Detecting spyware for iPhones
There are days when I wonder whether people really care about privacy (except for these people). Most people don’t see any problem in telling the entire world what they’re doing (Twitter), who they know or see (Facebook) or where they are: the kind of stuff teenagers hate to tell their parents.
Mobile phones are just the perfect platform for spying because they are portable (iPhones are such beauties one hates to leave them behind!) and seen as private devices (would you share your nice iPhone, huh?). Depending on its functionality, mobile spyware records and forwards incoming and outgoing SMS, MMS, voice calls, geographic location, etc.
Recently, I finally laid my hands on an iPhone spyware sample. It has probably been out for a while, but I was surprised to discover that nobody seemed to have detected it yet. The spyware installs on any jailbroken iPhone. In Cydia (an iPhone front-end that helps install third-party applications), you first add the URL of the spyware’s repository and then install the two spyware packages:
SmsTrapUI: a user interface package that assists the spy in installing the spyware. Once the spyware is configured, the spy can erase this package.
Std: the spyware daemon. It installs in /usr/sbin and does not display any new icon on the iPhone’s springboard. This daemon collects information on SMS (phone number, text, timestamp and an incoming/outgoing indicator) and sends it to a SQL database on the spyware’s website.
Okay, so the spyware installs and works. As an antivirus analyst, my next task consisted of getting original samples onto my work host (the host where I work out detections for malware). I could have connected to the iPhone over SSH with iPhone Tunnel Suite, but then I would have had to walk every directory the packages had installed files into and retrieve them. I settled for a simpler solution: Cydia uses Debian-style repositories, so I downloaded the samples directly from there. Debian-style repositories typically include two files, Release and Packages (or Packages.bz2). So, I first downloaded Release:

    $ wget http://xxxxx/x/Release
    $ cat Release
    Origin: ST
    Label: ST
    Suite: stable
    Version: 1.0
    Codename: st
    Architectures: iphoneos-arm
    Components: main
    Description: ST Main repository
     248bf63c4e179ef82d4fe4ba86a42c03 547 main/binary-iphoneos-arm/Packages
     3b6d6f28d5346f9d911a067fccb64f5f 335 main/binary-iphoneos-arm/Packages.bz2
The Release file shows that both Packages and Packages.bz2 exist, so I then downloaded Packages:

    $ wget http://xxxxx/x/Packages
    $ cat Packages
    MD5Sum: 762bf733c5a9b03b787c23ffc64d63a7
    Maintainer: ST Team
    Description: ST Daemon.
    Package: com.st.std
    Section: Utilities
    Author: ST Team
    Filename: ./std-1.1-1_iphoneos-arm.deb
    Version: 1.1-1
    Architecture: iphoneos-arm
    Size: 11634
    Name: STD

    MD5Sum: bed10acddc436a5dfdb77a35dc6e74ad
    Maintainer: ST Team
    Description: SmsTrap User Interface
    Package: com.st.SmsTrapUI
    Section: Utilities
    Author: ST Team
    Filename: ./SmsTrapUI-1.1-1_iphoneos-arm.deb
    Depends: com.st.std, quickload
    Version: 1.1-1
    Architecture: iphoneos-arm
    Size: 26184
    Name: SmsTrap
The Packages file gives the file names of the two packages, so I downloaded them:

    $ wget http://xxxxx/x/SmsTrapUI-1.1-1_iphoneos-arm.deb
    $ wget http://xxxxx/x/std-1.1-1_iphoneos-arm.deb
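The repository walk above (fetch Release, check that it lists Packages, read each stanza's Filename, then fetch the .deb files) is easy to script, and scripting it also lets you verify that what you downloaded is what the index claims. The following Python is an added example written for this post, not the author's own tooling and not Cydia's code. It uses a placeholder base URL in place of the redacted http://xxxxx/x/, and builds constructed Release, Packages and .deb stand-ins in memory (with hashes computed to match) so that it runs offline; the stanza parser serves both index files, since Release lists its per-file hashes as continuation lines of its MD5Sum field.

```python
import hashlib
from urllib.parse import urljoin

# Placeholder (an assumption) for the repository base the post redacts as http://xxxxx/x/.
REPO_BASE = "http://repo.example.invalid/x/"
INDEX_PATH = "main/binary-iphoneos-arm/Packages"


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


# Constructed stand-ins for the two .deb downloads; only their sizes and hashes matter here.
DEB_BLOBS = {
    "std-1.1-1_iphoneos-arm.deb": b"!<arch>\nconstructed stand-in for the std package\n",
    "SmsTrapUI-1.1-1_iphoneos-arm.deb": b"!<arch>\nconstructed stand-in for the UI package\n",
}

# Constructed Packages index (field names as in the post; MD5Sum/Size computed from the blobs).
PACKAGES = (
    f"MD5Sum: {md5_hex(DEB_BLOBS['std-1.1-1_iphoneos-arm.deb'])}\n"
    "Package: com.st.std\n"
    "Filename: ./std-1.1-1_iphoneos-arm.deb\n"
    f"Size: {len(DEB_BLOBS['std-1.1-1_iphoneos-arm.deb'])}\n"
    "\n"
    f"MD5Sum: {md5_hex(DEB_BLOBS['SmsTrapUI-1.1-1_iphoneos-arm.deb'])}\n"
    "Package: com.st.SmsTrapUI\n"
    "Filename: ./SmsTrapUI-1.1-1_iphoneos-arm.deb\n"
    "Depends: com.st.std, quickload\n"
    f"Size: {len(DEB_BLOBS['SmsTrapUI-1.1-1_iphoneos-arm.deb'])}\n"
)

# Constructed Release file; each indented line under MD5Sum is "<md5> <size> <path>".
RELEASE = (
    "Origin: ST\nSuite: stable\nArchitectures: iphoneos-arm\nComponents: main\n"
    "MD5Sum:\n"
    f" {md5_hex(PACKAGES.encode())} {len(PACKAGES.encode())} {INDEX_PATH}\n"
)


def parse_stanzas(text):
    """Split Debian control-format text (Release, Packages) into one dict per stanza.
    Blank lines separate stanzas; a line starting with whitespace continues the previous field."""
    stanzas, current, key = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
            current, key = {}, None
        elif line[0] in " \t" and key:
            current[key] += "\n" + line.strip()
        else:
            key, _, value = line.partition(":")
            key = key.strip()
            current[key] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def release_hashes(release_text):
    """Map each index path listed under MD5Sum in Release to its (md5, size)."""
    hashes = {}
    for line in parse_stanzas(release_text)[0].get("MD5Sum", "").splitlines():
        fields = line.split()
        if len(fields) == 3:
            hashes[fields[2]] = (fields[0], int(fields[1]))
    return hashes


def index_matches_release(release_text, index_bytes, path=INDEX_PATH):
    """True when the downloaded Packages file has the md5 and size Release advertises."""
    return release_hashes(release_text).get(path) == (md5_hex(index_bytes), len(index_bytes))


def package_entries(packages_text, base_url=REPO_BASE):
    """One record per stanza: package id, resolved .deb URL, expected md5/size, dependencies."""
    return [{
        "package": st["Package"],
        "url": urljoin(base_url, st["Filename"]),  # "./x.deb" resolves against the repo base
        "md5": st["MD5Sum"],
        "size": int(st["Size"]),
        "depends": [d.strip() for d in st.get("Depends", "").split(",") if d.strip()],
    } for st in parse_stanzas(packages_text)]


def audit_repo(release_text, index_bytes, blobs, base_url=REPO_BASE):
    """Check the index against Release, then each .deb (looked up by file name in
    `blobs`, which stands in for the wget step) against its own stanza."""
    report = {"index_ok": index_matches_release(release_text, index_bytes)}
    for entry in package_entries(index_bytes.decode(), base_url):
        blob = blobs.get(entry["url"].rsplit("/", 1)[-1])
        report[entry["package"]] = {
            "url": entry["url"],
            "depends": entry["depends"],
            "deb_ok": blob is not None and (len(blob), md5_hex(blob)) == (entry["size"], entry["md5"]),
        }
    return report


if __name__ == "__main__":
    print(audit_repo(RELEASE, PACKAGES.encode(), DEB_BLOBS))
```

With a real repository you would feed in the bytes wget fetched instead of the constructed strings. A mismatch between Release and Packages, or between a stanza and its .deb, is worth recording in the analysis, since it means the files on the server changed after the index was generated. The Depends field is also useful to the analyst: the UI package pulls in com.st.std, so detecting the UI package alone says nothing about whether the daemon is still installed.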
I can now unpack the .deb packages and detect the relevant parts of the spyware.
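To unpack the .deb files on a work host without the Debian tools, it helps to know that a .deb is an ar archive holding debian-binary, control.tar.* and data.tar.*. The following Python is an added example, not the post's or the package maintainer's code: it parses the ar container, lists the control files and the paths the package installs, and flags executables that land outside /Applications, which is where a daemon like the one in /usr/sbin (no springboard icon) sits. The sample package it inspects is constructed in memory, with file names modelled on the post and placeholder contents.

```python
import io
import tarfile

AR_MAGIC = b"!<arch>\n"


def ar_pack(members):
    """Write a minimal ar archive: 8-byte magic, then 60-byte headers + data, 2-byte aligned."""
    out = bytearray(AR_MAGIC)
    for name, data in members:
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{0o100644:<8o}{len(data):<10}`\n".encode()
        out += data + (b"\n" if len(data) % 2 else b"")
    return bytes(out)


def ar_members(blob):
    """Parse an ar archive into {member name: bytes}; a .deb is ar(debian-binary,
    control.tar.*, data.tar.*). GNU ar ends names with '/', BSD ar does not."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos, members = len(AR_MAGIC), {}
    while pos + 60 <= len(blob):
        header = blob[pos:pos + 60]
        if header[58:60] != b"`\n":
            raise ValueError("corrupt ar header at offset %d" % pos)
        name = header[0:16].decode("ascii").strip().rstrip("/")
        size = int(header[48:58])
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)  # members are padded to even offsets
    return members


def tar_entries(member):
    """Yield (name, mode, bytes) for every regular file in a tar, tar.gz, tar.bz2 or tar.xz member."""
    with tarfile.open(fileobj=io.BytesIO(member), mode="r:*") as tf:
        for info in tf.getmembers():
            if info.isfile():
                yield info.name, info.mode, tf.extractfile(info).read()


def inspect_deb(blob):
    """Summarise a .deb for triage: control files, installed file list, and the
    executables that land outside /Applications (no springboard icon, like the daemon)."""
    members = ar_members(blob)
    if members.get("debian-binary", b"").strip() != b"2.0":
        raise ValueError("not a version 2.0 .deb")
    control = next(n for n in members if n.startswith("control.tar"))
    data = next(n for n in members if n.startswith("data.tar"))
    control_files = {name.lstrip("./"): body for name, _, body in tar_entries(members[control])}
    files = [("/" + name.lstrip("./"), mode, len(body)) for name, mode, body in tar_entries(members[data])]
    executables = [p for p, mode, _ in files if mode & 0o111 and not p.startswith("/Applications/")]
    return {"control_files": control_files, "files": files, "executables": executables}


def build_sample_deb():
    """Construct a tiny .deb shaped like the std package: a daemon under /usr/sbin, no app bundle.
    Contents are placeholders, not the real package."""
    def tgz(entries):
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w:gz") as tf:
            for path, body, mode in entries:
                info = tarfile.TarInfo(path)
                info.size, info.mode = len(body), mode
                tf.addfile(info, io.BytesIO(body))
        return buf.getvalue()
    control = tgz([("./control", b"Package: com.st.std\nVersion: 1.1-1\nArchitecture: iphoneos-arm\n", 0o644),
                   ("./postinst", b"#!/bin/sh\n# constructed placeholder maintainer script\n", 0o755)])
    data = tgz([("./usr/sbin/std", b"constructed stand-in, not a real binary\n", 0o755)])
    return ar_pack([("debian-binary", b"2.0\n"), ("control.tar.gz", control), ("data.tar.gz", data)])


if __name__ == "__main__":
    report = inspect_deb(build_sample_deb())
    print(report["control_files"]["control"].decode())
    print(report["files"], report["executables"])
```

Point inspect_deb at the bytes of a downloaded package and the file list tells you what to look for on a suspect phone (here, a binary in /usr/sbin), while the control files show the package identifier and any maintainer scripts that run at install time, both of which are good places to start when writing a detection.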