The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Malware for iOS"
(adding more) |
(more info) |
||
Line 2: | Line 2: | ||
The goal of this list is to aid better understanding of the risks of using iOS and jailbroken iOS - it's helpful to have as much accurate information as you can. If you're concerned about avoiding malware on your jailbroken device, check out [https://www.reddit.com/r/jailbreak/wiki/howtoresearch this guide to making informed guesses about whether packages are reasonable to install]. |
The goal of this list is to aid better understanding of the risks of using iOS and jailbroken iOS - it's helpful to have as much accurate information as you can. If you're concerned about avoiding malware on your jailbroken device, check out [https://www.reddit.com/r/jailbreak/wiki/howtoresearch this guide to making informed guesses about whether packages are reasonable to install]. |
||
+ | |||
+ | Some context: |
||
+ | * Some of these tools targeted old iOS versions and do not work on current iOS versions. |
||
+ | * Some of these are harmful and some are merely annoying. |
||
+ | * Some of these are built to target specific people instead of the general public. |
||
+ | * Many of these require the device to be jailbroken, but some work on non-jailbroken devices. |
||
+ | * Cydia is an open platform - it includes a specific set of default repositories, and it also allows users to type in any third-party repository that they want to use (much like a web browser that allows you to visit any website). Anyone can run a third-party repository and distribute any software they choose to distribute. |
||
+ | |||
+ | For an earlier list of known malware, see [https://blog.fortinet.com/post/ios-malware-does-exist "iOS Malware Does Exist"] (June 2014). |
||
''Please help expand this article with more examples and details! To edit it, you can [[The iPhone Wiki:Account creation|request an account on TheiPhoneWiki]] if you don't have one.'' |
''Please help expand this article with more examples and details! To edit it, you can [[The iPhone Wiki:Account creation|request an account on TheiPhoneWiki]] if you don't have one.'' |
||
Line 9: | Line 18: | ||
=== iKee and Duh (November 2009) === |
=== iKee and Duh (November 2009) === |
||
− | The [[Ikee-virus]] is a worm transmitted between jailbroken devices that have OpenSSH installed and haven't changed the default root password. It changes the lockscreen background to a photo of Rick Astley. |
+ | The [[Ikee-virus]] (also called Eeki) is a worm transmitted between jailbroken devices that have OpenSSH installed and haven't changed the default root password. It changes the lockscreen background to a photo of Rick Astley. |
Two weeks later, the similar [https://nakedsecurity.sophos.com/2009/11/23/lightning-strikes-iphone-malware-malicious/ Duh worm] spread, which was "much more serious than the original Ikee worm because it is not limited to infecting iPhone users in Australia, and communicates with an internet Control & Command centre, downloading new instructions - effectively turning your iPhone into part of a botnet." |
Two weeks later, the similar [https://nakedsecurity.sophos.com/2009/11/23/lightning-strikes-iphone-malware-malicious/ Duh worm] spread, which was "much more serious than the original Ikee worm because it is not limited to infecting iPhone users in Australia, and communicates with an internet Control & Command centre, downloading new instructions - effectively turning your iPhone into part of a botnet." |
||
Line 15: | Line 24: | ||
=== "Find and Call" (July 2012) === |
=== "Find and Call" (July 2012) === |
||
− | Find and Call was an app on the App Store that automatically uploaded users' contact lists to the company's server, then spammed those contacts with a link to the app ("from" that user). This undisclosed, unwanted behavior makes the software fit the definition of a trojan. Articles: [https://securelist.com/blog/incidents/33544/find-and-call-leak-and-spam-57/ Kaspersky SecureList], [http://arstechnica.com/apple/2012/07/find-and-call-app-becomes-first-trojan-to-appear-on-ios-app-store/ Ars Technica], [https://nakedsecurity.sophos.com/2012/07/06/find-call-ios-android-malware/ Sophos NakedSecurity]. |
+ | Find and Call was an app on the App Store that automatically uploaded users' contact lists to the company's server, then spammed those contacts with a link to the app ("from" that user). This undisclosed, unwanted behavior makes the software fit the definition of a trojan. Articles: [https://securelist.com/blog/incidents/33544/find-and-call-leak-and-spam-57/ Kaspersky SecureList], [http://arstechnica.com/apple/2012/07/find-and-call-app-becomes-first-trojan-to-appear-on-ios-app-store/ Ars Technica], [https://nakedsecurity.sophos.com/2012/07/06/find-call-ios-android-malware/ Sophos NakedSecurity]. It is also called FindCall. |
=== FinSpy Mobile (August 2012) === |
=== FinSpy Mobile (August 2012) === |
||
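Review bot: the alias sentence "It is also called FindCall." is tacked on after the article citations, where it reads as an afterthought; fold it into the first sentence the way the iKee hunk does with "(also called Eeki)", e.g. `Find and Call (also called FindCall) was an app on the App Store that ...`, and keep the Articles list as the closing sentence.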
Line 27: | Line 36: | ||
=== Unflod (April 2014) === |
=== Unflod (April 2014) === |
||
− | [[Unflod]] is a malicious piece of software targeting jailbroken iOS devices, which attempts to capture the user's Apple ID and password by using MobileSubstrate to hook into the SSLWrite function of Security.framework and then listening to data passed to it. Once the Apple ID and password are captured, it is sent to a Chinese IP address. It was inadvertently discovered by a Reddit user on April 17th, 2014. |
+ | [[Unflod]] is a malicious piece of software targeting jailbroken iOS devices, which attempts to capture the user's Apple ID and password by using MobileSubstrate to hook into the SSLWrite function of Security.framework and then listening to data passed to it. Once the Apple ID and password are captured, it is sent to a Chinese IP address. It was inadvertently discovered by a Reddit user on April 17th, 2014. Also called "Unflod Baby Panda" and "SSLCreds". |
=== Hacking Team tools (June 2014 and July 2015) === |
=== Hacking Team tools (June 2014 and July 2015) === |
||
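Review bot: the added "Also called "Unflod Baby Panda" and "SSLCreds"." is a sentence fragment placed after the discovery date rather than next to the name; rewrite the opening as `[[Unflod]] (also called "Unflod Baby Panda" and "SSLCreds") is a malicious piece of software ...` so the aliases sit with the name and the paragraph keeps its chronological order. While here, "it is sent" should agree with its plural subject: "they are sent".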
Line 102: | Line 111: | ||
[http://cydia.saurik.com/package/com.kobisnir.spykey/ SpyKey] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Kobi Snir. Its description includes "a simple app that let you monitor your PC Keyboard activity in real time, Simply connect your iphone to your compute using your Wifi or 3G connection and start monitoring." |
[http://cydia.saurik.com/package/com.kobisnir.spykey/ SpyKey] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Kobi Snir. Its description includes "a simple app that let you monitor your PC Keyboard activity in real time, Simply connect your iphone to your compute using your Wifi or 3G connection and start monitoring." |
||
+ | |||
+ | === Trapsms === |
||
+ | |||
+ | Trapsms was an early spying tool available to the public, [http://blog.fortinet.com/post/detecting-spyware-for-iphones described in this post by a security researcher in July 2009]. She says: "The spyware installs on any jailbroken iPhone. In Cydia (an iPhone front-end to help installing third-party applications), you first add the URL of the spyware's repository and then install the two spyware packages." |
||
[[Category:Malware research]] |
[[Category:Malware research]] |
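Review bot: the new Trapsms section opens with two blank added lines before the heading and another before the paragraph, whereas the neighbouring SpyKey entry uses a single blank line between heading and body; drop the extra blanks. The other entries in this section also state which repository distributed the package (e.g. "via the BigBoss repository (a default repository)"); the quoted instructions ("you first add the URL of the spyware's repository") show Trapsms came from a third-party repository, so say that explicitly in the first sentence rather than leaving the reader to infer it from the quote.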
Revision as of 12:07, 1 September 2015
This is an incomplete draft list of known malware (including spyware, adware, trojans, viruses, and similar tools) that have targeted iOS, including jailbroken iOS. The dates are approximate dates when people discovered, publicized, or started discussing the tool.
The goal of this list is to help readers better understand the risks of using iOS and jailbroken iOS; having as much accurate information as possible helps with that. If you're concerned about avoiding malware on your jailbroken device, check out this guide to making informed guesses about whether packages are reasonable to install.
Some context:
- Some of these tools targeted old iOS versions and do not work on current iOS versions.
- Some of these are harmful and some are merely annoying.
- Some of these are built to target specific people instead of the general public.
- Many of these require the device to be jailbroken, but some work on non-jailbroken devices.
- Cydia is an open platform - it includes a specific set of default repositories, and it also allows users to type in any third-party repository that they want to use (much like a web browser that allows you to visit any website). Anyone can run a third-party repository and distribute any software they choose to distribute.
For an earlier list of known malware, see "iOS Malware Does Exist" (June 2014).
Please help expand this article with more examples and details! To edit it, you can request an account on TheiPhoneWiki if you don't have one.
Tools found in the wild
iKee and Duh (November 2009)
The Ikee-virus (also called Eeki) is a worm transmitted between jailbroken devices that have OpenSSH installed and haven't changed the default root password. It changes the lockscreen background to a photo of Rick Astley.
Two weeks later, the similar Duh worm spread, which was "much more serious than the original Ikee worm because it is not limited to infecting iPhone users in Australia, and communicates with an internet Control & Command centre, downloading new instructions - effectively turning your iPhone into part of a botnet."
"Find and Call" (July 2012)
Find and Call (also called FindCall) was an app on the App Store that automatically uploaded users' contact lists to the company's server, then spammed those contacts with a link to the app ("from" that user). This undisclosed, unwanted behavior makes the software fit the definition of a trojan. Articles: Kaspersky SecureList, Ars Technica, Sophos NakedSecurity.
FinSpy Mobile (August 2012)
FinFisher is a suite of commercial surveillance tools sold to governments, which have been used to target activists and other people. The suite includes spyware tools for many mobile operating systems, including iOS.
AdThief/Spad (March and August 2014)
AdThief (also called Spad) is malware targeting jailbroken iOS devices, which "tweaks a developer ID that’s intended to tell ad developers when their ads are either viewed or clicked and in turn, generate revenue. In the malware’s case, infected devices funnel those small payments away from the developers to the hacker", as explained by Kaspersky Threatpost. Security researchers estimated it had infected 75,000 devices.
Unflod (April 2014)
Unflod (also called "Unflod Baby Panda" and "SSLCreds") is a malicious piece of software targeting jailbroken iOS devices. It attempts to capture the user's Apple ID and password by using MobileSubstrate to hook the SSLWrite function of Security.framework and listening to the data passed to it; once captured, the Apple ID and password are sent to a Chinese IP address. It was inadvertently discovered by a Reddit user on April 17th, 2014.
Hacking Team tools (June 2014 and July 2015)
Hacking Team is a company that "sells offensive intrusion and surveillance capabilities to governments and law enforcement agencies", including iOS spyware tools. The iOS spyware tools appear designed for targeting/attacking specific people, not for broad surveillance of the public. Their main tool (Remote Control System) requires a jailbroken device, and they were researching options for non-jailbroken devices.
AppBuyer (September 2014)
AppBuyer, as discussed in this article by Palo Alto Networks, is described as "malware [that] will connect to C&C server, download and execute malicious executable files, hook network APIs to steal user’s Apple ID and password and upload to the attacker’s server, and simulate Apple’s proprietary protocols to buy apps from the official App Store by victim’s identity." It targets jailbroken devices.
WireLurker and Masque Attack (November 2014)
As discussed at Misuse of enterprise and developer certificates: according to Palo Alto Networks, WireLurker is "a family of malware targeting both Mac OS and iOS systems for the past six months...It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning."
Masque Attacks are a related technique, also discussed by Palo Alto Networks: "an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier."
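The Masque Attack condition above (a sideloaded build that carries the same bundle identifier as an installed App Store app) and the WireLurker delivery pattern (enterprise-provisioned apps on a non-jailbroken device) can be checked from an app inventory. The following is an added example, not code from the wiki or from Palo Alto Networks; the inventory format, the `source` values and the team identifiers are constructed assumptions, standing in for whatever an MDM or device audit exports.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample inventory (not real device data): apps installed on the
# device plus apps offered for install, one per line as
#   bundle identifier, provisioning source, signing team identifier
INVENTORY = """\
# bundle_id,source,team_id
com.example.bank,appstore,TEAMBANK01
com.example.bank,enterprise,TEAMEVIL99
com.example.chat,appstore,TEAMCHAT02
com.example.internal,enterprise,TEAMCORP03
"""

SIDELOAD_SOURCES = ("enterprise", "adhoc")  # provisioning that bypasses App Store review


@dataclass(frozen=True)
class App:
    bundle_id: str
    source: str    # "appstore", "enterprise" or "adhoc"
    team_id: str


def parse_inventory(text):
    """Parse the comma-separated inventory, skipping blanks and # comments."""
    apps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bundle_id, source, team_id = (field.strip() for field in line.split(","))
        if source != "appstore" and source not in SIDELOAD_SOURCES:
            raise ValueError(f"unknown provisioning source: {source}")
        apps.append(App(bundle_id, source, team_id))
    return apps


def find_masque_collisions(apps, trusted_teams=frozenset()):
    """Return (kind, bundle_id, team_id) findings, sorted by bundle id.

    "masque": a sideloaded build shares its bundle identifier with an
              App Store app, so installing it would replace that app.
    "untrusted-enterprise": a sideloaded app signed by a team that is not
              on the organisation's allow-list (the WireLurker pattern).
    """
    by_bundle = defaultdict(list)
    for app in apps:
        by_bundle[app.bundle_id].append(app)
    findings = []
    for bundle_id, group in sorted(by_bundle.items()):
        has_store_app = any(a.source == "appstore" for a in group)
        for app in (a for a in group if a.source in SIDELOAD_SOURCES):
            if has_store_app:
                findings.append(("masque", bundle_id, app.team_id))
            elif app.team_id not in trusted_teams:
                findings.append(("untrusted-enterprise", bundle_id, app.team_id))
    return findings
```

Run with `find_masque_collisions(parse_inventory(INVENTORY), {"TEAMCORP03"})` the sample flags only the enterprise build of `com.example.bank`; the corporate app passes because its team is allow-listed.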
Xsser mRAT (December 2014)
Xsser mRAT is a piece of malware that targets jailbroken devices. As described by Akamai: "The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server."
XAgent (February 2015)
XAgent is a surveillance tool targeting specific people (such as people in governments, the military, and journalists) that can affect both non-jailbroken and jailbroken devices, as described in this article by Trend Micro. Also covered by PCWorld.
Lock Saver Free (July 2015)
Lock Saver Free is a free tweak, originally distributed on a default repository (removed from the repository after discovery of the problem), that installs an extra tweak that hooks into ad banners to insert its own ad identifier, presumably in order to give ad revenue to the author of the tweak instead of to the author of the website/app where the ad was found. Discussion on Reddit.
KeyRaider (August 2015)
KeyRaider, as discussed in this article by Palo Alto Networks, is a piece of malware for jailbroken devices that "steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device."
Tools developed as part of research
iSAM (June 2011)
iSAM is a malware tool developed by security researchers as a proof of concept. It affects both jailbroken and not-yet-jailbroken devices: it scans for jailbroken devices that have SSH running and the default root password, and it also includes a malicious version of the Star exploit (JailbreakMe 2.0) so it can jailbreak a device that isn't jailbroken yet.
Instastock (November 2011)
Charlie Miller, a security researcher, submitted an app to the App Store called Instastock to demonstrate "a flaw in Apple’s restrictions on code signing on iOS devices". The app was initially accepted and then pulled from the store.
Mactans (July 2013)
At the Black Hat 2013 conference, security researchers presented a tool called Mactans, a small device that looks like a charger but can insert malware if you plug an iOS device into it. The iOS device does not have to be jailbroken.
Tools for sale to the public
Copy9
Copy9 is a spying tool available to the public via the ModMyi repository (a default repository), authored by Copy9. Its description says it "will be installed on target iDevice to find out a thief, cheating spouses, monitor children/employees or simply backup data from your devices to our cloud server. This is the best spyware on the world in spying field."
iKeyGuard Key Logger
iKeyGuard Key Logger is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by iKeyGuard. Its description includes "Warning: Logging other people without their permission might be illegal in your country! Make sure you abide by your local law."
InnovaSPY
InnovaSPY is a spying tool available to the public via the ModMyi repository (a default repository), authored by Innovaspy. Its description says "Perfect iPhone spy app" and lists reasons to use it as "Protect your child from cyber predators" and "Find out THE TRUE from cheating spouse?" Related package: InnovaMonitor, a monitoring app for use with the spy tool.
mSpy
mSpy is a spying tool available to the public via the BigBoss repository (a default repository), authored by Mtechnology. Its description of itself: "mSpy is the best tracking and spy application that allows users to keep a check on the cell phone activities of their kids other family members or employees in order to avoid any unwanted behavior or for safety purposes."
OwnSpy
OwnSpy is a spying tool available to the public via the ModMyi repository (a default repository), authored by Antonio Calatrava. It describes itself as "Spy your own iPhone or iPad", with call recording, location tracking, and other features. It has a warning that says "Installing OwnSpy on a device that does not belong to you is a criminal offense and may be prosecuted. Mobile Innovations will help authorities if required."
Spy App
Spy App is a spying tool available to the public via the ModMyi repository (a default repository), authored by dmarinov. Its description includes "Remotely spy SMS, Emails, Call Logs, GPS Location, Key presses (Keylogger)" and other features. It says it is "absolutely invisible and undetectable."
SpyKey
SpyKey is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Kobi Snir. Its description includes "a simple app that lets you monitor your PC Keyboard activity in real time, Simply connect your iPhone to your computer using your Wifi or 3G connection and start monitoring."
Trapsms
Trapsms was an early spying tool available to the public, described in this post by a security researcher in July 2009. She says: "The spyware installs on any jailbroken iPhone. In Cydia (an iPhone front-end to help installing third-party applications), you first add the URL of the spyware's repository and then install the two spyware packages."