July 10, 2015

Jailbreaking not a requirement for infecting iPhones with Hacking Team spyware

This week, the security world exploded with the news that Hacking Team, a vendor of Italian spyware — software that captures Skype, message, location, social media, audio, visual, and more data, and is marketed as “stealth” and “untraceable” — was hacked.

One of the major takeaways is that a significant number of governments in the world, Hacking Team’s customers, are actively seeking to compromise iOS and Android devices, likely to access the trove of data stored on or accessed by these mobile devices.

When it comes to iOS, public reports to-date have claimed that the Hacking Team spyware can only infect jailbroken iOS devices. In an effort to educate iOS users about the potential risks, we did some additional research and determined this is not the case.

While Apple does an admirable job protecting users from most malicious software, the fact is that non-jailbroken devices can be infected with Hacking Team’s spyware too.

Up until a couple of days ago, when Apple rightfully revoked it, Hacking Team possessed an Apple enterprise certificate, which allows apps signed with that certificate to be installed on any iOS device, jailbroken or not. Hacking Team used this certificate to sign an app that is actually spyware, hidden inside the native Newsstand app, so that it could be distributed to any iOS device. This is despite Hacking Team’s own claims, from a likely outdated pricing sheet included in the dump, that target iOS devices need to be jailbroken.

What’s an enterprise certificate?
Apple created enterprise certificates to allow enterprises to develop and distribute custom apps without requiring Apple’s review and App Store distribution. This is a standard practice among enterprises that create and distribute their own apps to employees. Enterprises are supposed to install these apps only on employee devices, but technically an enterprise certificate can be used to install an app on any iOS device. When this enterprise certificate program is abused, it circumvents the excellent job Apple does in vetting apps for security issues and creates an avenue for the distribution of malicious software.

For its part, Apple created security warnings to inform users before they install apps from outside the App Store. The challenge, however, is that recent research states that people are getting increasingly conditioned to ignore these security warnings.

Here’s what the warning looks like when Hacking Team’s fake Newsstand app is installed on a non-jailbroken iPhone:
[Screenshot: the iOS warning shown when the fake Newsstand app is installed]

Once a user clicks “trust,” the app is fully functional on the non-jailbroken iPhone.

iPhone users can get apps from outside the App Store?
Yes, people can sideload apps onto non-jailbroken phones. Through apps signed by enterprise or developer certificates, iOS users can get apps installed on their devices that circumvent the fundamental security measures Apple has built into the App Store. Indeed, because the App Store is a relatively secure environment, most of the more recent iOS threats that have affected non-jailbroken devices have infected them by abusing the iOS enterprise distribution method. It’s always paramount that people trust the source of their applications — whether it’s an app store, their IT department or another third-party.

How does Hacking Team get its spyware onto non-jailbroken iPhones?
It appears there are three ways Hacking Team could get its spyware onto iOS devices:

  • An OS X app sideloads an iOS app automatically to a device when it’s plugged in via USB. This also appears to be bundled with a jailbreak exploit that may work on older versions of iOS.
  • There is a Windows desktop app that appears to do the same.
  • By clicking on a link to download from a website, email, etc. on the mobile device.

With this specific attack, we believe physical access to the device was required, but Hacking Team’s possession of an enterprise certificate means that there’s the potential for other flavors of this attack that could be delivered via a web browser (drive by download), phishing email or other remote means.

Once on the device, the app installs itself as a newspaper in the native Newsstand app with an invisible icon and a blank app name.

Here, the Newsstand looks empty:

[Screenshot: the Newsstand appears empty]

However, one can see the app is really there in the Newsstand and the General Settings pane, shown below:

[Screenshot: the hidden app listed in Newsstand and in the General Settings pane]

Once installed, the app openly asks for permission to access the data it wants. At that point, it starts tracking the user’s location, calendar and contacts.

[Screenshot: the app requesting permission to access location, calendar and contacts]

The app asks for permission to access all of this information, so it is likely that the attack vector for this app involves installing it secretly on a target’s device and granting it all the permissions.

It also captures what is typed on the keyboard. The PlugIns folder contains a payload program that adds a new keyboard option to the device, as you see below:

[Screenshot: the PlugIns folder containing the keyboard payload]

Again, somebody with physical access to the device would need to configure the keyboard to switch to Hacking Team’s keyboard. However, the keyboard itself looks identical to iOS’s built-in keyboard, so the target would not know they were using a keyboard that is secretly sending their keystrokes to a remote server. Here is a screenshot of the malicious keyboard:

[Screenshot: the malicious keyboard, visually identical to the built-in iOS keyboard]

It’s important to note that Apple does have some safeguards built into its third-party keyboard support: a custom keyboard is not allowed to run in a field that is marked as a password field. This tool therefore can’t steal passwords from properly implemented apps and websites, but it can still be used to capture usernames, the contents of emails, and other sensitive data.
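As an added illustration (not Lookout’s or Hacking Team’s code), here is a Python triage script that checks an unpacked .app bundle for the traits described above: an enterprise (in-house) provisioning profile, a blank display name, and a keyboard extension under PlugIns, flagging full access because that is what a custom keyboard needs to reach the network. The plist keys are Apple’s standard ones; the bundle it builds is a constructed sample, not a real Hacking Team artifact.

```python
import os, plistlib, tempfile

# NSExtensionPointIdentifier value Apple uses for custom keyboard extensions
KEYBOARD_EXT = "com.apple.keyboard-service"

def read_plist(path):
    with open(path, "rb") as f:
        return plistlib.load(f)

def read_mobileprovision(path):
    # embedded.mobileprovision is a CMS-signed blob wrapping an XML plist;
    # carve the plist out rather than verifying the CMS signature here.
    with open(path, "rb") as f:
        data = f.read()
    end = data.find(b"</plist>") + len(b"</plist>")
    return plistlib.loads(data[data.find(b"<?xml"):end])

def triage_app_bundle(app_dir):
    """Return the indicators from the post that are present in an .app bundle."""
    findings = []
    info = read_plist(os.path.join(app_dir, "Info.plist"))
    if not info.get("CFBundleDisplayName", info.get("CFBundleName", "")).strip():
        findings.append("blank app name")
    prov_path = os.path.join(app_dir, "embedded.mobileprovision")
    if os.path.exists(prov_path) and read_mobileprovision(prov_path).get("ProvisionsAllDevices"):
        findings.append("enterprise (in-house) provisioning profile")
    plugins = os.path.join(app_dir, "PlugIns")
    for ext in sorted(os.listdir(plugins)) if os.path.isdir(plugins) else []:
        nsext = read_plist(os.path.join(plugins, ext, "Info.plist")).get("NSExtension", {})
        if nsext.get("NSExtensionPointIdentifier") == KEYBOARD_EXT:
            findings.append(f"keyboard extension {ext}")
            if nsext.get("NSExtensionAttributes", {}).get("RequestsOpenAccess"):
                findings.append(f"{ext} requests full access (can reach the network)")
    return findings

def build_sample_bundle(root):
    """Constructed sample bundle with the traits described in the post (not a real sample)."""
    app = os.path.join(root, "Sample.app")
    ext = os.path.join(app, "PlugIns", "Keyboard.appex")
    os.makedirs(ext)
    with open(os.path.join(app, "Info.plist"), "wb") as f:
        plistlib.dump({"CFBundleDisplayName": "", "CFBundleIdentifier": "com.example.sample"}, f)
    with open(os.path.join(ext, "Info.plist"), "wb") as f:
        plistlib.dump({"NSExtension": {"NSExtensionPointIdentifier": KEYBOARD_EXT,
                                       "NSExtensionAttributes": {"RequestsOpenAccess": True}}}, f)
    with open(os.path.join(app, "embedded.mobileprovision"), "wb") as f:  # fake CMS framing
        f.write(b"\x30\x82" + plistlib.dumps({"ProvisionsAllDevices": True}) + b"\x00")
    return app

def run_sample():
    with tempfile.TemporaryDirectory() as tmp:
        return triage_app_bundle(build_sample_bundle(tmp))

if __name__ == "__main__":
    print(run_sample())
```

Point triage_app_bundle at a real unpacked bundle (the .app directory inside an .ipa) to apply the same checks during incident triage.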

Conclusion

There are two very significant takeaways for mobile security out of this week’s buzz about the Hacking Team breach:

  1. We now know that attackers around the world have both the intent to compromise iOS and Android devices and access to the technology to do so.
  2. Specific to iOS, devices do not need to be jailbroken to be compromised. The fact that Hacking Team possessed an enterprise certificate gave it the ability to infect any iOS device. This opens up the pool of potential victims way beyond the roughly 8% of people globally who have jailbroken their devices.

So what can you do about it? First off, don’t freak out. Chances are, you do not have Hacking Team’s surveillanceware on your device. To check for this specific instance of Hacking Team’s surveillanceware you can:

  • Check iOS Settings for any apps with an empty name.

[Screenshot: iOS Settings showing an app with an empty name]

  • Check iOS Settings -> General -> Keyboard -> Keyboards to make sure that only keyboards you have installed are set up on your device.

[Screenshot: Settings -> General -> Keyboard -> Keyboards listing the installed keyboards]

And, here are some general tips for staying safe:

  • Keep a passcode on your phone. A lot of spyware sold on the market requires that the attacker have physical access to the target device to install the software. Putting a passcode on your phone makes it that much harder for them.
  • Don’t download apps from third party marketplaces or links online. Spyware is also distributed through these means. Only download from official and vetted marketplaces such as the Apple App Store and Google Play.
  • Don’t jailbreak your device unless you really know what you’re doing. Because jailbroken iOS devices are inherently less protected, they are more vulnerable to attack when security protection measures aren’t properly enabled.
  • Download a security app that can stop attacks before they do harm. Lookout does this, but if you’re not a Lookout user, ask your security provider if they detect Hacking Team and other forms of spyware.
5 comments
  1. US security expert says:

    There are public versions that do the same, like fleximobile (google it), even capture WhatsApp and all chats without jailbreak…. There are others also…. Apple security is crap.

  2. Craig McGrath says:

    Great article. This testing and research needs to be completed to ensure product manufacturers are staying on top of things. It’s too often that companies put profit ahead of security and it’s the customer that gets burnt in the end.

  3. John says:

    This was a great article. Thank you for posting.

  4. Did you look into the C2 protocol used for delivering data from the iOS malware? I’m curious if Hacking Team took any steps to surreptitiously exfil the data…or did they just use JSON or something lame like that?

    Thanks!

  5. I love you help save me.
