Chinese hackers put iOS in the crosshairs with novel attack angles

05.10.2015
For almost a year, Chinese hackers have leveraged a novel one-two punch to compromise iOS devices, including non-jailbroken iPhones, then seed them with adware, a security company said today.

The malware, dubbed "YiSpecter," was written in China by Chinese hackers, and what screen text was displayed was in Chinese, said Ryan Olson, director of the Unit 42 threat intelligence unit at Santa Clara, Calif.-based Palo Alto Networks, in an interview. The malware was distributed almost exclusively in the People's Republic of China (PRC) and Taiwan.

Palo Alto's Claud Xiao was the prime researcher behind the discovery of YiSpecter's capabilities. Xiao has been on a roll of late: He was also a driver behind the analysis of XcodeGhost, another adware campaign that used a different-but-just-as-unusual infection vector.

YiSpecter demonstrated what security experts had only posed in theory: iOS was open to attacks that not only circumvented Apple's vetting of apps, but could use undocumented and Apple-only APIs (application programming interfaces) to hide on an iPhone, masquerade as trusted apps, and hijack Safari and other apps to display unauthorized ads.

By combining a pair of attack vectors -- one that has been abused before, the other a first for iOS -- the hackers duped iPhone and iPad owners into installing malicious code, said Olson.

The malware exploited Apple's enterprise app distribution process, which was designed so that businesses could craft their own iOS apps, then dispense them to workers without having to go through Apple's approval process and stocking them on the public App Store.

Instead, enterprises are allowed to sign their apps with digital certificates that verify their identity -- the specific company, for instance -- which the device checks before allowing installation. Apple issues those certificates.

Criminals have been using the enterprise distribution end-around for more than a year with purloined or falsely obtained certificates, said Olson, notably in 2014's Wirelurker, which targeted both iOS and OS X devices.

What's unique about YiSpecter, said Olson, was that it paired the enterprise certificate tactic with one previously discussed only by academics.

The hackers abused what's called "private APIs" to add functionality to their malware.

Private APIs are those Apple keeps close to its vest. "They're inside iOS, but used only by Apple for its [own] apps, or APIs that are not ready for public use, or are actually called by a public API," explained Olson. In the latter case, the private API does the "heavy lifting," he added. "That prevents people from using the [private API]."

Private APIs are discoverable through a variety of techniques, and often don't stay secret for long -- particularly those that Apple has added to the iOS framework but hasn't yet released for public developer use.

The YiSpecter hackers exploited a number of private APIs to gain functionality inaccessible to standard iOS apps, including hiding their apps from Springboard, iOS's home page, so that they're virtually impossible to find and delete, and hijacking the logos and names of iOS system apps.

Apple scans submitted apps for private API use; when it detects them, it rejects the app. Apps that use private APIs and make it through vetting -- and onto the App Store -- can be bounced out and rendered useless on all iOS devices.

But because YiSpecter didn't shill its malware-infected apps through the official App Store -- using instead the enterprise certificate-and-distribution channel -- Apple played no part in the process. But users, faced only with a pop-up that asked them to click to continue downloading and installing such an app, typically breezed by the warning.

Result: Infected iOS devices, including those that had not been jailbroken, historically the route to most iOS infections, especially in the PRC and elsewhere in Asia.

There was little likelihood that the apps were downloaded outside the PRC and Taiwan, or by non-Chinese speakers, Olson said.

Still, it was a warning to Apple that its app vetting process and the enterprise distribution practice are under fire.

On the latter -- largely because of Wirelurker and other such attacks that exploited enterprise app delivery -- Apple made changes in iOS 9, the upgrade released last month, that makes those attacks more problematic.

In iOS 9, users must delve into the operating system's Settings app and make several explicit selections to allow apps to install outside the App Store.

"The change they made is going to be pretty effective [in stymying attacks]," said Olson. "Users must dig into Settings, and just because of all the steps, it will force users to think and work hard to enable it. Kudos to Apple."

The private API vector, however, will be more difficult to divert.

"Their vetting is not 100% perfect," Olson observed, pointing to a paper (download PDF) set for presentation next week by a team of Purdue University researchers. In the paper, the researchers examined more than 2,000 iOS apps in the App Store and found that nearly 150 -- or about 7% -- used private APIs. Yet they had made it through Apple's review process.

"Contrary to popular belief, a nontrivial number of iOS applications that violate Apple's terms of service exist in the App Store," the four Purdue researchers -- Zhui Deng, Brendan Saltaformaggio, Xiangyu Zhang and Dongyan Xu -- wrote in the paper they will present at the ACM Conference on Computer and Communications Security in Denver.

Olson said it would be hard for Apple to sniff out all private API use, in part because of how Objective C, the primary programming language used to create iOS and OS X apps, operates. Because of that difficulty, Olson worried that malware abusing private APIs demonstrated to such effect by YiSpecter, would proliferate.

"For a long time, Apple's 'walled garden' worked extremely well," Olson said. "But iOS devices are valuable, their users are valuable, so there are lots of eyeballs on it. No one ever expected [attackers] to roll over and give up. People just want to keep going for it."

While Olson was far from predicting the end of the world as we know it, others were even more sanguine.

"This does not signal the collapse of Apple's iOS security model," Trey Ford, global security strategist at Rapid7, argued in a Monday email. "Attackers know that focusing on edge cases, specifically exceptions like the 'in-house distribution' workflow using enterprise certificates, provide the most likely path to deployment."

Ford is more confident than Olson -- or the Purdue quartet -- that private APIs pose little threat if users stick to the basic rules of not straying outside the App Store and not jailbreaking a device.

Olson wasn't so sure, and talked about the focus of Chinese security experts, both white hats and black hats, on iOS. "Part of it is that there is just a tremendous amount of research into iOS in China," he said. "There are more jailbroken iPhones there, even now, than elsewhere, and Chinese researchers are more used to writing malware for iOS.

"It's a very interesting research community," Olson added. "This is not the end [of iOS exploitation attempts]. We should expect them to keep trying to implement these kinds of techniques."

More information about YiSpecter can be found in Xiao's analysis on Palo Alto Networks' website.

(www.computerworld.com)

Gregg Keizer