We previously have described the threats of Masque Attacks against iOS in a series of blogs [2,3,4]. Up until now, these attacks had never bee seen carried out in the wild, highlighting that advanced threats were not utilizing mobile to carry out their attacks despite rapid user adoption. However, FireEye has recently uncovered 11 iOS apps within the Hacking Team’s arsenals that utilize Masque Attacks, marking the first instance of targeted iOS malware being used against non-jailbroken iOS devices.
These apps are reverse engineered and weaponized versions of popular social networking and messaging apps, including: WhatsApp, Twitter, Facebook, Facebook Messenger, WeChat, Google Chrome, Viber, Blackberry Messenger, Skype, Telegram, and VK. Unlike the normal versions of these apps, they come with an extra binary designed to exfiltrate sensitive data and communicate with a remote server. Because all the bundle identifiers are the same as the genuine apps on App Store, they can directly replace the genuine apps on iOS devices prior 8.1.3.
Note that the bundle identifiers are actually configurable by the remote attackers. So for iOS devices above 8.1.3, although the Masque Attack vulnerability has been fixed (apps with the same bundle identifiers cannot replace each other), the attackers can still use a unique bundle identifier to deploy the weaponized app. In this scheme, the attack falls back to the Enpublic attack[1].
Fig 5. shows an example of the runtime behavior of the repackaged Facebook app. Upon launching the app, three consecutive alerts are popped up asking for permission of access the Photo, Microphone, and Contacts.
As shown in Fig. 6, those malicious Masque Attack apps leverage the LC_LOAD_DYLIB command of the MachO format to inject a malicious dylib (named “_PkgSign”) into the genuine executable file. This dylib implements the core malicious logic.
Since each Masque Attack app has different internals, the dylib needs to hook different methods for data exfiltration. As listed in Table 1, the malicious dylib maps each Masque Attack app an id prefixed by “TIGI000” and a customized class for managing the malicious behaviors controlled by the remote server.
APPID | Malicious Manager Class Name | Bundle ID of Masque Attack App |
---|---|---|
TIGI00001
|
POViewConnection
|
com.skype.skype
|
TIGI00002
|
POViewAsynService
|
com.viber
|
TIGI00003
|
POViewRegistration
|
net.whatsapp.WhatsApp
|
TIGI00004
|
_bvbcccyytr
|
com.facebook.Facebook
|
TIGI00006
|
POViewDataManager
|
com.facebook.Messenger
|
TIGI00008
|
POViewLogger
|
com.google.chrome.ios
|
TIGI00009
|
VKMessageManager
|
com.vk.vkclient
|
TIGI00010
|
TelegramManager
|
ph.telegra.Telegraph
|
TIGI00011
|
BBMManager
|
com.blackberry.bbm1
|
TIGI00012
|
WechatManager
|
com.tencent.xin
|
TIGI00013
|
TwitterManager
|
com.atebits.Tweetie2
|
...
|
...
|
...
|
Table 1: The mapping of handler class to the bundle id of each Masque Attack app
The injected dylib hooks 52 sensitive functions of 38 classes in the genuine executables. All of the hooked class methods correspond to key functionalities of the genuine apps. For example, hooking “[
SKPConversation OnMessage:andMessageobjectid:
]” to intercept messages in Whats App and “[VideoVoipCallerView OnBeginTalk:
]” to start recording a outgoing voice call in Wechat App.
The injected dylib is acting as part of the apps executable file and can read/modify the all data in the app’s containers to gather sensitive information and send them to the remote server. The information includes:
- Voice call recording in Skype, Wechat, etc.
- Text message intercepting in Skype, Whats App, Facebook messenger, etc.
- Chrome visited website history
- Phone call
- SMS/iMessage content
- Precise GPS coordinate recording in background
- Contacts information
- Photos
Of special note, the dylib has the capability to upload data only from targeted users. It sends the IMEI to the remote server to check if the target device is of interest. The server will instruct whether to exfiltrate data or not. However, we have found logic to bypass the check if the SKIP-LICENSE key is set to 1 in the keychain. So local colludes can set this value to 1 to force data exfiltrating if they find the victim of value.
Finally, all data are reassembled in Json format and sent to the remote server.Fig. 8 shows an example of the uploaded data (actual values anonymized). The items field contains different types of data such as the chat data for the communication apps, geo location information, phone call history, etc.
Configurable via URL scheme
The remote server and malicious behaviors are configurable through URL. In each repackaged sample, we found a customized URL scheme is added to the Info.plist file. The URL schemes follow the pattern “TIGI0000X://”, which is exactly the same as APPID column listed in Table 1.
By hooking the “application:openURL:sourceApplication:annotation:” function, the malicious dylib can parse the configure data when the URL scheme is opened. The configure data is serialized in JSON format, encoded in Base64 and appended right after the customized URL scheme. The attacker can lure the targeted victims to click such URLs via SMS/Email/Web page on the device and customize targeted configurations such as the remote server.
Conclusion
From the attack tools leaked from the Hacking Team, we have now seen that advanced targeted attacks against iOS devices have begun to emerge. We encourage all iOS users to always update their devices to the latest version of iOS and pay close attention to the avenues that they download their apps.
No comments:
Post a Comment