talk given at Security B-Sides London
C O N F I D E N T I A L ©2016 KUDELSKI GROUP / All rights reserved.
iOS MALWARE: MYTH OR REALITY?
Julien Bachmann, @milkmix_
INTRODUCTION
SOME HISTORY ON BANKING MALWARE
Timeline 2010-2015: Zeus, SpyEye, Carberp, HesperBot, Android.iBanking, Android.BankBot, Android.bankosy
ONLY AN ANDROID PROBLEM, RIGHT?
Two facts to consider:
- iOS malware is a real thing, even if less widespread now
- If you are using iOS in your enterprise you might be at risk
src: Verizon DBIR 2015
SOME HISTORY ON iOS MALWARE
Timeline 2009-2016: iKee (ssh), Find and Call, AdThief, Unflod, WireLurker, XcodeGhost, YiSpecter, Muda, ZergHelper, AceDeceiver
QUICK RECAP ON iOS SECURITY
APPLICATIONS INSTALLATION
- Limited number of installation paths
- Closed platform, well restricted by Apple
- Only authorized methods, controlled by Apple, on a non-jailbroken device
APPLICATIONS INSTALLATION
- AppStore
- AdHoc / self signed
- In House
- 3rd party stores (jailbreak)
APPLICATIONS INSTALLATION
- AppStore
  - Requires a Developer certificate
  - Applications are reviewed
- In House
  - Common method for enterprise applications
  - Requires an Enterprise Developer account
  - Requires a provisioning profile installed on the device
- Ad Hoc
  - Used during development
  - Limited to 100 devices with provisioned UDID
- Self signed
  - New with iOS 9 and Xcode 7: sign for personal devices
APPLICATIONS INSTALLATION
The jailbroken case
- Several advantages to jailbreaking a device
  - Allows validating the security of applications
- But it disables code signing validation
  - Allows installing applications from untrusted sources
APPLICATIONS RESTRICTIONS
Limitations put in place by Apple
- Applications run in a sandbox (Seat-Belt)
  - Limited access to filesystem and resources
  - Applications are isolated from one another
- Requested accesses validated on the AppStore
  - Some limitations may apply…
HOW DEVICES ARE INFECTED?
- Mostly phishing
  - Lure users into installing a malicious application
  - Download link in emails / messages
  - Used it before in a phishing campaign for a customer: ~10%
- No exploits and watering holes?
  - Exploitation of software vulnerabilities through the browser
  - Possible, but remote code execs are expensive on iOS
HOW DEVICES ARE INFECTED?
HOW DEVICES ARE INFECTED?
- Traffic injection
  - From the public news, most cases currently in Asia
  - DNS redirects in China
  - Attacks on mobile devices through fake eNodeB
- Physical attacks
  - Through MobileDevice framework on USB/WiFi
  - AirDrop software flaws
- Code injection
  - Ex. JSPatch
HOW DEVICES ARE INFECTED?
Physical attacks: through MobileDevice framework on USB/WiFi
CODE SIGNING?
- Phishing is not enough
  - Code signing still performed by iOS
  - Except on jailbroken devices
- Ad Hoc
  - Too complicated, requires UDID
  - Leaks in the past years, limited now with Apple restrictions
  - Potentially on very targeted attacks
- Enterprise Developer Certificate
  - User validation
  - Certificate can be easily revoked by Apple upon detection
CODE SIGNING?
Enterprise Developer Certificate
CODE SIGNING?
Recently in the news: “Malware bypassing Apple code signing mechanism” (AceDeceiver)
Truth (explanation w/o the hype):
- Still requires to be published and accepted by Apple at least once in one of the stores (US, CH, CN, …)
- Can use geolocation of incoming IP addresses to enable/disable features in the code
- Possible to exploit a design flaw in the validation process when installing from iTunes on Mac/PC
- Allows installing the malware from Mac/PC even if the certificate is revoked
CODE SIGNING?
http://researchcenter.paloaltonetworks.com/2016/03/acedeceiver-first-ios-trojan-exploiting-apple-drm-design-flaws-to-infect-any-ios-device/
MALICIOUS ACTIONS
APPSTORE PERMISSIONS
- Audio recording
  - Easily performed through the API
  - When in background, applications are preempted by iOS
    - Except if defined as a background application
    - Ribbon displayed to the user
- Keylogging
  - Since iOS 8: extensions (keyboard, browser filtering, …)
  - Isolated from the standard application, so no access to Internet or files…
  - … except if requested
KEYLOGGING FROM THE APPSTORE
User’s validation
PRIVATE API
In the news
SANDBOX IS LIMITING ACTIONS, RIGHT?
Entitlements
1. Developers should specify entitlements at compilation
   • http://newosxbook.com/ent.jl
2. Validated by the AppStore
3. Some additional rights for selected partners
4. Enforced on device by seat-belt
Private API
- Forbidden by Apple in the guidelines
- Still requires entitlements to access data, due to the sandbox
  - Does not break the application isolation principle
  - Would require elevating privileges to do so
  - Or flaws in the private API validation mechanism (Stefan Esser app)
- Difficult to detect with automated analysis (static and dynamic)
SANDBOX IS LIMITING ACTIONS, RIGHT?
Entitlements
SANDBOX IS LIMITING ACTIONS, RIGHT?
- Listing private API functions
  - Nicolas Seriot online list
  - Using classdump-dyld on a jailbroken device
- Calling private APIs
  - Can be called directly
  - Through dynamic loading: dlopen / dlsym
  - Using the Objective-C reflection property
SANDBOX IS LIMITING ACTIONS, RIGHT?
Listing private API functions
SANDBOX IS LIMITING ACTIONS, RIGHT?
When linked / Objective-C reflection
THE IN HOUSE CASE
- Entitlements
  - Defined at compilation
  - Not validated by Apple outside of the AppStore flow
  - As seen, allows using more sensitive Private API functions
- Offers more possibilities
  - CoreTelephony framework
    - Notifications on calls or messages
    - IMSI / IMEI retrieval
  - Install applications
  - Access private information
  - …
NON-APPLICATION BASED ATTACKS
CONFIGURATION PROFILES
- Probably used in your organization
  - Configure email client
  - Device certificate
  - Corporate WiFi credentials
  - …
- Also used by attackers
  - Define proxy and install CA for SSL interception
  - Required to run Enterprise Developer signed applications
PROTECTION AND DETECTION
DETECTION
Mobile devices are more complex to protect
- Network side
  - Not always using your egress point
  - Web filtering / network monitoring not applicable
- Endpoint side
  - Operating system less open to 3rd party drivers
  - Application isolation
  - Not an AV friendly environment
DETECTION ON THE NETWORK
- IDS-like features
  - Use rulesets specific to mobile malware
  - Examples
    - Emerging Threats MOBILE_MALWARE rules
    - Lookout Mobile Threat Intelligence feed (Android only AFAIK)
- Detect access to non-corporate configuration
- Detect download of IPA files signed with external Enterprise Developer accounts
DETECTION ON THE DEVICES
- Leverage existing MDM/MAM solution
  - Retrieve installed provisioning profiles
    - All external ones should be suspicious
  - Retrieve installed application bundle names
    - Match known malicious
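As an added example (not code from the talk), the following Python triages one provisioning profile the way the MDM check above and the network-side IPA check would: it classifies the profile, flags Enterprise team IDs outside a corporate allowlist, and lists private entitlements, which Apple never reviews for in-house builds. The allowlisted team ID, the sample profile and the stand-in CMS wrapper bytes are constructed; a real .mobileprovision would be read from disk or from an IPA's embedded.mobileprovision.

```python
import plistlib
import re
from datetime import datetime, timezone

# Hypothetical allowlist: the Apple Team IDs your own MDM legitimately deploys.
CORPORATE_TEAM_IDS = {"ABCDE12345"}
# Constructed sample of the XML plist found inside a .mobileprovision file.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>Wildcard In-House</string>
  <key>TeamIdentifier</key><array><string>ZZ999EXTRN</string></array>
  <key>ProvisionsAllDevices</key><true/>
  <key>ExpirationDate</key><date>2017-03-01T00:00:00Z</date>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>ZZ999EXTRN.*</string>
    <key>com.apple.private.constructed-example</key><true/>
  </dict>
</dict></plist>"""
# Constructed stand-in for the DER/CMS signature bytes wrapping the plist.
SAMPLE_PROFILE = b"\x30\x82\x01\x00" + SAMPLE_PLIST + b"\x00" * 8

def extract_plist(raw):
    # The plist sits verbatim inside the PKCS#7 SignedData; the signature is not verified here.
    m = re.search(rb"<\?xml.*?</plist>", raw, re.DOTALL)
    if not m:
        raise ValueError("no plist found in profile")
    return plistlib.loads(m.group(0))

def classify(profile):
    # Enterprise profiles provision every device; Ad Hoc ones list UDIDs.
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"
    return "ad-hoc" if "ProvisionedDevices" in profile else "appstore"

def triage(raw, now=None):
    p = extract_plist(raw)
    teams = set(p.get("TeamIdentifier", []))
    kind = classify(p)
    findings = []
    if kind == "enterprise" and not teams & CORPORATE_TEAM_IDS:
        findings.append("external Enterprise Developer team: " + ",".join(sorted(teams)))
    # Private entitlements are never reviewed outside the AppStore flow.
    for key in p.get("Entitlements", {}):
        if key.startswith("com.apple.private."):
            findings.append("private entitlement " + key)
    exp = p.get("ExpirationDate")
    if exp and exp.replace(tzinfo=timezone.utc) < (now or datetime.now(timezone.utc)):
        findings.append("profile expired")
    return {"name": p.get("Name"), "kind": kind, "teams": sorted(teams), "findings": findings}
```

Run `triage(SAMPLE_PROFILE)` to see the three findings for the constructed profile; feeding it the bytes of every profile an MDM inventory returns gives the "all external ones should be suspicious" check from the slide.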
DETECTION ON THE DEVICES
Command line tools
- ideviceinstaller
- ideviceprovision
DETECTION ON THE DEVICES
Forensics from logs
- installd
- SpringBoard
DETECTION ON THE DEVICES
Forensics from side channel logs
- Battery usage
- Data usage
- Both contain application names and last executed timestamp
- Available from backups
DETECTION ON THE DEVICES
One remark on forensics acquisition
- Enterprise app binaries were never part of the backups
- Since iOS 9 it is the same for AppStore ones
- Still, those are encrypted so not really useful
DETECTION ON THE DEVICES
Future?
- USB scanning terminal to match known malicious bundles
- Workstation AV scanning connected devices
PROTECTION
- Update devices
  - Decrease potential vulnerability exploitation
  - Prevent known jailbreaking methods
- Device hardening
  - iOS security best practices
  - Disable AirDrop
  - Force 6-digit passcode
  - …
PROTECTION
Users training
- Do not install 3rd party provisioning profiles
- Do not install applications outside of the AppStore or provided by the corporate MDM
FOR THOSE READING FRENCH
ACKNOWLEDGEMENTS
Claud Xiao from Palo Alto for sharing his samples with the research community