iOS malware: what's the risk and how to reduce it

Julien Bachmann
Expert Security Researcher
@milkmix_

CONFIDENTIAL ©2016 KUDELSKI GROUP / All rights reserved.

INTRODUCTION

SOME HISTORY ON BANKING MALWARE (2010–2015)

• Zeus
• SpyEye
• Carberp
• HesperBot
• Android.iBanking
• Android.BankBot
• Android.bankosy

Only an Android problem right?

• Two facts to consider
  • iOS malware is a real thing, even if less widespread now
  • If you are using iOS in your enterprise you might be at risk

src: Verizon DBIR 2015

Some history on iOS malware (2009–2016)

• iKee (ssh)
• Find and Call
• AdThief
• Unflod
• WireLurker
• XcodeGhost
• YiSpecter
• Muda
• ZergHelper
• AceDeceiver
• Trident

QUICK RECAP ON iOS SECURITY

Applications installation

• Limited number of installation paths
  • Closed platform, well restricted by Apple
  • Only authorized methods controlled by Apple on non-jailbroken devices

Applications installation

• AppStore
• AdHoc / self signed
• In House
• 3rd party stores (jailbreak)

Applications installation

• AppStore
  • Requires a Developer certificate
  • Applications are reviewed
• In House
  • Common method for enterprise applications
  • Requires an Enterprise Developer account
  • Requires a Provisioning profile installed on the device
• Ad Hoc
  • Used during development
  • Limited to 100 devices with provisioned UDID
• Self signed
  • New with iOS 9 and Xcode 7, sign for personal devices

Applications installation

• The jailbroken case
  • Several advantages to jailbreaking a device
    • Allows validating the security of applications
  • But disables code signing validation
    • Allows installing applications from untrusted sources

Applications restrictions

• Limitations put in place by Apple
  • Applications running in a sandbox
    • Seat-Belt
  • Limited access to filesystem and resources
  • Applications are isolated from one another
  • Requested accesses validated on the AppStore
• Some limitations may apply…

How are devices infected?

• Mostly spear-phishing
  • Lure users into installing a malicious application
  • Download link in emails / messages
  • Used before in a phishing campaign for a customer: ~10%
• No exploits and watering holes?
  • Exploitation of software vulnerabilities through the browser
  • Possible and seen, but remote code execution to drop malware is expensive and complex on iOS
    • Pegasus/Trident attack

How are devices infected?

• Pegasus / Trident
  1. WebKit vulnerability
  2. Kernel infoleak
  3. Kernel memory corruption
  4. Another JS related vulnerability to persist

How are devices infected?

• Traffic injection
  • From the public news, most cases currently in Asia
    • DNS redirects in China
    • Attacks on mobile devices through fake eNodeB
• Physical attacks
  • Through MobileDevice framework on USB/WiFi
  • AirDrop software flaws
• Code injection
  • Ex. JSPatch


Code signing?

• Phishing is not enough
  • Code signing still performed by iOS
  • Except on jailbroken devices or if a software vulnerability gets exploited
• Ad Hoc
  • Too complicated, requires UDID
  • Leaks in the past years, limited now with Apple restrictions
  • Potentially on very targeted attacks
• Enterprise Developer Certificate
  • User validation
  • Certificate can be easily revoked by Apple upon detection


Code signing?

• A few months in the news
  • “Malware bypassing Apple code signing mechanism”
  • AceDeceiver
• Truth (explanation w/o the hype)
  • Still requires the app to be published and accepted by Apple at least once in one of the stores (US, CH, CN, …)
  • Can use geolocation of incoming IP addresses to enable/disable features in the code
  • Possible to exploit a design flaw in the validation process when installing from iTunes on Mac/PC
  • Allows installing the malware from a Mac/PC even if the certificate is revoked

Code signing?

src: http://researchcenter.paloaltonetworks.com/2016/03/acedeceiver-first-ios-trojan-exploiting-apple-drm-design-flaws-to-infect-any-ios-device/

MALICIOUS ACTIONS

AppStore permissions

• Audio recording
  • Easily performed through the API
  • When in background, applications are preempted by iOS
    • Except if defined as a background application
    • Ribbon displayed to the user
• Keylogging
  • Since iOS 8: extensions (keyboard, browser filtering, …)
  • Isolated from the standard application, so no access to Internet or files…
  • … except if requested

Keylogging from the appstore

• User’s validation

Private API

• In the news

Sandbox is limiting actions right?

• Entitlements
  1. Developers should specify entitlements at compilation
     • http://newosxbook.com/ent.jl
  2. Validated by the AppStore
  3. Some additional rights for selected partners
  4. Enforced on device by seat-belt
• Private API
  • Forbidden by Apple in the guidelines
  • Still requires entitlements to access data due to the sandbox
  • Does not break the applications isolation principle
    • Would require elevating privileges to do so
    • Or flaws in the private APIs validation mechanism (Stefan Esser app)
  • Difficult to detect with automated analysis (static and dynamic)


Sandbox is limiting actions right?

• Listing private API functions
  • Nicolas Seriot’s online list
  • Using classdump-dyld on a jailbroken device
• Calling private APIs
  • Can be called directly
  • Through dynamic loading
    • dlopen / dlsym
  • Using Objective-C reflection


Sandbox is limiting actions right?

• When linked
• Objective-C reflection

The In house case

• Entitlements
  • Defined at compilation
  • Not validated by Apple outside of the AppStore flow
  • As seen, allows using more sensitive Private API functions
• Offers more possibilities
  • CoreTelephony framework
    • Notifications on calls or messages
    • IMSI / IMEI retrieval
  • Install applications
  • Access private information
  • …

The jailbroken case

• Game over
  • Everything is possible
  • Ex:
    • Modifying vm_map_protect to allow RWX pages
    • Injecting code in processes to gain access to their data
    • Direct access to applications’ files
    • Send / receive SMS
    • …

NON-APPLICATION BASED ATTACKS

Configuration profiles

• Probably used in your organization
  • Configure email client
  • Device certificate
  • Corporate WiFi credentials
  • …
• Also used by attackers
  • Define a proxy and install a CA for SSL interception
  • Required to run Enterprise Developer signed applications
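A defender-side check for the attacker pattern above, written as an added example for this page (not from the original deck): it parses a .mobileconfig plist and flags a trusted-root-certificate payload, a global HTTP proxy payload, a profile the user cannot remove, and an issuer outside the corporate identifier prefix. The PayloadType identifiers are Apple's standard ones; the corporate prefix and both sample profiles are constructed.

```python
import plistlib

# PayloadType identifiers for a trusted root certificate and a device-wide HTTP proxy.
RISKY_PAYLOADS = {
    "com.apple.security.root": "installs a trusted root CA (enables TLS interception)",
    "com.apple.proxy.http.global": "routes all device HTTP(S) traffic through a proxy",
}


def audit_mobileconfig(data, corporate_prefix="com.example.corp."):
    """Return a list of findings for a .mobileconfig; an empty list means nothing flagged."""
    profile = plistlib.loads(data)
    findings = []
    ident = profile.get("PayloadIdentifier", "")
    if not ident.startswith(corporate_prefix):  # constructed prefix: your MDM's identifiers
        findings.append(f"profile {ident!r} was not issued by the corporate MDM")
    if profile.get("PayloadRemovalDisallowed"):
        findings.append("profile cannot be removed by the user")
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype in RISKY_PAYLOADS:
            findings.append(f"{ptype}: {RISKY_PAYLOADS[ptype]}")
    return findings


# Constructed sample: a "free WiFi" profile bundling a root CA and a global proxy.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "net.example.free-wifi",
    "PayloadDisplayName": "Free WiFi Optimizer",
    "PayloadContent": [
        {"PayloadType": "com.apple.security.root",
         "PayloadIdentifier": "net.example.free-wifi.ca",
         "PayloadContent": b"constructed DER certificate bytes"},
        {"PayloadType": "com.apple.proxy.http.global",
         "PayloadIdentifier": "net.example.free-wifi.proxy",
         "ProxyServer": "proxy.example.net", "ProxyServerPort": 8080},
    ],
})

# Constructed sample: a benign corporate mail profile that should produce no findings.
CLEAN_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration", "PayloadIdentifier": "com.example.corp.mail",
    "PayloadContent": [{"PayloadType": "com.apple.mail.managed",
                        "PayloadIdentifier": "com.example.corp.mail.account"}],
})
```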

PROTECTION AND DETECTION

Detection

• Mobile devices are more complex to protect
• Network side
  • Not always using your egress point
  • Web filtering / network monitoring not applicable
• Endpoint side
  • Operating system less open to 3rd party drivers
  • Applications isolation
  • Not an AV friendly environment

Detection on the network

• IDS like features
  • Use rulesets specific to mobile malware
  • Examples
    • Emerging Threats MOBILE_MALWARE rules
    • Lookout Mobile Threat Intelligence feed
      • Android only
• Detect access to non-corporate configuration
• Detect download of IPA files signed with external Enterprise Developer accounts

Detection on the devices

• Leverage existing MDM/MAM solution
  • Retrieve installed provisioning profiles
    • All external ones should be suspicious
  • Retrieve installed applications’ bundle names
    • Match against known malicious ones
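An added example (not from the original deck) that ties the network-side check for IPA files signed with external Enterprise Developer accounts to the MDM-side rule that all external provisioning profiles are suspicious: it reads embedded.mobileprovision out of an IPA, classifies the signing path from the profile's standard keys, and compares the signing team against a corporate allow-list. The allow-list, the team IDs and the sample IPA are constructed.

```python
import io
import plistlib
import zipfile

# Constructed allow-list: team ID(s) of the enterprise accounts your own MDM deploys.
CORPORATE_TEAM_IDS = {"ABCDE12345"}


def extract_profile(ipa_bytes):
    """Parse Payload/<App>.app/embedded.mobileprovision; None means no profile (App Store build)."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("Payload/") and name.endswith(".app/embedded.mobileprovision"):
                blob = zf.read(name)
                # The XML plist is wrapped in a CMS signature; slice out the plist body.
                start = blob.index(b"<?xml")
                end = blob.index(b"</plist>") + len(b"</plist>")
                return plistlib.loads(blob[start:end])
    return None


def classify_ipa(ipa_bytes):
    """Return the signing path, the signing team and whether it deserves a closer look."""
    profile = extract_profile(ipa_bytes)
    if profile is None:
        return {"kind": "appstore", "team": None, "suspicious": False}
    team = (profile.get("TeamIdentifier") or [None])[0]
    if profile.get("ProvisionsAllDevices"):
        kind = "enterprise"  # In House: runs on any device, no review by Apple
    elif profile.get("ProvisionedDevices"):
        # Ad Hoc and development profiles pin UDIDs; get-task-allow marks debug builds.
        kind = "development" if profile.get("Entitlements", {}).get("get-task-allow") else "adhoc"
    else:
        kind = "unknown"
    # Any non-App-Store install signed by a team we do not own is worth investigating.
    return {"kind": kind, "team": team, "suspicious": team not in CORPORATE_TEAM_IDS}


def build_sample_ipa(profile):
    """Constructed IPA for testing; dummy bytes stand in for the DER CMS envelope."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payload/Demo.app/Info.plist", plistlib.dumps({"CFBundleIdentifier": "com.example.demo"}))
        if profile is not None:
            zf.writestr("Payload/Demo.app/embedded.mobileprovision", b"\x30\x82\x00\x00" + plistlib.dumps(profile) + b"\x00" * 8)
    return buf.getvalue()


# Constructed In House profile from an enterprise team that is not on the allow-list.
EXTERNAL_ENTERPRISE = {
    "Name": "Demo In House", "TeamIdentifier": ["ZZZZZ99999"], "ProvisionsAllDevices": True,
    "Entitlements": {"application-identifier": "ZZZZZ99999.com.example.demo"},
}
```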

Detection on the devices

• Command line tools
  • ideviceinstaller
  • ideviceprovision

Detection on the devices

• Forensics from logs
  • installd
  • SpringBoard

Detection on the devices

• Forensics from side-channel logs
  • Battery usage
  • Data usage
  • Both contain application names and last executed timestamps
  • Available from backups

Detection on the devices

• One remark on forensics acquisition
  • Enterprise app binaries were never part of the backups
  • Since iOS 9 it is the same for AppStore ones

Detection on the devices

• Future?
  • USB scanning terminal to match known malicious bundles
  • Workstation AV scanning connected devices

Protection

• Update devices
  • Decreases the potential for vulnerability exploitation
  • Prevents known jailbreaking methods
• Device hardening
  • iOS security best-practices
    • Disable AirDrop
    • Force 6-digit passcode
    • …

Protection

• Users training
  • Do not install 3rd party provisioning profiles
  • Do not install applications outside of the AppStore or those provided by the corporate MDM

Freely available

Acknowledgements

• Claud Xiao from Palo Alto for sharing his samples with the research community

Thank You

Julien Bachmann
Expert Security Researcher
Security Research Unit

Email: julien.bachmann __at__ kudelskisecurity.com