Cheetah Mobile Security Center · 2015/07/16 14:21

0x00 Profile


Hacking Team, a surveillance software developer based in Italy, was recently hacked and 415 GB of files were leaked. The leaked data includes at least several remote code execution and privilege escalation exploits for Android versions below 4.4, several full exploits including browser sandbox escapes and exploits for Java and Word, and malware code for Mac OS X, iOS, Android, WP8 and others. There is a Flash 0day, a Windows font 0day, an iOS enterprise backdoor app, an Android SELinux exploit and a WP8 Trojan, and, more seriously, Hacking Team’s ultimate remote control system, RCS, which is able to infect almost any platform or medium, including the cloud, making it a full-platform RCS system (Windows Phone included).

In the leaked Hacking Team files we found code that monitors iOS: once the user taps to run it, it requests access to certain data and tracks the user’s location, calendar and contacts. The phone does not need to be jailbroken for this to work.

0x01 Monitoring Behavior Analysis


The relevant code is in the folder \core-ios-master.zip\core-ios-master\ios-newsstand-app\newsstand-app. After going through all of the source code, we found that the monitoring is achieved mainly by installing a newspaper-and-magazine (Newsstand) app on the target device. After installation it appears as a blank app with no icon. The startup code file is as follows:

Looking at the app’s Info.plist tells you that the app is a Newsstand app and specifies its display style and icon. Part of it is as follows:

The main function directly hands off to the AppDelegate class to launch the application.

The main job of the AppDelegate module is to dispatch tasks and perform background refresh: obtaining background access rights, constantly refreshing access to the user’s calendar, contacts and photos, keyboard tasks, and so on.

At the same time, the module refers to a gMainView that starts out nil; the ViewController is called to create it whenever the view needs to be displayed and gMainView is still nil.

The main work of collecting user information is implemented in this method; its module is ViewController.m. After the application loads, it starts collecting the calendar, contacts, GPS location and the user’s photos. The startup code is shown below:

All of the collected information is sent to the remote server through the RCS system. Its modules are prefixed with RCS and apply a series of encryption methods during transmission. The encryption modules are mostly prefixed with NS and follow that encryption scheme from the start; the remaining modules are the keyboard implementation and the network transmission module, as shown below:

0x02 Measured Behavior


Compile the program and run it on a phone. After installation, the hidden newspaper-and-magazine application is created; it can be revealed by long-pressing the application. It also appears in the Settings list, as shown in the picture below:

After the application is tapped, all monitoring services start. On jailbroken devices it starts without any prompt, while non-jailbroken users have to add trust first, as shown in the picture below:

But Hacking Team held enterprise certificates, which allowed it to walk users through that step via a web link without being detected.

Once the service is started, the application requests all the data it wants, as shown below:

The app also adds a new keyboard with the same look as the native iOS keyboard, so the targeted user sends all of their input to a remote server without realizing it. The keyboard looks like this:

It is important to note that Apple has taken some precautions against third-party keyboards. They are not allowed to run in fields marked as password fields, so the tool cannot steal passwords the user types into apps and websites, but it can still steal usernames, email addresses and other sensitive information.

0x03 Route of Infection


Apple has done a lot of work to protect non-jailbroken users from malware, and it has been publicly reported that surveillance software can only infect jailbroken iOS devices, so non-jailbroken users would seem to be safe.

Hacking Team holds Apple enterprise certificates. Apple issues these to companies and lets them publish apps directly on their own websites without App Store review. Anyone can download and install such an app without device authorization, and there is no limit on the number of devices, so any application signed with the certificate can be installed regardless of whether the target iOS device is jailbroken. Since the monitoring tool is a hidden newspaper app, it can be distributed to any iOS device. Apple does show a security warning that requires non-jailbroken users to tap Trust before the app will run, but users generally ignore it for apps downloaded from corporate websites.
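The distinction the paragraph above draws (an enterprise certificate installs on any device, an ordinary developer profile only on a listed set of devices) is recorded in the embedded.mobileprovision file shipped inside every sideloaded .app. The following is an added example for triaging such a file; it is not code from the leaked repository or from this article. The sample profile bytes are constructed for illustration, with filler in place of the CMS signature wrapper; the plist keys (ProvisionsAllDevices, ProvisionedDevices, ExpirationDate, TeamName, Entitlements) are the ones Apple writes into real profiles.

```python
import plistlib
from datetime import datetime, timezone

# Constructed sample of an embedded.mobileprovision. The real file is a CMS
# (PKCS#7) signature wrapping an XML plist; here the DER wrapper and trailing
# signature are replaced by filler bytes so the example runs offline, while the
# plist keys are the ones Apple actually writes into provisioning profiles.
SAMPLE_PROFILE = (
    b"\x30\x82\x0b\x1c\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"
    + b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>AppIDName</key><string>Example Newsstand App</string>
    <key>TeamName</key><string>Example Team (constructed)</string>
    <key>ProvisionsAllDevices</key><true/>
    <key>ExpirationDate</key><date>2016-07-01T00:00:00Z</date>
    <key>Entitlements</key>
    <dict>
        <key>application-identifier</key><string>EXAMPLE01.com.example.newsstand</string>
        <key>get-task-allow</key><false/>
    </dict>
</dict>
</plist>"""
    + b"\x00\x01 filler in place of the CMS signature"
)


def extract_profile_plist(profile):
    """Carve the XML plist out of the signed wrapper (no signature verification)."""
    start = profile.find(b"<?xml")
    end = profile.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no XML plist found in provisioning profile")
    return plistlib.loads(profile[start:end + len(b"</plist>")])


def classify_profile(profile, now=None):
    """Summarise how the profile lets an app be installed and whether it is still valid."""
    info = extract_profile_plist(profile)
    if info.get("ProvisionsAllDevices"):
        # Enterprise (in-house) distribution: any device, no UDID list, no App Store review.
        kind = "enterprise"
    elif "ProvisionedDevices" in info:
        # Ad-hoc or development profile: limited to the listed UDIDs.
        kind = "ad-hoc/development"
    else:
        kind = "app-store"
    expiry = info.get("ExpirationDate")  # plistlib returns a naive UTC datetime
    if now is None:
        now = datetime.now(timezone.utc).replace(tzinfo=None)
    ent = info.get("Entitlements", {})
    return {
        "kind": kind,
        "team": info.get("TeamName"),
        "app_id": ent.get("application-identifier"),
        "debuggable": bool(ent.get("get-task-allow")),
        "expired": expiry is not None and expiry < now,
        "device_count": len(info.get("ProvisionedDevices", [])),
    }


if __name__ == "__main__":
    # Evaluate the sample as of the day this article was published (2015-07-16).
    print(classify_profile(SAMPLE_PROFILE, now=datetime(2015, 7, 16)))
```

The carve-and-parse step deliberately skips signature verification, so it only tells you what the profile claims; on a Mac, `security cms -D -i embedded.mobileprovision` decodes the same plist while checking the CMS structure. A result of kind "enterprise" on an app that did not come from your own organisation is exactly the distribution path this section describes and is worth a closer look.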

It can also be bundled with jailbreak tools and installed directly on the user’s phone, or delivered through a few download links, email and so on.

0x04 Summary


Apple has done a lot of work to protect non-jailbroken users from malware, and it has been publicly reported that surveillance software can only infect jailbroken iOS devices, so non-jailbroken users would seem to be safe. The misuse of Hacking Team’s enterprise certificates, however, has allowed malicious surveillance tools to spread and cause great harm to non-jailbroken users. Apple recently revoked Hacking Team’s enterprise certificates, but the potential threat still exists. Users should also pay attention to the source of third-party apps before downloading them.

To check whether your phone has this remote monitoring tool installed, do the following:

1. Check whether any application has an empty name.
2. Check whether a third-party keyboard named app.keyboard appears in Settings > General > Keyboard.
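Both of these manual checks, together with the Newsstand declaration described in section 0x01, come from the app bundle’s Info.plist files, so they can be run over an unpacked .ipa before installing it. The following is an added example, not code from the leaked repository or from this article. The two sample plists are constructed for illustration; the keys used (CFBundleDisplayName, UINewsstandApp, the NS*UsageDescription purpose strings, UIBackgroundModes, NSExtensionPointIdentifier and RequestsOpenAccess) are the real Info.plist keys, and the keyboard name app.keyboard is the one named in the check above.

```python
import plistlib

# Constructed sample Info.plist for a container app (illustrative, not the leaked file).
# CFBundleDisplayName is empty and UINewsstandApp is set, which is the
# "blank app with no icon" pattern described in the article.
APP_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key><string>com.example.newsstand</string>
    <key>CFBundleDisplayName</key><string></string>
    <key>CFBundleName</key><string>newsstand-app</string>
    <key>UINewsstandApp</key><true/>
    <key>NSCalendarsUsageDescription</key><string>Needed</string>
    <key>NSContactsUsageDescription</key><string>Needed</string>
    <key>NSPhotoLibraryUsageDescription</key><string>Needed</string>
    <key>NSLocationAlwaysUsageDescription</key><string>Needed</string>
    <key>UIBackgroundModes</key>
    <array><string>location</string><string>fetch</string></array>
</dict>
</plist>"""

# Constructed sample Info.plist for a custom-keyboard app extension bundled
# inside the same .app (under PlugIns/). The extension point identifier and
# RequestsOpenAccess are the keys Apple defines for custom keyboards.
KEYBOARD_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key><string>com.example.newsstand.keyboard</string>
    <key>CFBundleDisplayName</key><string>app.keyboard</string>
    <key>NSExtension</key>
    <dict>
        <key>NSExtensionPointIdentifier</key><string>com.apple.keyboard-service</string>
        <key>NSExtensionAttributes</key>
        <dict>
            <key>RequestsOpenAccess</key><true/>
            <key>IsASCIICapable</key><false/>
            <key>PrimaryLanguage</key><string>en-US</string>
        </dict>
    </dict>
</dict>
</plist>"""

# Purpose-string keys whose presence means the app intends to ask for that data.
SENSITIVE_USAGE_KEYS = {
    "NSCalendarsUsageDescription": "calendar",
    "NSContactsUsageDescription": "contacts",
    "NSPhotoLibraryUsageDescription": "photos",
    "NSLocationAlwaysUsageDescription": "location (always)",
    "NSLocationWhenInUseUsageDescription": "location (when in use)",
}


def triage_app_plist(data):
    """Return human-readable findings for a container app's Info.plist."""
    info = plistlib.loads(data)
    findings = []
    name = info.get("CFBundleDisplayName", info.get("CFBundleName", ""))
    if not name.strip():
        findings.append("empty display name (app shows as a blank entry)")
    if info.get("UINewsstandApp"):
        findings.append("declared as a Newsstand app (no ordinary home-screen icon)")
    requested = [label for key, label in SENSITIVE_USAGE_KEYS.items() if key in info]
    if len(requested) >= 3:
        findings.append("declares access to " + ", ".join(requested))
    if "location" in info.get("UIBackgroundModes", []):
        findings.append("background location updates enabled")
    return findings


def triage_keyboard_plist(data):
    """Return findings for an app-extension Info.plist; empty unless it is a keyboard."""
    info = plistlib.loads(data)
    ext = info.get("NSExtension", {})
    if ext.get("NSExtensionPointIdentifier") != "com.apple.keyboard-service":
        return []
    findings = ["bundles a custom keyboard extension"]
    attrs = ext.get("NSExtensionAttributes", {})
    if attrs.get("RequestsOpenAccess"):
        # Full Access is what lets a keyboard reach the network and share data with
        # its container app; without it keystrokes cannot leave the keyboard process.
        findings.append("keyboard requests Full Access (network and container-app sharing)")
    return findings


if __name__ == "__main__":
    for label, blob, fn in (("app", APP_INFO_PLIST, triage_app_plist),
                            ("keyboard", KEYBOARD_INFO_PLIST, triage_keyboard_plist)):
        for finding in fn(blob):
            print(f"[{label}] {finding}")
```

A real bundle has one Info.plist at the top level and one per extension under PlugIns/, so run triage_app_plist on the former and triage_keyboard_plist on each of the latter. The Full Access flag is the one to watch: iOS only prompts for it at keyboard setup, and a keyboard without it cannot send keystrokes anywhere. App developers who want to keep such keyboards out of their own apps can return NO from application:shouldAllowExtensionPointIdentifier: for UIApplicationKeyboardExtensionPointIdentifier, which complements the password-field protection described in section 0x02.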

Some safety tips:

1. Set a passcode. A lot of spyware needs physical access to the device, and a passcode makes that harder.
2. Don't download apps from third-party markets or links.
3. Try not to jailbreak your phone, and don't tap Trust if you don't know what software is requesting the permission.
4. Install a security program and scan your phone regularly, for example CM Security.