by RSS Axelle Apvrille  |  Feb 13, 2015  |  Filed in: Security Research

Recently, a new malware for iOS devices was discovered apparently part of the Pawn Storm operation. We've investigated.

Update 2015/02/19:

  1. The BuildMachineOSBuild is actually shared with 9 other Mac devices, so the author may have been working also on a MacBook Air 11'', MacBook Pro 15'' etc.
  2. The following features of Pawn Storm apparently do not require jailbreak: getting phone info (device model etc), test existence of jailbreak, list running processes, get wifi status, geolocation.
  3. Some other features don't require jailbreak either but will need user authorization or will be limited: read contact list, list directory, record voice, get photo library.

 

Update 2015/02/16 :

  1. LSRequiresIPhoneOS does not mean iPads cannot be targeted, but OSX cannot be targeted.
  2. The fact the malware author is not a native English speaker is only a guess. When it comes to intelligence data, there are seldom 100% guarantees... However, in several cases (e.g Android/Foncy), we see that comments, names or meta-data are often quite accurate.
  3. As the jailbreak test indicates, some of the malware's features may not be accessible to non-jailbroken phones. We'll check exactly which ones and let you know.

Are there risks I may be infected by Pawn Storm on my iPhone?

If you are a military official, a defense contractor (etc) and have iOS 7.1 or more, double check your iPhone even if it is not jailbroken because this malware appears to be running on iPhones, jailbroken or not.
I'll emphasize this one for some followers: yes, this malware does run on non jailbroken iPhones.

If you are infected, you'll probably notice the battery drain. Among other reasons, this is due to the fact the malware author retrieves your geographic location with 'no' distance filter. This means that the GPS will always be on and reporting your location, even for small distance updates. However, don't worry about it if your location services are disabled: the feature won't work, the malware does not have the capability of turning it on.

Decompilation of iOS/PawnStorm.A!tr.spy showing the malware retrieving GPS location with no distance filter

If you are running iOS 8, you will certainly also notice an application named 'XAgent' on your iPhone. This icon is hidden on iOS 7.x, using the tweak below, but it does not work on iOS 8.

(Lucky) case where XAgent shows on the iPhone

<key>SBAppTags</key>
    <array>
           <string>hidden</string>
    </array>

If your iPhone is running iOS 7.1 or greater but you have no particular reason to be targeted for spying, it is unlikely you'll be affected because the malware probably wasn't distributed massively, but only to targeted victims.
In particular, it is very unlikely the malware could have been on the Apple Store because the hiding mechanism we just mentioned usually gets the application banned from the store.

 

Who wrote the malware?

Of course, we don't know exactly, but the application's plist (similar to an Android manifest) yields quite interesting information:

<key>BuildMachineOSBuild</key>
  <string>13E28</string>
..
<key>DTXcode</key>
  <string>0511</string>
<key>DTXcodeBuild</key>
  <string>5B1008</string>
..
<key>LSRequiresIPhoneOS</key>
  <true/>
  • The malware author might have compiled on an iMac 21.5-inch, released Mid 2014 or 9 other devices which share the same BuildMachineOSBuild
  • The malware author genered the code using XCode 5.1.1 (DTXcodeBuild)
  • The malware does not target OSX (like iOS/WireLurker)

Finally, the various typos in the code suggests that the author is not an English native (or has dyslexia ;). Of course, he/she could also be intentionally inserting English errors: impossible to know!

What does the malware do?

To summarize the malware's goals, it fetches commands via HTTP GET from a remote C&C, and uploads information via HTTP POST. The command it recognizes are listed in the table below.

0 Get Info Device
1 Start Record
2 Get Audio File
3 Get Contact List
4 Current Location
5 Get Installed Apps
6 Wifi Status
7 Get all Pictures from Photo Library
8 List a given directory
9 Get a given file
10 Get process list
11 Get SMS

The code shows a few interesting things:

  • The malware checks if the device is jailbroken or not by looking if there are files in /private/var/lib/apt.
  • The malware retrieves the phone number from /private/var/wireless/Library/Preferences/com.apple.commcenter.plist. That's what's on our phone for example:
    <dict>
            <key>CarrierBundleName</key>
            <string>20810</string>
            <key>ICCID</key>
            <string>89XXXXXXXXXXXXXXXXXXXX</string>
            <key>LASDNextUpdate</key>
            <date>2015-02-22T10:19:13.915174Z</date>
            <key>NextUpdate</key>
            <date>2015-01-30T17:26:37.694534Z</date>
            <key>PhoneNumber</key>
            <string>+XXXXXXXXXXX</string>
    </dict>
    
  • The malware can exfiltrate audio records, contacts lists, SMS messages, photos, list of installed applications on the device. It can also be used to exfiltrate targeted information because it has commands to list the contents of directory, retrieve a given file and show running processes.

Decompilation of the code of the malware showing the commands that lists the content of a directory

 

For a more detailed description of the malware, please see the technical description of iOS/PawnStorm.A!tr.spy.


Also, note another iOS malware was discovered by Trend Micro. That one requires jailbreaking and is described here (iOS/PawnStorm.B!tr.spy). It shows striking similarities with code displayed here.


Thanks to Trend Micro for sharing the samples, and to Ruchna Nigam (Fortinet) for testing in our lab.

-- the Crypto Girl

by RSS Axelle Apvrille  |  Feb 13, 2015  |  Filed in: Security Research