AMSTERDAM – HACK IN THE BOX – An unpatched iOS vulnerability can be exploited to replace legitimate applications with a rogue version that allows attackers to access sensitive information without raising any suspicion.
Developing malware that targets Apple’s iOS operating system is not an easy task. First of all, every application designed for iOS runs in a sandbox that prevents other processes from accessing it and its associated data. Protecting the sandbox is very important because it can contain documents, databases, libraries and cookies – all of which can expose highly sensitive information.
Apple is also trying to prevent malware from getting on iPhones and iPads by requiring all applications distributed via the company’s official app store to be signed with a certificate that can only be obtained following a thorough identification process. Furthermore, the behavior of these apps is carefully reviewed by Apple, and installations must be validated on the device.
Despite these protections, there have been several pieces of malware that managed to infect numerous devices over the past years by leveraging various design flaws and loopholes. The list includes WireLurker, YiSpecter, XCodeGhost, ZergHelper, and AceDeceiver.
Abusing Apple certificates to install malware
Chilik Tamir, a security researcher at Mountain View, CA-based mobile security firm Mi3 Security, has discovered some new attack methods that can be used to install malicious applications on non-jailbroken iOS devices, including one that Apple has yet to address.
At the recent Black Hat Asia conference, the expert demonstrated how an attacker can exploit a developer feature introduced recently by Apple to install malware on devices.
With the introduction of Xcode 7, Apple has started allowing individual developers to create iOS apps using certificates that can be obtained by simply providing an Apple ID. Creating an Apple ID is easy and the only information a user needs to provide to register one is a name and an email address – neither of which needs to be real.
These types of certificates are offered for applications whose developers don’t want to upload them to the App Store, which means they’re not subjected to Apple’s application review. The capabilities of these apps are limited compared to regular applications for which developers have to go through a proper verification process to obtain certificates. More precisely, these apps are not allowed to access Apple Pay, application domains, the game center, iCloud, in-app purchase features, the passbook/wallet, and they cannot use push notifications.
However, apps created with these “anonymous” certificates can still be used to conduct tasks that could be useful for a piece of malware, such as obtaining GPS data, accessing the victim’s address book and calendar, exfiltrating exif data, and accessing HealthKit, which is used for health and fitness apps.
At Black Hat Asia, Tamir released a proof-of-concept (PoC) tool called “Su-A-Cyder” that can be used to quickly replace a legitimate app on an iOS device with a rogue version that it creates. The program created with this tool acts the same as the legitimate app, but it contains malicious capabilities that give attackers complete control and access to the application.
Since Su-A-Cyder is designed to replace legitimate apps with malicious ones when the targeted phone is connected to a computer, the tool and the threat vector it leverages are most suitable for highly targeted attacks where the attacker has physical access to a device and knows its passcode.
However, as Tamir pointed out, there are several plausible scenarios where such an attack would work. Examples include an individual who wants to spy on his spouse or children, phone repair shop workers who are given access to numerous devices, and even corporate environments where it’s not uncommon for employees to hand over their devices to IT personnel.
Before the release of iOS 8.3, it was easy to replace a legitimate application on an iPhone with a rogue version by simply assigning the malicious app a similar identifier (bundle ID) and installing it on the device – overwriting the original application with the rogue version. Apple realized the potential for abuse and, starting with iOS 8.3, it prevents the installation of an app that has an ID similar to an existing one.
Tamir discovered a new method, which he dubbed “SandJacking,” that still allows attackers to use the Su-A-Cyder technique even against the latest iOS version.
The problem, according to the expert, is that while Apple patched the installation process to ensure that legitimate apps cannot be replaced, it neglected the restore process. This allows an attacker with access to the device to create a backup, remove the legitimate app, install the malicious version, and then restore the device from the backup. The restoration process does not remove the malicious app, giving the attacker access to user data associated with that application.
It’s worth noting that the malicious application only gives access to the sandbox of the app it replaces. This means that an attacker needs to create malicious versions for each of the targeted applications. However, Tamir believes this is not an issue considering that the entire process can be automated.
Tamir demonstrated the SandJacking attack at the Hack In The Box (HITB) conference in Amsterdam on Thursday using Skype as the targeted application. However, the researcher told SecurityWeek in an interview that SandJacking attacks have been successfully tested against numerous popular applications.
Once a rogue application is installed, it’s unlikely that the victim will discover that it’s not the original – they would have to check the app’s certificate and the device’s provisioning settings to see that it’s not from the legitimate developer.
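The check described above (looking at the app’s signing certificate and provisioning profile rather than at its appearance) can be scripted. The following is an added example, not code from the article, Tamir, or Mi3 Security: it reads the `embedded.mobileprovision` file that every sideloaded iOS app carries and flags the traits that distinguish a personally signed development build from an App Store release. The sample profile bytes, the bundle ID `com.example.chat`, the team IDs, and the `EXPECTED_TEAMS` allowlist are all constructed for the example; the profile keys (`ProvisionedDevices`, `get-task-allow`, `ProvisionsAllDevices`, `application-identifier`, `CreationDate`, `ExpirationDate`) are the standard ones Apple writes into these profiles. The 7-day validity window is the lifetime Xcode gives profiles created with a free Apple ID.

```python
import plistlib
from datetime import datetime, timedelta

# Constructed stand-in for an embedded.mobileprovision file. A real profile is a
# DER-encoded PKCS#7 SignedData blob whose payload is this XML plist; the bytes
# around the XML here only imitate that wrapper.
SAMPLE_PROFILE = (
    b"\x30\x82\x0a\x00\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"
    b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Name</key><string>iOS Team Provisioning Profile: com.example.chat</string>
  <key>TeamName</key><string>Some Person</string>
  <key>CreationDate</key><date>2016-05-26T10:00:00Z</date>
  <key>ExpirationDate</key><date>2016-06-02T10:00:00Z</date>
  <key>ProvisionedDevices</key><array><string>CONSTRUCTED-UDID-0001</string></array>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>ABCDE12345.com.example.chat</string>
    <key>get-task-allow</key><true/>
  </dict>
</dict>
</plist>"""
    b"\x00\x00\x00\x00"
)

# Constructed allowlist: the team ID the legitimate publisher of each bundle ID
# signs with. In practice this comes from the App Store copy of the app.
EXPECTED_TEAMS = {"com.example.chat": "PUBLISHER0X"}


def extract_plist(blob: bytes) -> dict:
    """Pull the XML plist out of a CMS-wrapped provisioning profile.

    Slicing between the <?xml and </plist> markers is enough to read the
    payload. It does NOT verify Apple's signature on the profile; use
    `security cms -D -i embedded.mobileprovision` on macOS for that.
    """
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no plist payload found in profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def assess_profile(profile: dict, expected_teams: dict) -> list:
    """Return human-readable findings that indicate a non-App-Store build."""
    findings = []
    entitlements = profile.get("Entitlements", {})
    app_id = entitlements.get("application-identifier", "")
    team_id, _, bundle_id = app_id.partition(".")

    # App Store distribution profiles carry no device list; development and
    # ad-hoc profiles (including free Apple ID ones) are pinned to UDIDs.
    if "ProvisionedDevices" in profile:
        findings.append("development/ad-hoc profile pinned to a device list")
    # get-task-allow=true means a debugger may attach: never true for a release.
    if entitlements.get("get-task-allow"):
        findings.append("get-task-allow is true: debuggable development build")
    # Enterprise in-house profiles install on any device and skip App Review.
    if profile.get("ProvisionsAllDevices"):
        findings.append("enterprise in-house profile: not reviewed by Apple")
    # The team ID prefix of the application-identifier names who signed it.
    expected = expected_teams.get(bundle_id)
    if expected and team_id != expected:
        findings.append(
            f"team {team_id} signed {bundle_id}, expected publisher {expected}")
    # Free Apple ID profiles are issued for seven days at a time.
    created, expires = profile.get("CreationDate"), profile.get("ExpirationDate")
    if isinstance(created, datetime) and isinstance(expires, datetime):
        if expires - created <= timedelta(days=7):
            findings.append("profile lifetime <= 7 days: free Apple ID signing")
    return findings


def scan_profile(blob: bytes, expected_teams: dict = EXPECTED_TEAMS) -> list:
    return assess_profile(extract_plist(blob), expected_teams)


if __name__ == "__main__":
    for finding in scan_profile(SAMPLE_PROFILE):
        print("-", finding)
```

On a device backup or an extracted IPA, the file to feed `scan_profile` is `Payload/<App>.app/embedded.mobileprovision`; an App Store build of the same app produces no findings from these checks, so any hit on an app the user believes came from the store is worth a closer look.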
The vulnerability was discovered in December 2015 and reported to Apple in January. The tech giant has confirmed the issue, but a patch has yet to be developed. Once Apple addresses the flaw, Tamir will release a SandJacker tool that automates the entire process of pushing malicious apps to iOS devices via the SandJacking vulnerability.