All right, with the first module in our rear view, in module two we're completely focused on malware. We'll start here with a little refresher on malware, with some theory and processes mixed in, and then we'll dive into the analysis of binaries for iOS and Android.
Now, before we begin, I should say that up to this point we haven't needed any specific hardware to analyze these malware samples. That's going to change now: to really have a look at iOS binaries we're relying on a Mac or a jailbroken device. But if there are any points at which you can use Linux or any other platform, I'll be sure to let you know. So let's begin.
Let's begin module two with a quick malware refresher. So what is malware? Well, in our instance, malware is any type of software used to disrupt or gain unauthorized access to a mobile device, "mobile device" of course being the key phrase here.
Malware comes in many forms, and in our case we'll want to focus on the ones that specifically target mobile devices, like ransomware, banking trojans, SMS-type malware, click-fraud type malware, spyware and adware. So what do these pieces of malware do? Traditionally you may think of malware as a virus or a worm, but with mobile malware we have different applications with windows and pop-ups that deliver adware and spyware.
We have banking malware, which attempts to steal your credentials or financial website information. We've got ransomware that demands payment after a device has been encrypted, and we even have SMS malware that will intercept or send messages to others without your knowledge.
Threat vectors come in a variety of ways, such as phishing and malvertising, and malware authors are coming up with new ones every day. But the most common way malware gets on our device is by user interaction.
A good example of this was in our jailbreaking demonstration from earlier. If you think about it, within a few clicks I was verifying that I wanted third-party code arriving on my device, and within seconds, well, okay, minutes (the jailbreak worked the second time), my device was jailbroken and I could install lots of different utilities.
Which brings me to one last point: usually with jailbreaking we're able to sideload apps, meaning I can download them and then install them with my computer. If I get this app from a third-party repository and the code hasn't been inspected by Google or Apple, we run the risk of being infected. But sometimes, really, the vendor route isn't safe either, as we'll see: the vendors' app stores really aren't perfect either.
This process is even simpler with Android. With Android we don't even need to root the phone to sideload applications.
To be able to analyze malware, we need to ask the question: well, what is malware analysis? And trust me, I get this question a lot, and actually, depending on who you ask, you might even get a different answer. But malware analysis is the act of analyzing a piece of software to determine its functionality and its origins.
For me, I like to try and look at the psychology of malware analysis. Honestly, when I look at malware, I try to understand not only the functionality but why the malware author implemented a certain feature a certain way. People call malware analysis a science, and some say it's an art form. For me, I think it's a bit of both, right? When I'm analyzing malware, yes, I like to take a structured approach by testing a hypothesis and observing results, but I may also need to think creatively and adapt my individual steps to overcome a certain analytical challenge.
Really, my analysis process takes two forms: malware analysis or reverse engineering, or a mixture of both. While both achieve similar results, when reverse engineering we typically look at the code of an application and rely more on advanced static analysis techniques.
The type of analysis is typically dictated by you and your analysis objectives. Before you start the malware analysis process, you should typically take at least a few minutes to mentally decide what the goals of your analysis are.
Are you looking to have just an overview of the basic functionality of the malware so you can clean it off a corporate device and then block the malicious domains it contacts, for instance? Or maybe you'll be writing a technical report for your management team, and you need to give an in-depth code analysis or a fine-grained, technically detailed report. Maybe you've just come up with a new mobile malware installation technique, and you want to blog about it.
Whatever your goal may be, and whichever analysis path you choose, I would recommend you follow some basic guidelines, and I've listed some here. First and foremost, make sure you handle malware safely. The last thing you want to do is infect your everyday environment, or worse, someone else's.
A popular method among analysts to handle files properly is to zip and encrypt the malware with a password of "infected". You may also want to change the file name to its hash to make it simpler for verification. Also, you should verify the hash to make sure the file you're working on is actually the one you should be working on.
Next, don't forget to execute your malware in a safe environment. This can be done in a corporate malware sandbox, by using an online sandbox, or maybe you're going to be building a lab yourself like we will later. While you perform malware analysis, make sure you record your findings and write them down when they happen.
Trust me, sometimes as analysts you can fall down the rabbit hole, and when it happens, you want to make sure you know how you got there.
Lastly, be humble, make some mistakes, ask some questions and get some help when you need it.
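The sample-handling steps above, as an added shell example that is not part of the course material: rename the sample to its SHA-256 hash, write a small hash manifest, wrap it in a password-protected zip (password "infected", as the lecture describes) when the `zip` tool is present, and verify the hash before work starts. The function names and the `.sha256` manifest file are my own choices.

```shell
#!/bin/sh
# Added example (not from the course): quarantine a malware sample the way
# the lecture describes, i.e. rename it to its SHA-256 hash, keep a manifest,
# archive it with the password "infected", and verify the hash before analysis.

# Portable SHA-256: sha256sum on Linux, shasum on macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Rename the sample to <sha256> in the same directory, write <sha256>.sha256
# in `sha256sum -c` format, zip it with the conventional password when `zip`
# is available, and print the new path so callers can keep working with it.
quarantine_sample() {
    sample="$1"
    dir=$(dirname "$sample")
    hash=$(sha256_of "$sample")
    dest="$dir/$hash"
    mv "$sample" "$dest"
    printf '%s  %s\n' "$hash" "$(basename "$dest")" > "$dest.sha256"
    # Encrypted archive so the raw sample is not accidentally opened or scanned.
    if command -v zip >/dev/null 2>&1; then
        zip -q -j -P infected "$dest.zip" "$dest"
    fi
    printf '%s\n' "$dest"
}

# Return 0 only when the bytes on disk still hash to the name the file carries.
verify_sample() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$(basename "$1")" ]
}
```

Run `verify_sample` again whenever a sample is copied between hosts; a mismatch means you are not looking at the file you think you are.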
Now let's look at some instances of past iPhone malware. We'll begin by having a look at our timeline, and I just want to point out some of the interesting techniques used by malware authors to infect iPhones. The first one we'll look at is the iKee malware. In 2009 this malware would install on jailbroken devices and take advantage of the default root password to install malware remotely. Once infected, the device's home SpringBoard image was changed to Rick Astley, so that was pretty interesting. In 2014, the WireLurker malware abused a third-party application website to trojanize OS X applications.
Once the OS X application was installed, the malware would then monitor the USB device connection and install malware on non-jailbroken devices.
In 2015 we have the XcodeGhost malware. This made use of a software bug in the Xcode application compiler. The malware actor then distributed the pirated version of Xcode to other developers, which they used to submit malicious applications to the App Store. This was unknown to the developers. This all happened in China, and then, when users downloaded the applications, they became infected.
In 2016 the AceDeceiver malware used a third-party desktop application to bypass certain digital rights management restrictions. This installed malicious apps on non-jailbroken devices and intercepted Apple IDs and login information.
So there you are, a few instances of malware in the past that have been targeting iOS devices. But remember, iOS malware only makes up about 1% of total malware infections. As new techniques are invented by malware authors every day, though, it's a possibility that this number could increase.
Now, how are these devices getting infected? Well, iOS attack vectors are similar to the ones we previously mentioned. But because iOS devices have a pretty good security model, in my opinion, malware authors need to come up with some pretty inventive ways to attack devices. Usually these techniques are implemented using a bit of social engineering, as the malware might require a user to install an app from a third-party website or something similar.
The most traditional attack vectors make use of software vulnerabilities to perform malicious activities, like the jailbreak and API abuse. But what about the App Store, you may ask yourself? How are these apps making their way into the App Store? It's crazy. Well, there are a couple of ways this may be happening. The first could be that the malware authors download these apps, unpack them, insert their malicious code into them, then repack them and submit them using the same name. The code in them may just be subtle enough that it's getting past the code reviews. Also, it could be that the app isn't repacked, and it just has a connection that's going to download something additional.
In the case of enterprise certificates, these are used by companies that wish to distribute applications to large corporations or a lot of users. But to get one of these, not only does it cost about $300, it also takes a phone call from Apple; they're trying to vet the companies.
In some malicious instances, we've seen malicious authors who buy the certs, distribute their malware and then seemingly just go out of business.
One of the first questions we should ask ourselves is: why are we looking at this malware? Really, this is the first stage of our malware analysis; it's our initial analysis.
If we know some of the details of how we got the malware, then it might help us during our basic analysis or even throughout the entire analysis process. Unfortunately, though, sometimes we have to go in blind, right? We may not know anything about the malware. This could be a good thing, or it could be a bad thing. But sometimes a lack of information can be just as important as what we have already attained.
All the steps we take, however, typically accomplish the same thing: we want to try to uncover static artifacts like URLs, C2s, names of libraries, file paths, et cetera, to create some type of hypothesis that we can test out later. But again, remember, the path you take will really be determined heavily by your analysis goals.