Although an iPhone or iPad terminal with iOS has many protections against unwanted in the AppStore apps, and the system is limited to users unprivileged by default, there are still possibilities and ways to put a malware within a terminal iPhone or iPad to spy on its owner. This is something that is explained in detail in Chapter Malware iOS iOS Hacking Book: iPad & iPhone, but I’ll do a summary of the various possibilities.
. 1 – Terminal Jailbroken iPhone using Cydia: If the user has made Jailbreak there are several ways to install your malware terminal. The first of it would be possible to install the trojan from a repository using Cydia. This would go up to the Cydia app Trojan or other repository and convince the user to install the application with social engineering tricks, such as in a game.
Figure 1: Steps to Install Jailbroken iOS FlexiSpy. Repositories added.
Many repositories Jailbroken apps are not as scrupulous in controls and may upload an app with a Trojan in it. In the official repositories is not as simple, but as we have seen there has been a case of malicious apps doing click fraud in this intro. The FlexiSPY Trojan is downloaded from Cydia.
. 2 – Terminal Jailbroken using Juice Jacking: If the terminal has Jailbreak and have not changed the passwords of default users then you can put the Trojan using OpenSSH or USBMux connection by simply connecting the handset to a computer that is to make the Juice Jacking. A trojan that can be installed for this method is iKeyGuard.
Figure 2: Installation Process iKeyGuard iOS Jailbreak
. 3 – The terminal does not have Jailbreak and has a complex passcode but has a chip A4: The iPhone 4 and the iPad 1 terminals have a bug in Limera1n bootroom allowing Jailbreak can be done at boot without needing to know the passcode. Making Jailbreak is possible to install a Custom Bundle – a packed program running in the terminal – to put OpenSSH or malware with RedSn0w in the terminal once done the Jailbreak. Yes, the terminal stay with Jailbreak and the user might notice, although commercial tracks Trojans hide it. You must have physical access.
Figure 3: Installing a Custom Bundle terminal Jailbreak
. 4 – The terminal does not have Jailbreak, but has an A4 chip and a simple passcode: In that case it is best to break the process of making a passcode Untethered Jailbreak iPhone using DataProtection or Gecko. Once the passcode learned the terminal restarts to lose Untethered Jailbreak and logs him passcode to install a Trojan based on a provisioning profile – temporary deployment file signed by an Apple Developer ID -. This will require physical access to the terminal and have created a custom malware – this is explained in detail in the book Hacking iOS: iPhone & iPad.
Figure 4: Sample FinSpy iOS signed by an Apple Developer ID
This trick is using for iOS FinFisher FinSpy to targeted attacks, and will need to get the terminal but also the UDID to create the provisioning profile.
. 5 – The terminal does not have a Jailbreak and iPhone 4S or iPhone 5, so a Provisioning Profile used: Although a terminal has not done the Jailbreak, if you can convince the user to accept a provisioning profile – or could find out the passcode with a local trick – you can install a Trojan on your computer if this is signed digitally. Therefore, if you have an Apple Developer ID can sign the code and install it on your computer even if not done the Jailbreak.
If you have physical access to the computer and the passcode is known or has access to a computer with which it is paired, then you could easily install the Trojan with the profile provisioning or even use WhatsApp Anti-Delete Protection Tool to monitor the WhatsApp messages deleted.
Similarly, mactans installed by making use of a terminal that connects unlocked without passcode to camouflage equipment that looks like a charger. Automatically generates a provisioning profile for equipment connected and install the app accessing the filesystem.
6 – No Jailbreak without physical access without provisioning profile via App Store. Though it looks like a well put a malware AppStore is very complicated, and there have been cases of malware introduced via AppStore as Find & Call, data theft Storm games-8, or “malicious” behavior of some apps like Twitter for iOS or Path.
Figure 5: Storm 8 games stealing data
Moreover, if we had apps “not malicious” that have been inserted or used Windows malware download malware techniques, in addition to proof of concept InstaStock like Charly Miller. All of them passed all the controls on the AppStore. If you’re able to do it, you should only convince the user that this app was installed.
This is only a summary of the chapter of the Book of Hacking iOS: iPhone & iPad we have written among many security professionals, and I really think it was one of the best books published by us so far.