The Spy in Your Pocket, Part 2: Cyber Threats to iOS


In this second entry in our short series overviewing mRATs, we’ll delve into the threats facing iOS.
Generally speaking, it’s possible to map five cyber-threats to iOS devices:

  1. Jailbreaking Devices and Installing Mobile Surveillance and mobile Remote Access Trojans (aka mRATs) from Alternative Markets
  2. Using Distribution Certificates to Sideload Malware without Passing through App Store’s Validation Process
  3. Malicious Profiles
  4. Wifi Man-in-the-Middle Attacks
  5. 0-Day System Vulnerabilities and Webkit Exploits

Jailbreaking Devices and Installing Mobile Surveillance and mobile Remote Access Trojans (aka mRATs) from Alternative Markets

These attacks leverage a jailbroken device, which means that all the built-in iOS security mechanisms have been removed.
In turn, an attacker can install a malicious executable, the mRAT. As its name implies, a Remote Access Trojan takes full control of the sensors and the hardware of the mobile device without the owner’s knowledge. You can read more on mRATs and their capabilities in our last blog post.
The thing is that installing an mRAT requires jailbreaking the device.
However, it’s not unusual for iOS users to jailbreak their own device in order to allow them to install any iOS application they want – not just those from Apple’s proprietary store.
Attackers can also jailbreak an iOS device themselves, by physically obtaining access to the device or propagating the jailbreak code from a compromised computer through a USB cable.
Once a device is jailbroken, attackers can then proceed to install the mRAT of their choice. One way attackers do this is by disguising their wares within an application distributed through a third-party app store, for an unwitting user to download.
Once the mRAT is installed, it also removes any visible traces of the device’s jailbroken state.

Using Distribution Certificates to Sideload Malware without Passing through App Store’s Validation Process

In this attack, malicious software, accompanied by a certificate that Apple has validated but that does not represent a trusted organization, is installed on a device running Apple’s iOS operating system (OS).
Certificates in this sense are validation stamps that Apple grants to organizations that agree to adhere to Apple’s guidelines. There are two such kinds of certificates:

  1. Developer certificates, which allow developers to test their apps before they go public on the Apple app store.
  2. Enterprise certificates, which provide organizations the opportunity to establish their own, in-house marketplace for dedicated apps.

Behind the scenes, iOS validates that an app is signed by a trusted certificate before allowing it to be side-loaded onto the device. In other words, the device verifies that the app may be installed without going through the App Store.
If attackers are able to obtain a certificate, they can use it to validate their malware and install it on any iOS-based device without passing it through the App Store’s vetting process.
It’s important to note that, given the volume of apps, it is very difficult for Apple to monitor how certificates are used. As a result, attacks that abuse these certificates have started to emerge, such as the FinFisher mRAT.
Here too, the malware can act as an mRAT, giving the attacker full control of the device.
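A defender triaging a side-loaded app wants to know which kind of certificate provisioned it. The example below is added here and is not the post’s own code: it reads the plist carried in an app’s embedded.mobileprovision (the real file wraps this plist in a CMS signature, which is assumed to have been stripped beforehand) and reports whether the profile is enterprise, developer or store provisioning, whether it has expired, and whether the app is debuggable. The key names are Apple’s; the team, app and identifier values are constructed.

```python
import plistlib
from datetime import datetime, timezone

# Constructed sample of the plist inside an app's embedded.mobileprovision.
# (On a real device the plist is wrapped in a CMS signature; omitted here.)
# Key names are Apple's; TeamName, AppIDName and identifiers are invented.
SAMPLE_PROVISION = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>AppIDName</key><string>Battery Saver Pro</string>
  <key>TeamName</key><string>Constructed Example Corp</string>
  <key>ProvisionsAllDevices</key><true/>
  <key>ExpirationDate</key><date>2030-01-01T00:00:00Z</date>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>TEAMID0000.com.example.batterysaver</string>
    <key>get-task-allow</key><false/>
  </dict>
</dict>
</plist>"""

def classify_provision(prov_bytes, now_iso=None):
    """Summarise how an app was provisioned and whether the profile has expired.

    now_iso: optional ISO-8601 timestamp with offset (e.g. "2025-01-01T00:00:00+00:00")
    used instead of the wall clock so that results are reproducible.
    """
    p = plistlib.loads(prov_bytes)
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    expires = p["ExpirationDate"]
    if expires.tzinfo is None:          # plistlib yields naive datetimes in UTC
        expires = expires.replace(tzinfo=timezone.utc)
    if p.get("ProvisionsAllDevices"):
        kind = "enterprise"              # in-house cert: installs on any device
    elif "ProvisionedDevices" in p:
        kind = "developer"               # dev/ad-hoc cert: limited to listed UDIDs
    else:
        kind = "store"                   # no device list and no all-devices flag
    return {
        "team": p.get("TeamName"),
        "kind": kind,
        "devices": len(p.get("ProvisionedDevices", [])),
        "expired": expires <= now,
        "debuggable": bool(p.get("Entitlements", {}).get("get-task-allow")),
    }
```

An enterprise-provisioned app from a team name the organisation does not recognise is exactly the case the text describes and is worth a closer look.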

Malicious Profiles

In this type of attack, an attacker tricks the user into installing a device configuration profile that changes the device and network settings.
In general, a profile is an extremely sensitive optional configuration file that allows re-defining various system parameters, such as mobile carrier settings, Mobile Device Management (MDM) settings and networking settings.
A user is typically tricked into downloading a malicious profile. By doing so, the user unknowingly gives the rogue configuration the ability to re-route all traffic from the mobile device to an attacker-controlled server, to install further rogue apps, and even to decrypt communications.
The disturbing reality is that attackers are not the only ones distributing profiles to re-configure device settings. Legitimate and popular companies have also found profiles a viable way to enhance their offering. This, for instance, is what LinkedIn did a few months ago with LinkedIn Intro, a configuration profile that re-routed incoming emails through LinkedIn servers in order to add the sender’s details to the received emails.
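The capabilities a profile grants are visible in the payload types it carries, so a defender can triage a .mobileconfig before it reaches a device. The example below is added here and is not the post’s own code: it parses a constructed profile and flags the payload types that deliver the abuses described above (traffic redirection, a new trusted root CA that enables decryption of TLS traffic, MDM enrolment, device-wide VPN). The PayloadType identifiers are Apple’s real ones; the display name, identifier, hostnames and SSID are constructed.

```python
import plistlib

# Constructed sample of an iOS configuration profile (.mobileconfig). The
# PayloadType identifiers are Apple's real payload types; all other values
# are invented for this example.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Free Wi-Fi Booster</string>
  <key>PayloadIdentifier</key><string>constructed.example.profile</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.proxy.http.global</string>
      <key>ProxyServer</key><string>proxy.example.invalid</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadCertificateFileName</key><string>root.cer</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>SSID_STR</key><string>FreeAirport</string>
    </dict>
  </array>
</dict>
</plist>"""

# Payload types that grant exactly the capabilities the text warns about:
# rerouting traffic, trusting a new root CA (enabling TLS interception),
# MDM enrolment (remote app install) and device-wide VPN.
RISKY_PAYLOADS = {
    "com.apple.proxy.http.global": "routes all HTTP(S) traffic via a proxy",
    "com.apple.security.root": "adds a root CA that can issue forged TLS certs",
    "com.apple.mdm": "enrols the device in MDM (remote app/config control)",
    "com.apple.vpn.managed": "installs a VPN that can carry all device traffic",
}

def triage_profile(profile_bytes):
    """Return (PayloadType, reason) for every risky payload in a profile."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype in RISKY_PAYLOADS:
            findings.append((ptype, RISKY_PAYLOADS[ptype]))
    return findings
```

The Wi-Fi payload passes untouched, while the global proxy and root-certificate payloads are reported; a profile combining those two is the pattern that lets a third party read the device’s encrypted traffic.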

Wifi Man-in-the-Middle Attacks

In these attacks, the user usually believes they are interacting with a known, trusted entity – typically a web site. Behind the scenes, however, the adversary can eavesdrop on the session. An attacker can even alter encrypted (i.e. SSL) communication by using spoofed certificates or by downgrading the communication link. In effect, the communications become completely open to the attacker.
Man-in-the-Middle attacks also exist in the PC world. However, they are exacerbated in the mobile world, where the alert and warning signs that individuals are used to noticing on PCs and laptops are much more subtle on their mobile counterparts.
Moreover, with limited screen real estate, URLs are often hidden from the user, so it’s harder for them to verify that the URL the browser is pointing to is actually the intended one.

0-Day System Vulnerabilities and Webkit Exploits

The risk here is of system vulnerabilities that are exploited to allow the attacker to jailbreak the device without leaving any trace.
Many times, these vulnerabilities lead to the silent installation of mRATs on a device through a remote exploitation technique.
These zero-day vulnerabilities are vulnerabilities that have been uncovered but not yet publicly disclosed. With vulnerability researchers purportedly earning $500K per vulnerability, uncovering them has become a very profitable line of business.
Webkit vulnerabilities are significant since they allow the attacker to execute arbitrary script in the browser, and they are commonly used by attackers as a springboard for remote infection of the device. Unfortunately, dozens of WebKit vulnerabilities affecting the iOS browser were uncovered in the past year.