iOS malware: myth or reality?

C O N F I D E N T I A L ©2016 KUDELSKI GROUP / All rights reserved.
iOS MALWARE : MYTH OR REALITY?
Julien Bachmann
@milkmix_

View Slide

INTRODUCTION

View Slide

C O N F I D E N T I A L
3 ©2016 KUDELSKI GROUP / All rights reserved.
2010 2011 2012 2013 2014 2015
SOME HISTORY ON BANKING MALWARE
Zeus
SpyEye
Carberp
HesperBot
Android.iBanking
Android.BankBot
Android.bankosy

View Slide

ONLY AN ANDROID PROBLEM RIGHT?
Two facts to consider
iOS malware is a real thing, even if less widespread now
If you are using iOS in your enterprise you might be at risk
src: Verizon DBIR 2015

View Slide

2009 2012 2014 2015 2016
SOME HISTORY ON iOS MALWARE
iKee (ssh)
Find and Call
AdThief
Unflod
WireLurker
XcodeGhost
YiSpecter
Muda
ZergHelper
AceDeceiver

View Slide

QUICK RECAP ON iOS SECURITY

View Slide

APPLICATIONS INSTALLATION
Limited number of installation paths
Closed platform well restricted by Apple
Only authorized methods controlled by Apple on non-
jailbroken device

View Slide

AppStore
AdHoc / self signed
In House
3rd party stores (jailbreak)

View Slide

AppStore
Require Developer certificate
Applications are reviewed
In House
Common method for enterprise applications
Require Enterprise Developer account
Require Provisioning profile installed on device
Ad Hoc
Used during development
Limited to 100 devices with provisioned UDID
Self signed
New with iOS 9 and Xcode 7, sign for personal devices

View Slide

The jailbroken case
Several advantages while jailbreaking a device
Allows to validate security of applications
But disable code signing validations
Allows installing applications from untrusted sources

View Slide

APPLICATIONS RESTRICTIONS
Limitations put in place by Apple
Applications running in a sandbox
Seat-Belt
Limited access to filesystem and resources
Applications are isolated from one another
Requested accesses validated on the AppStore
Some limitations may apply…

View Slide

HOW DEVICES ARE INFECTED?
Mostly phishing
Lure users into installing malicious application
Download link in emails / messages
Used it before in phishing campaign for customer : ~10%
No exploits and watering hole?
Exploitation of software vulnerabilities through the browser
Possible but remote code execs are expensive on iOS

View Slide


View Slide

Traffic injection
From the public news, most cases currently in Asia
DNS redirects in China
Attacks on mobile devices through fake eNodeB
Physical attacks
Through MobileDevice framework on USB/WiFi
AirDrop software flaws
Code injection
Ex. JSPatch

View Slide

Physical attacks
Through MobileDevice framework on USB/WiFi

View Slide

CODE SIGNING?
Phishing is not enough
Code signing still performed by iOS
Except on jailbroken devices
Ad Hoc
Too complicated, requires UDID
Leaks in the past years, limited now with Apple restrictions
Potentially on very targeted attacks
Enterprise Developer Certificate
User validation
Certificate can be easily revoked by Apple upon detection

View Slide

CODE SIGNING?
Enterprise Developer Certificate

View Slide

CODE SIGNING?
Recently in the news
“Malware bypassing Apple code signing mechanism”
AceDeceiver
Truth (explanation w/o the hype)
Still requires to be published and accepted by Apple at least
once in one of the stores (US, CH, CN, …)
Can use geolocation of incoming IP addresses to
enable/disable features in the code
Possible to exploit design flaw in the validation process
when installing from iTunes on Mac/PC
Allows to install the malware from Mac/PC even if certificate
revoked

View Slide

CODE SIGNING?
http://researchcenter.paloaltonetworks.com/2016/03/acedeceiver-first-ios-trojan-exploiting-apple-drm-design-flaws-to-infect-any-ios-device/

View Slide

MALICIOUS ACTIONS

View Slide

APPSTORE PERMISSIONS
Audio recording
Easily performed through the API
When in background applications are preempted by iOS
Except if defined as background application
Ribbon displayed to the user
Keylogging
Since iOS8 : extensions (keyboard, browser filtering, …)
Isolated from standard application so no access to Internet
or files…
… except if requested

View Slide

KEYLOGGING FROM THE APPSTORE
User’s validation

View Slide

PRIVATE API
In the news

View Slide

SANDBOX IS LIMITING ACTIONS RIGHT?
Entitlements
1. Developers should specify entitlements at compilation
• http://newosxbook.com/ent.jl
2. Validated by the AppStore
3. Some additional rights for selected partners
4. Enforced on device by seat-belt
Private API
Forbidden by Apple in the guidelines
Still requires entitlements to access data due to sandbox
Does not break applications isolation principle
Would require to elevate privileges to do so
Or flaws in the private APIs validation mechanism (Stefan Esser app)
Difficult to detect with automated analysis (static and dynamic)

View Slide

Entitlements

View Slide

Listing private APIs functions
Nicolas Seriot online list
Using classdump-dyld on a jailbroken device
Calling private APIs
Can be called directly
Through dynamic loading
dlopen / dlsym
Using Objective-C reflection property

View Slide

Listing private APIs functions

View Slide

When linked
Objective-C reflection

View Slide

THE IN HOUSE CASE
Entitlements
Defined at compilation
Not validated by Apple outside of the AppStore flow
As seen allows to use more sensitive Private API functions
Offers more possibilities
CoreTelephony framework
Notifications on calls or messages
IMSI / IMEI retrieval
Install applications
Access private information
…

View Slide

NON-APPLICATION BASED ATTACKS

View Slide

CONFIGURATION PROFILES
Probably used in your organization
Configure email client
Device certificate
Corporate WiFi credentials
…
Also used by attackers
Define proxy and install CA for SSL interception
Required to run Enterprise Developer signed applications

View Slide

PROTECTION AND DETECTION

View Slide

DETECTION
Mobile devices are more complex to protect
Network side
Not always using your egress point
Web filtering / network monitoring not applicable
Endpoint side
Operating system less open to 3rd party drivers
Applications isolation
Not an AV friendly environment

View Slide

DETECTION ON THE NETWORK
IDS like features
Use rulesets specific to mobile malware
Examples
Emerging Threats MOBILE_MALWARE rules
Lookout Mobile Threat Intelligence feed
Android only AFAIK
Detect access to non-corporate configuration
Detect download of IPA files signed with external Enterprise
Developer accounts

View Slide

DETECTION ON THE DEVICES
Leverage existing MDM/MAM solution
Retrieve installed provisioning profiles
All external ones should be suspicious
Retrieve installed applications bundle names
Match known malicious

View Slide

Command line tools
ideviceinstaller
ideviceprovision

View Slide

Forensics from logs
installd
SpringBoard

View Slide

Forensics from side channels logs
Battery usage
Data usage
Both contain applications name and last executed
timestamp
Available from backups

View Slide

One remark on forensics acquisition
Enterprise app binaries were never part of the backups
Since iOS 9 it is the same for AppStore ones
Still, those are encrypted so not really useful

View Slide

Future?
USB scanning terminal to match known malicious bundles
Workstation AV scanning connected devices

View Slide

PROTECTION
Update devices
Decrease potential vulnerabilities exploitation
Prevent known jailbreaking methods
Device hardening
iOS security best-practices
Disable AirDrop
Force 6-digits passcode
…

View Slide

PROTECTION
Users training
Do not install 3rd party provisioning profiles
Do not install applications outside of the AppStore or
provided by corporate MDM

View Slide

FOR THOSE READING FRENCH

View Slide

ACKNOWLEDGEMENTS
Claud Xiao from Palo Alto for sharing his
samples with the research community

View Slide


View Slide

iOS malware: myth or reality?

iOS malware: myth or reality?

Julien Bachmann

More Decks by Julien Bachmann

Other Decks in Technology

Featured

Transcript