Difference between revisions of "Malware for iOS"

From The iPhone Wiki
Revision as of 09:21, 1 September 2015

This is an early, incomplete draft list of known malware (spyware, adware, trojans, viruses, and similar tools) targeting iOS, jailbroken or not. The dates are approximate: they mark when each tool was discovered, publicized, or first discussed, not necessarily when it was written or first used.

Please help expand this article with more examples and details! To edit it, you can request an account on TheiPhoneWiki if you don't have one.

Tools found in the wild

iKee and Duh (November 2009)

The Ikee-virus is a worm that spreads between jailbroken devices that have OpenSSH installed and still use the default root password ("alpine"). It changes the lock screen wallpaper to a photo of Rick Astley. The caveat it illustrates still applies to any jailbroken device running sshd: both the root and mobile accounts ship with the same default password, and both must be changed before the device is exposed to a network.

Two weeks later, the similar Duh worm spread, which was "much more serious than the original Ikee worm because it is not limited to infecting iPhone users in Australia, and communicates with an internet Control & Command centre, downloading new instructions - effectively turning your iPhone into part of a botnet."

"Find and Call" (July 2012)

Find and Call was an app on the App Store that automatically uploaded users' contact lists to the company's server, then spammed those contacts with a link to the app ("from" that user). This undisclosed, unwanted behavior makes the software fit the definition of a trojan. Articles: Kaspersky SecureList, Ars Technica, Sophos NakedSecurity.

Unflod (April 2014)

Unflod is malware targeting jailbroken iOS devices. It is a MobileSubstrate dynamic library that hooks the SSLWrite function of Security.framework and inspects the plaintext passed to it before encryption, capturing the user's Apple ID and password when an app sends them to Apple; the captured credentials are then sent to an IP address in China. It was discovered inadvertently by a Reddit user on April 17th, 2014. The hook point is the general lesson: on a jailbroken device, any dylib in /Library/MobileSubstrate/DynamicLibraries/ can be loaded into whichever processes its filter plist names and sees data before TLS protects it, so that directory is the first place to check for unexplained libraries (the original sample was named Unflod.dylib).

Hacking Team tools (June 2014)

Hacking Team is a company that "sells offensive intrusion and surveillance capabilities to governments and law enforcement agencies", including iOS spyware tools. The iOS spyware tools appear designed for targeting/attacking specific people, not for broad surveillance of the public. Their main tool (Remote Control System) requires a jailbroken device, and they were researching options for non-jailbroken devices.

AppBuyer (September 2014)

AppBuyer, as described in this article by Palo Alto Networks, "will connect to C&C server, download and execute malicious executable files, hook network APIs to steal user’s Apple ID and password and upload to the attacker’s server, and simulate Apple’s proprietary protocols to buy apps from the official App Store by victim’s identity." It targets jailbroken devices: like Unflod, the credential theft depends on hooking inside other processes, which stock iOS does not permit.

WireLurker and Masque Attack (November 2014)

As discussed at Misuse of enterprise and developer certificates: according to Palo Alto Networks, WireLurker is "a family of malware targeting both Mac OS and iOS systems for the past six months... It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning." It spread through trojanized OS X applications and reached iOS devices over USB when they were connected to an infected Mac, installing apps signed with an enterprise distribution certificate that Apple later revoked.

Masque Attacks are a related technique, described by FireEye: "an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier." The replacement keeps the original app's local data, since iOS ties the data container to the bundle identifier, so a malicious build can read what the genuine app stored. Both WireLurker and Masque depend on the user accepting the prompt to install an enterprise-signed app from outside the App Store and on the signing certificate not yet having been revoked.
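The two preconditions above (an App Store install carries no embedded provisioning profile; an enterprise or ad-hoc profile can install onto a device, and with a colliding bundle identifier can replace a store app) can be turned into an inventory check. The following is an added example, not code from The iPhone Wiki, FireEye or Palo Alto Networks. It assumes an inventory of (bundle identifier, embedded.mobileprovision bytes) pairs and a baseline set of bundle identifiers known to have been installed from the App Store; the profiles, bundle identifiers and UDIDs in it are constructed. The plist keys it reads (ProvisionsAllDevices, ProvisionedDevices, Entitlements/application-identifier) are the real ones in a provisioning profile; the CMS signature around the plist is not verified, so the check reports what a profile claims, not whether Apple issued it.

```python
"""Masque Attack / WireLurker precondition check (added example; not code from
The iPhone Wiki, FireEye or Palo Alto Networks). Inventory shape, profile
contents, bundle IDs and UDIDs below are constructed for the example."""
import plistlib


def extract_profile_plist(blob: bytes) -> dict:
    """Return the plist dict inside a .mobileprovision file. Real profiles are
    a DER-encoded CMS signature around an XML plist, so the plist is located by
    its '<?xml' / '</plist>' markers. The signature is NOT verified here."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < start:
        raise ValueError("no XML plist found inside profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def profile_kind(profile: dict) -> str:
    """Classify a profile by the keys Apple uses to distinguish them."""
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"          # in-house distribution: installs anywhere
    if "ProvisionedDevices" in profile:
        return "ad-hoc/development"  # limited to the listed UDIDs
    return "unknown"


def profile_covers_bundle(profile: dict, bundle_id: str) -> bool:
    """True if application-identifier ('<TEAMID>.<bundle id or *>') allows bundle_id."""
    app_id = profile["Entitlements"]["application-identifier"]
    _team, _, pattern = app_id.partition(".")
    if pattern == "*":
        return True
    if pattern.endswith(".*"):
        return bundle_id.startswith(pattern[:-1])
    return pattern == bundle_id


def find_risky_apps(inventory, known_store_ids):
    """inventory: list of (bundle_id, embedded.mobileprovision bytes or None).
    known_store_ids: bundle IDs a baseline recorded as App Store installs."""
    findings = []
    for bundle_id, provision in inventory:
        if provision is None:
            continue  # no embedded profile: installed from the App Store
        profile = extract_profile_plist(provision)
        kind = profile_kind(profile)
        if bundle_id in known_store_ids:
            # Known App Store bundle ID now backed by a profile: Masque pattern.
            findings.append((bundle_id, f"store-app-replaced-by-{kind}"))
        elif kind == "enterprise":
            # WireLurker pattern: enterprise profile used to sideload onto
            # devices outside the organisation that owns the certificate.
            findings.append((bundle_id, "enterprise-sideload"))
        if not profile_covers_bundle(profile, bundle_id):
            findings.append((bundle_id, "profile-does-not-cover-bundle"))
    return findings


def _fake_cms(body: bytes) -> bytes:
    # Constructed stand-in for the CMS bytes around the plist in a real profile.
    return b"\x30\x82\x00\x00fake-cms-header" + body + b"\x00fake-signature"


ENTERPRISE_PROFILE = _fake_cms(b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>TeamIdentifier</key><array><string>TEAM000001</string></array>
  <key>ProvisionsAllDevices</key><true/>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>TEAM000001.com.example.bank</string>
  </dict>
</dict></plist>""")

ADHOC_PROFILE = _fake_cms(b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>TeamIdentifier</key><array><string>TEAM000002</string></array>
  <key>ProvisionedDevices</key><array><string>constructed-udid-0001</string></array>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>TEAM000002.com.example.*</string>
  </dict>
</dict></plist>""")

# Constructed inventory: a genuine App Store app, a known App Store bundle ID
# that now carries an enterprise profile (Masque pattern), and an ad-hoc build
# whose wildcard profile legitimately covers its bundle ID.
SAMPLE_INVENTORY = [
    ("com.example.notes", None),
    ("com.example.bank", ENTERPRISE_PROFILE),
    ("com.example.beta", ADHOC_PROFILE),
]
KNOWN_STORE_IDS = {"com.example.notes", "com.example.bank"}

if __name__ == "__main__":
    for bundle_id, reason in find_risky_apps(SAMPLE_INVENTORY, KNOWN_STORE_IDS):
        print(f"{bundle_id}: {reason}")
```

On a jailbroken device the inventory can be built by walking the installed application bundles and reading each one's embedded.mobileprovision; on a managed fleet the same data comes from the MDM's installed-application query. The baseline of App Store bundle identifiers is what makes the Masque case detectable at all: after a replacement there is only one app with that identifier on the device, so the collision is visible only against what was there before.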

KeyRaider (August 2015)

KeyRaider, as discussed in this article by Palo Alto Networks, is malware for jailbroken devices, distributed through third-party Cydia repositories, that "steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device." Palo Alto Networks counted over 225,000 stolen Apple accounts, which were then used to let other jailbroken devices buy apps at the victims' expense.

Tools developed as part of research

Instastock (November 2011)

Charlie Miller, a security researcher, submitted an app to the App Store called Instastock to demonstrate "a flaw in Apple’s restrictions on code signing on iOS devices": once past review, the app could download and execute unsigned code, so App Store review could not be relied on to see the behaviour that later shipped. The app was initially accepted and then pulled from the store, and Apple removed Miller from the iOS Developer Program.