2.2 iOS Basic Static Analysis Part 1

Video Transcription
Now let's look at some instances of past iPhone malware. We'll begin by having a look at our timeline, and I just want to point out some of the interesting techniques used by malware authors to infect iPhones with malware. The first one we'll look at is the Ikee malware in 2009. This malware would install on jailbroken devices and take advantage of the default root password to install malware remotely. Once infected, the device's home Springboard image was changed to Rick Astley, so that was pretty interesting.

In 2014, the WireLurker malware abused a third-party application website to trojanize OS X applications. Once the OS X application was installed, the malware would then monitor the USB device connection and install malware on non-jailbroken devices.

In 2015 we have the XcodeGhost malware. This made use of a software bug in the Xcode application compiler. The malware actor then distributed the pirated version of Xcode to other developers, which they used to submit malicious applications to the App Store. This was unknown to the developers. This happened in China, and then, when users downloaded the application, they became infected.

In 2016 the AceDeceiver malware used a third-party desktop application to bypass certain digital rights management restrictions. This installed malicious apps on non-jailbroken devices and intercepted Apple IDs and login information.
So there you are. Those are a few instances of malware in the past that have been targeting iOS devices. Now remember, iOS malware only makes up about 1% of total malware infections. But you know, as new techniques are invented by malware authors every day, it's a possibility that this number could increase.

Now, how are these devices getting infected? Well, iOS attack vectors are similar to the ones we previously mentioned. But because iOS devices have a pretty good security model, in my opinion, malware authors need to come up with some pretty inventive ways to attack devices. Usually these techniques are implemented using a bit of social engineering, as the malware might require a user to install an app from a third-party website or something similar. The most traditional attack vectors make use of software vulnerabilities to perform malicious activities, like the jailbreak and API abuse. But what about the App Store, you may ask yourself? Well, how are these apps making their way into the App Store? It's crazy.

Well, there's a couple of ways that this may be happening. The first could be that the malware authors download these apps, unpack them, insert their malicious code into them, and then repack them and submit them using the same name. The code in it may be subtle enough that it's getting past the code reviews. Also, it could be that the app is repacked and it just has a connection that's going to download something additional.

In the case of enterprise certificates, enterprise certificates are used by companies that wish to distribute applications to large corporations or a lot of users. But to get one of these, not only does it cost about $300, but it also takes a phone call from Apple; they're trying to vet the companies. In some malicious instances, we've seen malicious authors who buy the certs, distribute their malware, and then seemingly just go out of business.
One of the first questions we should ask ourselves is why we're looking at this malware. Really, this is the first stage of our malware analysis; it's our initial analysis. If we know some of the details on how we got the malware, then it might help us during our basic analysis or even throughout the entire analysis process. Unfortunately, though, sometimes we have to go in blind, right? We may not know anything about the malware. This could be a good thing, or it could be a bad thing. But sometimes a lack of information can be just as important as what we have already attained.

All the steps we take, however, typically accomplish the same thing. We want to try to uncover static artifacts like URLs, C2s, names of libraries, file paths, et cetera, to create some type of hypothesis that we can test out later. But again, remember, the path you take will really be determined heavily by your analysis goals.
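The artifacts the lesson lists (URLs, C2s, library names, file paths) can be pulled out of an IPA without running it, and the same pass can tell you whether the app is enterprise-signed, which is the distribution route the enterprise-certificate discussion above describes. The script below is an added example written for this page; it is not part of the lesson or of Cybrary's material. It unpacks an IPA (a zip with a Payload/<name>.app/ directory), reads Info.plist, slices the XML plist out of embedded.mobileprovision to check the ProvisionsAllDevices flag that in-house profiles carry, and scrapes the main executable for URLs, filesystem paths and linked dylibs/frameworks. The sample IPA it builds in memory is constructed for the demo: the bundle name, team name, file paths and the 198.51.100.7 address are made up, and the "executable" is just a Mach-O magic followed by strings.

```python
"""Static triage of an iOS .ipa: bundle metadata, provisioning-profile flags
and strings (URLs, paths, linked libraries) scraped from the main executable.
Added example with a constructed sample IPA built in memory, so it runs offline."""
import io
import plistlib
import re
import zipfile

# Artifacts worth a first look: C2-style URLs, filesystem paths, and the
# dylibs/frameworks named in the Mach-O load commands.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-_/:?=&%]+")
PATH_RE = re.compile(rb"/(?:private|var|usr|etc|Library|System|Applications)/[A-Za-z0-9.\-_/]+")
DYLIB_RE = re.compile(rb"[A-Za-z0-9.\-_/]+\.(?:dylib|framework/[A-Za-z0-9.\-_]+)")
MACHO_MAGICS = (b"\xcf\xfa\xed\xfe", b"\xce\xfa\xed\xfe", b"\xca\xfe\xba\xbe")  # 64-bit, 32-bit, fat


def provisioning_plist(raw: bytes):
    """embedded.mobileprovision is a CMS-signed blob wrapping an XML plist.
    Slice the plist out by its markers (no signature check; this is triage)."""
    start, end = raw.find(b"<?xml"), raw.find(b"</plist>")
    if start < 0 or end < 0:
        return None
    return plistlib.loads(raw[start:end + len(b"</plist>")])


def analyze_ipa(ipa_bytes: bytes) -> dict:
    """Unpack an IPA (a zip with Payload/<name>.app/) and collect static artifacts."""
    report = {"urls": set(), "paths": set(), "libraries": set()}
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        names = z.namelist()
        apps = sorted({n.split("/")[1] for n in names
                       if n.startswith("Payload/") and n.split("/")[1].endswith(".app")})
        if not apps:
            raise ValueError("no Payload/*.app in archive")
        app = f"Payload/{apps[0]}"

        info = plistlib.loads(z.read(f"{app}/Info.plist"))
        report["bundle_id"] = info.get("CFBundleIdentifier")
        report["executable"] = info.get("CFBundleExecutable")
        # An ATS opt-out is a cheap signal that cleartext C2 traffic is tolerated.
        ats = info.get("NSAppTransportSecurity", {})
        report["allows_cleartext"] = bool(ats.get("NSAllowsArbitraryLoads", False))

        # In-house (enterprise) profiles carry ProvisionsAllDevices; that flag is
        # what lets an enterprise-signed app run on any non-jailbroken phone.
        prov_name = f"{app}/embedded.mobileprovision"
        prov = provisioning_plist(z.read(prov_name)) if prov_name in names else None
        report["team"] = (prov or {}).get("TeamName")
        report["enterprise_signed"] = bool((prov or {}).get("ProvisionsAllDevices", False))

        binary = z.read(f"{app}/{report['executable']}")
        report["is_macho"] = binary[:4] in MACHO_MAGICS
        for regex, key in ((URL_RE, "urls"), (PATH_RE, "paths"), (DYLIB_RE, "libraries")):
            report[key].update(m.group().decode("ascii") for m in regex.finditer(binary))
        report["paths"] -= report["libraries"]  # library paths are reported once, under "libraries"
    return {k: (sorted(v) if isinstance(v, set) else v) for k, v in report.items()}


def build_sample_ipa() -> bytes:
    """Constructed sample, not real malware: a minimal bundle with a fake
    enterprise profile and a fake executable that carries a few strings."""
    info = plistlib.dumps({
        "CFBundleIdentifier": "com.example.triage",
        "CFBundleExecutable": "Triage",
        "NSAppTransportSecurity": {"NSAllowsArbitraryLoads": True},
    })
    prov_plist = plistlib.dumps({"TeamName": "Example Holdings Ltd", "ProvisionsAllDevices": True})
    provision = b"\x30\x82\x00\x00" + prov_plist + b"\x00" * 8  # fake CMS wrapper around the plist
    strings = [b"http://198.51.100.7/gate.php", b"/var/mobile/Library/Preferences/.sync",
               b"/usr/lib/libSystem.B.dylib", b"/System/Library/Frameworks/UIKit.framework/UIKit"]
    binary = MACHO_MAGICS[0] + b"\x00" * 28 + b"\x00".join(strings) + b"\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Triage.app/Info.plist", info)
        z.writestr("Payload/Triage.app/embedded.mobileprovision", provision)
        z.writestr("Payload/Triage.app/Triage", binary)
    return buf.getvalue()


if __name__ == "__main__":
    import json
    # Replace build_sample_ipa() with open("sample.ipa", "rb").read() for a real file.
    print(json.dumps(analyze_ipa(build_sample_ipa()), indent=2))
```

On a real sample this mirrors what `unzip`, `strings`, `otool -L` and `security cms -D -i embedded.mobileprovision` give you on macOS. Two caveats a practitioner should keep in mind: string scraping finds nothing the author encrypted or built at runtime, and binaries pulled from the App Store are FairPlay-encrypted, so the `__TEXT` strings only appear after the app has been decrypted on a jailbroken device. An enterprise-signed IPA or a repackaged third-party download is usually unencrypted, which is exactly why the distribution routes in this lesson are the ones where basic static analysis pays off first.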
Mobile Malware Analysis Fundamentals

In the Mobile Malware Analysis Fundamentals course, participants will obtain the knowledge and skills to perform basic malware analysis on mobile devices. Participants will perform these tasks by learning and implementing tools and techniques while examining malicious programs.
