iOS malware: myth or reality?

D09f0bb8d2175fd4884f630cc66e49d5?s=47 Julien Bachmann
June 08, 2016
Technology
2
760

iOS malware: myth or reality?

talk given at Security B-Sides London

D09f0bb8d2175fd4884f630cc66e49d5?s=128

Julien Bachmann

June 08, 2016
Tweet

More Decks by Julien Bachmann

See All by Julien Bachmann
D09f0bb8d2175fd4884f630cc66e49d5?s=48 milkmix
1
2.4k
D09f0bb8d2175fd4884f630cc66e49d5?s=48 milkmix
1
1k
D09f0bb8d2175fd4884f630cc66e49d5?s=48 milkmix
0
1.3k
D09f0bb8d2175fd4884f630cc66e49d5?s=48 milkmix
1
410
D09f0bb8d2175fd4884f630cc66e49d5?s=48 milkmix
0
120
D09f0bb8d2175fd4884f630cc66e49d5?s=48 milkmix
0
200
D09f0bb8d2175fd4884f630cc66e49d5?s=48 milkmix
1
140
D09f0bb8d2175fd4884f630cc66e49d5?s=48 milkmix
0
79
D09f0bb8d2175fd4884f630cc66e49d5?s=48 milkmix
0
64

Other Decks in Technology

See All in Technology
0102ef8594b9d3a74f45dfd5daa5ede4?s=48 yskmjp
0
250
A8b79d304b5184e5a5b0a109590f6683?s=48 dpreussler
0
190
25b30e875da37bab1edc8fbc2fe23df7?s=48 _mossann_t
0
330
179d41d0fdd38c6980de9f2ae0e4768a?s=48 9wick
0
310
Ccb58352bdd1be66ebb2daf12ba1b993?s=48 mirie_sd
0
120
57eb5b1713206c5edb521dde99cc5f30?s=48 key
0
160
5b392dc79d5b6d1dab580bf60e26fb7c?s=48 nitya
0
140
9e7a653ed313b3da4b263a772bfc5026?s=48 clustervr
0
140
0aa238a274c2397214b20d6eed58939b?s=48 moomooya
0
340
Bf7fe621f4fe1615c228ef8a79b87282?s=48 shirayanagiryuji
2
110
40661cda330920ea2a854566ae19bbe9?s=48 wyamazak_uhuru
0
340
2564c99f616f1ecfc0f617a6fe87e2a9?s=48 penguin045
0
140

Featured

See All Featured
A9704266587836f7e784235e5073b93e?s=48 jmmastey
5
360
78b475797a14c84799063c7cd073962f?s=48 holman
459
270k
3d4519fd34b76fb265fc0237f3792bd4?s=48 danielanewman
1
340
0bce06bd06ee7a2c4f5500f25dcf7f18?s=48 paulrobertlloyd
69
1.3k
462dad0dd24c568a32dcdb0ae895ae1b?s=48 rasmusluckow
316
18k
027d1ebf66cc039a0bd3b55eeadbe75d?s=48 sachag
266
16k
D36d2c1821af9249b69ff7f5ed60529b?s=48 tammielis
236
23k
D09fad3e36ae6841f54820be0e907f7a?s=48 rocio
155
11k
B3ace07412a5178ea778e7eec161fc0a?s=48 jcasabona
7
460
1519587b1a0febb658c36c94f6272b0d?s=48 roundedbygravity
241
20k
9375a9529679f1b42b567a640d775e7d?s=48 schacon
144
6.5k
A9a491b0fcbe0fbce3d64063a37add99?s=48 rmw
10
630

Transcript

  1. C O N F I D E N T I

    A L ©2016 KUDELSKI GROUP / All rights reserved. iOS MALWARE : MYTH OR REALITY? Julien Bachmann @milkmix_

  2. INTRODUCTION

  3. C O N F I D E N T I

    A L 3 ©2016 KUDELSKI GROUP / All rights reserved. 2010 2011 2012 2013 2014 2015 SOME HISTORY ON BANKING MALWARE Zeus SpyEye Carberp HesperBot Android.iBanking Android.BankBot Android.bankosy

  4. C O N F I D E N T I

    A L 4 ©2016 KUDELSKI GROUP / All rights reserved. ONLY AN ANDROID PROBLEM RIGHT? Two facts to consider iOS malware is a real thing, even if less widespread now If you are using iOS in your enterprise you might be at risk src: Verizon DBIR 2015

  5. C O N F I D E N T I

    A L 5 ©2016 KUDELSKI GROUP / All rights reserved. 2009 2012 2014 2015 2016 SOME HISTORY ON iOS MALWARE iKee (ssh) Find and Call AdThief Unflod WireLurker XcodeGhost YiSpecter Muda ZergHelper AceDeceiver

  6. QUICK RECAP ON iOS SECURITY

  7. C O N F I D E N T I

    A L 7 ©2016 KUDELSKI GROUP / All rights reserved. APPLICATIONS INSTALLATION Limited number of installation paths Closed platform well restricted by Apple Only authorized methods controlled by Apple on non- jailbroken device

  8. C O N F I D E N T I

    A L 8 ©2016 KUDELSKI GROUP / All rights reserved. APPLICATIONS INSTALLATION AppStore AdHoc / self signed In House 3rd party stores (jailbreak)

  9. C O N F I D E N T I

    A L 9 ©2016 KUDELSKI GROUP / All rights reserved. APPLICATIONS INSTALLATION AppStore Require Developer certificate Applications are reviewed In House Common method for enterprise applications Require Enterprise Developer account Require Provisioning profile installed on device Ad Hoc Used during development Limited to 100 devices with provisioned UDID Self signed New with iOS 9 and Xcode 7, sign for personal devices

  10. C O N F I D E N T I

    A L 10 ©2016 KUDELSKI GROUP / All rights reserved. APPLICATIONS INSTALLATION The jailbroken case Several advantages while jailbreaking a device Allows to validate security of applications But disable code signing validations Allows installing applications from untrusted sources

  11. C O N F I D E N T I

    A L 11 ©2016 KUDELSKI GROUP / All rights reserved. APPLICATIONS RESTRICTIONS Limitations put in place by Apple Applications running in a sandbox Seat-Belt Limited access to filesystem and resources Applications are isolated from one another Requested accesses validated on the AppStore Some limitations may apply…

  12. C O N F I D E N T I

    A L 12 ©2016 KUDELSKI GROUP / All rights reserved. HOW DEVICES ARE INFECTED? Mostly phishing Lure users into installing malicious application Download link in emails / messages Used it before in phishing campaign for customer : ~10% No exploits and watering hole? Exploitation of software vulnerabilities through the browser Possible but remote code execs are expensive on iOS

  13. C O N F I D E N T I

    A L 13 ©2016 KUDELSKI GROUP / All rights reserved. HOW DEVICES ARE INFECTED?

  14. C O N F I D E N T I

    A L 14 ©2016 KUDELSKI GROUP / All rights reserved. HOW DEVICES ARE INFECTED? Traffic injection From the public news, most cases currently in Asia DNS redirects in China Attacks on mobile devices through fake eNodeB Physical attacks Through MobileDevice framework on USB/WiFi AirDrop software flaws Code injection Ex. JSPatch

  15. C O N F I D E N T I

    A L 15 ©2016 KUDELSKI GROUP / All rights reserved. HOW DEVICES ARE INFECTED? Physical attacks Through MobileDevice framework on USB/WiFi

  16. C O N F I D E N T I

    A L 16 ©2016 KUDELSKI GROUP / All rights reserved. CODE SIGNING? Phishing is not enough Code signing still performed by iOS Except on jailbroken devices Ad Hoc Too complicated, requires UDID Leaks in the past years, limited now with Apple restrictions Potentially on very targeted attacks Enterprise Developer Certificate User validation Certificate can be easily revoked by Apple upon detection

  17. C O N F I D E N T I

    A L 17 ©2016 KUDELSKI GROUP / All rights reserved. CODE SIGNING? Enterprise Developer Certificate

  18. C O N F I D E N T I

    A L 18 ©2016 KUDELSKI GROUP / All rights reserved. CODE SIGNING? Recently in the news “Malware bypassing Apple code signing mechanism” AceDeceiver Truth (explanation w/o the hype) Still requires to be published and accepted by Apple at least once in one of the stores (US, CH, CN, …) Can use geolocation of incoming IP addresses to enable/disable features in the code Possible to exploit design flaw in the validation process when installing from iTunes on Mac/PC Allows to install the malware from Mac/PC even if certificate revoked

  19. C O N F I D E N T I

    A L 19 ©2016 KUDELSKI GROUP / All rights reserved. CODE SIGNING? http://researchcenter.paloaltonetworks.com/2016/03/acedeceiver-first-ios-trojan-exploiting-apple-drm-design-flaws-to-infect-any-ios-device/

  20. MALICIOUS ACTIONS

  21. C O N F I D E N T I

    A L 21 ©2016 KUDELSKI GROUP / All rights reserved. APPSTORE PERMISSIONS Audio recording Easily performed through the API When in background applications are preempted by iOS Except if defined as background application Ribbon displayed to the user Keylogging Since iOS8 : extensions (keyboard, browser filtering, …) Isolated from standard application so no access to Internet or files… … except if requested

  22. C O N F I D E N T I

    A L 22 ©2016 KUDELSKI GROUP / All rights reserved. KEYLOGGING FROM THE APPSTORE User’s validation

  23. C O N F I D E N T I

    A L 23 ©2016 KUDELSKI GROUP / All rights reserved. PRIVATE API In the news

  24. C O N F I D E N T I

    A L 24 ©2016 KUDELSKI GROUP / All rights reserved. SANDBOX IS LIMITING ACTIONS RIGHT? Entitlements 1. Developers should specify entitlements at compilation • http://newosxbook.com/ent.jl 2. Validated by the AppStore 3. Some additional rights for selected partners 4. Enforced on device by seat-belt Private API Forbidden by Apple in the guidelines Still requires entitlements to access data due to sandbox Does not break applications isolation principle Would require to elevate privileges to do so Or flaws in the private APIs validation mechanism (Stefan Esser app) Difficult to detect with automated analysis (static and dynamic)

  25. C O N F I D E N T I

    A L 25 ©2016 KUDELSKI GROUP / All rights reserved. SANDBOX IS LIMITING ACTIONS RIGHT? Entitlements

  26. C O N F I D E N T I

    A L 26 ©2016 KUDELSKI GROUP / All rights reserved. SANDBOX IS LIMITING ACTIONS RIGHT? Listing private APIs functions Nicolas Seriot online list Using classdump-dyld on a jailbroken device Calling private APIs Can be called directly Through dynamic loading dlopen / dlsym Using Objective-C reflection property

  27. C O N F I D E N T I

    A L 27 ©2016 KUDELSKI GROUP / All rights reserved. SANDBOX IS LIMITING ACTIONS RIGHT? Listing private APIs functions

  28. C O N F I D E N T I

    A L 28 ©2016 KUDELSKI GROUP / All rights reserved. SANDBOX IS LIMITING ACTIONS RIGHT? When linked Objective-C reflection

  29. C O N F I D E N T I

    A L 29 ©2016 KUDELSKI GROUP / All rights reserved. THE IN HOUSE CASE Entitlements Defined at compilation Not validated by Apple outside of the AppStore flow As seen allows to use more sensitive Private API functions Offers more possibilities CoreTelephony framework Notifications on calls or messages IMSI / IMEI retrieval Install applications Access private information …

  30. NON-APPLICATION BASED ATTACKS

  31. C O N F I D E N T I

    A L 31 ©2016 KUDELSKI GROUP / All rights reserved. CONFIGURATION PROFILES Probably used in your organization Configure email client Device certificate Corporate WiFi credentials … Also used by attackers Define proxy and install CA for SSL interception Required to run Enterprise Developer signed applications

  32. PROTECTION AND DETECTION

  33. C O N F I D E N T I

    A L 33 ©2016 KUDELSKI GROUP / All rights reserved. DETECTION Mobile devices are more complex to protect Network side Not always using your egress point Web filtering / network monitoring not applicable Endpoint side Operating system less open to 3rd party drivers Applications isolation Not an AV friendly environment

  34. C O N F I D E N T I

    A L 34 ©2016 KUDELSKI GROUP / All rights reserved. DETECTION ON THE NETWORK IDS like features Use rulesets specific to mobile malware Examples Emerging Threats MOBILE_MALWARE rules Lookout Mobile Threat Intelligence feed Android only AFAIK Detect access to non-corporate configuration Detect download of IPA files signed with external Enterprise Developer accounts

  35. C O N F I D E N T I

    A L 35 ©2016 KUDELSKI GROUP / All rights reserved. DETECTION ON THE DEVICES Leverage existing MDM/MAM solution Retrieve installed provisioning profiles All external ones should be suspicious Retrieve installed applications bundle names Match known malicious

  36. C O N F I D E N T I

    A L 36 ©2016 KUDELSKI GROUP / All rights reserved. DETECTION ON THE DEVICES Command line tools ideviceinstaller ideviceprovision

  37. C O N F I D E N T I

    A L 37 ©2016 KUDELSKI GROUP / All rights reserved. DETECTION ON THE DEVICES Forensics from logs installd SpringBoard

  38. C O N F I D E N T I

    A L 38 ©2016 KUDELSKI GROUP / All rights reserved. DETECTION ON THE DEVICES Forensics from side channels logs Battery usage Data usage Both contain applications name and last executed timestamp Available from backups

  39. C O N F I D E N T I

    A L 39 ©2016 KUDELSKI GROUP / All rights reserved. DETECTION ON THE DEVICES One remark on forensics acquisition Enterprise app binaries were never part of the backups Since iOS 9 it is the same for AppStore ones Still, those are encrypted so not really useful

  40. C O N F I D E N T I

    A L 40 ©2016 KUDELSKI GROUP / All rights reserved. DETECTION ON THE DEVICES Future? USB scanning terminal to match known malicious bundles Workstation AV scanning connected devices

  41. C O N F I D E N T I

    A L 41 ©2016 KUDELSKI GROUP / All rights reserved. PROTECTION Update devices Decrease potential vulnerabilities exploitation Prevent known jailbreaking methods Device hardening iOS security best-practices Disable AirDrop Force 6-digits passcode …

  42. C O N F I D E N T I

    A L 42 ©2016 KUDELSKI GROUP / All rights reserved. PROTECTION Users training Do not install 3rd party provisioning profiles Do not install applications outside of the AppStore or provided by corporate MDM

  43. C O N F I D E N T I

    A L 43 ©2016 KUDELSKI GROUP / All rights reserved. FOR THOSE READING FRENCH

  44. C O N F I D E N T I

    A L 44 ©2016 KUDELSKI GROUP / All rights reserved. ACKNOWLEDGEMENTS Claud Xiao from Palo Alto for sharing his samples with the research community

  45. C O N F I D E N T I

    A L 45 ©2016 KUDELSKI GROUP / All rights reserved.