iOS malware: myth or reality?

talk given at Security B-Sides London

Julien Bachmann

June 08, 2016

Transcript

  1. CONFIDENTIAL ©2016 KUDELSKI GROUP / All rights reserved.
    iOS MALWARE: MYTH OR REALITY?
    Julien Bachmann
    @milkmix_

  2. INTRODUCTION

  3. SOME HISTORY ON BANKING MALWARE
    (timeline, 2010 to 2015)
    Zeus
    SpyEye
    Carberp
    HesperBot
    Android.iBanking
    Android.BankBot
    Android.bankosy

  4. ONLY AN ANDROID PROBLEM, RIGHT?
    Two facts to consider
    iOS malware is a real thing, even if less widespread for now
    If you are using iOS in your enterprise, you might be at risk
    src: Verizon DBIR 2015

  5. SOME HISTORY ON iOS MALWARE
    (timeline, 2009 to 2016)
    iKee (ssh)
    Find and Call
    AdThief
    Unflod
    WireLurker
    XcodeGhost
    YiSpecter
    Muda
    ZergHelper
    AceDeceiver

  6. QUICK RECAP ON iOS SECURITY

  7. APPLICATIONS INSTALLATION
    Limited number of installation paths
    Closed platform, well restricted by Apple
    Only authorized methods, controlled by Apple, on a non-jailbroken device

  8. APPLICATIONS INSTALLATION
    AppStore
    Ad Hoc / self-signed
    In House
    3rd party stores (jailbreak)

  9. APPLICATIONS INSTALLATION
    AppStore
    Requires a Developer certificate
    Applications are reviewed
    In House
    Common method for enterprise applications
    Requires an Enterprise Developer account
    Requires a provisioning profile installed on the device
    Ad Hoc
    Used during development
    Limited to 100 devices with provisioned UDIDs
    Self-signed
    New with iOS 9 and Xcode 7: sign for personal devices

  10. APPLICATIONS INSTALLATION
    The jailbroken case
    Jailbreaking a device has several advantages
    Allows validating the security of applications
    But disables code signing validation
    Allows installing applications from untrusted sources

  11. APPLICATIONS RESTRICTIONS
    Limitations put in place by Apple
    Applications run in a sandbox
    Seat-Belt
    Limited access to the filesystem and resources
    Applications are isolated from one another
    Requested accesses are validated on the AppStore
    Some limitations may apply…

  12. HOW ARE DEVICES INFECTED?
    Mostly phishing
    Lure users into installing a malicious application
    Download link in emails / messages
    We used it before in a phishing campaign for a customer: ~10%
    No exploits and watering holes?
    Exploitation of software vulnerabilities through the browser
    Possible, but remote code execution is expensive on iOS

  13. HOW ARE DEVICES INFECTED?

  14. HOW ARE DEVICES INFECTED?
    Traffic injection
    From public news, most cases are currently in Asia
    DNS redirects in China
    Attacks on mobile devices through fake eNodeB
    Physical attacks
    Through the MobileDevice framework over USB/WiFi
    AirDrop software flaws
    Code injection
    Ex. JSPatch

  15. HOW ARE DEVICES INFECTED?
    Physical attacks
    Through the MobileDevice framework over USB/WiFi

  16. CODE SIGNING?
    Phishing is not enough
    Code signing is still performed by iOS
    Except on jailbroken devices
    Ad Hoc
    Too complicated, requires the UDID
    Leaks in the past years, limited now by Apple restrictions
    Potentially used in very targeted attacks
    Enterprise Developer Certificate
    Requires user validation
    Certificate can easily be revoked by Apple upon detection

  17. CODE SIGNING?
    Enterprise Developer Certificate

  18. CODE SIGNING?
    Recently in the news
    “Malware bypassing Apple code signing mechanism”
    AceDeceiver
    Truth (explanation w/o the hype)
    Still requires being published and accepted by Apple at least once in one of the stores (US, CH, CN, …)
    Can use geolocation of incoming IP addresses to enable/disable features in the code
    Possible to exploit a design flaw in the validation process when installing from iTunes on Mac/PC
    Allows installing the malware from Mac/PC even if the certificate is revoked

  19. CODE SIGNING?
    http://researchcenter.paloaltonetworks.com/2016/03/acedeceiver-first-ios-trojan-exploiting-apple-drm-design-flaws-to-infect-any-ios-device/

  20. MALICIOUS ACTIONS

  21. APPSTORE PERMISSIONS
    Audio recording
    Easily performed through the API
    When in the background, applications are preempted by iOS
    Except if defined as a background application
    Ribbon displayed to the user
    Keylogging
    Since iOS 8: extensions (keyboard, browser filtering, …)
    Isolated from the standard application, so no access to the Internet or files…
    … except if requested

  22. KEYLOGGING FROM THE APPSTORE
    User’s validation

  23. PRIVATE API
    In the news

  24. SANDBOX IS LIMITING ACTIONS, RIGHT?
    Entitlements
    1. Developers should specify entitlements at compilation
    • http://newosxbook.com/ent.jl
    2. Validated by the AppStore
    3. Some additional rights for selected partners
    4. Enforced on device by seat-belt
    Private API
    Forbidden by Apple in the guidelines
    Still requires entitlements to access data, due to the sandbox
    Does not break the application isolation principle
    Would require elevating privileges to do so
    Or flaws in the private API validation mechanism (Stefan Esser's app)
    Difficult to detect with automated analysis (static and dynamic)

  25. SANDBOX IS LIMITING ACTIONS, RIGHT?
    Entitlements

  26. SANDBOX IS LIMITING ACTIONS, RIGHT?
    Listing private API functions
    Nicolas Seriot's online list
    Using classdump-dyld on a jailbroken device
    Calling private APIs
    Can be called directly
    Through dynamic loading
    dlopen / dlsym
    Using Objective-C reflection properties

  27. SANDBOX IS LIMITING ACTIONS, RIGHT?
    Listing private API functions

  28. SANDBOX IS LIMITING ACTIONS, RIGHT?
    When linked
    Objective-C reflection

  29. THE IN HOUSE CASE
    Entitlements
    Defined at compilation
    Not validated by Apple outside of the AppStore flow
    As seen, allows using more sensitive Private API functions
    Offers more possibilities
    CoreTelephony framework
    Notifications on calls or messages
    IMSI / IMEI retrieval
    Install applications
    Access private information

  30. NON-APPLICATION BASED ATTACKS

  31. CONFIGURATION PROFILES
    Probably used in your organization
    Configure the email client
    Device certificate
    Corporate WiFi credentials

    Also used by attackers
    Define a proxy and install a CA for SSL interception
    Required to run Enterprise Developer signed applications
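Added example, not part of the deck or of Kudelski's tooling: a triage script for a configuration profile received outside the corporate MDM, flagging the payload types the slide calls out (root CA and proxy). The `.mobileconfig` below is constructed for the example (hostnames on the reserved `.invalid` TLD, placeholder certificate data), the `com.corp.` identifier prefix is an assumed allowlist, and the payload type identifiers are Apple's documented ones.

```python
import plistlib

# Payload types worth a second look in any profile not pushed by the corporate
# MDM. The keys are Apple's documented PayloadType identifiers; the reasons
# are this example's own wording.
RISKY_PAYLOAD_TYPES = {
    "com.apple.security.root": "installs a root CA, which enables TLS interception",
    "com.apple.proxy.http.global": "sets a global HTTP proxy, which routes all web traffic",
    "com.apple.vpn.managed": "installs a VPN, which can route all device traffic",
}

# Constructed sample (not a real profile): an unsigned .mobileconfig that
# pretends to be a Wi-Fi helper but also drops a root CA and a global proxy.
# Hostnames use the reserved .invalid TLD; the <data> blob is a placeholder.
SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Free WiFi Booster</string>
  <key>PayloadIdentifier</key><string>com.freewifi.booster</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadIdentifier</key><string>com.freewifi.booster.wifi</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>SSID_STR</key><string>FreeWiFi</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadIdentifier</key><string>com.freewifi.booster.ca</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000003</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadContent</key><data>QUFBQQ==</data>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.proxy.http.global</string>
      <key>PayloadIdentifier</key><string>com.freewifi.booster.proxy</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000004</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>ProxyType</key><string>Manual</string>
      <key>ProxyServer</key><string>proxy.freewifi.invalid</string>
      <key>ProxyServerPort</key><integer>8080</integer>
    </dict>
  </array>
</dict>
</plist>
"""


def load_profile_plist(raw: bytes) -> dict:
    """Parse a .mobileconfig. Signed profiles are CMS/DER around the same XML,
    so the plist is located by its markers rather than assumed at byte 0."""
    start = raw.find(b"<?xml")
    end = raw.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no XML plist found in profile")
    return plistlib.loads(raw[start:end + len(b"</plist>")])


def triage_mobileconfig(raw: bytes, corporate_prefixes=("com.corp.",)) -> dict:
    """Summarise what a configuration profile would change on the device.

    corporate_prefixes is an assumed allowlist of PayloadIdentifier prefixes
    used by the organisation's own MDM; anything else is treated as external.
    """
    profile = load_profile_plist(raw)
    identifier = profile.get("PayloadIdentifier", "")
    payloads = profile.get("PayloadContent", [])
    findings = []
    for payload in payloads:
        ptype = payload.get("PayloadType", "")
        if ptype in RISKY_PAYLOAD_TYPES:
            findings.append((ptype, RISKY_PAYLOAD_TYPES[ptype]))
        elif payload.get("ProxyType") in ("Manual", "Auto"):
            # Wi-Fi and other payloads can carry their own proxy settings
            findings.append((ptype, "payload configures a proxy"))
    return {
        "display_name": profile.get("PayloadDisplayName", ""),
        "identifier": identifier,
        # an XML document at byte 0 means no CMS signature wraps the profile
        "signed": not raw.lstrip().startswith(b"<?xml"),
        "corporate": identifier.startswith(tuple(corporate_prefixes)),
        "payload_types": [p.get("PayloadType", "") for p in payloads],
        "findings": findings,
    }


if __name__ == "__main__":
    report = triage_mobileconfig(SAMPLE_MOBILECONFIG)
    print(f"{report['display_name']} ({report['identifier']}) "
          f"signed={report['signed']} corporate={report['corporate']}")
    for ptype, reason in report["findings"]:
        print(f"  {ptype}: {reason}")
```

The display name a user sees on the install prompt says nothing about what the profile does; only the payload list does, which is why the triage reports payload types rather than the name. Profiles pushed by an MDM are signed, so an unsigned profile from an unknown identifier is already a signal before its content is considered.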

  32. PROTECTION AND DETECTION

  33. DETECTION
    Mobile devices are more complex to protect
    Network side
    Not always using your egress point
    Web filtering / network monitoring not applicable
    Endpoint side
    Operating system less open to 3rd party drivers
    Application isolation
    Not an AV-friendly environment

  34. DETECTION ON THE NETWORK
    IDS-like features
    Use rulesets specific to mobile malware
    Examples
    Emerging Threats MOBILE_MALWARE rules
    Lookout Mobile Threat Intelligence feed
    Android only AFAIK
    Detect access to non-corporate configuration
    Detect downloads of IPA files signed with external Enterprise Developer accounts
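Added example, not from the deck or from any of the rulesets it names: the two network-side signals on the slide (configuration profile and IPA downloads from non-corporate sources) expressed as detection logic over proxy logs. The log lines and the `CORPORATE_HOSTS` allowlist are constructed for the example. The proxy cannot tell which Enterprise Developer account signed an IPA; this example uses the serving host as the proxy for "external", and the signer check belongs on the device (see the provisioning profile triage further on).

```python
from urllib.parse import urlparse, parse_qs

# Assumed allowlist: hosts from which the organisation's own MDM/OTA installs
# and profiles are served. Anything else is "external" for this example.
CORPORATE_HOSTS = {"mdm.corp.example", "apps.corp.example"}

# Constructed proxy log lines (not real traffic): "<time> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2016-06-08T09:00:01Z 10.1.2.3 GET https://apps.corp.example/ota/manifest.plist 200
2016-06-08T09:00:02Z 10.1.2.3 GET https://apps.corp.example/ota/corpmail.ipa 200
2016-06-08T09:15:10Z 10.1.2.9 GET http://freewifi.example.invalid/setup.mobileconfig 200
2016-06-08T09:16:33Z 10.1.2.9 GET https://cdn.example.invalid/app/manifest.plist?action=download-manifest 200
2016-06-08T09:16:35Z 10.1.2.9 GET https://cdn.example.invalid/app/booster.ipa 200
2016-06-08T09:20:00Z 10.1.2.4 GET https://www.apple.com/ 200
"""


def classify_url(url: str):
    """Return the install-related artefact a URL fetches, or None."""
    parsed = urlparse(url)
    path = parsed.path.lower()
    query = parse_qs(parsed.query)
    if path.endswith(".ipa"):
        return "ipa-download"
    if path.endswith(".mobileconfig"):
        return "mobileconfig-download"
    # OTA installs: the itms-services:// link itself never crosses the proxy,
    # but the manifest plist it points to does.
    if path.endswith(".plist") and (path.endswith("/manifest.plist")
                                    or "download-manifest" in query.get("action", [])):
        return "ota-manifest"
    return None


def detect_external_installs(log_text: str, corporate_hosts=CORPORATE_HOSTS) -> list:
    """Alerts for install artefacts fetched from hosts outside the allowlist."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than crash on them
        ts, client, _method, url, _status = fields
        kind = classify_url(url)
        host = urlparse(url).hostname or ""
        if kind and host not in corporate_hosts:
            alerts.append({"time": ts, "client": client, "host": host, "kind": kind})
    return alerts


def clients_with_full_chain(alerts: list) -> list:
    """Clients that fetched all three artefact kinds from external hosts:
    a configuration profile, an OTA manifest and an IPA."""
    seen = {}
    for a in alerts:
        seen.setdefault(a["client"], set()).add(a["kind"])
    needed = {"mobileconfig-download", "ota-manifest", "ipa-download"}
    return sorted(c for c, kinds in seen.items() if needed <= kinds)


if __name__ == "__main__":
    found = detect_external_installs(SAMPLE_LOG)
    for a in found:
        print(f"{a['time']} {a['client']} {a['kind']} from {a['host']}")
    print("full external install chain:", clients_with_full_chain(found))
```

A single `.ipa` fetch from an unknown host is worth a ticket; a client that pulls a profile, a manifest and an IPA from external hosts within minutes is the sequence of a sideload and deserves a look at the device. As the previous slide notes, this only works for traffic that passes through your egress point.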

  35. DETECTION ON THE DEVICES
    Leverage the existing MDM/MAM solution
    Retrieve installed provisioning profiles
    All external ones should be considered suspicious
    Retrieve installed application bundle names
    Match against known malicious ones
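Added example, not from the deck or from any MDM vendor: the device-side checks on this slide applied to a provisioning profile and an installed-apps list as an MDM (or `ideviceprovision` / `ideviceinstaller`) would return them. The `.mobileprovision` bytes are constructed (the real file wraps the same XML in a CMS signature, which is only imitated here), `CORPTEAM01` is a placeholder corporate team ID, and `KNOWN_BAD_BUNDLES` is a placeholder for a threat intelligence feed.

```python
import plistlib
from datetime import datetime

# Date of the talk, used as the reference "now" so results are reproducible.
REFERENCE_DATE = datetime(2016, 6, 8)

# Assumed allowlist: the organisation's own Apple Developer team ID (placeholder).
CORPORATE_TEAMS = {"CORPTEAM01"}

# Constructed placeholder list of bundle identifiers known to be malicious;
# a real deployment would feed this from threat intelligence.
KNOWN_BAD_BUNDLES = {"com.example.badapp", "com.example.fakebank"}

# Constructed sample: the plist body of an in-house (enterprise) profile.
# A real .mobileprovision wraps this XML in a DER-encoded CMS signature; the
# bytes around it below only imitate that wrapper so extraction has work to do.
_ENTERPRISE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Name</key><string>Booster Distribution</string>
  <key>TeamName</key><string>Example Trading Ltd</string>
  <key>TeamIdentifier</key><array><string>ZZZ9999999</string></array>
  <key>ProvisionsAllDevices</key><true/>
  <key>ExpirationDate</key><date>2017-06-01T00:00:00Z</date>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>ZZZ9999999.*</string>
    <key>get-task-allow</key><false/>
  </dict>
</dict>
</plist>
"""
SAMPLE_MOBILEPROVISION = (b"\x30\x82\x0b\x1a\x06\x09*\x86H\x86\xf7\r\x01\x07\x02"
                          + _ENTERPRISE_PLIST + b"\xa0\x82\x00\x00")


def extract_plist(raw: bytes) -> dict:
    """Pull the XML plist out of the CMS wrapper and parse it."""
    start = raw.find(b"<?xml")
    end = raw.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist found in provisioning profile")
    return plistlib.loads(raw[start:end + len(b"</plist>")])


def profile_kind(profile: dict) -> str:
    """Classify a profile by the keys Apple puts in each distribution type."""
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"          # In House: runs on any device
    if "ProvisionedDevices" in profile:
        debuggable = profile.get("Entitlements", {}).get("get-task-allow", False)
        return "development" if debuggable else "adhoc"   # UDID-bound
    return "appstore"


def triage_profile(profile: dict, corporate_teams=CORPORATE_TEAMS, now=REFERENCE_DATE) -> list:
    """Reasons a profile deserves a look; an empty list means nothing noteworthy."""
    reasons = []
    kind = profile_kind(profile)
    teams = set(profile.get("TeamIdentifier", []))
    if kind == "enterprise" and not teams & corporate_teams:
        reasons.append(f"enterprise profile from non-corporate team {sorted(teams)}")
    if kind in ("adhoc", "development"):
        count = len(profile.get("ProvisionedDevices", []))
        reasons.append(f"{kind} profile covering {count} devices")
    expiry = profile.get("ExpirationDate")
    if isinstance(expiry, datetime) and expiry < now:
        reasons.append("profile expired")
    return reasons


def flag_bundles(installed, known_bad=KNOWN_BAD_BUNDLES) -> list:
    """Installed bundle identifiers that appear in the known-malicious list."""
    return sorted(set(installed) & set(known_bad))


if __name__ == "__main__":
    profile = extract_plist(SAMPLE_MOBILEPROVISION)
    print(profile["Name"], profile_kind(profile), triage_profile(profile))
    print(flag_bundles(["com.corp.mail", "com.example.badapp"]))
```

The team identifier is the value to key on: the profile name and team name are free text chosen by whoever requested the certificate, whereas the team ID is assigned by Apple and is the same one that appears in the `application-identifier` entitlement of every app signed under it. Bundle-name matching is the weaker of the two checks, since an attacker can re-sign under any bundle identifier.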

  36. DETECTION ON THE DEVICES
    Command line tools
    ideviceinstaller
    ideviceprovision

  37. DETECTION ON THE DEVICES
    Forensics from logs
    installd
    SpringBoard

  38. DETECTION ON THE DEVICES
    Forensics from side-channel logs
    Battery usage
    Data usage
    Both contain application names and last-executed timestamps
    Available from backups

  39. DETECTION ON THE DEVICES
    One remark on forensics acquisition
    Enterprise app binaries were never part of the backups
    Since iOS 9 it is the same for AppStore ones
    Still, those are encrypted, so not really useful

  40. DETECTION ON THE DEVICES
    Future?
    USB scanning terminal to match known malicious bundles
    Workstation AV scanning connected devices

  41. PROTECTION
    Update devices
    Decreases potential exploitation of vulnerabilities
    Prevents known jailbreaking methods
    Device hardening
    iOS security best practices
    Disable AirDrop
    Force a 6-digit passcode

  42. PROTECTION
    User training
    Do not install 3rd party provisioning profiles
    Do not install applications outside of the AppStore or those provided by the corporate MDM

  43. FOR THOSE READING FRENCH

  44. ACKNOWLEDGEMENTS
    Claud Xiao from Palo Alto for sharing his samples with the research community

  45.