“SandJacking” Attack Allows Hackers to Install Evil iOS Apps

Chilik Tamir - SandJacking at HITB

AMSTERDAM – HACK IN THE BOX – An unpatched iOS vulnerability can be exploited to replace legitimate applications with a rogue version that allows attackers to access sensitive information without raising any suspicion.

Developing malware that targets Apple’s iOS operating system is not an easy task. First of all, every application designed for iOS runs in a sandbox that prevents other processes from accessing it and its associated data. Protecting the sandbox is very important because it can contain documents, databases, libraries and cookies – all of which can expose highly sensitive information.

Apple is also trying to prevent malware from getting on iPhones and iPads by requiring all applications distributed via the company’s official app store to be signed with a certificate that can only be obtained following a thorough identification process. Furthermore, the behavior of these apps is carefully reviewed by Apple, and installations must be validated on the device.

Despite these protections, there have been several pieces of malware that managed to infect numerous devices over the past years by leveraging various design flaws and loopholes. The list includes WireLurker, YiSpecter, XCodeGhost, ZergHelper, and AceDeceiver.

Abusing Apple certificates to install malware

Chilik Tamir, a security researcher at Mountain View, CA-based mobile security firm Mi3 Security, has discovered some new attack methods that can be used to install malicious applications on non-jailbroken iOS devices, including one that Apple has yet to address.

At the recent Black Hat Asia conference, the expert demonstrated how an attacker can exploit a developer feature introduced recently by Apple to install malware on devices.

With the introduction of Xcode 7, Apple has started allowing individual developers to create iOS apps using certificates that can be obtained by simply providing an Apple ID. Creating an Apple ID is easy and the only information a user needs to provide to register one is a name and an email address – none of which necessarily need to be real.


These types of certificates are offered for applications whose developers don’t want to upload them to the App Store, which means they’re not subjected to Apple’s application review. The capabilities of these apps are limited compared to regular applications for which developers have to go through a proper verification process to obtain certificates. More precisely, these apps are not allowed to access Apple Pay, application domains, the game center, iCloud, in-app purchase features, the passbook/wallet, and they cannot use push notifications.

However, apps created with these “anonymous” certificates can still be used to conduct tasks that could be useful for a piece of malware, such as obtaining GPS data, accessing the victim’s address book and calendar, exfiltrating exif data, and accessing HealthKit, which is used for health and fitness apps.

Su-A-Cyder attack

At Black Hat Asia, Tamir released a proof-of-concept (PoC) tool called “Su-A-Cyder” that can be used to quickly replace a legitimate app on an iOS device with a rogue version that it creates. The program created with this tool acts the same as the legitimate app, but it contains malicious capabilities that give attackers complete control and access to the application.

Since Su-A-Cyder is designed to replace legitimate apps with malicious ones when the targeted phone is connected to a computer, the tool and the threat vector it leverages are most suitable for highly targeted attacks where the attacker has physical access to a device and knows its passcode.

However, as Tamir pointed out, there are several plausible scenarios in which such an attack would work: an individual who wants to spy on a spouse or children, phone repair shop workers who are given access to numerous devices, and even corporate environments, where it’s not uncommon for employees to hand over their devices to IT personnel.

Before the release of iOS 8.3, it was easy to replace a legitimate application on an iPhone with a rogue version by simply assigning the malicious app a similar identifier (bundle ID) and installing it on the device, overwriting the original application with the rogue version. Apple realized the potential for abuse, and starting with iOS 8.3 it prevents the installation of an app that has an ID similar to an existing one.

SandJacking attack

Tamir discovered a new method, which he dubbed “SandJacking,” that still allows attackers to use the Su-A-Cyder technique even against the latest iOS version.

The problem, according to the expert, is that while Apple patched the installation process to ensure that legitimate apps cannot be replaced, it neglected the restore process. This allows an attacker with access to the device to create a backup, remove the legitimate app, install the malicious version, and then restore the device from the backup. The restoration process does not remove the malicious app, giving the attacker access to user data associated with that application.

It’s worth noting that the malicious application only gives access to the sandbox of the app it replaces. This means that an attacker needs to create malicious versions for each of the targeted applications. However, Tamir believes this is not an issue considering that the entire process can be automated.

Tamir demonstrated the SandJacking attack at the Hack In The Box (HITB) conference in Amsterdam on Thursday using Skype as the targeted application. However, the researcher told SecurityWeek in an interview that SandJacking attacks have been successfully tested against numerous popular applications.

Once a rogue application is installed, it’s unlikely that the victim will discover that it’s not the original – they would have to check the app’s certificate and the device’s provisioning settings to see that it’s not from the legitimate developer.
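The check described above can be partly automated on the defender's side. The following is an added example, not code from the article or from Mi3 Security: it inspects the provisioning-profile plist an installed app carries (App Store builds carry none; developer- and ad-hoc-signed builds embed one) and flags the traits the article attributes to apps signed with a free Apple ID certificate. The team identifiers, bundle ID and device UDID are constructed placeholders, and `EXPECTED_TEAMS` stands in for a real allowlist of publisher team IDs.

```python
import plistlib

# Constructed placeholder: maps a bundle ID to the team ID the legitimate
# publisher is expected to sign with. Not any real publisher's value.
EXPECTED_TEAMS = {"com.example.chat": "REALTEAM01"}

def build_profile(team, bundle_id, dev_profile=True, push=False):
    """Return a minimal provisioning-profile plist (constructed sample, not a real
    profile). Real profiles are CMS-signed; on macOS the inner plist is obtained
    with `security cms -D -i embedded.mobileprovision`."""
    ents = {"application-identifier": f"{team}.{bundle_id}",
            "com.apple.developer.team-identifier": team,
            "get-task-allow": dev_profile}
    if push:
        ents["aps-environment"] = "production"
    prof = {"Name": f"profile for {bundle_id}", "TeamIdentifier": [team],
            "Entitlements": ents}
    if dev_profile:
        # Free Apple ID profiles are device-scoped development profiles.
        prof["ProvisionedDevices"] = ["00000000-CONSTRUCTED-UDID"]
    return plistlib.dumps(prof)

# Constructed sample resembling an app re-signed with a free Apple ID certificate.
SAMPLE_PROFILE = build_profile("ABCDE12345", "com.example.chat")

def sandjack_indicators(profile_bytes, bundle_id):
    """List reasons an app's embedded profile looks like a developer-signed
    replacement rather than the publisher's own build. Empty list means clean."""
    p = plistlib.loads(profile_bytes)
    ent = p.get("Entitlements", {})
    reasons = []
    if "ProvisionedDevices" in p:
        reasons.append("device-scoped development profile, not a store build")
    if ent.get("get-task-allow"):
        reasons.append("get-task-allow is true (debuggable build)")
    if "aps-environment" not in ent:
        # Free-certificate apps cannot use push notifications (see article).
        reasons.append("no push entitlement, consistent with a free Apple ID certificate")
    app_id = ent.get("application-identifier", "")
    team, _, ident = app_id.partition(".")
    if ident != bundle_id:
        reasons.append(f"application-identifier {app_id!r} does not match {bundle_id!r}")
    expected = EXPECTED_TEAMS.get(bundle_id)
    if expected and team != expected:
        reasons.append(f"signing team {team} differs from expected publisher team {expected}")
    return reasons

if __name__ == "__main__":
    for r in sandjack_indicators(SAMPLE_PROFILE, "com.example.chat"):
        print("INDICATOR:", r)
```

Run against a device's installed apps, the team-identifier mismatch is the decisive signal, since a SandJacked app keeps the original bundle ID in order to inherit its sandbox.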

The vulnerability was discovered in December 2015 and reported to Apple in January. The tech giant has confirmed the issue, but a patch has yet to be developed. Once Apple addresses the flaw, Tamir will release a SandJacker tool that automates the entire process of pushing malicious apps to iOS devices via the SandJacking vulnerability.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.