AppBuyer iOS Malware Targets Jailbroken iPhones

Researchers at Palo Alto Networks analyzed a piece of malware targeting owners of jailbroken iPhones that steals the vicitm’s Apple ID and password information and makes purchases from the App Store.

The malware has been appropriately dubbed ‘AppBuyer’. According to Palo Alto Networks, the malware was mentioned first by members of the WeiPhone Technical Group in May, when they remotely assisted a user in finding out why certain apps periodically had been installed onto his device. They ultimately located two strange files that would download, execute and delete other executable files.

“We still don’t know how the AppBuyer malware was installed onto jailbroken iOS devices,” blogged researcher Claud Xiao. “There’re some possibilities that include through malicious Cydia Substrate tweak (like Trojan.iOS.AdThief) hosted in third-party Cydia sources, through other PC malware, through a PC jailbreaking utility, or possibly some other unknown ways.”

What the researchers do know is that after the devices were infected, two files appear in the file system – /System/Library/LaunchDaemons/com.archive.plist and bin/updatesrv. The com.archive.plist is a launchd daemon configuration file that specified that every 7,200 seconds (or 2 hours) the /bin/updatesrv will be loaded and run.

At first, updatesrv will connect to http ://www.jb-app.com/updatesrv.aspx?f=1 to fetch configuration of local UUID file path: /etc/uuid. Then it reads the UUID from this file and constructs the second URL: http: //www.jb-app.com/updatesrv.aspx?f=2&uuid=<UUID>, Xiao explained.

“The updatesrv will then determine whether the server returns “IDLE”,” he blogged. “If so, it will exit immediately; otherwise, it will download two files from the server, rename them as /tmp/u1 and /tmp/u2, then execute the first one, and lastly delete all of the files. During the course of our analysis, we found that after updatesrv executes three times, the server will always return IDLE.”

During the first execution, the updatesrv will determine if /etc/uuid exists; if it doesn’t, the second URL will have no UUID value. At that point, updatesrv will download two files named u1 and u2 using the following URLs:

• http: //www.jb-app.com/u1
• http: //www.jb-app.com/u2

“The code in u1’s  is quite simple, it generates a new UUID by combining the current time, a random number between 0 to 9999 and current process ID, and stores it into /etc/uuid,” the researcher wrote. “The u2 file simply contains the character “1”, but this is not used by the code.”

After the UUID generated, the second execution of updatesrv accesses the URL with the UUID value:

• http://www.jb-app.com/updatesrv.aspx?f=2&uuid=[uuid]

The server returns u1_80 and u2_80 as results, then downloads files from:

• http://www.jb-app.com/u1_80
• http://www.jb-app.com/u2_80

The code in u1_80 simply copies u2_80 into /Library/MobileSubstrate/DynamicLibraries/aid.dylib. The u2_80 will be loaded by the Cydia Substrate framework later on. The u2_80 is a Cydia Substrate tweak. After it is loaded it will hook the (void)connectionDidFinishLoading:(id)arg1; method of the ISURLOperation class. It uses this hook to capture every HTTP or HTTPS request made by the victim’s device and inspect the traffic for the user’s apple ID, GUID (Globally Unique Identifier) or password.

In the third execution cycle, the malware uses the victim’s information to buy apps from the official App Store.

“We highly recommend iOS users not jailbreak their devices,” blogged Xioa. “AdThief, another iOS malware found by Palo Alto Networks in this year, which also targets jailbroken iOS devices, has infected more than 75,000 devices. Another example is Unflod, which is a malicious Cydia Substrate tweak, will steal a victim’s Apple ID in the similar way.”

The full technical write-up can be found here.