Pawn Storm: Malware on iOS devices?
Axelle Apvrille - FortiGuard Labs, Fortinet
Insomni’hack, Geneva, March 2015

Who am I?
- Security Researcher at Fortinet, FortiGuard Labs
- Focus: (strange) malware not on desktops/laptops
- E.g. mobile malware, Internet of Things...
- Twitter: @cryptax
Insomni’Hack 2015 - A. Apvrille 2/32

Frequently Asked Questions
Are there malware on iOS?
Answer: Yes, but not many

Frequently Asked Questions
They’re all for jailbroken phones, aren’t they?
No, but very rare. iOS/FindCall (2012), found (and removed) in the Apple Store:
- Spams all your contacts
- Sends your (email/skype/...) passwords and location in cleartext

Other samples for non jailbroken iPhones
- Adware/LBTM!iPhoneOS (2010)
- iPhoneOS/Toires.A!tr.spy: Nicolas Seriot, CH, 2009, PoC

PoC Jekyll malicious app on non jailbroken iPhones
Credits: Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke Lee - Georgia Tech
”Jekyll on iOS: When Benign Apps Become Evil”, USENIX Security 2013

Does PawnStorm run on non jailbroken iPhones?
Yes and No ;)
- Version A: will work, but with limits.
- Version B: requires jailbreak.

What’s Pawn Storm?
The Operation
- Cyber espionage operation
- Discovered by Trend Micro in October 2014
- Targets military officials, government, defense industries
iOS malware
- Feb 4, 2015: Trend Micro discovers two iOS samples
- Version A: XAgent - hidden trojan spyware
- Version B: madcap.dylib - malicious Cydia Substrate extension

What happens when iOS/PawnStorm.A!tr is launched?
Credits: Ole Begemann
(Diagram of the app launch sequence: XAppDelegate, then XAViewController)

didFinishLaunchingWithOptions: Background Fetching

Background Fetching and Multi-Tasking
Background Fetching in Info.plist:
```xml
<key>UIBackgroundModes</key>
<array>
    <string>fetch</string>
</array>
```
Multi-tasking (UIApplicationDelegate callbacks):
- applicationWillResignActive
- applicationDidEnterBackground
- applicationWillEnterForeground
- applicationDidBecomeActive
- ...

viewDidLoad in XAViewController
Next method called: viewDidLoad
1. Instantiate XA HTTP Chanel: calls getAgentID, which retrieves a UUID:
```objc
NSUUID *vendorIdentifier = [[UIDevice currentDevice] identifierForVendor];
uuid_t uuid;
[vendorIdentifier getUUIDBytes:uuid];
```
2. Creates a thread:
```objc
modulesThread_thread = [[NSThread alloc] initWithTarget:self
                                              selector:@selector(modulesThread:)
                                                object:nil];
```
modulesThread calls cycleLoop of XAInfoIphone

CycleLoop
It’s a big switch:
0 Get Info Device
1 Start Record
2 Get Audio File
3 Get Contact List
4 Current Location
5 Get Installed Apps
6 Wifi Status
7 Get All Pictures From Lib.
8 List a given directory
9 Get a given file
10 Get process list
11 Get SMS

Example: Get All Pictures from Photo Library

Getting Pictures from the Photo Library
From disassembly:
```c
alasset_obj = &OBJC_CLASS___ALAssetsLibrary;
...
v18 = (void *)alassetslib->library;
...
objc_msgSend(v18,
             "enumerateGroupsWithTypes:usingBlock:failureBlock:", ...);
```
User authorization is not requested. A check such as
```objc
if ([ALAssetsLibrary authorizationStatus])
{
    // Library Access code goes here
}
```
is nowhere to be seen in the malware’s code.

Get GPS coordinates
Since iOS 8, an additional requestAlwaysAuthorization must be requested

Get SMS messages

Get Installed Applications
To get outside the sandbox → jailbreak

Get Installed Applications - Objective C version
Pseudo Objective C code:
```objc
static NSString *const cacheFileName =
    @"com.apple.mobile.installation.plist";
NSString *relativeCachePath = [[@"Library"
    stringByAppendingPathComponent:@"Caches"]
    stringByAppendingPathComponent:cacheFileName];
// "../.." climbs out of the app's own container: the sandbox
// blocks this on a non-jailbroken device
NSString *path = [[NSHomeDirectory()
    stringByAppendingPathComponent:@"../.."]
    stringByAppendingPathComponent:relativeCachePath];
```

List Directory
Pseudo decompiled code:
```c
nsfileman_obj = &OBJC_CLASS___NSFileManager;
defaultMan = "defaultManager";
v105 = objc_msgSend(nsfileman_obj, defaultMan);
...
v104 = objc_msgSend((void *)v202,
                    "contentsOfDirectoryAtPath:error:",
                    path,
                    &error);
...
/* the listing is formatted as an HTML table before being sent */
v84 = objc_msgSend(&OBJC_CLASS___NSString,
                   "stringWithFormat:",
                   CFSTR("<table><caption color=blue> Directory: %@ </caption>"),
                   path);
```
Sandboxing limits the listing to /private/var/mobile/Applications/THEAPP (the app’s own container).

Get Device Info
Pseudo decompiled code in XAInfoIphone getInfoDevice:
```c
telephony_obj = objc_msgSend(
    &OBJC_CLASS___CTTelephonyNetworkInfo,
    "alloc");
v1223 = objc_msgSend(telephony_obj, "init");
...
subscriberProvider = "subscriberCellularProvider";
...
v1449 = objc_msgSend(v1153, subscriberProvider);
...
v1448 = objc_msgSend((void *)v9, "mobileNetworkCode");
...
v1447 = objc_msgSend(v12, "mobileCountryCode");
```

Get Phone Number
Later in XAInfoIphone getInfoDevice:
The phone number is read from /private/var/wireless/Library/Preferences/com.apple.commcenter.plist (the ”PhoneNumber” key). This file is out of the sandbox → requires jailbreak.

Hiding the icon
The application icon does not appear on the home screen:
```xml
<key>SBAppTags</key>
<array>
    <string>hidden</string>
</array>
```
Limitations
- Known not to work on iOS 8
- Hidden tag is easy to detect → Apple bans it from Apple Store
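The two Info.plist markers shown on this slide and on the "Background Fetching and Multi-Tasking" slide (the `fetch` background mode and the `hidden` SBAppTags value) are easy to check for when triaging an unpacked IPA. The scanner below is an added example, not code from the talk or from the sample; the plist it scans is constructed here to carry both markers, and `scan_info_plist` is a name chosen for this example.

```python
"""Flag the two Info.plist markers discussed in the talk:
UIBackgroundModes containing "fetch" (periodic background polling) and
SBAppTags containing "hidden" (icon hidden from the home screen)."""
import plistlib

# Constructed sample Info.plist for this example (not the real XAgent plist).
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.constructed-sample</string>
  <key>UIBackgroundModes</key>
  <array>
    <string>fetch</string>
  </array>
  <key>SBAppTags</key>
  <array>
    <string>hidden</string>
  </array>
</dict>
</plist>
"""

# Constructed benign plist: a background audio app with a visible icon.
BENIGN_INFO_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.benign",
    "UIBackgroundModes": ["audio"],
})


def scan_info_plist(data):
    """Parse Info.plist bytes and return a dict with the bundle id, two
    boolean flags and a human-readable list of findings."""
    info = plistlib.loads(data)
    result = {
        "bundle_id": info.get("CFBundleIdentifier"),
        "background_fetch": False,
        "hidden_icon": False,
        "findings": [],
    }
    modes = info.get("UIBackgroundModes", [])
    if "fetch" in modes:
        result["background_fetch"] = True
        result["findings"].append(
            "UIBackgroundModes contains 'fetch': the app can be woken "
            "periodically to poll a server (legitimate on its own)")
    tags = info.get("SBAppTags", [])
    if "hidden" in tags:
        result["hidden_icon"] = True
        result["findings"].append(
            "SBAppTags contains 'hidden': icon hidden from the home screen "
            "(private key, rejected by App Store review)")
    return result


if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_INFO_PLIST), ("benign", BENIGN_INFO_PLIST)):
        r = scan_info_plist(blob)
        print(label, r["bundle_id"], r["findings"] or "nothing flagged")
```

Background fetch by itself is a legitimate capability, so the scanner reports it as context rather than as a verdict; the hidden tag is the stronger signal, and as the slide notes it stops working on iOS 8 anyway.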

Features of XAgent that require jailbreak
Requires jailbreak
- Read SMS database
- Read com.apple.commcenter.plist for phone number
- Hiding icon
Limited without jailbreak
- List content of directory
- Retrieve file

Features of XAgent that require user authorization
Malware does not ask these authorizations
Will not work (unless granted from elsewhere)?
- Get Photos from library. Should request requestRecordPermission
- Geolocation. Authorization needed for iOS 8.
- Record voice. Should request requestRecordPermission
Malware asks for these authorizations
- Read lists of contacts. Code requires authorization via ABAddressBookRequestAccessWithCompletion

Features of XAgent which should work fine
- Get model, name, systemName, systemVersion, localizedModel via UIDevice
- Test for existence of jailbreak via /private/var/lib/apt
- List running process via call to Unix command sysctl
- WifiStatus via calls to Reachability API
- Background fetching of C&C URLs
- Take screenshots??? (not called)

Communication with C&C
(Diagram: iPhone infected with Pawn Storm ↔ C&C. HTTP GET fetches commands, HTTP POST uploads info.)
hxxp://198.27XXXXXX/watch/?ai=<BASE 64 of RC4 data>
Other paths: close/?, search/?, find/?, ...
Other parameters: text=, from=, utm=
Key: 50 bytes
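When this beacon format shows up in captured proxy logs, an analyst wants to recover the cleartext from the `ai=` (or `text=`, `from=`, `utm=`) parameter: strip the base64 layer, then RC4 with the key extracted from the sample. The decoder below is an added example, not code from the talk; the RC4 routine is the standard algorithm, the 50-byte key and the host name are constructed placeholders (the real key is not reproduced here), and `decode_beacon` / `make_beacon` are names chosen for this example.

```python
"""Decode XAgent-style beacon URLs: <path>/?<param>=base64(RC4(key, data)).
RC4 is symmetric, so the same routine encrypts (to build a test URL) and decrypts."""
import base64
from urllib.parse import urlsplit, parse_qs, quote


def rc4(key, data):
    """Textbook RC4: key-scheduling algorithm, then the keystream generator."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Constructed 50-byte key for this example; the sample's real key must come
# from the analyst's own extraction of the binary.
SAMPLE_KEY = bytes(range(1, 51))

# Paths and query parameters named on the slide.
BEACON_PATHS = ("/watch/", "/close/", "/search/", "/find/")
BEACON_PARAMS = ("ai", "text", "from", "utm")


def decode_beacon(url, key):
    """Return (path, parameter, decrypted bytes) for a URL matching the beacon
    pattern, or None when the URL does not look like a beacon."""
    # Defanged "hxxp://" is common in reports and logs; normalise before parsing.
    parts = urlsplit(url.replace("hxxp://", "http://", 1))
    if parts.path not in BEACON_PATHS:
        return None
    qs = parse_qs(parts.query)
    for name in BEACON_PARAMS:
        if name in qs:
            blob = base64.b64decode(qs[name][0])
            return parts.path, name, rc4(key, blob)
    return None


def make_beacon(host, path, name, payload, key):
    """Build a beacon URL the same way, so the decoder can be exercised offline.
    The base64 text is percent-encoded so '+', '/' and '=' survive the query string."""
    blob = base64.b64encode(rc4(key, payload)).decode("ascii")
    return "hxxp://%s%s?%s=%s" % (host, path, name, quote(blob, safe=""))


if __name__ == "__main__":
    # Constructed host name; the slide's real address is redacted.
    url = make_beacon("c2.example.invalid", "/watch/", "ai",
                      b"constructed beacon body", SAMPLE_KEY)
    print(url)
    print(decode_beacon(url, SAMPLE_KEY))
```

Because RC4 is a stream cipher, a wrong key yields garbage rather than an error, so the decoder is best paired with a plausibility check on the output (printable text, an expected field layout) before trusting it.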

Who wrote Pawn Storm?
Indications
- BuildMachineOSBuild 13E28: 10 possibilities: iMac, MacBook Pro, MacBook Air...
- /Users/mac/Desktop/work/IOS PROJECT
- XAgent-azeuhvvhelifolbyqbjqwuwimdho?
- DTXcodeBuild 5B1008: Xcode 5.1.1
- Implementation. Intended for jailbroken iOS 7.x?
- Many typos: XA HTTP Chanel, runningProcecces, generateUrlParametrs
- Grammar: ”Host not exist”...

Am I safe from iOS/PawnStorm?
YES ... probably!
```python
def safeFromPawnStormA(targeted, ios_version, jailbroken):
    # targeted: military official, defense contractor, etc.
    if targeted:
        if ios_version >= 8:
            print("Do you have an XAgent icon?")
        elif ios_version >= 7.1:
            if jailbroken:
                print("Check your iPhone")
            else:  # only parts of XAgent can work
                print("Probably safe, check to be sure")
        else:
            print("Probably ok")
    else:
        print("You're not targeted, so probably safe")
```

PawnStorm: so, what’s all this fuss? (and FUD?)
It’s a TARGETED malware!
Not for the masses
Its importance depends ... on the target!
Quoting myself from Fortinet’s blog:
”it is unlikely you’ll be affected because the malware probably wasn’t distributed massively, but only to targeted victims”
”it is very unlikely the malware could have been on the Apple Store”
Not my fault if anything concerning iOS gets more attention in the press, is it? ;P

Quick recap
Am I infected with Pawn Storm? Probably not
Was Pawn Storm on the Apple Store? No
What version is it for? iOS 7.1 and +
Does it run on non jailbroken iPhones? Yes, but with limits
... And on jailbroken iPhones? Yes !!!
Can I spot it? On iOS 8, yes, otherwise difficult
Who coded it? We don’t know
Is iOS safe from malware? No !!!
Is Android less safe than iOS? Perhaps. Difficult question

Thank You !
Contact info
@cryptax or aapvrille (at) fortinet (dot) com
References and interesting links
- Blog post from Trend Micro
- Blog post on Fortinet
- Wang et al, Jekyll on iOS, USENIX Security 2013
- C. Livitt, Rethinking & Repackaging iOS Apps: Part 1, Feb 2015
- Zheng et al, Enpublic Apps: Security Threats Using iOS Enterprise and Developer Certificates, ASIA CCS 2015
Thanks to: Claud Xiao, Ruchna Nigam, Nicolas Seriot, Trend Micro
PowerPoint? No way! This is Lobster