening
• iOS security best practices
• Disable AirDrop
• Force 6-digit passcodes
• …
- 44.
Protection
• User training
• Do not install 3rd party provisioning profiles
• Do not install applications outside of the AppStore or those provided by the corporate MDM
- 46.
Acknowledgements
• Claud Xiao from Palo Alto for sharing his samples with the research community
- 47.
Thank You
Julien Bachmann
Expert Security Researcher
Security Research Unit
Email: julien.bachmann __at__ kudelskisecurity.com