We want to warn our users about new malware for iOS called WireLurker, which ESET products detect as iOS/WireLurker.A. Palo Alto Networks was the first to report this malware and its distribution mechanisms. The main infection vector for iDevices is a compromised computer running OS X. OS X, in turn, is compromised through malicious applications that were placed in a third-party OS X application store called “Maiyadi App Store”. The OS X components of this malware are detected by us as OSX/WireLurker.A.

An iOS device is infected when it is connected over USB to a compromised computer running OS X. For this, the malware uses the libimobiledevice library, which provides the ability to communicate with an iOS device over USB. Note that the malware module that installs the libimobiledevice service into the system must obtain root privileges, which does not happen if the user relies on the standard OS X security mechanisms. Neither OSX/WireLurker.A nor iOS/WireLurker.A uses any exploits to obtain root privileges in iOS or OS X.
The key feature of OSX/WireLurker.A is its ability to infect iOS without a jailbreak. Using the library mentioned above and a mechanism known as “enterprise provisioning”, it installs applications onto the device in IPA format. Applications for iOS delivered in this format can be installed on the device bypassing the App Store, but for this they must be signed with a digital certificate issued by Apple, which the attackers did (even in this scenario, however, the user must confirm the installation of the program in iOS). At the moment, the certificate has already been revoked by Apple.
Fig. Information about the revoked digital certificate (\Payload\PPAppInstall_qudaobao.app\embedded.mobileprovision).

Fig. Part of the embedded.mobileprovision file used to create the enterprise provisioning profile in iOS.
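The enterprise provisioning mechanism described above leaves a trace that a defender can check: every app installed this way carries an embedded.mobileprovision file inside the .app bundle, whose ProvisionsAllDevices flag marks it as an in-house (enterprise) profile rather than an App Store, development or ad-hoc one. The following script is an added example, not code from ESET or from the WireLurker analysis; it builds a constructed IPA in memory with a made-up profile (all names, team identifiers and dates are placeholders), pulls the profile's plist out of its signed envelope, and reports what kind of distribution it permits and whether it has expired. It does not verify the CMS signature or the certificate's revocation status, which on OS X you would do separately with `security cms -D -i embedded.mobileprovision` and a check against Apple's certificate chain; the placeholder envelope bytes used here are not valid DER.

```python
import io
import plistlib
import zipfile
from datetime import datetime

# Constructed sample profile plist. The keys mirror the ones Apple uses in
# real provisioning profiles, but every value is made up; this is not the
# profile from the blog post.
SAMPLE_PROFILE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>AppIDName</key><string>Example In-House App (constructed)</string>
  <key>Name</key><string>Example Enterprise Profile (constructed)</string>
  <key>TeamName</key><string>EXAMPLE-TEAM (constructed)</string>
  <key>TeamIdentifier</key><array><string>EXAMPLETEAM</string></array>
  <key>ProvisionsAllDevices</key><true/>
  <key>ExpirationDate</key><date>2015-11-01T00:00:00Z</date>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>EXAMPLETEAM.com.example.app</string>
    <key>get-task-allow</key><false/>
  </dict>
</dict>
</plist>
"""

# Placeholder bytes standing in for the CMS (PKCS#7) envelope that wraps a
# real profile; they are not a valid DER structure.
FAKE_CMS_HEADER = b"\x30\x82\x00\x00placeholder-cms-envelope"
FAKE_CMS_TRAILER = b"placeholder-signature\x00\x00"


def build_sample_ipa() -> bytes:
    """Build an in-memory IPA (a zip archive) containing the constructed profile."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Payload/ExampleApp.app/embedded.mobileprovision",
                   FAKE_CMS_HEADER + SAMPLE_PROFILE_PLIST + FAKE_CMS_TRAILER)
    return buf.getvalue()


def extract_plist_bytes(blob: bytes) -> bytes:
    """Slice the XML plist out of the signed envelope.

    A real profile is CMS SignedData whose content is the plist verbatim, so
    locating '<?xml' ... '</plist>' recovers it. The signature is not checked.
    """
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < start:
        raise ValueError("no plist payload found in profile")
    return blob[start:end + len(b"</plist>")]


def classify_profile(profile: dict, now_date: str) -> dict:
    """Report the distribution type the profile permits and flag risk indicators.

    now_date is an ISO date ("YYYY-MM-DD") for the expiry check, so results are
    reproducible.
    """
    now = datetime.strptime(now_date, "%Y-%m-%d")
    findings = []
    if profile.get("ProvisionsAllDevices"):
        kind = "enterprise-inhouse"
        findings.append("in-house enterprise profile: installs on any device bypassing the App Store")
    elif "ProvisionedDevices" in profile:
        kind = "development-or-adhoc"
        findings.append(f"profile limited to {len(profile['ProvisionedDevices'])} listed device(s)")
    else:
        kind = "other"
    expiry = profile.get("ExpirationDate")  # plistlib yields a naive datetime
    expired = expiry is not None and expiry <= now
    if expired:
        findings.append(f"profile expired on {expiry.date().isoformat()}")
    entitlements = profile.get("Entitlements", {})
    if entitlements.get("get-task-allow"):
        findings.append("get-task-allow entitlement set: debuggable build")
    return {
        "profile_kind": kind,
        "profile_name": profile.get("Name"),
        "team_name": profile.get("TeamName"),
        "app_id": entitlements.get("application-identifier"),
        "expired": expired,
        "findings": findings,
    }


def inspect_ipa(ipa_bytes: bytes, now_date: str) -> dict:
    """Locate embedded.mobileprovision inside an IPA and classify it."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        names = [n for n in z.namelist()
                 if n.startswith("Payload/") and n.endswith(".app/embedded.mobileprovision")]
        if not names:
            return {"profile_kind": "none", "expired": False,
                    "findings": ["no embedded provisioning profile in IPA"]}
        profile = plistlib.loads(extract_plist_bytes(z.read(names[0])))
    return classify_profile(profile, now_date)


if __name__ == "__main__":
    for key, value in inspect_ipa(build_sample_ipa(), "2014-11-07").items():
        print(f"{key}: {value}")
```

Run against a real IPA by replacing `build_sample_ipa()` with the file's bytes; an "enterprise-inhouse" result for an app the user never obtained from their organisation is the signal worth escalating, since that is exactly the distribution path a signed-but-unwanted installer like the one described here relies on.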
If the device is jailbroken, OSX/WireLurker.A installs the malicious sfbase.dylib library (iOS/WireLurker.A) into the iOS file system. The iOS file system is accessed through the AFC2 service, which runs on jailbroken devices with root privileges and therefore allows direct access to the file system.
We recommend not using third-party OS X app stores that do not perform security checks on the apps they host, and not jailbreaking iOS, since a jailbreak undermines the security of the whole device and allows full access to the file system, bypassing iOS security mechanisms.

Stay safe.