https://www.theiphonewiki.com/w/api.php?action=feedcontributions&feedformat=atom&user=BrittaThe iPhone Wiki - User contributions [en]2026-05-06T20:59:09ZUser contributionsMediaWiki 1.31.14https://www.theiphonewiki.com/w/index.php?title=Malware_for_iOS&diff=57939Malware for iOS2017-07-04T04:47:39Z<p>Britta: updated link</p>
<hr />
<div>This is a list of known malware (including spyware, adware, trojans, viruses, worms, and similar tools) that have targeted iOS, including jailbroken iOS. The dates are approximate dates when people discovered, publicized, or started discussing the tool.<br />
<br />
The goal of this list is to aid better understanding of the risks of using iOS and jailbroken iOS - it's helpful to have as much accurate information as you can. If you're concerned about avoiding malware on your jailbroken device, check out [https://www.reddit.com/r/jailbreak/wiki/howtoresearch this guide to making informed guesses about whether packages are reasonable to install].<br />
<br />
Some context: <br />
* Some of these tools targeted old iOS versions and do not work on current iOS versions.<br />
* Some of these are harmful and some are merely annoying.<br />
* Many of these require the device to be jailbroken, and some work on non-jailbroken devices (including via [[misuse of enterprise and developer certificates]]).<br />
* Cydia is an open platform - it includes a specific set of default repositories, and it also allows users to type in any third-party repository that they want to use (much like a web browser that allows you to visit any website). Anyone can run a third-party repository and distribute any software they choose to distribute.<br />
* Some of these tools are built to target specific people instead of the general public.<br />
* Especially for malware that targets a specific person and requires the device to be jailbroken (such as commercial spyware tools used by governments and [http://www.forbes.com/sites/sarahjeong/2014/10/28/surveillance-begins-at-home/ people spying on family members]), it's important to consider that ''the vulnerabilities in iOS that allow it to be exploited with a jailbreak'' are part of what allows that malware to exist - the process may include finding a way to secretly jailbreak the target's device if it's not jailbroken already.<br />
<br />
For an earlier list of known malware, see [https://blog.fortinet.com/2014/06/09/ios-malware-does-exist "iOS Malware Does Exist"] (June 2014).<br />
<br />
Related research: [https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/wang_tielei "On the Feasibility of Large-Scale Infections of iOS Devices"] (August 2014).<br />
<br />
== Tools found in the wild that target the public ==<br />
<br />
=== iKee and Duh (November 2009) ===<br />
<br />
The [[Ikee-virus]] (also called Eeki) is a worm transmitted between jailbroken devices that have OpenSSH installed and haven't changed the default root password. It changes the lockscreen background to a photo of Rick Astley.<br />
<br />
Two weeks later, the similar [https://nakedsecurity.sophos.com/2009/11/23/lightning-strikes-iphone-malware-malicious/ Duh worm] spread, which was "much more serious than the original Ikee worm because it is not limited to infecting iPhone users in Australia, and communicates with an internet Control & Command centre, downloading new instructions - effectively turning your iPhone into part of a botnet."<br />
<br />
=== "Find and Call" (July 2012) ===<br />
<br />
Find and Call was an app on the App Store that automatically uploaded users' contact lists to the company's server, then spammed those contacts with a link to the app ("from" that user). This undisclosed, unwanted behavior makes the software fit the definition of a trojan. Articles: [https://securelist.com/blog/incidents/33544/find-and-call-leak-and-spam-57/ Kaspersky SecureList], [http://arstechnica.com/apple/2012/07/find-and-call-app-becomes-first-trojan-to-appear-on-ios-app-store/ Ars Technica], [https://nakedsecurity.sophos.com/2012/07/06/find-call-ios-android-malware/ Sophos NakedSecurity]. It is also called FindCall.<br />
<br />
=== Packages by Nobitazzz (August 2012 and September 2013) ===<br />
<br />
A tweak developer who went by various names (Felix, FelixCat, isoftjsc, Martin Pham, Nitram88, Nobitazzz, Nobita.ZZZ, Sara_Nobita, sara_nobita_zzz, tuyentq2009, vietSARA) included adware in his tweaks. These were many free packages along with some paid packages sold via the Cydia Store, mostly distributed by default repositories (until the problem was discovered). The adware ran ads in the background of iOS, displaying off-screen so that the user wouldn't notice them, with the revenue from those ads going to this tweak developer. This was [http://modmyi.com/forums/cydia-support/810633-new-adware-malware-found-cydia.html first reported in August 2012 on the ModMyi forum] and [http://ryanhileman.info/posts/webgl analyzed in September 2013] ([https://www.reddit.com/r/jailbreak/comments/1n5702/anatomy_of_a_jailbreak_trojan/ discussion on Reddit]).<br />
<br />
Packages by this developer included: Animated ICS LockScreen & HomeScreen, BetterChrome, Chrome Download Enabler, ChromeMe, Enable Copy text in Facebook app, Enable WebGL, Facebook Photo Library integration, FacebookThis, Handwriting recognition, Insta9gag, InstaFacebook for NotificationCenter, Instagram Image saver, InstaSocial for Notification Center, InstaTwitter for NotificationCenter, iOS 6 Photos Menu, Make Gmail as default, Notification Lunar Calendar, Olympic 2012 Medal for Notification Center, PhotoFilters, Sara, Sara Dictation Keyboard, VoiceTweet.<br />
<br />
=== AdThief/Spad (March and August 2014) ===<br />
<br />
AdThief (also called Spad) is malware targeting jailbroken iOS devices, which "tweaks a developer ID that’s intended to tell ad developers when their ads are either viewed or clicked and in turn, generate revenue. In the malware’s case, infected devices funnel those small payments away from the developers to the hacker", as [https://threatpost.com/adthief-ios-malware-affecting-75k-jailbroken-devices/107907 explained by Kaspersky Threatpost]. Security researchers estimated it had infected 75,000 devices.<br />
<br />
=== Unflod (April 2014) ===<br />
<br />
[[Unflod]] is a malicious piece of software targeting jailbroken iOS devices, which attempts to capture the user's Apple ID and password by using MobileSubstrate to hook into the SSLWrite function of Security.framework and then listening to data passed to it. Once the Apple ID and password are captured, it is sent to a Chinese IP address. It was inadvertently discovered by a Reddit user on April 17th, 2014. Also called "Unflod Baby Panda" and "SSLCreds".<br />
<br />
=== AppBuyer (September 2014) ===<br />
<br />
AppBuyer, as discussed in [http://researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/ this article by Palo Alto Networks], is malware that “will connect to C&C server, download and execute malicious executable files, hook network APIs to steal user’s Apple ID and password and upload to the attacker’s server, and simulate Apple’s proprietary protocols to buy apps from the official App Store by victim’s identity.” It targets jailbroken devices.<br />
<br />
=== WireLurker and Masque Attack (November 2014) ===<br />
<br />
As discussed at [[Misuse of enterprise and developer certificates]]: [http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/ according to Palo Alto Networks], WireLurker is "a family of malware targeting both Mac OS and iOS systems for the past six months...It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning."<br />
<br />
Masque Attacks are a related technique, also [https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html discussed by Palo Alto Networks]: "an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier."<br />
<br />
=== Xsser mRAT (December 2014) ===<br />
<br />
Xsser mRAT is a piece of malware that targets jailbroken devices. [https://blogs.akamai.com/2014/12/ios-and-android-os-targeted-by-man-in-the-middle-attacks.html As described by Akamai]: "The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server."<br />
<br />
=== Lock Saver Free (July 2015) ===<br />
<br />
Lock Saver Free is a free tweak, originally distributed on a default repository (removed from the repository after discovery of the problem), that installs an extra tweak that hooks into ad banners to insert its own ad identifier, presumably in order to give ad revenue to the author of the tweak instead of to the author of the website/app where the ad was found. [https://www.reddit.com/r/jailbreak/comments/3eis8g/news_lock_saver_free_contains_a_trojan_that/ Discussion on Reddit].<br />
<br />
=== KeyRaider (August 2015) ===<br />
<br />
KeyRaider, as discussed in [http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/ this article by Palo Alto Networks], is a piece of malware for jailbroken devices that "steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device." These security researchers said it has over 225,000 stolen accounts in its database.<br />
<br />
=== XcodeGhost (September 2015) ===<br />
<br />
XcodeGhost is a form of malware that was found in some unofficial redistributions of Xcode targeted at Chinese developers (who often download redistributed copies because official Apple download speeds are slow in China). XcodeGhost infects apps compiled with those versions of Xcode, which included at least 39 apps published in the iOS App Store. Palo Alto Networks published a series of posts about it: [http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/ original post explaining it], [http://researchcenter.paloaltonetworks.com/2015/09/malware-xcodeghost-infects-39-ios-apps-including-wechat-affecting-hundreds-of-millions-of-users/ a list of additional infected apps on the App Store], [http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/ more about its capabilities]. It adds code that can upload device and app information to a central server, create fake iCloud password signin prompts, and read and write from the copy-and-paste clipboard.<br />
<br />
=== YiSpecter (October 2015) ===<br />
<br />
YiSpecter, [http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/ also discussed by Palo Alto Networks], is malware that uses private APIs to perform malicious actions on both non-jailbroken and jailbroken iOS. It gets installed in the form of apps signed with [[Misuse of enterprise and developer certificates|enterprise certificates]]. Palo Alto Networks says "On infected iOS devices, YiSpecter can download, install and launch arbitrary iOS apps, replace existing apps with those it downloads, hijack other apps’ execution to display advertisements, change Safari’s default search engine, bookmarks and opened pages, and upload device information to the C2 server."<br />
<br />
=== Muda (October 2015) ===<br />
<br />
Muda (also called AdLord), [https://twitter.com/claud_xiao/status/653606471876263936 discussed by Claud Xiao], is a form of adware for jailbroken devices. It has been in the wild at least since October 2013. He writes "It spreads via third party Cydia sources in China, and only affects jailbroken iOS devices. Its main behaviors include to display advertisements over other apps or in notification bar, and to ask user downloading iOS apps it promoted. "<br />
<br />
=== Youmi Ad SDK (October 2015) ===<br />
<br />
This advertising SDK, mostly used by Chinese App Store developers, [https://sourcedna.com/blog/20151018/ios-apps-using-private-apis.html was discovered by SourceDNA] to be abusing private APIs in order to collect more personal information than is allowed by Apple security and privacy guidelines, including the list of apps installed on a device, serial numbers of a device and internal components, and user's Apple ID email address. Youmi exploited a weakness in App Store review process and evaded detection by obfuscating private API calls using simple string manipulation. 256 apps with estimated 1 million downloads were found to be affected, including the official Chinese McDonald's app.<br />
<br />
=== AceDeceiver (March 2016) ===<br />
<br />
AceDeceiver, [https://researchcenter.paloaltonetworks.com/2016/03/acedeceiver-first-ios-trojan-exploiting-apple-drm-design-flaws-to-infect-any-ios-device/ reported by Claud Xiao of Palo Alto Networks], is malware for non-jailbroken iOS devices. It gets on non-jailbroken devices through a desktop application that exploits design flaws in Apple’s DRM mechanism to install a malicious iOS app from the App Store. It can install the malicious app even after the app is removed from the App Store, and it doesn't require [[Misuse of enterprise and developer certificates|misusing an enterprise certificate]].<br />
<br />
=== Safari JavaScript pop-up scareware (March 2017) ===<br />
<br />
[https://blog.lookout.com/blog/2017/03/27/mobile-safari-scareware/ Lookout reported] that scammers had "abused the handling of pop-up dialogs in Mobile Safari in such a way that it would lock out a victim from using the browser. The attack would block use of the Safari browser on iOS until the victim pays the attacker money in the form of an iTunes Gift Card. During the lockout, the attackers displayed threatening messaging in an attempt to scare and coerce victims into paying. However, a knowledgeable user could restore functionality of Mobile Safari by clearing the browser’s cache via the the iOS Settings — the attack doesn’t actually encrypt any data and hold it ransom."<br />
<br />
iOS 10.3 changed the handling of JavaScript pop-ups to prevent this problem, making pop-ups "per-tab rather than taking over the entire app".<br />
<br />
== Tools used by governments (and similar) to target individuals ==<br />
<br />
=== FinSpy Mobile (August 2012) ===<br />
<br />
FinFisher is a suite of commercial surveillance tools sold to governments, which have been used to target activists and other people. The suite [https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/ includes spyware tools for many mobile operating systems, including iOS].<br />
<br />
=== DROPOUTJEEP (December 2013) ===<br />
<br />
In December 2013, a conference presentation included information about a NSA tool called DROPOUTJEEP: [http://www.forbes.com/sites/erikkain/2013/12/30/the-nsa-reportedly-has-total-access-to-your-iphone/ "a software implant for the Apple iPhone that utilizes modular mission applications to provide specific SIGINT functionality. This functionality includes the ability to remotely push/pull files from the device. SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell tower location, etc. Command, control and data exfiltration can occur over SMS messaging or a GPRS data connection. All communications with the implant will be covert and encrypted.”] The information was from an internal NSA software catalog from 2008. The presenter speculated that Apple had helped build this tool, and [http://techcrunch.com/2013/12/31/apple-says-it-has-never-worked-with-nsa-to-create-iphone-backdoors-is-unaware-of-alleged-dropoutjeep-snooping-program/ Apple said it "has never worked with the NSA to create a backdoor in any of our products"].<br />
<br />
=== Hacking Team tools (June 2014 and July 2015) ===<br />
<br />
[[Hacking Team]] is a company that "sells offensive intrusion and surveillance capabilities to governments and law enforcement agencies", including iOS spyware tools. The iOS spyware tools appear designed for targeting/attacking specific people, not for broad surveillance of the public. Their main tool (Remote Control System) requires a jailbroken device, and they were researching options for non-jailbroken devices.<br />
<br />
=== Inception (December 2014) ===<br />
<br />
Inception is an "attack framework" from an unknown source that targets individuals to steal information, using phishing emails and other techniques along with malware for iOS and other mobile operating systems, described in [https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware this post by security researchers who identified it]. According to [http://images.machspeed.bluecoat.com/Web/BlueCoat/%7B7f2dda62-f240-48dc-b05e-5cc620747b73%7D_bcs_wp_The_Inception_Framework_Cloud-Hosted_APT_EN_1d.pdf the whitepaper from those security researchers], a target may receive a phishing email with a link that says it's a WhatsApp update, and if clicked on jailbroken iOS, it triggers "the download of a Debian installer package, WhatsAppUpdate.deb, also 1.2Mb in size. This application impersonates a Cydia installer, and can only be installed on a jailbroken phone" (page 23). It's unclear what they mean by "impersonates a Cydia installer", but a .deb file is the standard format for software packages installable via Cydia. The iOS malware collects the device's [[ICCID]], address book, phone number, MAC address, and other information.<br />
<br />
Another group of security researchers also identified this attack framework [http://www.cso.com.au/article/562325/sophisticated-malware-targets-execs-pcs-android-blackberry-ios-devices/ and called it Cloud Atlas].<br />
<br />
More articles: [http://appleinsider.com/articles/14/12/11/massive-sophisticated-inception---cloud-atlas-malware-infects-windows-and-android-but-cant-exploit-apples-ios-without-jailbreak Apple Insider], [http://www.forbes.com/sites/thomasbrewster/2014/12/10/iphone-android-attacks-on-diplomats/ Forbes]. There is a sample download [http://contagiominidump.blogspot.de/2014/12/cloud-atlas-inception-ios.html available via this blog].<br />
<br />
=== XAgent (February 2015) ===<br />
<br />
XAgent is a surveillance tool targeting specific people (such as people in governments, the military, and journalists) that can affect both non-jailbroken and jailbroken devices, as described in [http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/ this article by Trend Micro]. Also [http://www.pcworld.com/article/2880152/new-spyware-targets-ios-devices-steals-pictures-and-data.html covered by PCWorld].<br />
<br />
=== Pegasus (August 2016) ===<br />
<br />
Pegasus is a spyware product for iOS built by NSO Group, sold to governments, which has been used for attacks against political dissidents. It uses a chain of exploits nicknamed Trident to silently jailbreak the target device, and then it installs malware. Lookout Security described it in [https://blog.lookout.com/blog/2016/08/25/trident-pegasus/ a post] and [https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf a technical analysis]. Citizen Lab wrote [https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/ a post about its use].<br />
<br />
In June 2017, [https://www.nytimes.com/2017/06/19/world/americas/mexico-spyware-anticrime.html?_r=0 the New York Times reported] that the Mexican government used Pegasus to target human rights lawyers, journalists and anti-corruption activists.<br />
<br />
=== Cellebrite (February 2017) ===<br />
<br />
As reported by [https://motherboard.vice.com/en_us/article/hacker-dumps-ios-cracking-tools-allegedly-stolen-from-cellebrite Motherboard in February 2017], Cellebrite is "an Israeli firm which specializes in extracting data from mobile phones for law enforcement agencies". According to leaked information, "much of the iOS-related code is very similar to that used in the jailbreaking scene", such as [[limera1n]] and [[QuickPwn]], with additions: "some of the code in the dump was designed to brute force PIN numbers". The leaked files are [https://www.reddit.com/r/jailbreak/comments/5rtffh/newsfirm_that_helped_fbi_break_into_san/ddan91v/ available online].<br />
<br />
=== CIA "Vault 7" materials (March 2017) ===<br />
<br />
On March 7, 2017, WikiLeaks [https://www.nytimes.com/2017/03/07/world/europe/wikileaks-cia-hacking.html released a collection of CIA documents called Vault 7], dated from 2013 to 2016, that include information about CIA hacking tools for iOS devices. The materials include [https://wikileaks.org/ciav7p1/cms/space_2359301.html documentation for CIA iOS exploitation research] and [https://wikileaks.org/ciav7p1/cms/page_13205587.html a list of iOS exploits they have].<br />
<br />
== Tools developed as part of research ==<br />
<br />
=== iSAM (June 2011) ===<br />
<br />
iSAM is a malware tool [http://link.springer.com/chapter/10.1007%2F978-3-642-21424-0_2 developed by security researchers] as a proof of concept. It affects both jailbroken and not-yet-jailbroken devices: it scans for jailbroken devices that have SSH running and the default root password, and it also includes a malicious version of the [[Star]] exploit (JailbreakMe 2.0) so it can jailbreak a device that isn't jailbroken yet.<br />
<br />
=== Instastock (November 2011) ===<br />
<br />
Charlie Miller, a security researcher, [http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/ submitted an app to the App Store called Instastock] to demonstrate "a flaw in Apple’s restrictions on code signing on iOS devices". The app was initially accepted and then pulled from the store.<br />
<br />
=== Mactans (July 2013) ===<br />
<br />
At the Black Hat 2013 conference, security researchers presented a tool called Mactans, a small device that looks like a charger but [http://www.zdnet.com/article/researchers-reveal-how-to-hack-an-iphone-in-60-seconds/ can insert malware if you plug an iOS device into it]. The iOS device does not have to be jailbroken.<br />
<br />
=== Jekyll (August 2013) ===<br />
<br />
At the USENIX Security Symposium in 2013, security researchers described a method for getting a malicious app approved for the App Store, [http://www.theguardian.com/technology/appsblog/2013/aug/19/ios-malware-apple-iphone-ipad-jekyll "created with remotely-exploitable vulnerabilities built in, masked by legitimate features to evade detection during the App Store approval process, but ready to be triggered once the app was installed on an iOS device."] They successfully got an app approved for the App Store with this method (which [http://arstechnica.com/security/2013/08/seemingly-benign-jekyll-app-passes-apple-review-then-becomes-evil/ "was only active for a few minutes following its launch in March, and during that time it wasn't installed by anyone not involved in the experiment"]).<br />
<br />
=== XARA attacks (June 2015) ===<br />
<br />
Security researchers found methods for "cross-app resource access" (XARA) attacks on OS X and iOS, and they submitted malicious proof-of-concept apps to the Mac and iOS App Store. Apple approved the apps, and the researchers immediately removed them from the stores. These XARA attacks were ways of bypassing the sandboxes that are supposed to prevent an app from accessing files that don't belong to that app, [https://drive.google.com/file/d/0BxxXk1d3yyuZOFlsdkNMSGswSGs/view described by the security researchers in a paper]. [http://arstechnica.com/security/2015/06/serious-os-x-and-ios-flaws-let-hackers-steal-keychain-1password-contents/ Ars Technica article].<br />
<br />
=== NeonEggShell (August 2015) ===<br />
<br />
[http://neoneggplants.com/projects/neoneggshell/ NeonEggShell] is a command shell creation tool for iOS and OS X. The author says "This project is a proof of concept way to demon strate how easy it is to take over a whole device with a piece of code no bigger than a twitter post." The project includes tools for making payloads for jailbroken iOS, with features such as keylogging and location tracking. By default, the tool includes a "prompt that asks for permission before allowing any connection to the remote server."<br />
<br />
== Tools for sale to the public to target individuals ==<br />
<br />
=== 1mole ===<br />
<br />
[http://www.bosspy.com/user/iphoneos.aspx 1mole] is a spying tool available to the public via their own repository, authored by Bosspy. It describes itself [http://www.bosspy.com/user/default.aspx on its website] as "For Parents" ("Have your children going home after school? Consult their GPS position to be sure."), "For individuals" ("You think about your lost or stolen mobile phone."), and "For Employers" ("Install the software on your business phones and locate them in real time"). Its feature list includes "Track GPS locations" and "Capture the lock sreen passcode" for free, and "Record text messages", "Log Calls details", "Website monitoring", and "Keylogger" as paid services.<br />
<br />
=== Copy9 ===<br />
<br />
[http://cydia.saurik.com/package/com.goldenspy.copy9/ Copy9] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Copy9. It describes itself as "will be installed on target iDevice to find out a thief, cheating spouses, monitor chidren/employees or simply backup data from your devices to our cloud server. This is the best spyware on the world in spying field." [http://copy9.com/ Copy9 website].<br />
<br />
=== Copy10 ===<br />
<br />
[http://cydia.saurik.com/package/com.copy10.copy10/ Copy10] is a similar but separate spying tool available to the public via the ModMyi repository (a default repository), authored by IntelMobi/goldenspy. Their description includes "Are you having trust issues in your relationship? Sign that your kid's personality has changed and their behaviors, does your teenager hang out with friends you're concerned about? What if you believe one of your employees is a spy or is stealing company's technology, intellectual property or trade secrets?" [https://www.intelmobi.com/ IntelMobi website].<br />
<br />
=== FlexiSPY ===<br />
<br />
[http://www.flexispy.com/en/iphone-tracker-spy-on-iphone.htm FlexiSPY] is a spying tool available to the public presumably via their own repository (this isn't specified on their website, but it's specified that you need the device to be jailbroken), authored by Flexispy, Ltd. Their website says "If you have a committed relationship with your partner or are responsible for a child or employee YOU HAVE A RIGHT TO KNOW To protect your relationship, spy on their iPhone."<br />
<br />
=== iKeyGuard Key Logger ===<br />
<br />
[http://cydia.saurik.com/package/com.ikeyguard.ikg/ iKeyGuard Key Logger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by iKeyGuard. Its description includes "Warning: Logging other people without their permission might be illegal in your country! Make sure you abide by your local law."<br />
<br />
=== iKeyMonitor keylogger ===<br />
<br />
[http://cydia.saurik.com/package/com.aw.mobile.ikm/ iKeyMonitor keylogger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Awosoft Technology. [http://ikeymonitor.com/ Its website] includes "How to monitor your children's cell phone to discover the truth and protect them from potential dangers? Now with iKeyMonitor you can uncover the truth by secretly monitoring mobile phones and tablets such as iPhone/iPad/iPod and Android device."<br />
<br />
=== InnovaSPY ===<br />
<br />
[http://cydia.saurik.com/package/com.innovaspy.innovaspy/ InnovaSPY] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Innovaspy. Its description says "Perfect iPhone spy app" and lists reasons to use it as "Protect your child from cyber predators" and "Find out THE TRUE from cheating spouse?" Related package: [http://cydia.saurik.com/package/com.innovaspy.innovamonitor/ InnovaMonitor], a monitoring app for use with the spy tool. [http://innovaspy.com/ InnovaSPY website].<br />
<br />
=== Mobile Spy ===<br />
<br />
[http://www.mobile-spy.com/iphone-v7.html Mobile Spy] is a spying tool available to the public via their own repository, authored by Retina-X Studios. [http://www.mobile-spy.com/ Their website] says "View your Child or Employee's Smartphone and Tablet Usage. Monitor text messages, GPS locations, call details, photos and social media activity. View the screen and location LIVE!"<br />
<br />
=== MobiStealth ===<br />
<br />
[http://www.mobistealth.com/iphone-spy MobiStealth] is a spying tool available to the public for both [http://www.mobistealth.com/iphone-spy jailbroken iOS] (presumably installed via their own repository) and [http://www.mobistealth.com/ios-non-jailbreak non-jailbroken iOS] ("All that you require is the Apple ID and password of the iPhone or iPad that you want to monitor to get remote access to"). Their website includes "Are your employees misusing company owned phones? Are your kids getting more possessed and do not want to share anything with you? Stop wondering and thinking all day long, Mobistealth iPhone spy app is exactly what you need."<br />
<br />
=== mSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.mtechnology.mspy.trial/ mSpy] is a spying tool available to the public via the BigBoss repository (a default repository), authored by Mtechnology. Its description of itself: "mSpy is the best tracking and spy application that allows users to keep a check on the cell phone activities of their kids other family members or employees in order to avoid any unwanted behavior or for safety purposes."<br />
<br />
The mSpy website [http://www.mspy.com/compatibility.html indicates that they also have a version for non-jailbroken devices].<br />
<br />
In May 2015, [http://krebsonsecurity.com/2015/05/mspy-denies-breach-even-as-customers-confirm-it/ mSpy had a customer data breach].<br />
<br />
=== OwnSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.ownspy.daemon/ OwnSpy] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Antonio Calatrava. It describes itself as "Spy your own iPhone or iPad", with call recording, location tracking, and other features. It has a warning that says "Installing OwnSpy on a device that does not belong to you is a criminal offense and may be prosecuted. Mobile Innovations will help authorities if required." [http://en.ownspy.com/P000001-install-on-ios OwnSpy website].<br />
<br />
=== Spy App ===<br />
<br />
[http://cydia.saurik.com/package/com.spyapp.daemon/ Spy App] is a spying tool available to the public via the ModMyi repository (a default repository), authored by dmarinov. Its description includes "Remotely spy SMS, Emails, Call Logs, GPS Location, Key presses (Keylogger)" and other features. It says it is "absolutely invisible and undetectable."<br />
<br />
=== SpyKey ===<br />
<br />
[http://cydia.saurik.com/package/com.kobisnir.spykey/ SpyKey] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Kobi Snir. Its description includes "a simple app that let you monitor your PC Keyboard activity in real time, Simply connect your iphone to your compute using your Wifi or 3G connection and start monitoring." The [http://www.ioslinks.com/spykey/ SpyKey website] includes "Great use for parental control purposes, protect your kids from chating with strangers!", "Discover usernames & passwords", and "Spy unfaithfull husband or wife."<br />
<br />
=== StealthGenie ===<br />
<br />
StealthGenie was a spying tool available to the public [http://blog.flexispy.com/remove-stealthgenie-iphone-android/ via their own repository]. It also supported other mobile operating systems. In November 2014, the person who advertised and sold this product was [http://www.justice.gov/opa/pr/man-pleads-guilty-selling-stealthgenie-spyware-app-and-ordered-pay-500000-fine charged with a federal crime and fined $500,000]. The charge was "sale of an interception device and advertisement of a known interception device", a wiretapping crime. [http://www.forbes.com/sites/kashmirhill/2014/09/30/stealthgenie-ugly-marketing-of-spyware/ A Forbes article] says "according to the FBI, Akbar and his team developed an internal business plan that revealed that — duh — the primary target audience for the app was people who thought their partners were cheating." The Forbes article points out [[#Mobile Spy]], [[#mSpy]], [[#FlexiSPY]], and [[#MobiStealth]] as similar products.<br />
<br />
=== Trapsms ===<br />
<br />
Trapsms was an early spying tool available to the public, [http://blog.fortinet.com/post/detecting-spyware-for-iphones described in this post by a security researcher in July 2009]. She says: "The spyware installs on any jailbroken iPhone. In Cydia (an iPhone front-end to help installing third-party applications), you first add the URL of the spyware's repository and then install the two spyware packages."<br />
<br />
[[Category:Malware research]]</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=Malware_for_iOS&diff=57938Malware for iOS2017-07-04T04:45:31Z<p>Britta: adding AceDeceiver, Pegasus news, research link</p>
<hr />
<div>This is a list of known malware (including spyware, adware, trojans, viruses, worms, and similar tools) that have targeted iOS, including jailbroken iOS. The dates are approximate dates when people discovered, publicized, or started discussing the tool.<br />
<br />
The goal of this list is to aid better understanding of the risks of using iOS and jailbroken iOS - it's helpful to have as much accurate information as you can. If you're concerned about avoiding malware on your jailbroken device, check out [https://www.reddit.com/r/jailbreak/wiki/howtoresearch this guide to making informed guesses about whether packages are reasonable to install].<br />
<br />
Some context: <br />
* Some of these tools targeted old iOS versions and do not work on current iOS versions.<br />
* Some of these are harmful and some are merely annoying.<br />
* Many of these require the device to be jailbroken, and some work on non-jailbroken devices (including via [[misuse of enterprise and developer certificates]]).<br />
* Cydia is an open platform - it includes a specific set of default repositories, and it also allows users to type in any third-party repository that they want to use (much like a web browser that allows you to visit any website). Anyone can run a third-party repository and distribute any software they choose to distribute.<br />
* Some of these tools are built to target specific people instead of the general public.<br />
* Especially for malware that targets a specific person and requires the device to be jailbroken (such as commercial spyware tools used by governments and [http://www.forbes.com/sites/sarahjeong/2014/10/28/surveillance-begins-at-home/ people spying on family members]), it's important to consider that ''the vulnerabilities in iOS that allow it to be exploited with a jailbreak'' are part of what allows that malware to exist - the process may include finding a way to secretly jailbreak the target's device if it's not jailbroken already.<br />
<br />
For an earlier list of known malware, see [https://blog.fortinet.com/post/ios-malware-does-exist "iOS Malware Does Exist"] (June 2014).<br />
<br />
Related research: [https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/wang_tielei On the Feasibility of Large-Scale Infections of iOS Devices] (August 2014).<br />
<br />
== Tools found in the wild that target the public ==<br />
<br />
=== iKee and Duh (November 2009) ===<br />
<br />
The [[Ikee-virus]] (also called Eeki) is a worm transmitted between jailbroken devices that have OpenSSH installed and haven't changed the default root password. It changes the lockscreen background to a photo of Rick Astley.<br />
<br />
Two weeks later, the similar [https://nakedsecurity.sophos.com/2009/11/23/lightning-strikes-iphone-malware-malicious/ Duh worm] spread, which was "much more serious than the original Ikee worm because it is not limited to infecting iPhone users in Australia, and communicates with an internet Control & Command centre, downloading new instructions - effectively turning your iPhone into part of a botnet."<br />
<br />
=== "Find and Call" (July 2012) ===<br />
<br />
Find and Call was an app on the App Store that automatically uploaded users' contact lists to the company's server, then spammed those contacts with a link to the app ("from" that user). This undisclosed, unwanted behavior makes the software fit the definition of a trojan. Articles: [https://securelist.com/blog/incidents/33544/find-and-call-leak-and-spam-57/ Kaspersky SecureList], [http://arstechnica.com/apple/2012/07/find-and-call-app-becomes-first-trojan-to-appear-on-ios-app-store/ Ars Technica], [https://nakedsecurity.sophos.com/2012/07/06/find-call-ios-android-malware/ Sophos NakedSecurity]. It is also called FindCall.<br />
<br />
=== Packages by Nobitazzz (August 2012 and September 2013) ===<br />
<br />
A tweak developer who went by various names (Felix, FelixCat, isoftjsc, Martin Pham, Nitram88, Nobitazzz, Nobita.ZZZ, Sara_Nobita, sara_nobita_zzz, tuyentq2009, vietSARA) included adware in his tweaks. These were many free packages along with some paid packages sold via the Cydia Store, mostly distributed by default repositories (until the problem was discovered). The adware ran ads in the background of iOS, displaying off-screen so that the user wouldn't notice them, with the revenue from those ads going to this tweak developer. This was [http://modmyi.com/forums/cydia-support/810633-new-adware-malware-found-cydia.html first reported in August 2012 on the ModMyi forum] and [http://ryanhileman.info/posts/webgl analyzed in September 2013] ([https://www.reddit.com/r/jailbreak/comments/1n5702/anatomy_of_a_jailbreak_trojan/ discussion on Reddit]).<br />
<br />
Packages by this developer included: Animated ICS LockScreen & HomeScreen, BetterChrome, Chrome Download Enabler, ChromeMe, Enable Copy text in Facebook app, Enable WebGL, Facebook Photo Library integration, FacebookThis, Handwriting recognition, Insta9gag, InstaFacebook for NotificationCenter, Instagram Image saver, InstaSocial for Notification Center, InstaTwitter for NotificationCenter, iOS 6 Photos Menu, Make Gmail as default, Notification Lunar Calendar, Olympic 2012 Medal for Notification Center, PhotoFilters, Sara, Sara Dictation Keyboard, VoiceTweet.<br />
<br />
=== AdThief/Spad (March and August 2014) ===<br />
<br />
AdThief (also called Spad) is malware targeting jailbroken iOS devices, which "tweaks a developer ID that’s intended to tell ad developers when their ads are either viewed or clicked and in turn, generate revenue. In the malware’s case, infected devices funnel those small payments away from the developers to the hacker", as [https://threatpost.com/adthief-ios-malware-affecting-75k-jailbroken-devices/107907 explained by Kaspersky Threatpost]. Security researchers estimated it had infected 75,000 devices.<br />
<br />
=== Unflod (April 2014) ===<br />
<br />
[[Unflod]] is a malicious piece of software targeting jailbroken iOS devices, which attempts to capture the user's Apple ID and password by using MobileSubstrate to hook into the SSLWrite function of Security.framework and then listening to data passed to it. Once the Apple ID and password are captured, it is sent to a Chinese IP address. It was inadvertently discovered by a Reddit user on April 17th, 2014. Also called "Unflod Baby Panda" and "SSLCreds".<br />
<br />
=== AppBuyer (September 2014) ===<br />
<br />
AppBuyer, as discussed in [http://researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/ this article by Palo Alto Networks], is malware that “will connect to C&C server, download and execute malicious executable files, hook network APIs to steal user’s Apple ID and password and upload to the attacker’s server, and simulate Apple’s proprietary protocols to buy apps from the official App Store by victim’s identity.” It targets jailbroken devices.<br />
<br />
=== WireLurker and Masque Attack (November 2014) ===<br />
<br />
As discussed at [[Misuse of enterprise and developer certificates]]: [http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/ according to Palo Alto Networks], WireLurker is "a family of malware targeting both Mac OS and iOS systems for the past six months...It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning."<br />
<br />
Masque Attacks are a related technique, also [https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html discussed by Palo Alto Networks]: "an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier."<br />
<br />
=== Xsser mRAT (December 2014) ===<br />
<br />
Xsser mRAT is a piece of malware that targets jailbroken devices. [https://blogs.akamai.com/2014/12/ios-and-android-os-targeted-by-man-in-the-middle-attacks.html As described by Akamai]: "The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server."<br />
<br />
=== Lock Saver Free (July 2015) ===<br />
<br />
Lock Saver Free is a free tweak, originally distributed on a default repository (removed from the repository after discovery of the problem), that installs an extra tweak that hooks into ad banners to insert its own ad identifier, presumably in order to give ad revenue to the author of the tweak instead of to the author of the website/app where the ad was found. [https://www.reddit.com/r/jailbreak/comments/3eis8g/news_lock_saver_free_contains_a_trojan_that/ Discussion on Reddit].<br />
<br />
=== KeyRaider (August 2015) ===<br />
<br />
KeyRaider, as discussed in [http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/ this article by Palo Alto Networks], is a piece of malware for jailbroken devices that "steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device." These security researchers said it has over 225,000 stolen accounts in its database.<br />
<br />
=== XcodeGhost (September 2015) ===<br />
<br />
XcodeGhost is a form of malware that was found in some unofficial redistributions of Xcode targeted at Chinese developers (who often download redistributed copies because official Apple download speeds are slow in China). XcodeGhost infects apps compiled with those versions of Xcode, which included at least 39 apps published in the iOS App Store. Palo Alto Networks published a series of posts about it: [http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/ original post explaining it], [http://researchcenter.paloaltonetworks.com/2015/09/malware-xcodeghost-infects-39-ios-apps-including-wechat-affecting-hundreds-of-millions-of-users/ a list of additional infected apps on the App Store], [http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/ more about its capabilities]. It adds code that can upload device and app information to a central server, create fake iCloud password signin prompts, and read and write from the copy-and-paste clipboard.<br />
<br />
=== YiSpecter (October 2015) ===<br />
<br />
YiSpecter, [http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/ also discussed by Palo Alto Networks], is malware that uses private APIs to perform malicious actions on both non-jailbroken and jailbroken iOS. It gets installed in the form of apps signed with [[Misuse of enterprise and developer certificates|enterprise certificates]]. Palo Alto Networks says "On infected iOS devices, YiSpecter can download, install and launch arbitrary iOS apps, replace existing apps with those it downloads, hijack other apps’ execution to display advertisements, change Safari’s default search engine, bookmarks and opened pages, and upload device information to the C2 server."<br />
<br />
=== Muda (October 2015) ===<br />
<br />
Muda (also called AdLord), [https://twitter.com/claud_xiao/status/653606471876263936 discussed by Claud Xiao], is a form of adware for jailbroken devices. It has been in the wild at least since October 2013. He writes "It spreads via third party Cydia sources in China, and only affects jailbroken iOS devices. Its main behaviors include to display advertisements over other apps or in notification bar, and to ask user downloading iOS apps it promoted. "<br />
<br />
=== Youmi Ad SDK (October 2015) ===<br />
<br />
This advertising SDK, mostly used by Chinese App Store developers, [https://sourcedna.com/blog/20151018/ios-apps-using-private-apis.html was discovered by SourceDNA] to be abusing private APIs in order to collect more personal information than is allowed by Apple security and privacy guidelines, including the list of apps installed on a device, serial numbers of a device and internal components, and user's Apple ID email address. Youmi exploited a weakness in App Store review process and evaded detection by obfuscating private API calls using simple string manipulation. 256 apps with estimated 1 million downloads were found to be affected, including the official Chinese McDonald's app.<br />
<br />
=== AceDeceiver (March 2016) ===<br />
<br />
AceDeceiver, [https://researchcenter.paloaltonetworks.com/2016/03/acedeceiver-first-ios-trojan-exploiting-apple-drm-design-flaws-to-infect-any-ios-device/ reported by Claud Xiao of Palo Alto Networks], is malware for non-jailbroken iOS devices. It gets on non-jailbroken devices through a desktop application that exploits design flaws in Apple’s DRM mechanism to install a malicious iOS app from the App Store. It can install the malicious app even after the app is removed from the App Store, and it doesn't require [[Misuse of enterprise and developer certificates|misusing an enterprise certificate]].<br />
<br />
=== Safari JavaScript pop-up scareware (March 2017) ===<br />
<br />
[https://blog.lookout.com/blog/2017/03/27/mobile-safari-scareware/ Lookout reported] that scammers had "abused the handling of pop-up dialogs in Mobile Safari in such a way that it would lock out a victim from using the browser. The attack would block use of the Safari browser on iOS until the victim pays the attacker money in the form of an iTunes Gift Card. During the lockout, the attackers displayed threatening messaging in an attempt to scare and coerce victims into paying. However, a knowledgeable user could restore functionality of Mobile Safari by clearing the browser’s cache via the the iOS Settings — the attack doesn’t actually encrypt any data and hold it ransom."<br />
<br />
iOS 10.3 changed the handling of JavaScript pop-ups to prevent this problem, making pop-ups "per-tab rather than taking over the entire app".<br />
<br />
== Tools used by governments (and similar) to target individuals ==<br />
<br />
=== FinSpy Mobile (August 2012) ===<br />
<br />
FinFisher is a suite of commercial surveillance tools sold to governments, which have been used to target activists and other people. The suite [https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/ includes spyware tools for many mobile operating systems, including iOS].<br />
<br />
=== DROPOUTJEEP (December 2013) ===<br />
<br />
In December 2013, a conference presentation included information about a NSA tool called DROPOUTJEEP: [http://www.forbes.com/sites/erikkain/2013/12/30/the-nsa-reportedly-has-total-access-to-your-iphone/ "a software implant for the Apple iPhone that utilizes modular mission applications to provide specific SIGINT functionality. This functionality includes the ability to remotely push/pull files from the device. SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell tower location, etc. Command, control and data exfiltration can occur over SMS messaging or a GPRS data connection. All communications with the implant will be covert and encrypted.”] The information was from an internal NSA software catalog from 2008. The presenter speculated that Apple had helped build this tool, and [http://techcrunch.com/2013/12/31/apple-says-it-has-never-worked-with-nsa-to-create-iphone-backdoors-is-unaware-of-alleged-dropoutjeep-snooping-program/ Apple said it "has never worked with the NSA to create a backdoor in any of our products"].<br />
<br />
=== Hacking Team tools (June 2014 and July 2015) ===<br />
<br />
[[Hacking Team]] is a company that "sells offensive intrusion and surveillance capabilities to governments and law enforcement agencies", including iOS spyware tools. The iOS spyware tools appear designed for targeting/attacking specific people, not for broad surveillance of the public. Their main tool (Remote Control System) requires a jailbroken device, and they were researching options for non-jailbroken devices.<br />
<br />
=== Inception (December 2014) ===<br />
<br />
Inception is an "attack framework" from an unknown source that targets individuals to steal information, using phishing emails and other techniques along with malware for iOS and other mobile operating systems, described in [https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware this post by security researchers who identified it]. According to [http://images.machspeed.bluecoat.com/Web/BlueCoat/%7B7f2dda62-f240-48dc-b05e-5cc620747b73%7D_bcs_wp_The_Inception_Framework_Cloud-Hosted_APT_EN_1d.pdf the whitepaper from those security researchers], a target may receive a phishing email with a link that says it's a WhatsApp update, and if clicked on jailbroken iOS, it triggers "the download of a Debian installer package, WhatsAppUpdate.deb, also 1.2Mb in size. This application impersonates a Cydia installer, and can only be installed on a jailbroken phone" (page 23). It's unclear what they mean by "impersonates a Cydia installer", but a .deb file is the standard format for software packages installable via Cydia. The iOS malware collects the device's [[ICCID]], address book, phone number, MAC address, and other information.<br />
<br />
Another group of security researchers also identified this attack framework [http://www.cso.com.au/article/562325/sophisticated-malware-targets-execs-pcs-android-blackberry-ios-devices/ and called it Cloud Atlas].<br />
<br />
More articles: [http://appleinsider.com/articles/14/12/11/massive-sophisticated-inception---cloud-atlas-malware-infects-windows-and-android-but-cant-exploit-apples-ios-without-jailbreak Apple Insider], [http://www.forbes.com/sites/thomasbrewster/2014/12/10/iphone-android-attacks-on-diplomats/ Forbes]. There is a sample download [http://contagiominidump.blogspot.de/2014/12/cloud-atlas-inception-ios.html available via this blog].<br />
<br />
=== XAgent (February 2015) ===<br />
<br />
XAgent is a surveillance tool targeting specific people (such as people in governments, the military, and journalists) that can affect both non-jailbroken and jailbroken devices, as described in [http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/ this article by Trend Micro]. Also [http://www.pcworld.com/article/2880152/new-spyware-targets-ios-devices-steals-pictures-and-data.html covered by PCWorld].<br />
<br />
=== Pegasus (August 2016) ===<br />
<br />
Pegasus is a spyware product for iOS built by NSO Group, sold to governments, which has been used for attacks against political dissidents. It uses a chain of exploits nicknamed Trident to silently jailbreak the target device, and then it installs malware. Lookout Security described it in [https://blog.lookout.com/blog/2016/08/25/trident-pegasus/ a post] and [https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf a technical analysis]. Citizen Lab wrote [https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/ a post about its use].<br />
<br />
In June 2017, [https://www.nytimes.com/2017/06/19/world/americas/mexico-spyware-anticrime.html?_r=0 the New York Times reported] that the Mexican government used Pegasus to target human rights lawyers, journalists and anti-corruption activists.<br />
<br />
=== Cellebrite (February 2017) ===<br />
<br />
As reported by [https://motherboard.vice.com/en_us/article/hacker-dumps-ios-cracking-tools-allegedly-stolen-from-cellebrite Motherboard in February 2017], Cellebrite is "an Israeli firm which specializes in extracting data from mobile phones for law enforcement agencies". According to leaked information, "much of the iOS-related code is very similar to that used in the jailbreaking scene", such as [[limera1n]] and [[QuickPwn]], with additions: "some of the code in the dump was designed to brute force PIN numbers". The leaked files are [https://www.reddit.com/r/jailbreak/comments/5rtffh/newsfirm_that_helped_fbi_break_into_san/ddan91v/ available online].<br />
<br />
=== CIA "Vault 7" materials (March 2017) ===<br />
<br />
On March 7, 2017, WikiLeaks [https://www.nytimes.com/2017/03/07/world/europe/wikileaks-cia-hacking.html released a collection of CIA documents called Vault 7], dated from 2013 to 2016, that include information about CIA hacking tools for iOS devices. The materials include [https://wikileaks.org/ciav7p1/cms/space_2359301.html documentation for CIA iOS exploitation research] and [https://wikileaks.org/ciav7p1/cms/page_13205587.html a list of iOS exploits they have].<br />
<br />
== Tools developed as part of research ==<br />
<br />
=== iSAM (June 2011) ===<br />
<br />
iSAM is a malware tool [http://link.springer.com/chapter/10.1007%2F978-3-642-21424-0_2 developed by security researchers] as a proof of concept. It affects both jailbroken and not-yet-jailbroken devices: it scans for jailbroken devices that have SSH running and the default root password, and it also includes a malicious version of the [[Star]] exploit (JailbreakMe 2.0) so it can jailbreak a device that isn't jailbroken yet.<br />
<br />
=== Instastock (November 2011) ===<br />
<br />
Charlie Miller, a security researcher, [http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/ submitted an app to the App Store called Instastock] to demonstrate "a flaw in Apple’s restrictions on code signing on iOS devices". The app was initially accepted and then pulled from the store.<br />
<br />
=== Mactans (July 2013) ===<br />
<br />
At the Black Hat 2013 conference, security researchers presented a tool called Mactans, a small device that looks like a charger but [http://www.zdnet.com/article/researchers-reveal-how-to-hack-an-iphone-in-60-seconds/ can insert malware if you plug an iOS device into it]. The iOS device does not have to be jailbroken.<br />
<br />
=== Jekyll (August 2013) ===<br />
<br />
At the USENIX Security Symposium in 2013, security researchers described a method for getting a malicious app approved for the App Store, [http://www.theguardian.com/technology/appsblog/2013/aug/19/ios-malware-apple-iphone-ipad-jekyll "created with remotely-exploitable vulnerabilities built in, masked by legitimate features to evade detection during the App Store approval process, but ready to be triggered once the app was installed on an iOS device."] They successfully got an app approved for the App Store with this method (which [http://arstechnica.com/security/2013/08/seemingly-benign-jekyll-app-passes-apple-review-then-becomes-evil/ "was only active for a few minutes following its launch in March, and during that time it wasn't installed by anyone not involved in the experiment"]).<br />
<br />
=== XARA attacks (June 2015) ===<br />
<br />
Security researchers found methods for "cross-app resource access" (XARA) attacks on OS X and iOS, and they submitted malicious proof-of-concept apps to the Mac and iOS App Store. Apple approved the apps, and the researchers immediately removed them from the stores. These XARA attacks were ways of bypassing the sandboxes that are supposed to prevent an app from accessing files that don't belong to that app, [https://drive.google.com/file/d/0BxxXk1d3yyuZOFlsdkNMSGswSGs/view described by the security researchers in a paper]. [http://arstechnica.com/security/2015/06/serious-os-x-and-ios-flaws-let-hackers-steal-keychain-1password-contents/ Ars Technica article].<br />
<br />
=== NeonEggShell (August 2015) ===<br />
<br />
[http://neoneggplants.com/projects/neoneggshell/ NeonEggShell] is a command shell creation tool for iOS and OS X. The author says "This project is a proof of concept way to demon strate how easy it is to take over a whole device with a piece of code no bigger than a twitter post." The project includes tools for making payloads for jailbroken iOS, with features such as keylogging and location tracking. By default, the tool includes a "prompt that asks for permission before allowing any connection to the remote server."<br />
<br />
== Tools for sale to the public to target individuals ==<br />
<br />
=== 1mole ===<br />
<br />
[http://www.bosspy.com/user/iphoneos.aspx 1mole] is a spying tool available to the public via their own repository, authored by Bosspy. It describes itself [http://www.bosspy.com/user/default.aspx on its website] as "For Parents" ("Have your children going home after school? Consult their GPS position to be sure."), "For individuals" ("You think about your lost or stolen mobile phone."), and "For Employers" ("Install the software on your business phones and locate them in real time"). Its feature list includes "Track GPS locations" and "Capture the lock sreen passcode" for free, and "Record text messages", "Log Calls details", "Website monitoring", and "Keylogger" as paid services.<br />
<br />
=== Copy9 ===<br />
<br />
[http://cydia.saurik.com/package/com.goldenspy.copy9/ Copy9] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Copy9. It describes itself as "will be installed on target iDevice to find out a thief, cheating spouses, monitor chidren/employees or simply backup data from your devices to our cloud server. This is the best spyware on the world in spying field." [http://copy9.com/ Copy9 website].<br />
<br />
=== Copy10 ===<br />
<br />
[http://cydia.saurik.com/package/com.copy10.copy10/ Copy10] is a similar but separate spying tool available to the public via the ModMyi repository (a default repository), authored by IntelMobi/goldenspy. Their description includes "Are you having trust issues in your relationship? Sign that your kid's personality has changed and their behaviors, does your teenager hang out with friends you're concerned about? What if you believe one of your employees is a spy or is stealing company's technology, intellectual property or trade secrets?" [https://www.intelmobi.com/ IntelMobi website].<br />
<br />
=== FlexiSPY ===<br />
<br />
[http://www.flexispy.com/en/iphone-tracker-spy-on-iphone.htm FlexiSPY] is a spying tool available to the public presumably via their own repository (this isn't specified on their website, but it's specified that you need the device to be jailbroken), authored by Flexispy, Ltd. Their website says "If you have a committed relationship with your partner or are responsible for a child or employee YOU HAVE A RIGHT TO KNOW To protect your relationship, spy on their iPhone."<br />
<br />
=== iKeyGuard Key Logger ===<br />
<br />
[http://cydia.saurik.com/package/com.ikeyguard.ikg/ iKeyGuard Key Logger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by iKeyGuard. Its description includes "Warning: Logging other people without their permission might be illegal in your country! Make sure you abide by your local law."<br />
<br />
=== iKeyMonitor keylogger ===<br />
<br />
[http://cydia.saurik.com/package/com.aw.mobile.ikm/ iKeyMonitor keylogger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Awosoft Technology. [http://ikeymonitor.com/ Its website] includes "How to monitor your children's cell phone to discover the truth and protect them from potential dangers? Now with iKeyMonitor you can uncover the truth by secretly monitoring mobile phones and tablets such as iPhone/iPad/iPod and Android device."<br />
<br />
=== InnovaSPY ===<br />
<br />
[http://cydia.saurik.com/package/com.innovaspy.innovaspy/ InnovaSPY] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Innovaspy. Its description says "Perfect iPhone spy app" and lists reasons to use it as "Protect your child from cyber predators" and "Find out THE TRUE from cheating spouse?" Related package: [http://cydia.saurik.com/package/com.innovaspy.innovamonitor/ InnovaMonitor], a monitoring app for use with the spy tool. [http://innovaspy.com/ InnovaSPY website].<br />
<br />
=== Mobile Spy ===<br />
<br />
[http://www.mobile-spy.com/iphone-v7.html Mobile Spy] is a spying tool available to the public via their own repository, authored by Retina-X Studios. [http://www.mobile-spy.com/ Their website] says "View your Child or Employee's Smartphone and Tablet Usage. Monitor text messages, GPS locations, call details, photos and social media activity. View the screen and location LIVE!"<br />
<br />
=== MobiStealth ===<br />
<br />
[http://www.mobistealth.com/iphone-spy MobiStealth] is a spying tool available to the public for both [http://www.mobistealth.com/iphone-spy jailbroken iOS] (presumably installed via their own repository) and [http://www.mobistealth.com/ios-non-jailbreak non-jailbroken iOS] ("All that you require is the Apple ID and password of the iPhone or iPad that you want to monitor to get remote access to"). Their website includes "Are your employees misusing company owned phones? Are your kids getting more possessed and do not want to share anything with you? Stop wondering and thinking all day long, Mobistealth iPhone spy app is exactly what you need."<br />
<br />
=== mSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.mtechnology.mspy.trial/ mSpy] is a spying tool available to the public via the BigBoss repository (a default repository), authored by Mtechnology. Its description of itself: "mSpy is the best tracking and spy application that allows users to keep a check on the cell phone activities of their kids other family members or employees in order to avoid any unwanted behavior or for safety purposes."<br />
<br />
The mSpy website [http://www.mspy.com/compatibility.html indicates that they also have a version for non-jailbroken devices].<br />
<br />
In May 2015, [http://krebsonsecurity.com/2015/05/mspy-denies-breach-even-as-customers-confirm-it/ mSpy had a customer data breach].<br />
<br />
=== OwnSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.ownspy.daemon/ OwnSpy] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Antonio Calatrava. It describes itself as "Spy your own iPhone or iPad", with call recording, location tracking, and other features. It has a warning that says "Installing OwnSpy on a device that does not belong to you is a criminal offense and may be prosecuted. Mobile Innovations will help authorities if required." [http://en.ownspy.com/P000001-install-on-ios OwnSpy website].<br />
<br />
=== Spy App ===<br />
<br />
[http://cydia.saurik.com/package/com.spyapp.daemon/ Spy App] is a spying tool available to the public via the ModMyi repository (a default repository), authored by dmarinov. Its description includes "Remotely spy SMS, Emails, Call Logs, GPS Location, Key presses (Keylogger)" and other features. It says it is "absolutely invisible and undetectable."<br />
<br />
=== SpyKey ===<br />
<br />
[http://cydia.saurik.com/package/com.kobisnir.spykey/ SpyKey] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Kobi Snir. Its description includes "a simple app that let you monitor your PC Keyboard activity in real time, Simply connect your iphone to your compute using your Wifi or 3G connection and start monitoring." The [http://www.ioslinks.com/spykey/ SpyKey website] includes "Great use for parental control purposes, protect your kids from chating with strangers!", "Discover usernames & passwords", and "Spy unfaithfull husband or wife."<br />
<br />
=== StealthGenie ===<br />
<br />
StealthGenie was a spying tool available to the public [http://blog.flexispy.com/remove-stealthgenie-iphone-android/ via their own repository]. It also supported other mobile operating systems. In November 2014, the person who advertised and sold this product was [http://www.justice.gov/opa/pr/man-pleads-guilty-selling-stealthgenie-spyware-app-and-ordered-pay-500000-fine charged with a federal crime and fined $500,000]. The charge was "sale of an interception device and advertisement of a known interception device", a wiretapping crime. [http://www.forbes.com/sites/kashmirhill/2014/09/30/stealthgenie-ugly-marketing-of-spyware/ A Forbes article] says "according to the FBI, Akbar and his team developed an internal business plan that revealed that — duh — the primary target audience for the app was people who thought their partners were cheating." The Forbes article points out [[#Mobile Spy]], [[#mSpy]], [[#FlexiSPY]], and [[#MobiStealth]] as similar products.<br />
<br />
=== Trapsms ===<br />
<br />
Trapsms was an early spying tool available to the public, [http://blog.fortinet.com/post/detecting-spyware-for-iphones described in this post by a security researcher in July 2009]. She says: "The spyware installs on any jailbroken iPhone. In Cydia (an iPhone front-end to help installing third-party applications), you first add the URL of the spyware's repository and then install the two spyware packages."<br />
<br />
[[Category:Malware research]]</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=Malware_for_iOS&diff=56960Malware for iOS2017-04-10T00:05:01Z<p>Britta: /* Tools found in the wild that target the public */ adding recent pop-up scareware</p>
<hr />
<div>This is a list of known malware (including spyware, adware, trojans, viruses, worms, and similar tools) that have targeted iOS, including jailbroken iOS. The dates are approximate dates when people discovered, publicized, or started discussing the tool.<br />
<br />
The goal of this list is to aid better understanding of the risks of using iOS and jailbroken iOS - it's helpful to have as much accurate information as you can. If you're concerned about avoiding malware on your jailbroken device, check out [https://www.reddit.com/r/jailbreak/wiki/howtoresearch this guide to making informed guesses about whether packages are reasonable to install].<br />
<br />
Some context: <br />
* Some of these tools targeted old iOS versions and do not work on current iOS versions.<br />
* Some of these are harmful and some are merely annoying.<br />
* Many of these require the device to be jailbroken, and some work on non-jailbroken devices (including via [[misuse of enterprise and developer certificates]]).<br />
* Cydia is an open platform - it includes a specific set of default repositories, and it also allows users to type in any third-party repository that they want to use (much like a web browser that allows you to visit any website). Anyone can run a third-party repository and distribute any software they choose to distribute.<br />
* Some of these tools are built to target specific people instead of the general public.<br />
* Especially for malware that targets a specific person and requires the device to be jailbroken (such as commercial spyware tools used by governments and [http://www.forbes.com/sites/sarahjeong/2014/10/28/surveillance-begins-at-home/ people spying on family members]), it's important to consider that ''the vulnerabilities in iOS that allow it to be exploited with a jailbreak'' are part of what allows that malware to exist - the process may include finding a way to secretly jailbreak the target's device if it's not jailbroken already.<br />
<br />
For an earlier list of known malware, see [https://blog.fortinet.com/post/ios-malware-does-exist "iOS Malware Does Exist"] (June 2014).<br />
<br />
== Tools found in the wild that target the public ==<br />
<br />
=== iKee and Duh (November 2009) ===<br />
<br />
The [[Ikee-virus]] (also called Eeki) is a worm transmitted between jailbroken devices that have OpenSSH installed and haven't changed the default root password. It changes the lockscreen background to a photo of Rick Astley.<br />
<br />
Two weeks later, the similar [https://nakedsecurity.sophos.com/2009/11/23/lightning-strikes-iphone-malware-malicious/ Duh worm] spread, which was "much more serious than the original Ikee worm because it is not limited to infecting iPhone users in Australia, and communicates with an internet Control & Command centre, downloading new instructions - effectively turning your iPhone into part of a botnet."<br />
<br />
=== "Find and Call" (July 2012) ===<br />
<br />
Find and Call was an app on the App Store that automatically uploaded users' contact lists to the company's server, then spammed those contacts with a link to the app ("from" that user). This undisclosed, unwanted behavior makes the software fit the definition of a trojan. Articles: [https://securelist.com/blog/incidents/33544/find-and-call-leak-and-spam-57/ Kaspersky SecureList], [http://arstechnica.com/apple/2012/07/find-and-call-app-becomes-first-trojan-to-appear-on-ios-app-store/ Ars Technica], [https://nakedsecurity.sophos.com/2012/07/06/find-call-ios-android-malware/ Sophos NakedSecurity]. It is also called FindCall.<br />
<br />
=== Packages by Nobitazzz (August 2012 and September 2013) ===<br />
<br />
A tweak developer who went by various names (Felix, FelixCat, isoftjsc, Martin Pham, Nitram88, Nobitazzz, Nobita.ZZZ, Sara_Nobita, sara_nobita_zzz, tuyentq2009, vietSARA) included adware in his tweaks. These were many free packages along with some paid packages sold via the Cydia Store, mostly distributed by default repositories (until the problem was discovered). The adware ran ads in the background of iOS, displaying off-screen so that the user wouldn't notice them, with the revenue from those ads going to this tweak developer. This was [http://modmyi.com/forums/cydia-support/810633-new-adware-malware-found-cydia.html first reported in August 2012 on the ModMyi forum] and [http://ryanhileman.info/posts/webgl analyzed in September 2013] ([https://www.reddit.com/r/jailbreak/comments/1n5702/anatomy_of_a_jailbreak_trojan/ discussion on Reddit]).<br />
<br />
Packages by this developer included: Animated ICS LockScreen & HomeScreen, BetterChrome, Chrome Download Enabler, ChromeMe, Enable Copy text in Facebook app, Enable WebGL, Facebook Photo Library integration, FacebookThis, Handwriting recognition, Insta9gag, InstaFacebook for NotificationCenter, Instagram Image saver, InstaSocial for Notification Center, InstaTwitter for NotificationCenter, iOS 6 Photos Menu, Make Gmail as default, Notification Lunar Calendar, Olympic 2012 Medal for Notification Center, PhotoFilters, Sara, Sara Dictation Keyboard, VoiceTweet.<br />
<br />
=== AdThief/Spad (March and August 2014) ===<br />
<br />
AdThief (also called Spad) is malware targeting jailbroken iOS devices, which "tweaks a developer ID that’s intended to tell ad developers when their ads are either viewed or clicked and in turn, generate revenue. In the malware’s case, infected devices funnel those small payments away from the developers to the hacker", as [https://threatpost.com/adthief-ios-malware-affecting-75k-jailbroken-devices/107907 explained by Kaspersky Threatpost]. Security researchers estimated it had infected 75,000 devices.<br />
<br />
=== Unflod (April 2014) ===<br />
<br />
[[Unflod]] is a malicious piece of software targeting jailbroken iOS devices, which attempts to capture the user's Apple ID and password by using MobileSubstrate to hook into the SSLWrite function of Security.framework and then listening to data passed to it. Once the Apple ID and password are captured, it is sent to a Chinese IP address. It was inadvertently discovered by a Reddit user on April 17th, 2014. Also called "Unflod Baby Panda" and "SSLCreds".<br />
<br />
=== AppBuyer (September 2014) ===<br />
<br />
AppBuyer, as discussed in [http://researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/ this article by Palo Alto Networks], is malware that “will connect to C&C server, download and execute malicious executable files, hook network APIs to steal user’s Apple ID and password and upload to the attacker’s server, and simulate Apple’s proprietary protocols to buy apps from the official App Store by victim’s identity.” It targets jailbroken devices.<br />
<br />
=== WireLurker and Masque Attack (November 2014) ===<br />
<br />
As discussed at [[Misuse of enterprise and developer certificates]]: [http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/ according to Palo Alto Networks], WireLurker is "a family of malware targeting both Mac OS and iOS systems for the past six months...It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning."<br />
<br />
Masque Attacks are a related technique, also [https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html discussed by Palo Alto Networks]: "an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier."<br />
<br />
=== Xsser mRAT (December 2014) ===<br />
<br />
Xsser mRAT is a piece of malware that targets jailbroken devices. [https://blogs.akamai.com/2014/12/ios-and-android-os-targeted-by-man-in-the-middle-attacks.html As described by Akamai]: "The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server."<br />
<br />
=== Lock Saver Free (July 2015) ===<br />
<br />
Lock Saver Free is a free tweak, originally distributed on a default repository (removed from the repository after discovery of the problem), that installs an extra tweak that hooks into ad banners to insert its own ad identifier, presumably in order to give ad revenue to the author of the tweak instead of to the author of the website/app where the ad was found. [https://www.reddit.com/r/jailbreak/comments/3eis8g/news_lock_saver_free_contains_a_trojan_that/ Discussion on Reddit].<br />
<br />
=== KeyRaider (August 2015) ===<br />
<br />
KeyRaider, as discussed in [http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/ this article by Palo Alto Networks], is a piece of malware for jailbroken devices that "steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device." These security researchers said it has over 225,000 stolen accounts in its database.<br />
<br />
=== XcodeGhost (September 2015) ===<br />
<br />
XcodeGhost is a form of malware that was found in some unofficial redistributions of Xcode targeted at Chinese developers (who often download redistributed copies because official Apple download speeds are slow in China). XcodeGhost infects apps compiled with those versions of Xcode, which included at least 39 apps published in the iOS App Store. Palo Alto Networks published a series of posts about it: [http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/ original post explaining it], [http://researchcenter.paloaltonetworks.com/2015/09/malware-xcodeghost-infects-39-ios-apps-including-wechat-affecting-hundreds-of-millions-of-users/ a list of additional infected apps on the App Store], [http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/ more about its capabilities]. It adds code that can upload device and app information to a central server, create fake iCloud password signin prompts, and read and write from the copy-and-paste clipboard.<br />
<br />
=== YiSpecter (October 2015) ===<br />
<br />
YiSpecter, [http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/ also discussed by Palo Alto Networks], is malware that uses private APIs to perform malicious actions on both non-jailbroken and jailbroken iOS. It gets installed in the form of apps signed with [[Misuse of enterprise and developer certificates|enterprise certificates]]. Palo Alto Networks says "On infected iOS devices, YiSpecter can download, install and launch arbitrary iOS apps, replace existing apps with those it downloads, hijack other apps’ execution to display advertisements, change Safari’s default search engine, bookmarks and opened pages, and upload device information to the C2 server."<br />
<br />
=== Muda (October 2015) ===<br />
<br />
Muda (also called AdLord), [https://twitter.com/claud_xiao/status/653606471876263936 discussed by Claud Xiao], is a form of adware for jailbroken devices. It has been in the wild at least since October 2013. He writes "It spreads via third party Cydia sources in China, and only affects jailbroken iOS devices. Its main behaviors include to display advertisements over other apps or in notification bar, and to ask user downloading iOS apps it promoted. "<br />
<br />
=== Youmi Ad SDK (October 2015) ===<br />
<br />
This advertising SDK, mostly used by Chinese App Store developers, [https://sourcedna.com/blog/20151018/ios-apps-using-private-apis.html was discovered by SourceDNA] to be abusing private APIs in order to collect more personal information than is allowed by Apple security and privacy guidelines, including the list of apps installed on a device, serial numbers of a device and internal components, and user's Apple ID email address. Youmi exploited a weakness in App Store review process and evaded detection by obfuscating private API calls using simple string manipulation. 256 apps with estimated 1 million downloads were found to be affected, including the official Chinese McDonald's app.<br />
<br />
=== Safari JavaScript pop-up scareware (March 2017) ===<br />
<br />
[https://blog.lookout.com/blog/2017/03/27/mobile-safari-scareware/ Lookout reported] that scammers had "abused the handling of pop-up dialogs in Mobile Safari in such a way that it would lock out a victim from using the browser. The attack would block use of the Safari browser on iOS until the victim pays the attacker money in the form of an iTunes Gift Card. During the lockout, the attackers displayed threatening messaging in an attempt to scare and coerce victims into paying. However, a knowledgeable user could restore functionality of Mobile Safari by clearing the browser’s cache via the the iOS Settings — the attack doesn’t actually encrypt any data and hold it ransom."<br />
<br />
iOS 10.3 changed the handling of JavaScript pop-ups to prevent this problem, making pop-ups "per-tab rather than taking over the entire app".<br />
<br />
== Tools used by governments (and similar) to target individuals ==<br />
<br />
=== FinSpy Mobile (August 2012) ===<br />
<br />
FinFisher is a suite of commercial surveillance tools sold to governments, which have been used to target activists and other people. The suite [https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/ includes spyware tools for many mobile operating systems, including iOS].<br />
<br />
=== DROPOUTJEEP (December 2013) ===<br />
<br />
In December 2013, a conference presentation included information about a NSA tool called DROPOUTJEEP: [http://www.forbes.com/sites/erikkain/2013/12/30/the-nsa-reportedly-has-total-access-to-your-iphone/ "a software implant for the Apple iPhone that utilizes modular mission applications to provide specific SIGINT functionality. This functionality includes the ability to remotely push/pull files from the device. SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell tower location, etc. Command, control and data exfiltration can occur over SMS messaging or a GPRS data connection. All communications with the implant will be covert and encrypted.”] The information was from an internal NSA software catalog from 2008. The presenter speculated that Apple had helped build this tool, and [http://techcrunch.com/2013/12/31/apple-says-it-has-never-worked-with-nsa-to-create-iphone-backdoors-is-unaware-of-alleged-dropoutjeep-snooping-program/ Apple said it "has never worked with the NSA to create a backdoor in any of our products"].<br />
<br />
=== Hacking Team tools (June 2014 and July 2015) ===<br />
<br />
[[Hacking Team]] is a company that "sells offensive intrusion and surveillance capabilities to governments and law enforcement agencies", including iOS spyware tools. The iOS spyware tools appear designed for targeting/attacking specific people, not for broad surveillance of the public. Their main tool (Remote Control System) requires a jailbroken device, and they were researching options for non-jailbroken devices.<br />
<br />
=== Inception (December 2014) ===<br />
<br />
Inception is an "attack framework" from an unknown source that targets individuals to steal information, using phishing emails and other techniques along with malware for iOS and other mobile operating systems, described in [https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware this post by security researchers who identified it]. According to [http://images.machspeed.bluecoat.com/Web/BlueCoat/%7B7f2dda62-f240-48dc-b05e-5cc620747b73%7D_bcs_wp_The_Inception_Framework_Cloud-Hosted_APT_EN_1d.pdf the whitepaper from those security researchers], a target may receive a phishing email with a link that says it's a WhatsApp update, and if clicked on jailbroken iOS, it triggers "the download of a Debian installer package, WhatsAppUpdate.deb, also 1.2Mb in size. This application impersonates a Cydia installer, and can only be installed on a jailbroken phone" (page 23). It's unclear what they mean by "impersonates a Cydia installer", but a .deb file is the standard format for software packages installable via Cydia. The iOS malware collects the device's [[ICCID]], address book, phone number, MAC address, and other information.<br />
<br />
Another group of security researchers also identified this attack framework [http://www.cso.com.au/article/562325/sophisticated-malware-targets-execs-pcs-android-blackberry-ios-devices/ and called it Cloud Atlas].<br />
<br />
More articles: [http://appleinsider.com/articles/14/12/11/massive-sophisticated-inception---cloud-atlas-malware-infects-windows-and-android-but-cant-exploit-apples-ios-without-jailbreak Apple Insider], [http://www.forbes.com/sites/thomasbrewster/2014/12/10/iphone-android-attacks-on-diplomats/ Forbes]. There is a sample download [http://contagiominidump.blogspot.de/2014/12/cloud-atlas-inception-ios.html available via this blog].<br />
<br />
=== XAgent (February 2015) ===<br />
<br />
XAgent is a surveillance tool targeting specific people (such as people in governments, the military, and journalists) that can affect both non-jailbroken and jailbroken devices, as described in [http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/ this article by Trend Micro]. Also [http://www.pcworld.com/article/2880152/new-spyware-targets-ios-devices-steals-pictures-and-data.html covered by PCWorld].<br />
<br />
=== Pegasus (August 2016) ===<br />
<br />
Pegasus is a spyware product for iOS built by NSO Group, sold to governments, which has been used for attacks against political dissidents. It uses a chain of exploits nicknamed Trident to silently jailbreak the target device, and then it installs malware. Lookout Security described it in [https://blog.lookout.com/blog/2016/08/25/trident-pegasus/ a post] and [https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf a technical analysis]. Citizen Lab wrote [https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/ a post about its use].<br />
<br />
=== Cellebrite (February 2017) ===<br />
<br />
As reported by [https://motherboard.vice.com/en_us/article/hacker-dumps-ios-cracking-tools-allegedly-stolen-from-cellebrite Motherboard in February 2017], Cellebrite is "an Israeli firm which specializes in extracting data from mobile phones for law enforcement agencies". According to leaked information, "much of the iOS-related code is very similar to that used in the jailbreaking scene", such as [[limera1n]] and [[QuickPwn]], with additions: "some of the code in the dump was designed to brute force PIN numbers". The leaked files are [https://www.reddit.com/r/jailbreak/comments/5rtffh/newsfirm_that_helped_fbi_break_into_san/ddan91v/ available online].<br />
<br />
=== CIA "Vault 7" materials (March 2017) ===<br />
<br />
On March 7, 2017, WikiLeaks [https://www.nytimes.com/2017/03/07/world/europe/wikileaks-cia-hacking.html released a collection of CIA documents called Vault 7], dated from 2013 to 2016, that include information about CIA hacking tools for iOS devices. The materials include [https://wikileaks.org/ciav7p1/cms/space_2359301.html documentation for CIA iOS exploitation research] and [https://wikileaks.org/ciav7p1/cms/page_13205587.html a list of iOS exploits they have].<br />
<br />
== Tools developed as part of research ==<br />
<br />
=== iSAM (June 2011) ===<br />
<br />
iSAM is a malware tool [http://link.springer.com/chapter/10.1007%2F978-3-642-21424-0_2 developed by security researchers] as a proof of concept. It affects both jailbroken and not-yet-jailbroken devices: it scans for jailbroken devices that have SSH running and the default root password, and it also includes a malicious version of the [[Star]] exploit (JailbreakMe 2.0) so it can jailbreak a device that isn't jailbroken yet.<br />
<br />
=== Instastock (November 2011) ===<br />
<br />
Charlie Miller, a security researcher, [http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/ submitted an app to the App Store called Instastock] to demonstrate "a flaw in Apple’s restrictions on code signing on iOS devices". The app was initially accepted and then pulled from the store.<br />
<br />
=== Mactans (July 2013) ===<br />
<br />
At the Black Hat 2013 conference, security researchers presented a tool called Mactans, a small device that looks like a charger but [http://www.zdnet.com/article/researchers-reveal-how-to-hack-an-iphone-in-60-seconds/ can insert malware if you plug an iOS device into it]. The iOS device does not have to be jailbroken.<br />
<br />
=== Jekyll (August 2013) ===<br />
<br />
At the USENIX Security Symposium in 2013, security researchers described a method for getting a malicious app approved for the App Store, [http://www.theguardian.com/technology/appsblog/2013/aug/19/ios-malware-apple-iphone-ipad-jekyll "created with remotely-exploitable vulnerabilities built in, masked by legitimate features to evade detection during the App Store approval process, but ready to be triggered once the app was installed on an iOS device."] They successfully got an app approved for the App Store with this method (which [http://arstechnica.com/security/2013/08/seemingly-benign-jekyll-app-passes-apple-review-then-becomes-evil/ "was only active for a few minutes following its launch in March, and during that time it wasn't installed by anyone not involved in the experiment"]).<br />
<br />
=== XARA attacks (June 2015) ===<br />
<br />
Security researchers found methods for "cross-app resource access" (XARA) attacks on OS X and iOS, and they submitted malicious proof-of-concept apps to the Mac and iOS App Store. Apple approved the apps, and the researchers immediately removed them from the stores. These XARA attacks were ways of bypassing the sandboxes that are supposed to prevent an app from accessing files that don't belong to that app, [https://drive.google.com/file/d/0BxxXk1d3yyuZOFlsdkNMSGswSGs/view described by the security researchers in a paper]. [http://arstechnica.com/security/2015/06/serious-os-x-and-ios-flaws-let-hackers-steal-keychain-1password-contents/ Ars Technica article].<br />
<br />
=== NeonEggShell (August 2015) ===<br />
<br />
[http://neoneggplants.com/projects/neoneggshell/ NeonEggShell] is a command shell creation tool for iOS and OS X. The author says "This project is a proof of concept way to demon strate how easy it is to take over a whole device with a piece of code no bigger than a twitter post." The project includes tools for making payloads for jailbroken iOS, with features such as keylogging and location tracking. By default, the tool includes a "prompt that asks for permission before allowing any connection to the remote server."<br />
<br />
== Tools for sale to the public to target individuals ==<br />
<br />
=== 1mole ===<br />
<br />
[http://www.bosspy.com/user/iphoneos.aspx 1mole] is a spying tool available to the public via their own repository, authored by Bosspy. It describes itself [http://www.bosspy.com/user/default.aspx on its website] as "For Parents" ("Have your children going home after school? Consult their GPS position to be sure."), "For individuals" ("You think about your lost or stolen mobile phone."), and "For Employers" ("Install the software on your business phones and locate them in real time"). Its feature list includes "Track GPS locations" and "Capture the lock sreen passcode" for free, and "Record text messages", "Log Calls details", "Website monitoring", and "Keylogger" as paid services.<br />
<br />
=== Copy9 ===<br />
<br />
[http://cydia.saurik.com/package/com.goldenspy.copy9/ Copy9] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Copy9. It describes itself as "will be installed on target iDevice to find out a thief, cheating spouses, monitor chidren/employees or simply backup data from your devices to our cloud server. This is the best spyware on the world in spying field." [http://copy9.com/ Copy9 website].<br />
<br />
=== Copy10 ===<br />
<br />
[http://cydia.saurik.com/package/com.copy10.copy10/ Copy10] is a similar but separate spying tool available to the public via the ModMyi repository (a default repository), authored by IntelMobi/goldenspy. Their description includes "Are you having trust issues in your relationship? Sign that your kid's personality has changed and their behaviors, does your teenager hang out with friends you're concerned about? What if you believe one of your employees is a spy or is stealing company's technology, intellectual property or trade secrets?" [https://www.intelmobi.com/ IntelMobi website].<br />
<br />
=== FlexiSPY ===<br />
<br />
[http://www.flexispy.com/en/iphone-tracker-spy-on-iphone.htm FlexiSPY] is a spying tool available to the public presumably via their own repository (this isn't specified on their website, but it's specified that you need the device to be jailbroken), authored by Flexispy, Ltd. Their website says "If you have a committed relationship with your partner or are responsible for a child or employee YOU HAVE A RIGHT TO KNOW To protect your relationship, spy on their iPhone."<br />
<br />
=== iKeyGuard Key Logger ===<br />
<br />
[http://cydia.saurik.com/package/com.ikeyguard.ikg/ iKeyGuard Key Logger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by iKeyGuard. Its description includes "Warning: Logging other people without their permission might be illegal in your country! Make sure you abide by your local law."<br />
<br />
=== iKeyMonitor keylogger ===<br />
<br />
[http://cydia.saurik.com/package/com.aw.mobile.ikm/ iKeyMonitor keylogger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Awosoft Technology. [http://ikeymonitor.com/ Its website] includes "How to monitor your children's cell phone to discover the truth and protect them from potential dangers? Now with iKeyMonitor you can uncover the truth by secretly monitoring mobile phones and tablets such as iPhone/iPad/iPod and Android device."<br />
<br />
=== InnovaSPY ===<br />
<br />
[http://cydia.saurik.com/package/com.innovaspy.innovaspy/ InnovaSPY] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Innovaspy. Its description says "Perfect iPhone spy app" and lists reasons to use it as "Protect your child from cyber predators" and "Find out THE TRUE from cheating spouse?" Related package: [http://cydia.saurik.com/package/com.innovaspy.innovamonitor/ InnovaMonitor], a monitoring app for use with the spy tool. [http://innovaspy.com/ InnovaSPY website].<br />
<br />
=== Mobile Spy ===<br />
<br />
[http://www.mobile-spy.com/iphone-v7.html Mobile Spy] is a spying tool available to the public via their own repository, authored by Retina-X Studios. [http://www.mobile-spy.com/ Their website] says "View your Child or Employee's Smartphone and Tablet Usage. Monitor text messages, GPS locations, call details, photos and social media activity. View the screen and location LIVE!"<br />
<br />
=== MobiStealth ===<br />
<br />
[http://www.mobistealth.com/iphone-spy MobiStealth] is a spying tool available to the public for both [http://www.mobistealth.com/iphone-spy jailbroken iOS] (presumably installed via their own repository) and [http://www.mobistealth.com/ios-non-jailbreak non-jailbroken iOS] ("All that you require is the Apple ID and password of the iPhone or iPad that you want to monitor to get remote access to"). Their website includes "Are your employees misusing company owned phones? Are your kids getting more possessed and do not want to share anything with you? Stop wondering and thinking all day long, Mobistealth iPhone spy app is exactly what you need."<br />
<br />
=== mSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.mtechnology.mspy.trial/ mSpy] is a spying tool available to the public via the BigBoss repository (a default repository), authored by Mtechnology. Its description of itself: "mSpy is the best tracking and spy application that allows users to keep a check on the cell phone activities of their kids other family members or employees in order to avoid any unwanted behavior or for safety purposes."<br />
<br />
The mSpy website [http://www.mspy.com/compatibility.html indicates that they also have a version for non-jailbroken devices].<br />
<br />
In May 2015, [http://krebsonsecurity.com/2015/05/mspy-denies-breach-even-as-customers-confirm-it/ mSpy had a customer data breach].<br />
<br />
=== OwnSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.ownspy.daemon/ OwnSpy] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Antonio Calatrava. It describes itself as "Spy your own iPhone or iPad", with call recording, location tracking, and other features. It has a warning that says "Installing OwnSpy on a device that does not belong to you is a criminal offense and may be prosecuted. Mobile Innovations will help authorities if required." [http://en.ownspy.com/P000001-install-on-ios OwnSpy website].<br />
<br />
=== Spy App ===<br />
<br />
[http://cydia.saurik.com/package/com.spyapp.daemon/ Spy App] is a spying tool available to the public via the ModMyi repository (a default repository), authored by dmarinov. Its description includes "Remotely spy SMS, Emails, Call Logs, GPS Location, Key presses (Keylogger)" and other features. It says it is "absolutely invisible and undetectable."<br />
<br />
=== SpyKey ===<br />
<br />
[http://cydia.saurik.com/package/com.kobisnir.spykey/ SpyKey] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Kobi Snir. Its description includes "a simple app that let you monitor your PC Keyboard activity in real time, Simply connect your iphone to your compute using your Wifi or 3G connection and start monitoring." The [http://www.ioslinks.com/spykey/ SpyKey website] includes "Great use for parental control purposes, protect your kids from chating with strangers!", "Discover usernames & passwords", and "Spy unfaithfull husband or wife."<br />
<br />
=== StealthGenie ===<br />
<br />
StealthGenie was a spying tool available to the public [http://blog.flexispy.com/remove-stealthgenie-iphone-android/ via their own repository]. It also supported other mobile operating systems. In November 2014, the person who advertised and sold this product was [http://www.justice.gov/opa/pr/man-pleads-guilty-selling-stealthgenie-spyware-app-and-ordered-pay-500000-fine charged with a federal crime and fined $500,000]. The charge was "sale of an interception device and advertisement of a known interception device", a wiretapping crime. [http://www.forbes.com/sites/kashmirhill/2014/09/30/stealthgenie-ugly-marketing-of-spyware/ A Forbes article] says "according to the FBI, Akbar and his team developed an internal business plan that revealed that — duh — the primary target audience for the app was people who thought their partners were cheating." The Forbes article points out [[#Mobile Spy]], [[#mSpy]], [[#FlexiSPY]], and [[#MobiStealth]] as similar products.<br />
<br />
=== Trapsms ===<br />
<br />
Trapsms was an early spying tool available to the public, [http://blog.fortinet.com/post/detecting-spyware-for-iphones described in this post by a security researcher in July 2009]. She says: "The spyware installs on any jailbroken iPhone. In Cydia (an iPhone front-end to help installing third-party applications), you first add the URL of the spyware's repository and then install the two spyware packages."<br />
<br />
[[Category:Malware research]]</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=Malware_for_iOS&diff=55898Malware for iOS2017-03-08T02:55:31Z<p>Britta: noting Vault 7 materials</p>
<hr />
<div>This is a list of known malware (including spyware, adware, trojans, viruses, worms, and similar tools) that have targeted iOS, including jailbroken iOS. The dates are approximate dates when people discovered, publicized, or started discussing the tool. '''You can help expand this article with more examples and details. To edit it, [[The iPhone Wiki:Account creation|request an account on TheiPhoneWiki]].'''<br />
<br />
The goal of this list is to aid better understanding of the risks of using iOS and jailbroken iOS - it's helpful to have as much accurate information as you can. If you're concerned about avoiding malware on your jailbroken device, check out [https://www.reddit.com/r/jailbreak/wiki/howtoresearch this guide to making informed guesses about whether packages are reasonable to install].<br />
<br />
Some context: <br />
* Some of these tools targeted old iOS versions and do not work on current iOS versions.<br />
* Some of these are harmful and some are merely annoying.<br />
* Many of these require the device to be jailbroken, and some work on non-jailbroken devices (including via [[misuse of enterprise and developer certificates]]).<br />
* Cydia is an open platform - it includes a specific set of default repositories, and it also allows users to type in any third-party repository that they want to use (much like a web browser that allows you to visit any website). Anyone can run a third-party repository and distribute any software they choose to distribute.<br />
* Some of these tools are built to target specific people instead of the general public.<br />
* Especially for malware that targets a specific person and requires the device to be jailbroken (such as commercial spyware tools used by governments and [http://www.forbes.com/sites/sarahjeong/2014/10/28/surveillance-begins-at-home/ people spying on family members]), it's important to consider that ''the vulnerabilities in iOS that allow it to be exploited with a jailbreak'' are part of what allows that malware to exist - the process may include finding a way to secretly jailbreak the target's device if it's not jailbroken already.<br />
<br />
For an earlier list of known malware, see [https://blog.fortinet.com/post/ios-malware-does-exist "iOS Malware Does Exist"] (June 2014).<br />
<br />
== Tools found in the wild that target the public ==<br />
<br />
=== iKee and Duh (November 2009) ===<br />
<br />
The [[Ikee-virus]] (also called Eeki) is a worm transmitted between jailbroken devices that have OpenSSH installed and haven't changed the default root password. It changes the lockscreen background to a photo of Rick Astley.<br />
<br />
Two weeks later, the similar [https://nakedsecurity.sophos.com/2009/11/23/lightning-strikes-iphone-malware-malicious/ Duh worm] spread, which was "much more serious than the original Ikee worm because it is not limited to infecting iPhone users in Australia, and communicates with an internet Control & Command centre, downloading new instructions - effectively turning your iPhone into part of a botnet."<br />
<br />
=== "Find and Call" (July 2012) ===<br />
<br />
Find and Call was an app on the App Store that automatically uploaded users' contact lists to the company's server, then spammed those contacts with a link to the app ("from" that user). This undisclosed, unwanted behavior makes the software fit the definition of a trojan. Articles: [https://securelist.com/blog/incidents/33544/find-and-call-leak-and-spam-57/ Kaspersky SecureList], [http://arstechnica.com/apple/2012/07/find-and-call-app-becomes-first-trojan-to-appear-on-ios-app-store/ Ars Technica], [https://nakedsecurity.sophos.com/2012/07/06/find-call-ios-android-malware/ Sophos NakedSecurity]. It is also called FindCall.<br />
<br />
=== Packages by Nobitazzz (August 2012 and September 2013) ===<br />
<br />
A tweak developer who went by various names (Felix, FelixCat, isoftjsc, Martin Pham, Nitram88, Nobitazzz, Nobita.ZZZ, Sara_Nobita, sara_nobita_zzz, tuyentq2009, vietSARA) included adware in his tweaks. These were many free packages along with some paid packages sold via the Cydia Store, mostly distributed by default repositories (until the problem was discovered). The adware ran ads in the background of iOS, displaying off-screen so that the user wouldn't notice them, with the revenue from those ads going to this tweak developer. This was [http://modmyi.com/forums/cydia-support/810633-new-adware-malware-found-cydia.html first reported in August 2012 on the ModMyi forum] and [http://ryanhileman.info/posts/webgl analyzed in September 2013] ([https://www.reddit.com/r/jailbreak/comments/1n5702/anatomy_of_a_jailbreak_trojan/ discussion on Reddit]).<br />
<br />
Packages by this developer included: Animated ICS LockScreen & HomeScreen, BetterChrome, Chrome Download Enabler, ChromeMe, Enable Copy text in Facebook app, Enable WebGL, Facebook Photo Library integration, FacebookThis, Handwriting recognition, Insta9gag, InstaFacebook for NotificationCenter, Instagram Image saver, InstaSocial for Notification Center, InstaTwitter for NotificationCenter, iOS 6 Photos Menu, Make Gmail as default, Notification Lunar Calendar, Olympic 2012 Medal for Notification Center, PhotoFilters, Sara, Sara Dictation Keyboard, VoiceTweet.<br />
<br />
=== AdThief/Spad (March and August 2014) ===<br />
<br />
AdThief (also called Spad) is malware targeting jailbroken iOS devices, which "tweaks a developer ID that’s intended to tell ad developers when their ads are either viewed or clicked and in turn, generate revenue. In the malware’s case, infected devices funnel those small payments away from the developers to the hacker", as [https://threatpost.com/adthief-ios-malware-affecting-75k-jailbroken-devices/107907 explained by Kaspersky Threatpost]. Security researchers estimated it had infected 75,000 devices.<br />
<br />
=== Unflod (April 2014) ===<br />
<br />
[[Unflod]] is a malicious piece of software targeting jailbroken iOS devices, which attempts to capture the user's Apple ID and password by using MobileSubstrate to hook into the SSLWrite function of Security.framework and then listening to data passed to it. Once the Apple ID and password are captured, it is sent to a Chinese IP address. It was inadvertently discovered by a Reddit user on April 17th, 2014. Also called "Unflod Baby Panda" and "SSLCreds".<br />
<br />
=== AppBuyer (September 2014) ===<br />
<br />
AppBuyer, as discussed in [http://researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/ this article by Palo Alto Networks], is malware that “will connect to C&C server, download and execute malicious executable files, hook network APIs to steal user’s Apple ID and password and upload to the attacker’s server, and simulate Apple’s proprietary protocols to buy apps from the official App Store by victim’s identity.” It targets jailbroken devices.<br />
<br />
=== WireLurker and Masque Attack (November 2014) ===<br />
<br />
As discussed at [[Misuse of enterprise and developer certificates]]: [http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/ according to Palo Alto Networks], WireLurker is "a family of malware targeting both Mac OS and iOS systems for the past six months...It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning."<br />
<br />
Masque Attacks are a related technique, also [https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html discussed by Palo Alto Networks]: "an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier."<br />
<br />
=== Xsser mRAT (December 2014) ===<br />
<br />
Xsser mRAT is a piece of malware that targets jailbroken devices. [https://blogs.akamai.com/2014/12/ios-and-android-os-targeted-by-man-in-the-middle-attacks.html As described by Akamai]: "The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server."<br />
<br />
=== Lock Saver Free (July 2015) ===<br />
<br />
Lock Saver Free is a free tweak, originally distributed on a default repository (removed from the repository after discovery of the problem), that installs an extra tweak that hooks into ad banners to insert its own ad identifier, presumably in order to give ad revenue to the author of the tweak instead of to the author of the website/app where the ad was found. [https://www.reddit.com/r/jailbreak/comments/3eis8g/news_lock_saver_free_contains_a_trojan_that/ Discussion on Reddit].<br />
<br />
=== KeyRaider (August 2015) ===<br />
<br />
KeyRaider, as discussed in [http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/ this article by Palo Alto Networks], is a piece of malware for jailbroken devices that "steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device." These security researchers said it has over 225,000 stolen accounts in its database.<br />
<br />
=== XcodeGhost (September 2015) ===<br />
<br />
XcodeGhost is a form of malware that was found in some unofficial redistributions of Xcode targeted at Chinese developers (who often download redistributed copies because official Apple download speeds are slow in China). XcodeGhost infects apps compiled with those versions of Xcode, which included at least 39 apps published in the iOS App Store. Palo Alto Networks published a series of posts about it: [http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/ original post explaining it], [http://researchcenter.paloaltonetworks.com/2015/09/malware-xcodeghost-infects-39-ios-apps-including-wechat-affecting-hundreds-of-millions-of-users/ a list of additional infected apps on the App Store], [http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/ more about its capabilities]. It adds code that can upload device and app information to a central server, create fake iCloud password signin prompts, and read and write from the copy-and-paste clipboard.<br />
<br />
=== YiSpecter (October 2015) ===<br />
<br />
YiSpecter, [http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/ also discussed by Palo Alto Networks], is malware that uses private APIs to perform malicious actions on both non-jailbroken and jailbroken iOS. It gets installed in the form of apps signed with [[Misuse of enterprise and developer certificates|enterprise certificates]]. Palo Alto Networks says "On infected iOS devices, YiSpecter can download, install and launch arbitrary iOS apps, replace existing apps with those it downloads, hijack other apps’ execution to display advertisements, change Safari’s default search engine, bookmarks and opened pages, and upload device information to the C2 server."<br />
<br />
=== Muda (October 2015) ===<br />
<br />
Muda (also called AdLord), [https://twitter.com/claud_xiao/status/653606471876263936 discussed by Claud Xiao], is a form of adware for jailbroken devices. It has been in the wild at least since October 2013. He writes "It spreads via third party Cydia sources in China, and only affects jailbroken iOS devices. Its main behaviors include to display advertisements over other apps or in notification bar, and to ask user downloading iOS apps it promoted. "<br />
<br />
=== Youmi Ad SDK (October 2015) ===<br />
<br />
This advertising SDK, mostly used by Chinese App Store developers, [https://sourcedna.com/blog/20151018/ios-apps-using-private-apis.html was discovered by SourceDNA] to be abusing private APIs in order to collect more personal information than is allowed by Apple security and privacy guidelines, including the list of apps installed on a device, serial numbers of a device and internal components, and user's Apple ID email address. Youmi exploited a weakness in App Store review process and evaded detection by obfuscating private API calls using simple string manipulation. 256 apps with estimated 1 million downloads were found to be affected, including the official Chinese McDonald's app.<br />
<br />
== Tools used by governments (and similar) to target individuals ==<br />
<br />
=== FinSpy Mobile (August 2012) ===<br />
<br />
FinFisher is a suite of commercial surveillance tools sold to governments, which have been used to target activists and other people. The suite [https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/ includes spyware tools for many mobile operating systems, including iOS].<br />
<br />
=== DROPOUTJEEP (December 2013) ===<br />
<br />
In December 2013, a conference presentation included information about a NSA tool called DROPOUTJEEP: [http://www.forbes.com/sites/erikkain/2013/12/30/the-nsa-reportedly-has-total-access-to-your-iphone/ "a software implant for the Apple iPhone that utilizes modular mission applications to provide specific SIGINT functionality. This functionality includes the ability to remotely push/pull files from the device. SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell tower location, etc. Command, control and data exfiltration can occur over SMS messaging or a GPRS data connection. All communications with the implant will be covert and encrypted.”] The information was from an internal NSA software catalog from 2008. The presenter speculated that Apple had helped build this tool, and [http://techcrunch.com/2013/12/31/apple-says-it-has-never-worked-with-nsa-to-create-iphone-backdoors-is-unaware-of-alleged-dropoutjeep-snooping-program/ Apple said it "has never worked with the NSA to create a backdoor in any of our products"].<br />
<br />
=== Hacking Team tools (June 2014 and July 2015) ===<br />
<br />
[[Hacking Team]] is a company that "sells offensive intrusion and surveillance capabilities to governments and law enforcement agencies", including iOS spyware tools. The iOS spyware tools appear designed for targeting/attacking specific people, not for broad surveillance of the public. Their main tool (Remote Control System) requires a jailbroken device, and they were researching options for non-jailbroken devices.<br />
<br />
=== Inception (December 2014) ===<br />
<br />
Inception is an "attack framework" from an unknown source that targets individuals to steal information, using phishing emails and other techniques along with malware for iOS and other mobile operating systems, described in [https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware this post by security researchers who identified it]. According to [http://images.machspeed.bluecoat.com/Web/BlueCoat/%7B7f2dda62-f240-48dc-b05e-5cc620747b73%7D_bcs_wp_The_Inception_Framework_Cloud-Hosted_APT_EN_1d.pdf the whitepaper from those security researchers], a target may receive a phishing email with a link that says it's a WhatsApp update, and if clicked on jailbroken iOS, it triggers "the download of a Debian installer package, WhatsAppUpdate.deb, also 1.2Mb in size. This application impersonates a Cydia installer, and can only be installed on a jailbroken phone" (page 23). It's unclear what they mean by "impersonates a Cydia installer", but a .deb file is the standard format for software packages installable via Cydia. The iOS malware collects the device's [[ICCID]], address book, phone number, MAC address, and other information.<br />
<br />
Another group of security researchers also identified this attack framework [http://www.cso.com.au/article/562325/sophisticated-malware-targets-execs-pcs-android-blackberry-ios-devices/ and called it Cloud Atlas].<br />
<br />
More articles: [http://appleinsider.com/articles/14/12/11/massive-sophisticated-inception---cloud-atlas-malware-infects-windows-and-android-but-cant-exploit-apples-ios-without-jailbreak Apple Insider], [http://www.forbes.com/sites/thomasbrewster/2014/12/10/iphone-android-attacks-on-diplomats/ Forbes]. There is a sample download [http://contagiominidump.blogspot.de/2014/12/cloud-atlas-inception-ios.html available via this blog].<br />
<br />
=== XAgent (February 2015) ===<br />
<br />
XAgent is a surveillance tool targeting specific people (such as people in governments, the military, and journalists) that can affect both non-jailbroken and jailbroken devices, as described in [http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/ this article by Trend Micro]. Also [http://www.pcworld.com/article/2880152/new-spyware-targets-ios-devices-steals-pictures-and-data.html covered by PCWorld].<br />
<br />
=== Pegasus (August 2016) ===<br />
<br />
Pegasus is a spyware product for iOS built by NSO Group, sold to governments, which has been used for attacks against political dissidents. It uses a chain of exploits nicknamed Trident to silently jailbreak the target device, and then it installs malware. Lookout Security described it in [https://blog.lookout.com/blog/2016/08/25/trident-pegasus/ a post] and [https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf a technical analysis]. Citizen Lab wrote [https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/ a post about its use].<br />
<br />
=== Cellebrite (February 2017) ===<br />
<br />
As reported by [https://motherboard.vice.com/en_us/article/hacker-dumps-ios-cracking-tools-allegedly-stolen-from-cellebrite Motherboard in February 2017], Cellebrite is "an Israeli firm which specializes in extracting data from mobile phones for law enforcement agencies". According to leaked information, "much of the iOS-related code is very similar to that used in the jailbreaking scene", such as [[limera1n]] and [[QuickPwn]], with additions: "some of the code in the dump was designed to brute force PIN numbers". The leaked files are [https://www.reddit.com/r/jailbreak/comments/5rtffh/newsfirm_that_helped_fbi_break_into_san/ddan91v/ available online].<br />
<br />
=== CIA "Vault 7" materials (March 2017) ===<br />
<br />
On March 7, 2017, WikiLeaks [https://www.nytimes.com/2017/03/07/world/europe/wikileaks-cia-hacking.html released a collection of CIA documents called Vault 7], dated from 2013 to 2016, that include information about CIA hacking tools for iOS devices. The materials include [https://wikileaks.org/ciav7p1/cms/space_2359301.html documentation for CIA iOS exploitation research] and [https://wikileaks.org/ciav7p1/cms/page_13205587.html a list of iOS exploits they have].<br />
<br />
== Tools developed as part of research ==<br />
<br />
=== iSAM (June 2011) ===<br />
<br />
iSAM is a malware tool [http://link.springer.com/chapter/10.1007%2F978-3-642-21424-0_2 developed by security researchers] as a proof of concept. It affects both jailbroken and not-yet-jailbroken devices: it scans for jailbroken devices that have SSH running and the default root password, and it also includes a malicious version of the [[Star]] exploit (JailbreakMe 2.0) so it can jailbreak a device that isn't jailbroken yet.<br />
<br />
=== Instastock (November 2011) ===<br />
<br />
Charlie Miller, a security researcher, [http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/ submitted an app to the App Store called Instastock] to demonstrate "a flaw in Apple’s restrictions on code signing on iOS devices". The app was initially accepted and then pulled from the store.<br />
<br />
=== Mactans (July 2013) ===<br />
<br />
At the Black Hat 2013 conference, security researchers presented a tool called Mactans, a small device that looks like a charger but [http://www.zdnet.com/article/researchers-reveal-how-to-hack-an-iphone-in-60-seconds/ can insert malware if you plug an iOS device into it]. The iOS device does not have to be jailbroken.<br />
<br />
=== Jekyll (August 2013) ===<br />
<br />
At the USENIX Security Symposium in 2013, security researchers described a method for getting a malicious app approved for the App Store, [http://www.theguardian.com/technology/appsblog/2013/aug/19/ios-malware-apple-iphone-ipad-jekyll "created with remotely-exploitable vulnerabilities built in, masked by legitimate features to evade detection during the App Store approval process, but ready to be triggered once the app was installed on an iOS device."] They successfully got an app approved for the App Store with this method (which [http://arstechnica.com/security/2013/08/seemingly-benign-jekyll-app-passes-apple-review-then-becomes-evil/ "was only active for a few minutes following its launch in March, and during that time it wasn't installed by anyone not involved in the experiment"]).<br />
<br />
=== XARA attacks (June 2015) ===<br />
<br />
Security researchers found methods for "cross-app resource access" (XARA) attacks on OS X and iOS, and they submitted malicious proof-of-concept apps to the Mac and iOS App Store. Apple approved the apps, and the researchers immediately removed them from the stores. These XARA attacks were ways of bypassing the sandboxes that are supposed to prevent an app from accessing files that don't belong to that app, [https://drive.google.com/file/d/0BxxXk1d3yyuZOFlsdkNMSGswSGs/view described by the security researchers in a paper]. [http://arstechnica.com/security/2015/06/serious-os-x-and-ios-flaws-let-hackers-steal-keychain-1password-contents/ Ars Technica article].<br />
<br />
=== NeonEggShell (August 2015) ===<br />
<br />
[http://neoneggplants.com/projects/neoneggshell/ NeonEggShell] is a command shell creation tool for iOS and OS X. The author says "This project is a proof of concept way to demon strate how easy it is to take over a whole device with a piece of code no bigger than a twitter post." The project includes tools for making payloads for jailbroken iOS, with features such as keylogging and location tracking. By default, the tool includes a "prompt that asks for permission before allowing any connection to the remote server."<br />
<br />
== Tools for sale to the public to target individuals ==<br />
<br />
=== 1mole ===<br />
<br />
[http://www.bosspy.com/user/iphoneos.aspx 1mole] is a spying tool available to the public via their own repository, authored by Bosspy. It describes itself [http://www.bosspy.com/user/default.aspx on its website] as "For Parents" ("Have your children going home after school? Consult their GPS position to be sure."), "For individuals" ("You think about your lost or stolen mobile phone."), and "For Employers" ("Install the software on your business phones and locate them in real time"). Its feature list includes "Track GPS locations" and "Capture the lock sreen passcode" for free, and "Record text messages", "Log Calls details", "Website monitoring", and "Keylogger" as paid services.<br />
<br />
=== Copy9 ===<br />
<br />
[http://cydia.saurik.com/package/com.goldenspy.copy9/ Copy9] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Copy9. It describes itself as "will be installed on target iDevice to find out a thief, cheating spouses, monitor chidren/employees or simply backup data from your devices to our cloud server. This is the best spyware on the world in spying field." [http://copy9.com/ Copy9 website].<br />
<br />
=== Copy10 ===<br />
<br />
[http://cydia.saurik.com/package/com.copy10.copy10/ Copy10] is a similar but separate spying tool available to the public via the ModMyi repository (a default repository), authored by IntelMobi/goldenspy. Their description includes "Are you having trust issues in your relationship? Sign that your kid's personality has changed and their behaviors, does your teenager hang out with friends you're concerned about? What if you believe one of your employees is a spy or is stealing company's technology, intellectual property or trade secrets?" [https://www.intelmobi.com/ IntelMobi website].<br />
<br />
=== FlexiSPY ===<br />
<br />
[http://www.flexispy.com/en/iphone-tracker-spy-on-iphone.htm FlexiSPY] is a spying tool available to the public presumably via their own repository (this isn't specified on their website, but it's specified that you need the device to be jailbroken), authored by Flexispy, Ltd. Their website says "If you have a committed relationship with your partner or are responsible for a child or employee YOU HAVE A RIGHT TO KNOW To protect your relationship, spy on their iPhone."<br />
<br />
=== iKeyGuard Key Logger ===<br />
<br />
[http://cydia.saurik.com/package/com.ikeyguard.ikg/ iKeyGuard Key Logger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by iKeyGuard. Its description includes "Warning: Logging other people without their permission might be illegal in your country! Make sure you abide by your local law."<br />
<br />
=== iKeyMonitor keylogger ===<br />
<br />
[http://cydia.saurik.com/package/com.aw.mobile.ikm/ iKeyMonitor keylogger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Awosoft Technology. [http://ikeymonitor.com/ Its website] includes "How to monitor your children's cell phone to discover the truth and protect them from potential dangers? Now with iKeyMonitor you can uncover the truth by secretly monitoring mobile phones and tablets such as iPhone/iPad/iPod and Android device."<br />
<br />
=== InnovaSPY ===<br />
<br />
[http://cydia.saurik.com/package/com.innovaspy.innovaspy/ InnovaSPY] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Innovaspy. Its description says "Perfect iPhone spy app" and lists reasons to use it as "Protect your child from cyber predators" and "Find out THE TRUE from cheating spouse?" Related package: [http://cydia.saurik.com/package/com.innovaspy.innovamonitor/ InnovaMonitor], a monitoring app for use with the spy tool. [http://innovaspy.com/ InnovaSPY website].<br />
<br />
=== Mobile Spy ===<br />
<br />
[http://www.mobile-spy.com/iphone-v7.html Mobile Spy] is a spying tool available to the public via their own repository, authored by Retina-X Studios. [http://www.mobile-spy.com/ Their website] says "View your Child or Employee's Smartphone and Tablet Usage. Monitor text messages, GPS locations, call details, photos and social media activity. View the screen and location LIVE!"<br />
<br />
=== MobiStealth ===<br />
<br />
[http://www.mobistealth.com/iphone-spy MobiStealth] is a spying tool available to the public for both [http://www.mobistealth.com/iphone-spy jailbroken iOS] (presumably installed via their own repository) and [http://www.mobistealth.com/ios-non-jailbreak non-jailbroken iOS] ("All that you require is the Apple ID and password of the iPhone or iPad that you want to monitor to get remote access to"). Their website includes "Are your employees misusing company owned phones? Are your kids getting more possessed and do not want to share anything with you? Stop wondering and thinking all day long, Mobistealth iPhone spy app is exactly what you need."<br />
<br />
=== mSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.mtechnology.mspy.trial/ mSpy] is a spying tool available to the public via the BigBoss repository (a default repository), authored by Mtechnology. Its description of itself: "mSpy is the best tracking and spy application that allows users to keep a check on the cell phone activities of their kids other family members or employees in order to avoid any unwanted behavior or for safety purposes."<br />
<br />
The mSpy website [http://www.mspy.com/compatibility.html indicates that they also have a version for non-jailbroken devices].<br />
<br />
In May 2015, [http://krebsonsecurity.com/2015/05/mspy-denies-breach-even-as-customers-confirm-it/ mSpy had a customer data breach].<br />
<br />
=== OwnSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.ownspy.daemon/ OwnSpy] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Antonio Calatrava. It describes itself as "Spy your own iPhone or iPad", with call recording, location tracking, and other features. It has a warning that says "Installing OwnSpy on a device that does not belong to you is a criminal offense and may be prosecuted. Mobile Innovations will help authorities if required." [http://en.ownspy.com/P000001-install-on-ios OwnSpy website].<br />
<br />
=== Spy App ===<br />
<br />
[http://cydia.saurik.com/package/com.spyapp.daemon/ Spy App] is a spying tool available to the public via the ModMyi repository (a default repository), authored by dmarinov. Its description includes "Remotely spy SMS, Emails, Call Logs, GPS Location, Key presses (Keylogger)" and other features. It says it is "absolutely invisible and undetectable."<br />
<br />
=== SpyKey ===<br />
<br />
[http://cydia.saurik.com/package/com.kobisnir.spykey/ SpyKey] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Kobi Snir. Its description includes "a simple app that let you monitor your PC Keyboard activity in real time, Simply connect your iphone to your compute using your Wifi or 3G connection and start monitoring." The [http://www.ioslinks.com/spykey/ SpyKey website] includes "Great use for parental control purposes, protect your kids from chating with strangers!", "Discover usernames & passwords", and "Spy unfaithfull husband or wife."<br />
<br />
=== StealthGenie ===<br />
<br />
StealthGenie was a spying tool available to the public [http://blog.flexispy.com/remove-stealthgenie-iphone-android/ via their own repository]. It also supported other mobile operating systems. In November 2014, the person who advertised and sold this product was [http://www.justice.gov/opa/pr/man-pleads-guilty-selling-stealthgenie-spyware-app-and-ordered-pay-500000-fine charged with a federal crime and fined $500,000]. The charge was "sale of an interception device and advertisement of a known interception device", a wiretapping crime. [http://www.forbes.com/sites/kashmirhill/2014/09/30/stealthgenie-ugly-marketing-of-spyware/ A Forbes article] says "according to the FBI, Akbar and his team developed an internal business plan that revealed that — duh — the primary target audience for the app was people who thought their partners were cheating." The Forbes article points out [[#Mobile Spy]], [[#mSpy]], [[#FlexiSPY]], and [[#MobiStealth]] as similar products.<br />
<br />
=== Trapsms ===<br />
<br />
Trapsms was an early spying tool available to the public, [http://blog.fortinet.com/post/detecting-spyware-for-iphones described in this post by a security researcher in July 2009]. She says: "The spyware installs on any jailbroken iPhone. In Cydia (an iPhone front-end to help installing third-party applications), you first add the URL of the spyware's repository and then install the two spyware packages."<br />
<br />
[[Category:Malware research]]</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=Hacking_Team&diff=55801Hacking Team2017-02-26T00:14:28Z<p>Britta: linking malware for iOS</p>
<hr />
<div>'''Hacking Team''' is a company that [https://en.wikipedia.org/wiki/Hacking_Team "sells offensive intrusion and surveillance capabilities to governments and law enforcement agencies"], including iOS spyware tools. The iOS spyware tools appear designed for targeting/attacking specific people, not for broad surveillance of the public.<br />
<br />
See [[malware for iOS]] for context and a list of similar tools.<br />
<br />
== Remote Control System tool (requires jailbreak) ==<br />
<br />
In June 2014, security researchers [http://www.wired.com/2014/06/remote-control-system-phone-surveillance/ published details about Hacking Team's iOS spyware tool], discovered via reverse engineering it. This research [http://www.macworld.com/article/2944712/hacking-team-hack-reveals-why-you-shouldnt-jailbreak-your-iphone.html got confirmed in July 2015 by a data breach] that revealed Hacking Team's internal documentation and pricing for this tool and related tools. (This was big news because the documents also had evidence that Hacking Team [http://www.theguardian.com/technology/2015/jul/06/hacking-team-hacked-firm-sold-spying-tools-to-repressive-regimes-documents-claim sold these tools to repressive governments].)<br />
<br />
[https://drive.google.com/file/d/0B2q69Ncu9Fp_TF9XeFF3VFUwa2s/view The revealed "Remote Control System" documentation] includes on page 7 a description of the iOS tool: it requires a jailbreak, it's compatible with iOS 4-8.1, and it provides monitoring of chat (Skype, WhatsApp, and Viber), location, contacts, and list of calls. It costs about $55,000, purchased in conjunction with supporting tools and services.<br />
<br />
Context for that tool is that other spyware tools for jailbroken iOS also exist - for example, there is a MSpy spyware tool distributed via the BigBoss repository, which consumers can buy for $10-15 dollars a month. With MSpy and other consumer-level spyware tools (there are several for iOS), you have to physically arrange for your target's phone to be jailbroken and then somebody has to manually install the tool.<br />
<br />
=== Hacking Team tools for jailbreaking devices ===<br />
<br />
Hacking Team's spyware tool also relies on a device being jailbroken with a publicly-available jailbreak tool (or perhaps a custom tool built on top of a publicly-available jailbreak). Using public tools means that they have some of the same limitations as consumers: jailbreaking iOS 6-8 requires that the device passcode is disabled during the jailbreaking process, and recent jailbreaks also require that Find My iPhone is turned off.<br />
<br />
Hacking Team has other pieces of malware for OS X and iOS that they may be able to combine to ease the process of jailbreaking the device and installing the spyware, probably with the help of their expertise in [https://en.wikipedia.org/wiki/Phishing#List_of_phishing_types spearphishing] attacks and other kinds of [https://en.wikipedia.org/wiki/Social_engineering_(security) social engineering] attacks. [http://www.wired.com/2014/06/remote-control-system-phone-surveillance/ This Wired article about last year's security research] explains a way that could happen:<br />
<br />
<blockquote>"The iOS spy module works only on jailbroken iPhones, but agents can simply run a jailbreaking tool and then install the spyware. The only thing protecting a user from a surreptitious jailbreak is enabling a password on the device. But if the device is connected to a computer infected with Da Vinci or Galileo software and the user unlocks the device with a password, the malware on the computer can surreptitiously jailbreak the phone to install the spy tool."</blockquote><br />
<br />
Will Strafach ([[User:ChronicDev]]) said on Twitter that there is no evidence for Hacking Team being able to jailbreak without physical access:<br />
* [https://twitter.com/chronic/status/618402672580927488 "condensed summary of avoiding HackingTeam malware: 1. always use latest iOS version 2. if you jailbreak, don't use AFC2, set strong SSH pw"]<br />
* [https://twitter.com/chronic/status/618403092489445376 "the funny part is, jailbreaking neuters other aspects of security that someone like HackingTeam could take advantage of. but they do not."]<br />
* [https://twitter.com/chronic/status/618403420748296192 "reason HT does not take advantage of smarter tricks is that they do not target jailbreakers, rather, they use jailbreaks on vuln devices"]<br />
* [https://twitter.com/chronic/status/618403639057641472 "this is all quite easy to find in their docs, it baffles me to see "don't jailbreak" as the solution. it is not _at all_ the solution."]<br />
* [https://twitter.com/chronic/status/618403857383718912 "they are very clear that their client is meant to jailbreak the device of the victim. meaning they need physical access to your iOS device."]<br />
* [https://twitter.com/chronic/status/618404128834912257 "some say HackingTeam could use malware to infect your computer to silently deploy the jailbreak, but there is zero proof of that in dump."]<br />
<br />
[[i0n1c]] also said on Twitter that physical access seems required:<br />
* [https://twitter.com/i0n1c/status/618106184952881152 "Every time a HT / FF leak is in the press people "re-discover" that their iOS implants require physical access to apply a jailbreak first."]<br />
* [https://twitter.com/i0n1c/status/618040048064331777 "yes it is long known that public jailbreaks get used to infect iOS devices instead of 0-day jailbreaks by HT and friends."]<br />
* [https://twitter.com/i0n1c/status/618109788883451904 "it seems iOS 0-day is too expensive (or unreachable) so they repurpose public JB. e.g. patch to install other packages."]<br />
<br />
== Newsstand keylogger tool (doesn't require jailbreak) ==<br />
<br />
[http://www.macworld.com/article/2944712/hacking-team-hack-reveals-why-you-shouldnt-jailbreak-your-iphone.html This MacWorld article] reports that Hacking Team also has spyware that doesn't require a jailbreak, via [[misuse of developer certificates]]:<br />
<br />
<blockquote>"Researchers have also found so far that Hacking Team has a legitimate Apple enterprise signing certificate, which is used to create software that can be installed by employees of a company who also accept or have installed a profile that allows use of apps signed by the certificate. It was shown last November that an enterprise certificate combined with a jailbroken iOS device could be used to bypass iOS protections on installing apps. Further, Hacking Team had developed a malicious Newsstand app that could capture keystrokes and install its monitoring software."</blockquote><br />
<br />
== Discussion ==<br />
<br />
More commentary from Will Strafach ([[User:ChronicDev]]):<br />
* [https://twitter.com/chronic/status/618860492224921600 "the HackingTeam iOS malware is far more lame than it could have been. they don't even seem to know they could bypass Location permissions."]<br />
* [https://twitter.com/chronic/status/618901783843311616 "I am not sure why people are laughing at HackingTeam statement of bad actors now being able to use their spy malware. they are not wrong."]<br />
* [https://twitter.com/chronic/status/619317034862706688 infecting an already jail broken device silently is apparently worth $18mm. wow. https://wikileaks.org/hackingteam/emails/emailid/21089"]<br />
* [https://twitter.com/chronic/status/619374025291075584 "apparently HackingTeam brought up using greenpois0n to infect devices when we open sourced it. looks like they couldn't even implement it."]<br />
<br />
[[Category:Malware research]]</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=Malware_for_iOS&diff=55800Malware for iOS2017-02-26T00:11:13Z<p>Britta: adding cellebrite</p>
<hr />
<div>This is a list of known malware (including spyware, adware, trojans, viruses, worms, and similar tools) that have targeted iOS, including jailbroken iOS. The dates are approximate dates when people discovered, publicized, or started discussing the tool. '''You can help expand this article with more examples and details. To edit it, [[The iPhone Wiki:Account creation|request an account on TheiPhoneWiki]].'''<br />
<br />
The goal of this list is to aid better understanding of the risks of using iOS and jailbroken iOS - it's helpful to have as much accurate information as you can. If you're concerned about avoiding malware on your jailbroken device, check out [https://www.reddit.com/r/jailbreak/wiki/howtoresearch this guide to making informed guesses about whether packages are reasonable to install].<br />
<br />
Some context: <br />
* Some of these tools targeted old iOS versions and do not work on current iOS versions.<br />
* Some of these are harmful and some are merely annoying.<br />
* Many of these require the device to be jailbroken, and some work on non-jailbroken devices (including via [[misuse of enterprise and developer certificates]]).<br />
* Cydia is an open platform - it includes a specific set of default repositories, and it also allows users to type in any third-party repository that they want to use (much like a web browser that allows you to visit any website). Anyone can run a third-party repository and distribute any software they choose to distribute.<br />
* Some of these tools are built to target specific people instead of the general public.<br />
* Especially for malware that targets a specific person and requires the device to be jailbroken (such as commercial spyware tools used by governments and [http://www.forbes.com/sites/sarahjeong/2014/10/28/surveillance-begins-at-home/ people spying on family members]), it's important to consider that ''the vulnerabilities in iOS that allow it to be exploited with a jailbreak'' are part of what allows that malware to exist - the process may include finding a way to secretly jailbreak the target's device if it's not jailbroken already.<br />
<br />
For an earlier list of known malware, see [https://blog.fortinet.com/post/ios-malware-does-exist "iOS Malware Does Exist"] (June 2014).<br />
<br />
== Tools found in the wild that target the public ==<br />
<br />
=== iKee and Duh (November 2009) ===<br />
<br />
The [[Ikee-virus]] (also called Eeki) is a worm transmitted between jailbroken devices that have OpenSSH installed and haven't changed the default root password. It changes the lockscreen background to a photo of Rick Astley.<br />
<br />
Two weeks later, the similar [https://nakedsecurity.sophos.com/2009/11/23/lightning-strikes-iphone-malware-malicious/ Duh worm] spread, which was "much more serious than the original Ikee worm because it is not limited to infecting iPhone users in Australia, and communicates with an internet Control & Command centre, downloading new instructions - effectively turning your iPhone into part of a botnet."<br />
<br />
=== "Find and Call" (July 2012) ===<br />
<br />
Find and Call was an app on the App Store that automatically uploaded users' contact lists to the company's server, then spammed those contacts with a link to the app ("from" that user). This undisclosed, unwanted behavior makes the software fit the definition of a trojan. Articles: [https://securelist.com/blog/incidents/33544/find-and-call-leak-and-spam-57/ Kaspersky SecureList], [http://arstechnica.com/apple/2012/07/find-and-call-app-becomes-first-trojan-to-appear-on-ios-app-store/ Ars Technica], [https://nakedsecurity.sophos.com/2012/07/06/find-call-ios-android-malware/ Sophos NakedSecurity]. It is also called FindCall.<br />
<br />
=== Packages by Nobitazzz (August 2012 and September 2013) ===<br />
<br />
A tweak developer who went by various names (Felix, FelixCat, isoftjsc, Martin Pham, Nitram88, Nobitazzz, Nobita.ZZZ, Sara_Nobita, sara_nobita_zzz, tuyentq2009, vietSARA) included adware in his tweaks. These were many free packages along with some paid packages sold via the Cydia Store, mostly distributed by default repositories (until the problem was discovered). The adware ran ads in the background of iOS, displaying off-screen so that the user wouldn't notice them, with the revenue from those ads going to this tweak developer. This was [http://modmyi.com/forums/cydia-support/810633-new-adware-malware-found-cydia.html first reported in August 2012 on the ModMyi forum] and [http://ryanhileman.info/posts/webgl analyzed in September 2013] ([https://www.reddit.com/r/jailbreak/comments/1n5702/anatomy_of_a_jailbreak_trojan/ discussion on Reddit]).<br />
<br />
Packages by this developer included: Animated ICS LockScreen & HomeScreen, BetterChrome, Chrome Download Enabler, ChromeMe, Enable Copy text in Facebook app, Enable WebGL, Facebook Photo Library integration, FacebookThis, Handwriting recognition, Insta9gag, InstaFacebook for NotificationCenter, Instagram Image saver, InstaSocial for Notification Center, InstaTwitter for NotificationCenter, iOS 6 Photos Menu, Make Gmail as default, Notification Lunar Calendar, Olympic 2012 Medal for Notification Center, PhotoFilters, Sara, Sara Dictation Keyboard, VoiceTweet.<br />
<br />
=== AdThief/Spad (March and August 2014) ===<br />
<br />
AdThief (also called Spad) is malware targeting jailbroken iOS devices, which "tweaks a developer ID that’s intended to tell ad developers when their ads are either viewed or clicked and in turn, generate revenue. In the malware’s case, infected devices funnel those small payments away from the developers to the hacker", as [https://threatpost.com/adthief-ios-malware-affecting-75k-jailbroken-devices/107907 explained by Kaspersky Threatpost]. Security researchers estimated it had infected 75,000 devices.<br />
<br />
=== Unflod (April 2014) ===<br />
<br />
[[Unflod]] is a malicious piece of software targeting jailbroken iOS devices, which attempts to capture the user's Apple ID and password by using MobileSubstrate to hook into the SSLWrite function of Security.framework and then listening to data passed to it. Once the Apple ID and password are captured, it is sent to a Chinese IP address. It was inadvertently discovered by a Reddit user on April 17th, 2014. Also called "Unflod Baby Panda" and "SSLCreds".<br />
<br />
=== AppBuyer (September 2014) ===<br />
<br />
AppBuyer, as discussed in [http://researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/ this article by Palo Alto Networks], is malware that “will connect to C&C server, download and execute malicious executable files, hook network APIs to steal user’s Apple ID and password and upload to the attacker’s server, and simulate Apple’s proprietary protocols to buy apps from the official App Store by victim’s identity.” It targets jailbroken devices.<br />
<br />
=== WireLurker and Masque Attack (November 2014) ===<br />
<br />
As discussed at [[Misuse of enterprise and developer certificates]]: [http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/ according to Palo Alto Networks], WireLurker is "a family of malware targeting both Mac OS and iOS systems for the past six months...It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning."<br />
<br />
Masque Attacks are a related technique, also [https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html discussed by Palo Alto Networks]: "an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier."<br />
<br />
=== Xsser mRAT (December 2014) ===<br />
<br />
Xsser mRAT is a piece of malware that targets jailbroken devices. [https://blogs.akamai.com/2014/12/ios-and-android-os-targeted-by-man-in-the-middle-attacks.html As described by Akamai]: "The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server."<br />
<br />
=== Lock Saver Free (July 2015) ===<br />
<br />
Lock Saver Free is a free tweak, originally distributed on a default repository (removed from the repository after discovery of the problem), that installs an extra tweak that hooks into ad banners to insert its own ad identifier, presumably in order to give ad revenue to the author of the tweak instead of to the author of the website/app where the ad was found. [https://www.reddit.com/r/jailbreak/comments/3eis8g/news_lock_saver_free_contains_a_trojan_that/ Discussion on Reddit].<br />
<br />
=== KeyRaider (August 2015) ===<br />
<br />
KeyRaider, as discussed in [http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/ this article by Palo Alto Networks], is a piece of malware for jailbroken devices that "steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device." These security researchers said it has over 225,000 stolen accounts in its database.<br />
<br />
=== XcodeGhost (September 2015) ===<br />
<br />
XcodeGhost is a form of malware that was found in some unofficial redistributions of Xcode targeted at Chinese developers (who often download redistributed copies because official Apple download speeds are slow in China). XcodeGhost infects apps compiled with those versions of Xcode, which included at least 39 apps published in the iOS App Store. Palo Alto Networks published a series of posts about it: [http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/ original post explaining it], [http://researchcenter.paloaltonetworks.com/2015/09/malware-xcodeghost-infects-39-ios-apps-including-wechat-affecting-hundreds-of-millions-of-users/ a list of additional infected apps on the App Store], [http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/ more about its capabilities]. It adds code that can upload device and app information to a central server, create fake iCloud password signin prompts, and read and write from the copy-and-paste clipboard.<br />
<br />
=== YiSpecter (October 2015) ===<br />
<br />
YiSpecter, [http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/ also discussed by Palo Alto Networks], is malware that uses private APIs to perform malicious actions on both non-jailbroken and jailbroken iOS. It gets installed in the form of apps signed with [[Misuse of enterprise and developer certificates|enterprise certificates]]. Palo Alto Networks says "On infected iOS devices, YiSpecter can download, install and launch arbitrary iOS apps, replace existing apps with those it downloads, hijack other apps’ execution to display advertisements, change Safari’s default search engine, bookmarks and opened pages, and upload device information to the C2 server."<br />
<br />
=== Muda (October 2015) ===<br />
<br />
Muda (also called AdLord), [https://twitter.com/claud_xiao/status/653606471876263936 discussed by Claud Xiao], is a form of adware for jailbroken devices. It has been in the wild at least since October 2013. He writes "It spreads via third party Cydia sources in China, and only affects jailbroken iOS devices. Its main behaviors include to display advertisements over other apps or in notification bar, and to ask user downloading iOS apps it promoted. "<br />
<br />
=== Youmi Ad SDK (October 2015) ===<br />
<br />
This advertising SDK, mostly used by Chinese App Store developers, [https://sourcedna.com/blog/20151018/ios-apps-using-private-apis.html was discovered by SourceDNA] to be abusing private APIs in order to collect more personal information than is allowed by Apple security and privacy guidelines, including the list of apps installed on a device, serial numbers of a device and internal components, and user's Apple ID email address. Youmi exploited a weakness in App Store review process and evaded detection by obfuscating private API calls using simple string manipulation. 256 apps with estimated 1 million downloads were found to be affected, including the official Chinese McDonald's app.<br />
<br />
== Tools used by governments (and similar) to target individuals ==<br />
<br />
=== FinSpy Mobile (August 2012) ===<br />
<br />
FinFisher is a suite of commercial surveillance tools sold to governments, which have been used to target activists and other people. The suite [https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/ includes spyware tools for many mobile operating systems, including iOS].<br />
<br />
=== DROPOUTJEEP (December 2013) ===<br />
<br />
In December 2013, a conference presentation included information about a NSA tool called DROPOUTJEEP: [http://www.forbes.com/sites/erikkain/2013/12/30/the-nsa-reportedly-has-total-access-to-your-iphone/ "a software implant for the Apple iPhone that utilizes modular mission applications to provide specific SIGINT functionality. This functionality includes the ability to remotely push/pull files from the device. SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell tower location, etc. Command, control and data exfiltration can occur over SMS messaging or a GPRS data connection. All communications with the implant will be covert and encrypted.”] The information was from an internal NSA software catalog from 2008. The presenter speculated that Apple had helped build this tool, and [http://techcrunch.com/2013/12/31/apple-says-it-has-never-worked-with-nsa-to-create-iphone-backdoors-is-unaware-of-alleged-dropoutjeep-snooping-program/ Apple said it "has never worked with the NSA to create a backdoor in any of our products"].<br />
<br />
=== Hacking Team tools (June 2014 and July 2015) ===<br />
<br />
[[Hacking Team]] is a company that "sells offensive intrusion and surveillance capabilities to governments and law enforcement agencies", including iOS spyware tools. The iOS spyware tools appear designed for targeting/attacking specific people, not for broad surveillance of the public. Their main tool (Remote Control System) requires a jailbroken device, and they were researching options for non-jailbroken devices.<br />
<br />
=== Inception (December 2014) ===<br />
<br />
Inception is an "attack framework" from an unknown source that targets individuals to steal information, using phishing emails and other techniques along with malware for iOS and other mobile operating systems, described in [https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware this post by security researchers who identified it]. According to [http://images.machspeed.bluecoat.com/Web/BlueCoat/%7B7f2dda62-f240-48dc-b05e-5cc620747b73%7D_bcs_wp_The_Inception_Framework_Cloud-Hosted_APT_EN_1d.pdf the whitepaper from those security researchers], a target may receive a phishing email with a link that says it's a WhatsApp update, and if clicked on jailbroken iOS, it triggers "the download of a Debian installer package, WhatsAppUpdate.deb, also 1.2Mb in size. This application impersonates a Cydia installer, and can only be installed on a jailbroken phone" (page 23). It's unclear what they mean by "impersonates a Cydia installer", but a .deb file is the standard format for software packages installable via Cydia. The iOS malware collects the device's [[ICCID]], address book, phone number, MAC address, and other information.<br />
<br />
Another group of security researchers also identified this attack framework [http://www.cso.com.au/article/562325/sophisticated-malware-targets-execs-pcs-android-blackberry-ios-devices/ and called it Cloud Atlas].<br />
<br />
More articles: [http://appleinsider.com/articles/14/12/11/massive-sophisticated-inception---cloud-atlas-malware-infects-windows-and-android-but-cant-exploit-apples-ios-without-jailbreak Apple Insider], [http://www.forbes.com/sites/thomasbrewster/2014/12/10/iphone-android-attacks-on-diplomats/ Forbes]. There is a sample download [http://contagiominidump.blogspot.de/2014/12/cloud-atlas-inception-ios.html available via this blog].<br />
<br />
=== XAgent (February 2015) ===<br />
<br />
XAgent is a surveillance tool targeting specific people (such as people in governments, the military, and journalists) that can affect both non-jailbroken and jailbroken devices, as described in [http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/ this article by Trend Micro]. Also [http://www.pcworld.com/article/2880152/new-spyware-targets-ios-devices-steals-pictures-and-data.html covered by PCWorld].<br />
<br />
=== Pegasus (August 2016) ===<br />
<br />
Pegasus is a spyware product for iOS built by NSO Group, sold to governments, which has been used for attacks against political dissidents. It uses a chain of exploits nicknamed Trident to silently jailbreak the target device, and then it installs malware. Lookout Security described it in [https://blog.lookout.com/blog/2016/08/25/trident-pegasus/ a post] and [https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf a technical analysis]. Citizen Lab wrote [https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/ a post about its use].<br />
<br />
=== Cellebrite (February 2017) ===<br />
<br />
As reported by [https://motherboard.vice.com/en_us/article/hacker-dumps-ios-cracking-tools-allegedly-stolen-from-cellebrite Motherboard in February 2017], Cellebrite is "an Israeli firm which specializes in extracting data from mobile phones for law enforcement agencies". According to leaked information, "much of the iOS-related code is very similar to that used in the jailbreaking scene", such as [[limera1n]] and [[QuickPwn]], with additions: "some of the code in the dump was designed to brute force PIN numbers". The leaked files are [https://www.reddit.com/r/jailbreak/comments/5rtffh/newsfirm_that_helped_fbi_break_into_san/ddan91v/ available online].<br />
<br />
== Tools developed as part of research ==<br />
<br />
=== iSAM (June 2011) ===<br />
<br />
iSAM is a malware tool [http://link.springer.com/chapter/10.1007%2F978-3-642-21424-0_2 developed by security researchers] as a proof of concept. It affects both jailbroken and not-yet-jailbroken devices: it scans for jailbroken devices that have SSH running and the default root password, and it also includes a malicious version of the [[Star]] exploit (JailbreakMe 2.0) so it can jailbreak a device that isn't jailbroken yet.<br />
<br />
=== Instastock (November 2011) ===<br />
<br />
Charlie Miller, a security researcher, [http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/ submitted an app to the App Store called Instastock] to demonstrate "a flaw in Apple’s restrictions on code signing on iOS devices". The app was initially accepted and then pulled from the store.<br />
<br />
=== Mactans (July 2013) ===<br />
<br />
At the Black Hat 2013 conference, security researchers presented a tool called Mactans, a small device that looks like a charger but [http://www.zdnet.com/article/researchers-reveal-how-to-hack-an-iphone-in-60-seconds/ can insert malware if you plug an iOS device into it]. The iOS device does not have to be jailbroken.<br />
<br />
=== Jekyll (August 2013) ===<br />
<br />
At the USENIX Security Symposium in 2013, security researchers described a method for getting a malicious app approved for the App Store, [http://www.theguardian.com/technology/appsblog/2013/aug/19/ios-malware-apple-iphone-ipad-jekyll "created with remotely-exploitable vulnerabilities built in, masked by legitimate features to evade detection during the App Store approval process, but ready to be triggered once the app was installed on an iOS device."] They successfully got an app approved for the App Store with this method (which [http://arstechnica.com/security/2013/08/seemingly-benign-jekyll-app-passes-apple-review-then-becomes-evil/ "was only active for a few minutes following its launch in March, and during that time it wasn't installed by anyone not involved in the experiment"]).<br />
<br />
=== XARA attacks (June 2015) ===<br />
<br />
Security researchers found methods for "cross-app resource access" (XARA) attacks on OS X and iOS, and they submitted malicious proof-of-concept apps to the Mac and iOS App Store. Apple approved the apps, and the researchers immediately removed them from the stores. These XARA attacks were ways of bypassing the sandboxes that are supposed to prevent an app from accessing files that don't belong to that app, [https://drive.google.com/file/d/0BxxXk1d3yyuZOFlsdkNMSGswSGs/view described by the security researchers in a paper]. [http://arstechnica.com/security/2015/06/serious-os-x-and-ios-flaws-let-hackers-steal-keychain-1password-contents/ Ars Technica article].<br />
<br />
=== NeonEggShell (August 2015) ===<br />
<br />
[http://neoneggplants.com/projects/neoneggshell/ NeonEggShell] is a command shell creation tool for iOS and OS X. The author says "This project is a proof of concept way to demon strate how easy it is to take over a whole device with a piece of code no bigger than a twitter post." The project includes tools for making payloads for jailbroken iOS, with features such as keylogging and location tracking. By default, the tool includes a "prompt that asks for permission before allowing any connection to the remote server."<br />
<br />
== Tools for sale to the public to target individuals ==<br />
<br />
=== 1mole ===<br />
<br />
[http://www.bosspy.com/user/iphoneos.aspx 1mole] is a spying tool available to the public via their own repository, authored by Bosspy. It describes itself [http://www.bosspy.com/user/default.aspx on its website] as "For Parents" ("Have your children going home after school? Consult their GPS position to be sure."), "For individuals" ("You think about your lost or stolen mobile phone."), and "For Employers" ("Install the software on your business phones and locate them in real time"). Its feature list includes "Track GPS locations" and "Capture the lock sreen passcode" for free, and "Record text messages", "Log Calls details", "Website monitoring", and "Keylogger" as paid services.<br />
<br />
=== Copy9 ===<br />
<br />
[http://cydia.saurik.com/package/com.goldenspy.copy9/ Copy9] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Copy9. It describes itself as "will be installed on target iDevice to find out a thief, cheating spouses, monitor chidren/employees or simply backup data from your devices to our cloud server. This is the best spyware on the world in spying field." [http://copy9.com/ Copy9 website].<br />
<br />
=== Copy10 ===<br />
<br />
[http://cydia.saurik.com/package/com.copy10.copy10/ Copy10] is a similar but separate spying tool available to the public via the ModMyi repository (a default repository), authored by IntelMobi/goldenspy. Their description includes "Are you having trust issues in your relationship? Sign that your kid's personality has changed and their behaviors, does your teenager hang out with friends you're concerned about? What if you believe one of your employees is a spy or is stealing company's technology, intellectual property or trade secrets?" [https://www.intelmobi.com/ IntelMobi website].<br />
<br />
=== FlexiSPY ===<br />
<br />
[http://www.flexispy.com/en/iphone-tracker-spy-on-iphone.htm FlexiSPY] is a spying tool available to the public presumably via their own repository (this isn't specified on their website, but it's specified that you need the device to be jailbroken), authored by Flexispy, Ltd. Their website says "If you have a committed relationship with your partner or are responsible for a child or employee YOU HAVE A RIGHT TO KNOW To protect your relationship, spy on their iPhone."<br />
<br />
=== iKeyGuard Key Logger ===<br />
<br />
[http://cydia.saurik.com/package/com.ikeyguard.ikg/ iKeyGuard Key Logger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by iKeyGuard. Its description includes "Warning: Logging other people without their permission might be illegal in your country! Make sure you abide by your local law."<br />
<br />
=== iKeyMonitor keylogger ===<br />
<br />
[http://cydia.saurik.com/package/com.aw.mobile.ikm/ iKeyMonitor keylogger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Awosoft Technology. [http://ikeymonitor.com/ Its website] includes "How to monitor your children's cell phone to discover the truth and protect them from potential dangers? Now with iKeyMonitor you can uncover the truth by secretly monitoring mobile phones and tablets such as iPhone/iPad/iPod and Android device."<br />
<br />
=== InnovaSPY ===<br />
<br />
[http://cydia.saurik.com/package/com.innovaspy.innovaspy/ InnovaSPY] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Innovaspy. Its description says "Perfect iPhone spy app" and lists reasons to use it as "Protect your child from cyber predators" and "Find out THE TRUE from cheating spouse?" Related package: [http://cydia.saurik.com/package/com.innovaspy.innovamonitor/ InnovaMonitor], a monitoring app for use with the spy tool. [http://innovaspy.com/ InnovaSPY website].<br />
<br />
=== Mobile Spy ===<br />
<br />
[http://www.mobile-spy.com/iphone-v7.html Mobile Spy] is a spying tool available to the public via their own repository, authored by Retina-X Studios. [http://www.mobile-spy.com/ Their website] says "View your Child or Employee's Smartphone and Tablet Usage. Monitor text messages, GPS locations, call details, photos and social media activity. View the screen and location LIVE!"<br />
<br />
=== MobiStealth ===<br />
<br />
[http://www.mobistealth.com/iphone-spy MobiStealth] is a spying tool available to the public for both [http://www.mobistealth.com/iphone-spy jailbroken iOS] (presumably installed via their own repository) and [http://www.mobistealth.com/ios-non-jailbreak non-jailbroken iOS] ("All that you require is the Apple ID and password of the iPhone or iPad that you want to monitor to get remote access to"). Their website includes "Are your employees misusing company owned phones? Are your kids getting more possessed and do not want to share anything with you? Stop wondering and thinking all day long, Mobistealth iPhone spy app is exactly what you need."<br />
<br />
=== mSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.mtechnology.mspy.trial/ mSpy] is a spying tool available to the public via the BigBoss repository (a default repository), authored by Mtechnology. Its description of itself: "mSpy is the best tracking and spy application that allows users to keep a check on the cell phone activities of their kids other family members or employees in order to avoid any unwanted behavior or for safety purposes."<br />
<br />
The mSpy website [http://www.mspy.com/compatibility.html indicates that they also have a version for non-jailbroken devices].<br />
<br />
In May 2015, [http://krebsonsecurity.com/2015/05/mspy-denies-breach-even-as-customers-confirm-it/ mSpy had a customer data breach].<br />
<br />
=== OwnSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.ownspy.daemon/ OwnSpy] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Antonio Calatrava. It describes itself as "Spy your own iPhone or iPad", with call recording, location tracking, and other features. It has a warning that says "Installing OwnSpy on a device that does not belong to you is a criminal offense and may be prosecuted. Mobile Innovations will help authorities if required." [http://en.ownspy.com/P000001-install-on-ios OwnSpy website].<br />
<br />
=== Spy App ===<br />
<br />
[http://cydia.saurik.com/package/com.spyapp.daemon/ Spy App] is a spying tool available to the public via the ModMyi repository (a default repository), authored by dmarinov. Its description includes "Remotely spy SMS, Emails, Call Logs, GPS Location, Key presses (Keylogger)" and other features. It says it is "absolutely invisible and undetectable."<br />
<br />
=== SpyKey ===<br />
<br />
[http://cydia.saurik.com/package/com.kobisnir.spykey/ SpyKey] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Kobi Snir. Its description includes "a simple app that let you monitor your PC Keyboard activity in real time, Simply connect your iphone to your compute using your Wifi or 3G connection and start monitoring." The [http://www.ioslinks.com/spykey/ SpyKey website] includes "Great use for parental control purposes, protect your kids from chating with strangers!", "Discover usernames & passwords", and "Spy unfaithfull husband or wife."<br />
<br />
=== StealthGenie ===<br />
<br />
StealthGenie was a spying tool available to the public [http://blog.flexispy.com/remove-stealthgenie-iphone-android/ via their own repository]. It also supported other mobile operating systems. In November 2014, the person who advertised and sold this product was [http://www.justice.gov/opa/pr/man-pleads-guilty-selling-stealthgenie-spyware-app-and-ordered-pay-500000-fine charged with a federal crime and fined $500,000]. The charge was "sale of an interception device and advertisement of a known interception device", a wiretapping crime. [http://www.forbes.com/sites/kashmirhill/2014/09/30/stealthgenie-ugly-marketing-of-spyware/ A Forbes article] says "according to the FBI, Akbar and his team developed an internal business plan that revealed that — duh — the primary target audience for the app was people who thought their partners were cheating." The Forbes article points out [[#Mobile Spy]], [[#mSpy]], [[#FlexiSPY]], and [[#MobiStealth]] as similar products.<br />
<br />
=== Trapsms ===<br />
<br />
Trapsms was an early spying tool available to the public, [http://blog.fortinet.com/post/detecting-spyware-for-iphones described in this post by a security researcher in July 2009]. She says: "The spyware installs on any jailbroken iPhone. In Cydia (an iPhone front-end to help installing third-party applications), you first add the URL of the spyware's repository and then install the two spyware packages."<br />
<br />
[[Category:Malware research]]</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=Malware_for_iOS&diff=54027Malware for iOS2016-08-26T04:47:33Z<p>Britta: /* Pegasus (August 2016) */ more detail</p>
<hr />
<div>This is a list of known malware (including spyware, adware, trojans, viruses, worms, and similar tools) that have targeted iOS, including jailbroken iOS. The dates are approximate dates when people discovered, publicized, or started discussing the tool. '''You can help expand this article with more examples and details. To edit it, [[The iPhone Wiki:Account creation|request an account on TheiPhoneWiki]].'''<br />
<br />
The goal of this list is to aid better understanding of the risks of using iOS and jailbroken iOS - it's helpful to have as much accurate information as you can. If you're concerned about avoiding malware on your jailbroken device, check out [https://www.reddit.com/r/jailbreak/wiki/howtoresearch this guide to making informed guesses about whether packages are reasonable to install].<br />
<br />
Some context: <br />
* Some of these tools targeted old iOS versions and do not work on current iOS versions.<br />
* Some of these are harmful and some are merely annoying.<br />
* Many of these require the device to be jailbroken, and some work on non-jailbroken devices (including via [[misuse of enterprise and developer certificates]]).<br />
* Cydia is an open platform - it includes a specific set of default repositories, and it also allows users to type in any third-party repository that they want to use (much like a web browser that allows you to visit any website). Anyone can run a third-party repository and distribute any software they choose to distribute.<br />
* Some of these tools are built to target specific people instead of the general public.<br />
* Especially for malware that targets a specific person and requires the device to be jailbroken (such as commercial spyware tools used by governments and [http://www.forbes.com/sites/sarahjeong/2014/10/28/surveillance-begins-at-home/ people spying on family members]), it's important to consider that ''the vulnerabilities in iOS that allow it to be exploited with a jailbreak'' are part of what allows that malware to exist - the process may include finding a way to secretly jailbreak the target's device if it's not jailbroken already.<br />
<br />
For an earlier list of known malware, see [https://blog.fortinet.com/post/ios-malware-does-exist "iOS Malware Does Exist"] (June 2014).<br />
<br />
== Tools found in the wild that target the public ==<br />
<br />
=== iKee and Duh (November 2009) ===<br />
<br />
The [[Ikee-virus]] (also called Eeki) is a worm transmitted between jailbroken devices that have OpenSSH installed and haven't changed the default root password. It changes the lockscreen background to a photo of Rick Astley.<br />
<br />
Two weeks later, the similar [https://nakedsecurity.sophos.com/2009/11/23/lightning-strikes-iphone-malware-malicious/ Duh worm] spread, which was "much more serious than the original Ikee worm because it is not limited to infecting iPhone users in Australia, and communicates with an internet Control & Command centre, downloading new instructions - effectively turning your iPhone into part of a botnet."<br />
<br />
=== "Find and Call" (July 2012) ===<br />
<br />
Find and Call was an app on the App Store that automatically uploaded users' contact lists to the company's server, then spammed those contacts with a link to the app ("from" that user). This undisclosed, unwanted behavior makes the software fit the definition of a trojan. Articles: [https://securelist.com/blog/incidents/33544/find-and-call-leak-and-spam-57/ Kaspersky SecureList], [http://arstechnica.com/apple/2012/07/find-and-call-app-becomes-first-trojan-to-appear-on-ios-app-store/ Ars Technica], [https://nakedsecurity.sophos.com/2012/07/06/find-call-ios-android-malware/ Sophos NakedSecurity]. It is also called FindCall.<br />
<br />
=== Packages by Nobitazzz (August 2012 and September 2013) ===<br />
<br />
A tweak developer who went by various names (Felix, FelixCat, isoftjsc, Martin Pham, Nitram88, Nobitazzz, Nobita.ZZZ, Sara_Nobita, sara_nobita_zzz, tuyentq2009, vietSARA) included adware in his tweaks. These were many free packages along with some paid packages sold via the Cydia Store, mostly distributed by default repositories (until the problem was discovered). The adware ran ads in the background of iOS, displaying off-screen so that the user wouldn't notice them, with the revenue from those ads going to this tweak developer. This was [http://modmyi.com/forums/cydia-support/810633-new-adware-malware-found-cydia.html first reported in August 2012 on the ModMyi forum] and [http://ryanhileman.info/posts/webgl analyzed in September 2013] ([https://www.reddit.com/r/jailbreak/comments/1n5702/anatomy_of_a_jailbreak_trojan/ discussion on Reddit]).<br />
<br />
Packages by this developer included: Animated ICS LockScreen & HomeScreen, BetterChrome, Chrome Download Enabler, ChromeMe, Enable Copy text in Facebook app, Enable WebGL, Facebook Photo Library integration, FacebookThis, Handwriting recognition, Insta9gag, InstaFacebook for NotificationCenter, Instagram Image saver, InstaSocial for Notification Center, InstaTwitter for NotificationCenter, iOS 6 Photos Menu, Make Gmail as default, Notification Lunar Calendar, Olympic 2012 Medal for Notification Center, PhotoFilters, Sara, Sara Dictation Keyboard, VoiceTweet.<br />
<br />
=== AdThief/Spad (March and August 2014) ===<br />
<br />
AdThief (also called Spad) is malware targeting jailbroken iOS devices, which "tweaks a developer ID that’s intended to tell ad developers when their ads are either viewed or clicked and in turn, generate revenue. In the malware’s case, infected devices funnel those small payments away from the developers to the hacker", as [https://threatpost.com/adthief-ios-malware-affecting-75k-jailbroken-devices/107907 explained by Kaspersky Threatpost]. Security researchers estimated it had infected 75,000 devices.<br />
<br />
=== Unflod (April 2014) ===<br />
<br />
[[Unflod]] is a malicious piece of software targeting jailbroken iOS devices, which attempts to capture the user's Apple ID and password by using MobileSubstrate to hook into the SSLWrite function of Security.framework and then listening to data passed to it. Once the Apple ID and password are captured, it is sent to a Chinese IP address. It was inadvertently discovered by a Reddit user on April 17th, 2014. Also called "Unflod Baby Panda" and "SSLCreds".<br />
<br />
=== AppBuyer (September 2014) ===<br />
<br />
AppBuyer, as discussed in [http://researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/ this article by Palo Alto Networks], is malware that “will connect to C&C server, download and execute malicious executable files, hook network APIs to steal user’s Apple ID and password and upload to the attacker’s server, and simulate Apple’s proprietary protocols to buy apps from the official App Store by victim’s identity.” It targets jailbroken devices.<br />
<br />
=== WireLurker and Masque Attack (November 2014) ===<br />
<br />
As discussed at [[Misuse of enterprise and developer certificates]]: [http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/ according to Palo Alto Networks], WireLurker is "a family of malware targeting both Mac OS and iOS systems for the past six months...It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning."<br />
<br />
Masque Attacks are a related technique, also [https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html discussed by Palo Alto Networks]: "an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier."<br />
<br />
=== Xsser mRAT (December 2014) ===<br />
<br />
Xsser mRAT is a piece of malware that targets jailbroken devices. [https://blogs.akamai.com/2014/12/ios-and-android-os-targeted-by-man-in-the-middle-attacks.html As described by Akamai]: "The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server."<br />
<br />
=== Lock Saver Free (July 2015) ===<br />
<br />
Lock Saver Free is a free tweak, originally distributed on a default repository (removed from the repository after discovery of the problem), that installs an extra tweak that hooks into ad banners to insert its own ad identifier, presumably in order to give ad revenue to the author of the tweak instead of to the author of the website/app where the ad was found. [https://www.reddit.com/r/jailbreak/comments/3eis8g/news_lock_saver_free_contains_a_trojan_that/ Discussion on Reddit].<br />
<br />
=== KeyRaider (August 2015) ===<br />
<br />
KeyRaider, as discussed in [http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/ this article by Palo Alto Networks], is a piece of malware for jailbroken devices that "steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device." These security researchers said it has over 225,000 stolen accounts in its database.<br />
<br />
=== XcodeGhost (September 2015) ===<br />
<br />
XcodeGhost is a form of malware that was found in some unofficial redistributions of Xcode targeted at Chinese developers (who often download redistributed copies because official Apple download speeds are slow in China). XcodeGhost infects apps compiled with those versions of Xcode, which included at least 39 apps published in the iOS App Store. Palo Alto Networks published a series of posts about it: [http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/ original post explaining it], [http://researchcenter.paloaltonetworks.com/2015/09/malware-xcodeghost-infects-39-ios-apps-including-wechat-affecting-hundreds-of-millions-of-users/ a list of additional infected apps on the App Store], [http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/ more about its capabilities]. It adds code that can upload device and app information to a central server, create fake iCloud password signin prompts, and read and write from the copy-and-paste clipboard.<br />
<br />
=== YiSpecter (October 2015) ===<br />
<br />
YiSpecter, [http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/ also discussed by Palo Alto Networks], is malware that uses private APIs to perform malicious actions on both non-jailbroken and jailbroken iOS. It gets installed in the form of apps signed with [[Misuse of enterprise and developer certificates|enterprise certificates]]. Palo Alto Networks says "On infected iOS devices, YiSpecter can download, install and launch arbitrary iOS apps, replace existing apps with those it downloads, hijack other apps’ execution to display advertisements, change Safari’s default search engine, bookmarks and opened pages, and upload device information to the C2 server."<br />
<br />
=== Muda (October 2015) ===<br />
<br />
Muda (also called AdLord), [https://twitter.com/claud_xiao/status/653606471876263936 discussed by Claud Xiao], is a form of adware for jailbroken devices. It has been in the wild at least since October 2013. He writes "It spreads via third party Cydia sources in China, and only affects jailbroken iOS devices. Its main behaviors include to display advertisements over other apps or in notification bar, and to ask user downloading iOS apps it promoted. "<br />
<br />
=== Youmi Ad SDK (October 2015) ===<br />
<br />
This advertising SDK, mostly used by Chinese App Store developers, [https://sourcedna.com/blog/20151018/ios-apps-using-private-apis.html was discovered by SourceDNA] to be abusing private APIs in order to collect more personal information than is allowed by Apple security and privacy guidelines, including the list of apps installed on a device, serial numbers of a device and internal components, and user's Apple ID email address. Youmi exploited a weakness in App Store review process and evaded detection by obfuscating private API calls using simple string manipulation. 256 apps with estimated 1 million downloads were found to be affected, including the official Chinese McDonald's app.<br />
<br />
== Tools used by governments (and similar) to target individuals ==<br />
<br />
=== FinSpy Mobile (August 2012) ===<br />
<br />
FinFisher is a suite of commercial surveillance tools sold to governments, which have been used to target activists and other people. The suite [https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/ includes spyware tools for many mobile operating systems, including iOS].<br />
<br />
=== DROPOUTJEEP (December 2013) ===<br />
<br />
In December 2013, a conference presentation included information about a NSA tool called DROPOUTJEEP: [http://www.forbes.com/sites/erikkain/2013/12/30/the-nsa-reportedly-has-total-access-to-your-iphone/ "a software implant for the Apple iPhone that utilizes modular mission applications to provide specific SIGINT functionality. This functionality includes the ability to remotely push/pull files from the device. SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell tower location, etc. Command, control and data exfiltration can occur over SMS messaging or a GPRS data connection. All communications with the implant will be covert and encrypted.”] The information was from an internal NSA software catalog from 2008. The presenter speculated that Apple had helped build this tool, and [http://techcrunch.com/2013/12/31/apple-says-it-has-never-worked-with-nsa-to-create-iphone-backdoors-is-unaware-of-alleged-dropoutjeep-snooping-program/ Apple said it "has never worked with the NSA to create a backdoor in any of our products"].<br />
<br />
=== Hacking Team tools (June 2014 and July 2015) ===<br />
<br />
[[Hacking Team]] is a company that "sells offensive intrusion and surveillance capabilities to governments and law enforcement agencies", including iOS spyware tools. The iOS spyware tools appear designed for targeting/attacking specific people, not for broad surveillance of the public. Their main tool (Remote Control System) requires a jailbroken device, and they were researching options for non-jailbroken devices.<br />
<br />
=== Inception (December 2014) ===<br />
<br />
Inception is an "attack framework" from an unknown source that targets individuals to steal information, using phishing emails and other techniques along with malware for iOS and other mobile operating systems, described in [https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware this post by security researchers who identified it]. According to [http://images.machspeed.bluecoat.com/Web/BlueCoat/%7B7f2dda62-f240-48dc-b05e-5cc620747b73%7D_bcs_wp_The_Inception_Framework_Cloud-Hosted_APT_EN_1d.pdf the whitepaper from those security researchers], a target may receive a phishing email with a link that says it's a WhatsApp update, and if clicked on jailbroken iOS, it triggers "the download of a Debian installer package, WhatsAppUpdate.deb, also 1.2Mb in size. This application impersonates a Cydia installer, and can only be installed on a jailbroken phone" (page 23). It's unclear what they mean by "impersonates a Cydia installer", but a .deb file is the standard format for software packages installable via Cydia. The iOS malware collects the device's [[ICCID]], address book, phone number, MAC address, and other information.<br />
<br />
Another group of security researchers also identified this attack framework [http://www.cso.com.au/article/562325/sophisticated-malware-targets-execs-pcs-android-blackberry-ios-devices/ and called it Cloud Atlas].<br />
<br />
More articles: [http://appleinsider.com/articles/14/12/11/massive-sophisticated-inception---cloud-atlas-malware-infects-windows-and-android-but-cant-exploit-apples-ios-without-jailbreak Apple Insider], [http://www.forbes.com/sites/thomasbrewster/2014/12/10/iphone-android-attacks-on-diplomats/ Forbes]. There is a sample download [http://contagiominidump.blogspot.de/2014/12/cloud-atlas-inception-ios.html available via this blog].<br />
<br />
=== XAgent (February 2015) ===<br />
<br />
XAgent is a surveillance tool targeting specific people (such as people in governments, the military, and journalists) that can affect both non-jailbroken and jailbroken devices, as described in [http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/ this article by Trend Micro]. Also [http://www.pcworld.com/article/2880152/new-spyware-targets-ios-devices-steals-pictures-and-data.html covered by PCWorld].<br />
<br />
=== Pegasus (August 2016) ===<br />
<br />
Pegasus is a spyware product for iOS built by NSO Group, sold to governments, which has been used for attacks against political dissidents. It uses a chain of exploits nicknamed Trident to silently jailbreak the target device, and then it installs malware. Lookout Security described it in [https://blog.lookout.com/blog/2016/08/25/trident-pegasus/ a post] and [https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf a technical analysis]. Citizen Lab wrote [https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/ a post about its use].<br />
<br />
== Tools developed as part of research ==<br />
<br />
=== iSAM (June 2011) ===<br />
<br />
iSAM is a malware tool [http://link.springer.com/chapter/10.1007%2F978-3-642-21424-0_2 developed by security researchers] as a proof of concept. It affects both jailbroken and not-yet-jailbroken devices: it scans for jailbroken devices that have SSH running and the default root password, and it also includes a malicious version of the [[Star]] exploit (JailbreakMe 2.0) so it can jailbreak a device that isn't jailbroken yet.<br />
<br />
=== Instastock (November 2011) ===<br />
<br />
Charlie Miller, a security researcher, [http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/ submitted an app to the App Store called Instastock] to demonstrate "a flaw in Apple’s restrictions on code signing on iOS devices". The app was initially accepted and then pulled from the store.<br />
<br />
=== Mactans (July 2013) ===<br />
<br />
At the Black Hat 2013 conference, security researchers presented a tool called Mactans, a small device that looks like a charger but [http://www.zdnet.com/article/researchers-reveal-how-to-hack-an-iphone-in-60-seconds/ can insert malware if you plug an iOS device into it]. The iOS device does not have to be jailbroken.<br />
<br />
=== Jekyll (August 2013) ===<br />
<br />
At the USENIX Security Symposium in 2013, security researchers described a method for getting a malicious app approved for the App Store, [http://www.theguardian.com/technology/appsblog/2013/aug/19/ios-malware-apple-iphone-ipad-jekyll "created with remotely-exploitable vulnerabilities built in, masked by legitimate features to evade detection during the App Store approval process, but ready to be triggered once the app was installed on an iOS device."] They successfully got an app approved for the App Store with this method (which [http://arstechnica.com/security/2013/08/seemingly-benign-jekyll-app-passes-apple-review-then-becomes-evil/ "was only active for a few minutes following its launch in March, and during that time it wasn't installed by anyone not involved in the experiment"]).<br />
<br />
=== XARA attacks (June 2015) ===<br />
<br />
Security researchers found methods for "cross-app resource access" (XARA) attacks on OS X and iOS, and they submitted malicious proof-of-concept apps to the Mac and iOS App Store. Apple approved the apps, and the researchers immediately removed them from the stores. These XARA attacks were ways of bypassing the sandboxes that are supposed to prevent an app from accessing files that don't belong to that app, [https://drive.google.com/file/d/0BxxXk1d3yyuZOFlsdkNMSGswSGs/view described by the security researchers in a paper]. [http://arstechnica.com/security/2015/06/serious-os-x-and-ios-flaws-let-hackers-steal-keychain-1password-contents/ Ars Technica article].<br />
<br />
=== NeonEggShell (August 2015) ===<br />
<br />
[http://neoneggplants.com/projects/neoneggshell/ NeonEggShell] is a command shell creation tool for iOS and OS X. The author says "This project is a proof of concept way to demon strate how easy it is to take over a whole device with a piece of code no bigger than a twitter post." The project includes tools for making payloads for jailbroken iOS, with features such as keylogging and location tracking. By default, the tool includes a "prompt that asks for permission before allowing any connection to the remote server."<br />
<br />
== Tools for sale to the public to target individuals ==<br />
<br />
=== 1mole ===<br />
<br />
[http://www.bosspy.com/user/iphoneos.aspx 1mole] is a spying tool available to the public via their own repository, authored by Bosspy. It describes itself [http://www.bosspy.com/user/default.aspx on its website] as "For Parents" ("Have your children going home after school? Consult their GPS position to be sure."), "For individuals" ("You think about your lost or stolen mobile phone."), and "For Employers" ("Install the software on your business phones and locate them in real time"). Its feature list includes "Track GPS locations" and "Capture the lock sreen passcode" for free, and "Record text messages", "Log Calls details", "Website monitoring", and "Keylogger" as paid services.<br />
<br />
=== Copy9 ===<br />
<br />
[http://cydia.saurik.com/package/com.goldenspy.copy9/ Copy9] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Copy9. It describes itself as "will be installed on target iDevice to find out a thief, cheating spouses, monitor chidren/employees or simply backup data from your devices to our cloud server. This is the best spyware on the world in spying field." [http://copy9.com/ Copy9 website].<br />
<br />
=== Copy10 ===<br />
<br />
[http://cydia.saurik.com/package/com.copy10.copy10/ Copy10] is a similar but separate spying tool available to the public via the ModMyi repository (a default repository), authored by IntelMobi/goldenspy. Their description includes "Are you having trust issues in your relationship? Sign that your kid's personality has changed and their behaviors, does your teenager hang out with friends you're concerned about? What if you believe one of your employees is a spy or is stealing company's technology, intellectual property or trade secrets?" [https://www.intelmobi.com/ IntelMobi website].<br />
<br />
=== FlexiSPY ===<br />
<br />
[http://www.flexispy.com/en/iphone-tracker-spy-on-iphone.htm FlexiSPY] is a spying tool available to the public presumably via their own repository (this isn't specified on their website, but it's specified that you need the device to be jailbroken), authored by Flexispy, Ltd. Their website says "If you have a committed relationship with your partner or are responsible for a child or employee YOU HAVE A RIGHT TO KNOW To protect your relationship, spy on their iPhone."<br />
<br />
=== iKeyGuard Key Logger ===<br />
<br />
[http://cydia.saurik.com/package/com.ikeyguard.ikg/ iKeyGuard Key Logger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by iKeyGuard. Its description includes "Warning: Logging other people without their permission might be illegal in your country! Make sure you abide by your local law."<br />
<br />
=== iKeyMonitor keylogger ===<br />
<br />
[http://cydia.saurik.com/package/com.aw.mobile.ikm/ iKeyMonitor keylogger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Awosoft Technology. [http://ikeymonitor.com/ Its website] includes "How to monitor your children's cell phone to discover the truth and protect them from potential dangers? Now with iKeyMonitor you can uncover the truth by secretly monitoring mobile phones and tablets such as iPhone/iPad/iPod and Android device."<br />
<br />
=== InnovaSPY ===<br />
<br />
[http://cydia.saurik.com/package/com.innovaspy.innovaspy/ InnovaSPY] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Innovaspy. Its description says "Perfect iPhone spy app" and lists reasons to use it as "Protect your child from cyber predators" and "Find out THE TRUE from cheating spouse?" Related package: [http://cydia.saurik.com/package/com.innovaspy.innovamonitor/ InnovaMonitor], a monitoring app for use with the spy tool. [http://innovaspy.com/ InnovaSPY website].<br />
<br />
=== Mobile Spy ===<br />
<br />
[http://www.mobile-spy.com/iphone-v7.html Mobile Spy] is a spying tool available to the public via their own repository, authored by Retina-X Studios. [http://www.mobile-spy.com/ Their website] says "View your Child or Employee's Smartphone and Tablet Usage. Monitor text messages, GPS locations, call details, photos and social media activity. View the screen and location LIVE!"<br />
<br />
=== MobiStealth ===<br />
<br />
[http://www.mobistealth.com/iphone-spy MobiStealth] is a spying tool available to the public for both [http://www.mobistealth.com/iphone-spy jailbroken iOS] (presumably installed via their own repository) and [http://www.mobistealth.com/ios-non-jailbreak non-jailbroken iOS] ("All that you require is the Apple ID and password of the iPhone or iPad that you want to monitor to get remote access to"). Their website includes "Are your employees misusing company owned phones? Are your kids getting more possessed and do not want to share anything with you? Stop wondering and thinking all day long, Mobistealth iPhone spy app is exactly what you need."<br />
<br />
=== mSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.mtechnology.mspy.trial/ mSpy] is a spying tool available to the public via the BigBoss repository (a default repository), authored by Mtechnology. Its description of itself: "mSpy is the best tracking and spy application that allows users to keep a check on the cell phone activities of their kids other family members or employees in order to avoid any unwanted behavior or for safety purposes."<br />
<br />
The mSpy website [http://www.mspy.com/compatibility.html indicates that they also have a version for non-jailbroken devices].<br />
<br />
In May 2015, [http://krebsonsecurity.com/2015/05/mspy-denies-breach-even-as-customers-confirm-it/ mSpy had a customer data breach].<br />
<br />
=== OwnSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.ownspy.daemon/ OwnSpy] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Antonio Calatrava. It describes itself as "Spy your own iPhone or iPad", with call recording, location tracking, and other features. It has a warning that says "Installing OwnSpy on a device that does not belong to you is a criminal offense and may be prosecuted. Mobile Innovations will help authorities if required." [http://en.ownspy.com/P000001-install-on-ios OwnSpy website].<br />
<br />
=== Spy App ===<br />
<br />
[http://cydia.saurik.com/package/com.spyapp.daemon/ Spy App] is a spying tool available to the public via the ModMyi repository (a default repository), authored by dmarinov. Its description includes "Remotely spy SMS, Emails, Call Logs, GPS Location, Key presses (Keylogger)" and other features. It says it is "absolutely invisible and undetectable."<br />
<br />
=== SpyKey ===<br />
<br />
[http://cydia.saurik.com/package/com.kobisnir.spykey/ SpyKey] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Kobi Snir. Its description includes "a simple app that let you monitor your PC Keyboard activity in real time, Simply connect your iphone to your compute using your Wifi or 3G connection and start monitoring." The [http://www.ioslinks.com/spykey/ SpyKey website] includes "Great use for parental control purposes, protect your kids from chating with strangers!", "Discover usernames & passwords", and "Spy unfaithfull husband or wife."<br />
<br />
=== StealthGenie ===<br />
<br />
StealthGenie was a spying tool available to the public [http://blog.flexispy.com/remove-stealthgenie-iphone-android/ via their own repository]. It also supported other mobile operating systems. In November 2014, the person who advertised and sold this product was [http://www.justice.gov/opa/pr/man-pleads-guilty-selling-stealthgenie-spyware-app-and-ordered-pay-500000-fine charged with a federal crime and fined $500,000]. The charge was "sale of an interception device and advertisement of a known interception device", a wiretapping crime. [http://www.forbes.com/sites/kashmirhill/2014/09/30/stealthgenie-ugly-marketing-of-spyware/ A Forbes article] says "according to the FBI, Akbar and his team developed an internal business plan that revealed that — duh — the primary target audience for the app was people who thought their partners were cheating." The Forbes article points out [[#Mobile Spy]], [[#mSpy]], [[#FlexiSPY]], and [[#MobiStealth]] as similar products.<br />
<br />
=== Trapsms ===<br />
<br />
Trapsms was an early spying tool available to the public, [http://blog.fortinet.com/post/detecting-spyware-for-iphones described in this post by a security researcher in July 2009]. She says: "The spyware installs on any jailbroken iPhone. In Cydia (an iPhone front-end to help installing third-party applications), you first add the URL of the spyware's repository and then install the two spyware packages."<br />
<br />
[[Category:Malware research]]</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=Malware_for_iOS&diff=54026Malware for iOS2016-08-26T04:40:07Z<p>Britta: adding Pegasus</p>
<hr />
<div>This is a list of known malware (including spyware, adware, trojans, viruses, worms, and similar tools) that have targeted iOS, including jailbroken iOS. The dates are approximate dates when people discovered, publicized, or started discussing the tool. '''You can help expand this article with more examples and details. To edit it, [[The iPhone Wiki:Account creation|request an account on TheiPhoneWiki]].'''<br />
<br />
The goal of this list is to aid better understanding of the risks of using iOS and jailbroken iOS - it's helpful to have as much accurate information as you can. If you're concerned about avoiding malware on your jailbroken device, check out [https://www.reddit.com/r/jailbreak/wiki/howtoresearch this guide to making informed guesses about whether packages are reasonable to install].<br />
<br />
Some context: <br />
* Some of these tools targeted old iOS versions and do not work on current iOS versions.<br />
* Some of these are harmful and some are merely annoying.<br />
* Many of these require the device to be jailbroken, and some work on non-jailbroken devices (including via [[misuse of enterprise and developer certificates]]).<br />
* Cydia is an open platform - it includes a specific set of default repositories, and it also allows users to type in any third-party repository that they want to use (much like a web browser that allows you to visit any website). Anyone can run a third-party repository and distribute any software they choose to distribute.<br />
* Some of these tools are built to target specific people instead of the general public.<br />
* Especially for malware that targets a specific person and requires the device to be jailbroken (such as commercial spyware tools used by governments and [http://www.forbes.com/sites/sarahjeong/2014/10/28/surveillance-begins-at-home/ people spying on family members]), it's important to consider that ''the vulnerabilities in iOS that allow it to be exploited with a jailbreak'' are part of what allows that malware to exist - the process may include finding a way to secretly jailbreak the target's device if it's not jailbroken already.<br />
<br />
For an earlier list of known malware, see [https://blog.fortinet.com/post/ios-malware-does-exist "iOS Malware Does Exist"] (June 2014).<br />
<br />
== Tools found in the wild that target the public ==<br />
<br />
=== iKee and Duh (November 2009) ===<br />
<br />
The [[Ikee-virus]] (also called Eeki) is a worm transmitted between jailbroken devices that have OpenSSH installed and haven't changed the default root password. It changes the lockscreen background to a photo of Rick Astley.<br />
<br />
Two weeks later, the similar [https://nakedsecurity.sophos.com/2009/11/23/lightning-strikes-iphone-malware-malicious/ Duh worm] spread, which was "much more serious than the original Ikee worm because it is not limited to infecting iPhone users in Australia, and communicates with an internet Control & Command centre, downloading new instructions - effectively turning your iPhone into part of a botnet."<br />
<br />
=== "Find and Call" (July 2012) ===<br />
<br />
Find and Call was an app on the App Store that automatically uploaded users' contact lists to the company's server, then spammed those contacts with a link to the app ("from" that user). This undisclosed, unwanted behavior makes the software fit the definition of a trojan. Articles: [https://securelist.com/blog/incidents/33544/find-and-call-leak-and-spam-57/ Kaspersky SecureList], [http://arstechnica.com/apple/2012/07/find-and-call-app-becomes-first-trojan-to-appear-on-ios-app-store/ Ars Technica], [https://nakedsecurity.sophos.com/2012/07/06/find-call-ios-android-malware/ Sophos NakedSecurity]. It is also called FindCall.<br />
<br />
=== Packages by Nobitazzz (August 2012 and September 2013) ===<br />
<br />
A tweak developer who went by various names (Felix, FelixCat, isoftjsc, Martin Pham, Nitram88, Nobitazzz, Nobita.ZZZ, Sara_Nobita, sara_nobita_zzz, tuyentq2009, vietSARA) included adware in his tweaks. These were many free packages along with some paid packages sold via the Cydia Store, mostly distributed by default repositories (until the problem was discovered). The adware ran ads in the background of iOS, displaying off-screen so that the user wouldn't notice them, with the revenue from those ads going to this tweak developer. This was [http://modmyi.com/forums/cydia-support/810633-new-adware-malware-found-cydia.html first reported in August 2012 on the ModMyi forum] and [http://ryanhileman.info/posts/webgl analyzed in September 2013] ([https://www.reddit.com/r/jailbreak/comments/1n5702/anatomy_of_a_jailbreak_trojan/ discussion on Reddit]).<br />
<br />
Packages by this developer included: Animated ICS LockScreen & HomeScreen, BetterChrome, Chrome Download Enabler, ChromeMe, Enable Copy text in Facebook app, Enable WebGL, Facebook Photo Library integration, FacebookThis, Handwriting recognition, Insta9gag, InstaFacebook for NotificationCenter, Instagram Image saver, InstaSocial for Notification Center, InstaTwitter for NotificationCenter, iOS 6 Photos Menu, Make Gmail as default, Notification Lunar Calendar, Olympic 2012 Medal for Notification Center, PhotoFilters, Sara, Sara Dictation Keyboard, VoiceTweet.<br />
<br />
=== AdThief/Spad (March and August 2014) ===<br />
<br />
AdThief (also called Spad) is malware targeting jailbroken iOS devices, which "tweaks a developer ID that’s intended to tell ad developers when their ads are either viewed or clicked and in turn, generate revenue. In the malware’s case, infected devices funnel those small payments away from the developers to the hacker", as [https://threatpost.com/adthief-ios-malware-affecting-75k-jailbroken-devices/107907 explained by Kaspersky Threatpost]. Security researchers estimated it had infected 75,000 devices.<br />
<br />
=== Unflod (April 2014) ===<br />
<br />
[[Unflod]] is a malicious piece of software targeting jailbroken iOS devices, which attempts to capture the user's Apple ID and password by using MobileSubstrate to hook into the SSLWrite function of Security.framework and then listening to data passed to it. Once the Apple ID and password are captured, it is sent to a Chinese IP address. It was inadvertently discovered by a Reddit user on April 17th, 2014. Also called "Unflod Baby Panda" and "SSLCreds".<br />
<br />
=== AppBuyer (September 2014) ===<br />
<br />
AppBuyer, as discussed in [http://researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/ this article by Palo Alto Networks], is malware that “will connect to C&C server, download and execute malicious executable files, hook network APIs to steal user’s Apple ID and password and upload to the attacker’s server, and simulate Apple’s proprietary protocols to buy apps from the official App Store by victim’s identity.” It targets jailbroken devices.<br />
<br />
=== WireLurker and Masque Attack (November 2014) ===<br />
<br />
As discussed at [[Misuse of enterprise and developer certificates]]: [http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/ according to Palo Alto Networks], WireLurker is "a family of malware targeting both Mac OS and iOS systems for the past six months...It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning."<br />
<br />
Masque Attacks are a related technique, also [https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html discussed by Palo Alto Networks]: "an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier."<br />
<br />
=== Xsser mRAT (December 2014) ===<br />
<br />
Xsser mRAT is a piece of malware that targets jailbroken devices. [https://blogs.akamai.com/2014/12/ios-and-android-os-targeted-by-man-in-the-middle-attacks.html As described by Akamai]: "The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server."<br />
<br />
=== Lock Saver Free (July 2015) ===<br />
<br />
Lock Saver Free is a free tweak, originally distributed on a default repository (removed from the repository after discovery of the problem), that installs an extra tweak that hooks into ad banners to insert its own ad identifier, presumably in order to give ad revenue to the author of the tweak instead of to the author of the website/app where the ad was found. [https://www.reddit.com/r/jailbreak/comments/3eis8g/news_lock_saver_free_contains_a_trojan_that/ Discussion on Reddit].<br />
<br />
=== KeyRaider (August 2015) ===<br />
<br />
KeyRaider, as discussed in [http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/ this article by Palo Alto Networks], is a piece of malware for jailbroken devices that "steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device." These security researchers said it has over 225,000 stolen accounts in its database.<br />
<br />
=== XcodeGhost (September 2015) ===<br />
<br />
XcodeGhost is a form of malware that was found in some unofficial redistributions of Xcode targeted at Chinese developers (who often download redistributed copies because official Apple download speeds are slow in China). XcodeGhost infects apps compiled with those versions of Xcode, which included at least 39 apps published in the iOS App Store. Palo Alto Networks published a series of posts about it: [http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/ original post explaining it], [http://researchcenter.paloaltonetworks.com/2015/09/malware-xcodeghost-infects-39-ios-apps-including-wechat-affecting-hundreds-of-millions-of-users/ a list of additional infected apps on the App Store], [http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/ more about its capabilities]. It adds code that can upload device and app information to a central server, create fake iCloud password signin prompts, and read and write from the copy-and-paste clipboard.<br />
<br />
=== YiSpecter (October 2015) ===<br />
<br />
YiSpecter, [http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/ also discussed by Palo Alto Networks], is malware that uses private APIs to perform malicious actions on both non-jailbroken and jailbroken iOS. It gets installed in the form of apps signed with [[Misuse of enterprise and developer certificates|enterprise certificates]]. Palo Alto Networks says "On infected iOS devices, YiSpecter can download, install and launch arbitrary iOS apps, replace existing apps with those it downloads, hijack other apps’ execution to display advertisements, change Safari’s default search engine, bookmarks and opened pages, and upload device information to the C2 server."<br />
<br />
=== Muda (October 2015) ===<br />
<br />
Muda (also called AdLord), [https://twitter.com/claud_xiao/status/653606471876263936 discussed by Claud Xiao], is a form of adware for jailbroken devices. It has been in the wild at least since October 2013. He writes "It spreads via third party Cydia sources in China, and only affects jailbroken iOS devices. Its main behaviors include to display advertisements over other apps or in notification bar, and to ask user downloading iOS apps it promoted. "<br />
<br />
=== Youmi Ad SDK (October 2015) ===<br />
<br />
This advertising SDK, mostly used by Chinese App Store developers, [https://sourcedna.com/blog/20151018/ios-apps-using-private-apis.html was discovered by SourceDNA] to be abusing private APIs in order to collect more personal information than is allowed by Apple security and privacy guidelines, including the list of apps installed on a device, serial numbers of a device and internal components, and user's Apple ID email address. Youmi exploited a weakness in App Store review process and evaded detection by obfuscating private API calls using simple string manipulation. 256 apps with estimated 1 million downloads were found to be affected, including the official Chinese McDonald's app.<br />
<br />
== Tools used by governments (and similar) to target individuals ==<br />
<br />
=== FinSpy Mobile (August 2012) ===<br />
<br />
FinFisher is a suite of commercial surveillance tools sold to governments, which have been used to target activists and other people. The suite [https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/ includes spyware tools for many mobile operating systems, including iOS].<br />
<br />
=== DROPOUTJEEP (December 2013) ===<br />
<br />
In December 2013, a conference presentation included information about a NSA tool called DROPOUTJEEP: [http://www.forbes.com/sites/erikkain/2013/12/30/the-nsa-reportedly-has-total-access-to-your-iphone/ "a software implant for the Apple iPhone that utilizes modular mission applications to provide specific SIGINT functionality. This functionality includes the ability to remotely push/pull files from the device. SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell tower location, etc. Command, control and data exfiltration can occur over SMS messaging or a GPRS data connection. All communications with the implant will be covert and encrypted.”] The information was from an internal NSA software catalog from 2008. The presenter speculated that Apple had helped build this tool, and [http://techcrunch.com/2013/12/31/apple-says-it-has-never-worked-with-nsa-to-create-iphone-backdoors-is-unaware-of-alleged-dropoutjeep-snooping-program/ Apple said it "has never worked with the NSA to create a backdoor in any of our products"].<br />
<br />
=== Hacking Team tools (June 2014 and July 2015) ===<br />
<br />
[[Hacking Team]] is a company that "sells offensive intrusion and surveillance capabilities to governments and law enforcement agencies", including iOS spyware tools. The iOS spyware tools appear designed for targeting/attacking specific people, not for broad surveillance of the public. Their main tool (Remote Control System) requires a jailbroken device, and they were researching options for non-jailbroken devices.<br />
<br />
=== Inception (December 2014) ===<br />
<br />
Inception is an "attack framework" from an unknown source that targets individuals to steal information, using phishing emails and other techniques along with malware for iOS and other mobile operating systems, described in [https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware this post by security researchers who identified it]. According to [http://images.machspeed.bluecoat.com/Web/BlueCoat/%7B7f2dda62-f240-48dc-b05e-5cc620747b73%7D_bcs_wp_The_Inception_Framework_Cloud-Hosted_APT_EN_1d.pdf the whitepaper from those security researchers], a target may receive a phishing email with a link that says it's a WhatsApp update, and if clicked on jailbroken iOS, it triggers "the download of a Debian installer package, WhatsAppUpdate.deb, also 1.2Mb in size. This application impersonates a Cydia installer, and can only be installed on a jailbroken phone" (page 23). It's unclear what they mean by "impersonates a Cydia installer", but a .deb file is the standard format for software packages installable via Cydia. The iOS malware collects the device's [[ICCID]], address book, phone number, MAC address, and other information.<br />
<br />
Another group of security researchers also identified this attack framework [http://www.cso.com.au/article/562325/sophisticated-malware-targets-execs-pcs-android-blackberry-ios-devices/ and called it Cloud Atlas].<br />
<br />
More articles: [http://appleinsider.com/articles/14/12/11/massive-sophisticated-inception---cloud-atlas-malware-infects-windows-and-android-but-cant-exploit-apples-ios-without-jailbreak Apple Insider], [http://www.forbes.com/sites/thomasbrewster/2014/12/10/iphone-android-attacks-on-diplomats/ Forbes]. There is a sample download [http://contagiominidump.blogspot.de/2014/12/cloud-atlas-inception-ios.html available via this blog].<br />
<br />
=== XAgent (February 2015) ===<br />
<br />
XAgent is a surveillance tool targeting specific people (such as people in governments, the military, and journalists) that can affect both non-jailbroken and jailbroken devices, as described in [http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/ this article by Trend Micro]. Also [http://www.pcworld.com/article/2880152/new-spyware-targets-ios-devices-steals-pictures-and-data.html covered by PCWorld].<br />
<br />
=== Pegasus (August 2016) ===<br />
<br />
Pegasus is a spyware product for iOS built by NSO Group, sold to governments, which has been used for attacks against political dissidents. It uses a chain of exploits nicknamed Trident. Lookout Security described it in [https://blog.lookout.com/blog/2016/08/25/trident-pegasus/ a post] and [https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf a technical analysis]. Citizen Lab wrote [https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/ a post about its use].<br />
<br />
== Tools developed as part of research ==<br />
<br />
=== iSAM (June 2011) ===<br />
<br />
iSAM is a malware tool [http://link.springer.com/chapter/10.1007%2F978-3-642-21424-0_2 developed by security researchers] as a proof of concept. It affects both jailbroken and not-yet-jailbroken devices: it scans for jailbroken devices that have SSH running and the default root password, and it also includes a malicious version of the [[Star]] exploit (JailbreakMe 2.0) so it can jailbreak a device that isn't jailbroken yet.<br />
<br />
=== Instastock (November 2011) ===<br />
<br />
Charlie Miller, a security researcher, [http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/ submitted an app to the App Store called Instastock] to demonstrate "a flaw in Apple’s restrictions on code signing on iOS devices". The app was initially accepted and then pulled from the store.<br />
<br />
=== Mactans (July 2013) ===<br />
<br />
At the Black Hat 2013 conference, security researchers presented a tool called Mactans, a small device that looks like a charger but [http://www.zdnet.com/article/researchers-reveal-how-to-hack-an-iphone-in-60-seconds/ can insert malware if you plug an iOS device into it]. The iOS device does not have to be jailbroken.<br />
<br />
=== Jekyll (August 2013) ===<br />
<br />
At the USENIX Security Symposium in 2013, security researchers described a method for getting a malicious app approved for the App Store, [http://www.theguardian.com/technology/appsblog/2013/aug/19/ios-malware-apple-iphone-ipad-jekyll "created with remotely-exploitable vulnerabilities built in, masked by legitimate features to evade detection during the App Store approval process, but ready to be triggered once the app was installed on an iOS device."] They successfully got an app approved for the App Store with this method (which [http://arstechnica.com/security/2013/08/seemingly-benign-jekyll-app-passes-apple-review-then-becomes-evil/ "was only active for a few minutes following its launch in March, and during that time it wasn't installed by anyone not involved in the experiment"]).<br />
<br />
=== XARA attacks (June 2015) ===<br />
<br />
Security researchers found methods for "cross-app resource access" (XARA) attacks on OS X and iOS, and they submitted malicious proof-of-concept apps to the Mac and iOS App Store. Apple approved the apps, and the researchers immediately removed them from the stores. These XARA attacks were ways of bypassing the sandboxes that are supposed to prevent an app from accessing files that don't belong to that app, [https://drive.google.com/file/d/0BxxXk1d3yyuZOFlsdkNMSGswSGs/view described by the security researchers in a paper]. [http://arstechnica.com/security/2015/06/serious-os-x-and-ios-flaws-let-hackers-steal-keychain-1password-contents/ Ars Technica article].<br />
<br />
=== NeonEggShell (August 2015) ===<br />
<br />
[http://neoneggplants.com/projects/neoneggshell/ NeonEggShell] is a command shell creation tool for iOS and OS X. The author says "This project is a proof of concept way to demon strate how easy it is to take over a whole device with a piece of code no bigger than a twitter post." The project includes tools for making payloads for jailbroken iOS, with features such as keylogging and location tracking. By default, the tool includes a "prompt that asks for permission before allowing any connection to the remote server."<br />
<br />
== Tools for sale to the public to target individuals ==<br />
<br />
=== 1mole ===<br />
<br />
[http://www.bosspy.com/user/iphoneos.aspx 1mole] is a spying tool available to the public via their own repository, authored by Bosspy. It describes itself [http://www.bosspy.com/user/default.aspx on its website] as "For Parents" ("Have your children going home after school? Consult their GPS position to be sure."), "For individuals" ("You think about your lost or stolen mobile phone."), and "For Employers" ("Install the software on your business phones and locate them in real time"). Its feature list includes "Track GPS locations" and "Capture the lock sreen passcode" for free, and "Record text messages", "Log Calls details", "Website monitoring", and "Keylogger" as paid services.<br />
<br />
=== Copy9 ===<br />
<br />
[http://cydia.saurik.com/package/com.goldenspy.copy9/ Copy9] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Copy9. It describes itself as "will be installed on target iDevice to find out a thief, cheating spouses, monitor chidren/employees or simply backup data from your devices to our cloud server. This is the best spyware on the world in spying field." [http://copy9.com/ Copy9 website].<br />
<br />
=== Copy10 ===<br />
<br />
[http://cydia.saurik.com/package/com.copy10.copy10/ Copy10] is a similar but separate spying tool available to the public via the ModMyi repository (a default repository), authored by IntelMobi/goldenspy. Their description includes "Are you having trust issues in your relationship? Sign that your kid's personality has changed and their behaviors, does your teenager hang out with friends you're concerned about? What if you believe one of your employees is a spy or is stealing company's technology, intellectual property or trade secrets?" [https://www.intelmobi.com/ IntelMobi website].<br />
<br />
=== FlexiSPY ===<br />
<br />
[http://www.flexispy.com/en/iphone-tracker-spy-on-iphone.htm FlexiSPY] is a spying tool available to the public presumably via their own repository (this isn't specified on their website, but it's specified that you need the device to be jailbroken), authored by Flexispy, Ltd. Their website says "If you have a committed relationship with your partner or are responsible for a child or employee YOU HAVE A RIGHT TO KNOW To protect your relationship, spy on their iPhone."<br />
<br />
=== iKeyGuard Key Logger ===<br />
<br />
[http://cydia.saurik.com/package/com.ikeyguard.ikg/ iKeyGuard Key Logger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by iKeyGuard. Its description includes "Warning: Logging other people without their permission might be illegal in your country! Make sure you abide by your local law."<br />
<br />
=== iKeyMonitor keylogger ===<br />
<br />
[http://cydia.saurik.com/package/com.aw.mobile.ikm/ iKeyMonitor keylogger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Awosoft Technology. [http://ikeymonitor.com/ Its website] includes "How to monitor your children's cell phone to discover the truth and protect them from potential dangers? Now with iKeyMonitor you can uncover the truth by secretly monitoring mobile phones and tablets such as iPhone/iPad/iPod and Android device."<br />
<br />
=== InnovaSPY ===<br />
<br />
[http://cydia.saurik.com/package/com.innovaspy.innovaspy/ InnovaSPY] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Innovaspy. Its description says "Perfect iPhone spy app" and lists reasons to use it as "Protect your child from cyber predators" and "Find out THE TRUE from cheating spouse?" Related package: [http://cydia.saurik.com/package/com.innovaspy.innovamonitor/ InnovaMonitor], a monitoring app for use with the spy tool. [http://innovaspy.com/ InnovaSPY website].<br />
<br />
=== Mobile Spy ===<br />
<br />
[http://www.mobile-spy.com/iphone-v7.html Mobile Spy] is a spying tool available to the public via their own repository, authored by Retina-X Studios. [http://www.mobile-spy.com/ Their website] says "View your Child or Employee's Smartphone and Tablet Usage. Monitor text messages, GPS locations, call details, photos and social media activity. View the screen and location LIVE!"<br />
<br />
=== MobiStealth ===<br />
<br />
[http://www.mobistealth.com/iphone-spy MobiStealth] is a spying tool available to the public for both [http://www.mobistealth.com/iphone-spy jailbroken iOS] (presumably installed via their own repository) and [http://www.mobistealth.com/ios-non-jailbreak non-jailbroken iOS] ("All that you require is the Apple ID and password of the iPhone or iPad that you want to monitor to get remote access to"). Their website includes "Are your employees misusing company owned phones? Are your kids getting more possessed and do not want to share anything with you? Stop wondering and thinking all day long, Mobistealth iPhone spy app is exactly what you need."<br />
<br />
=== mSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.mtechnology.mspy.trial/ mSpy] is a spying tool available to the public via the BigBoss repository (a default repository), authored by Mtechnology. Its description of itself: "mSpy is the best tracking and spy application that allows users to keep a check on the cell phone activities of their kids other family members or employees in order to avoid any unwanted behavior or for safety purposes."<br />
<br />
The mSpy website [http://www.mspy.com/compatibility.html indicates that they also have a version for non-jailbroken devices].<br />
<br />
In May 2015, [http://krebsonsecurity.com/2015/05/mspy-denies-breach-even-as-customers-confirm-it/ mSpy had a customer data breach].<br />
<br />
=== OwnSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.ownspy.daemon/ OwnSpy] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Antonio Calatrava. It describes itself as "Spy your own iPhone or iPad", with call recording, location tracking, and other features. It has a warning that says "Installing OwnSpy on a device that does not belong to you is a criminal offense and may be prosecuted. Mobile Innovations will help authorities if required." [http://en.ownspy.com/P000001-install-on-ios OwnSpy website].<br />
<br />
=== Spy App ===<br />
<br />
[http://cydia.saurik.com/package/com.spyapp.daemon/ Spy App] is a spying tool available to the public via the ModMyi repository (a default repository), authored by dmarinov. Its description includes "Remotely spy SMS, Emails, Call Logs, GPS Location, Key presses (Keylogger)" and other features. It says it is "absolutely invisible and undetectable."<br />
<br />
=== SpyKey ===<br />
<br />
[http://cydia.saurik.com/package/com.kobisnir.spykey/ SpyKey] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Kobi Snir. Its description includes "a simple app that let you monitor your PC Keyboard activity in real time, Simply connect your iphone to your compute using your Wifi or 3G connection and start monitoring." The [http://www.ioslinks.com/spykey/ SpyKey website] includes "Great use for parental control purposes, protect your kids from chating with strangers!", "Discover usernames & passwords", and "Spy unfaithfull husband or wife."<br />
<br />
=== StealthGenie ===<br />
<br />
StealthGenie was a spying tool available to the public [http://blog.flexispy.com/remove-stealthgenie-iphone-android/ via their own repository]. It also supported other mobile operating systems. In November 2014, the person who advertised and sold this product was [http://www.justice.gov/opa/pr/man-pleads-guilty-selling-stealthgenie-spyware-app-and-ordered-pay-500000-fine charged with a federal crime and fined $500,000]. The charge was "sale of an interception device and advertisement of a known interception device", a wiretapping crime. [http://www.forbes.com/sites/kashmirhill/2014/09/30/stealthgenie-ugly-marketing-of-spyware/ A Forbes article] says "according to the FBI, Akbar and his team developed an internal business plan that revealed that — duh — the primary target audience for the app was people who thought their partners were cheating." The Forbes article points out [[#Mobile Spy]], [[#mSpy]], [[#FlexiSPY]], and [[#MobiStealth]] as similar products.<br />
<br />
=== Trapsms ===<br />
<br />
Trapsms was an early spying tool available to the public, [http://blog.fortinet.com/post/detecting-spyware-for-iphones described in this post by a security researcher in July 2009]. She says: "The spyware installs on any jailbroken iPhone. In Cydia (an iPhone front-end to help installing third-party applications), you first add the URL of the spyware's repository and then install the two spyware packages."<br />
<br />
[[Category:Malware research]]</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=/Applications/MobileNotes.app&diff=53573/Applications/MobileNotes.app2016-07-23T23:37:48Z<p>Britta: adding conversion script</p>
<hr />
<div>[[Notes]] is the built-in system application to take quick text notes. To backup or restore the data of this application without [[iTunes]], the following information might be useful. Initial data for this analysis comes from an [[N88AP|iPhone 3GS]] with firmware 3.1.3, which was later restored / upgraded to an [[N90AP|iPhone 4]] and finally to an [[N94AP|iPhone 4S]] with iOS 5.0.1. On lower or higher firmware versions there might be small differences in the data.<br />
<br />
In the folder <code>/var/mobile/Library/Notes/</code> there are two files:<br />
*<code>notes.sqlite</code><br />
*<code>notes.idx</code><br />
The second file is probably used for indexing and can be recreated if deleted (?). Looking at the file <code>notes.sqlite</code>, this is an [http://www.sqlite.org/ SQLite database] with the following tables in it:<br />
{| class="wikitable" style="font-size: smaller; text-align: center; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!Z_ENT<br />
!table name<br />
!name2<br />
|-<br />
|<br />
|sqlite_master<br />
|<br />
|-<br />
|1<br />
|ZACCOUNT<br />
|Account<br />
|-<br />
|2<br />
|ZNEXTID<br />
|NextId<br />
|-<br />
|3<br />
|ZNOTE<br />
|Note<br />
|-<br />
|4<br />
|ZNOTEBODY<br />
|NoteBody<br />
|-<br />
|5<br />
|ZNOTECHANGE<br />
|NoteChange<br />
|-<br />
|6<br />
|ZPROPERTY<br />
|Property<br />
|-<br />
|7<br />
|ZSTORE<br />
|Store<br />
|-<br />
|<br />
|Z_PRIMARYKEY<br />
|<br />
|-<br />
|<br />
|Z_METADATA<br />
|<br />
|}<br />
The name2 in this list is the value used for the hash in NSStoreModelVersionHashes in the bplist of the field Z_PLIST in the table Z_METADATA. The same name2 is used in the table Z_PRIMARYKEY, field Z_NAME.<br />
<br />
The following indexes are defined:<br />
{| class="wikitable" style="font-size: smaller; text-align: center; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!index name<br />
!table name<br />
!field name<br />
|-<br />
|ZACCOUNT_ZDEFAULTSTORE_INDEX<br />
|ZACCOUNT<br />
|ZDEFAULTSTORE<br />
|-<br />
|ZNOTE_ZINTEGERID_INDEX<br />
|ZNOTE<br />
|ZINTEGERID<br />
|-<br />
|ZNOTE_ZSTORE_INDEX<br />
|ZNOTE<br />
|ZSTORE<br />
|-<br />
|ZNOTE_ZBODY_INDEX<br />
|ZNOTE<br />
|ZBODY<br />
|-<br />
|ZNOTEBODY_ZOWNER_INDEX<br />
|ZNOTEBODY<br />
|ZOWNER<br />
|-<br />
|ZNOTECHANGE_ZSTORE_INDEX<br />
|ZNOTECHANGE<br />
|ZSTORE<br />
|-<br />
|ZSTORE_ZACCOUNT_INDEX<br />
|ZSTORE<br />
|ZACCOUNT<br />
|}<br />
<br />
==Tables==<br />
===sqlite_master===<br />
This table is contained in every SQLite database and contains general information about the content. It has these fields:<br />
{| class="wikitable" style="font-size: smaller; text-align: center; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!field name<br />
!description<br />
|-<br />
|type<br />
|style="text-align:left;" | either 'table' or 'index'<br />
|-<br />
|name<br />
|style="text-align:left;" | name of the table or index<br />
|-<br />
|tbl_name<br />
|style="text-align:left;" | same as name for table, related table name for index<br />
|-<br />
|rootpage<br />
|style="text-align:left;" | integer, internal id where to find the data (?)<br />
|-<br />
|sql<br />
|style="text-align:left;" | creation statement<br />
|}<br />
<br />
This is the content of this table:<br />
{| class="wikitable" style="font-size: smaller; text-align: center; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!type<br />
!name<br />
!tbl_name<br />
!rootpage<br />
!sql<br />
|-<br />
|table<br />
|ZACCOUNT<br />
|ZACCOUNT<br />
|3<br />
|style="text-align:left;" | CREATE TABLE ZACCOUNT ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZTYPE INTEGER, ZDEFAULTSTORE INTEGER, ZNAME VARCHAR, ZACCOUNTIDENTIFIER VARCHAR, ZCONSTRAINTSPATH VARCHAR )<br />
|-<br />
|table<br />
|ZNEXTID<br />
|ZNEXTID<br />
|5<br />
|style="text-align:left;" | CREATE TABLE ZNEXTID ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZCOUNTER INTEGER )<br />
|-<br />
|table<br />
|ZNOTE<br />
|ZNOTE<br />
|6<br />
|style="text-align:left;" | CREATE TABLE ZNOTE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZCONTENTTYPE INTEGER, ZDELETEDFLAG INTEGER, ZINTEGERID INTEGER, ZCONTAINSCJK INTEGER, ZEXTERNALSERVERINTID INTEGER, ZEXTERNALFLAGS INTEGER, ZISBOOKKEEPINGENTRY INTEGER, ZSTORE INTEGER, ZBODY INTEGER, ZCREATIONDATE TIMESTAMP, ZMODIFICATIONDATE TIMESTAMP, ZTITLE VARCHAR, ZGUID VARCHAR, ZAUTHOR VARCHAR, ZSERVERID VARCHAR, ZSUMMARY VARCHAR )<br />
|-<br />
|table<br />
|ZNOTEBODY<br />
|ZNOTEBODY<br />
|10<br />
|style="text-align:left;" | CREATE TABLE ZNOTEBODY ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZOWNER INTEGER, ZCONTENT VARCHAR, ZEXTERNALCONTENTREF VARCHAR, ZEXTERNALREPRESENTATION BLOB )<br />
|-<br />
|table<br />
|ZNOTECHANGE<br />
|ZNOTECHANGE<br />
|12<br />
|style="text-align:left;" | CREATE TABLE ZNOTECHANGE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZCHANGETYPE INTEGER, ZSTORE INTEGER, ZNOTESERVERINTIDS BLOB, ZNOTEINTEGERIDS BLOB, ZNOTESERVERIDS BLOB )<br />
|-<br />
|table<br />
|ZPROPERTY<br />
|ZPROPERTY<br />
|14<br />
|style="text-align:left;" | CREATE TABLE ZPROPERTY ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZPROPERTYKEY VARCHAR, ZPROPERTYVALUE BLOB )<br />
|-<br />
|table<br />
|ZSTORE<br />
|ZSTORE<br />
|15<br />
|style="text-align:left;" | CREATE TABLE ZSTORE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZACCOUNT INTEGER, ZEXTERNALIDENTIFIER VARCHAR, ZNAME VARCHAR, ZSYNCANCHOR VARCHAR )<br />
|-<br />
|table<br />
|Z_PRIMARYKEY<br />
|Z_PRIMARYKEY<br />
|17<br />
|style="text-align:left;" | CREATE TABLE Z_PRIMARYKEY (Z_ENT INTEGER PRIMARY KEY, Z_NAME VARCHAR, Z_SUPER INTEGER, Z_MAX INTEGER)<br />
|-<br />
|table<br />
|Z_METADATA<br />
|Z_METADATA<br />
|18<br />
|style="text-align:left;" | CREATE TABLE Z_METADATA (Z_VERSION INTEGER PRIMARY KEY, Z_UUID VARCHAR(255), Z_PLIST BLOB)<br />
|-<br />
|index<br />
|ZACCOUNT_ZDEFAULTSTORE_INDEX<br />
|ZACCOUNT<br />
|4<br />
|style="text-align:left;" | CREATE INDEX ZACCOUNT_ZDEFAULTSTORE_INDEX ON ZACCOUNT (ZDEFAULTSTORE)<br />
|-<br />
|index<br />
|ZNOTE_ZINTEGERID_INDEX<br />
|ZNOTE<br />
|7<br />
|style="text-align:left;" | CREATE INDEX ZNOTE_ZINTEGERID_INDEX ON ZNOTE (ZINTEGERID)<br />
|-<br />
|index<br />
|ZNOTE_ZSTORE_INDEX<br />
|ZNOTE<br />
|8<br />
|style="text-align:left;" | CREATE INDEX ZNOTE_ZSTORE_INDEX ON ZNOTE (ZSTORE)<br />
|-<br />
|index<br />
|ZNOTE_ZBODY_INDEX<br />
|ZNOTE<br />
|9<br />
|style="text-align:left;" | CREATE INDEX ZNOTE_ZBODY_INDEX ON ZNOTE (ZBODY)<br />
|-<br />
|index<br />
|ZNOTEBODY_ZOWNER_INDEX<br />
|ZNOTEBODY<br />
|11<br />
|style="text-align:left;" | CREATE INDEX ZNOTEBODY_ZOWNER_INDEX ON ZNOTEBODY (ZOWNER)<br />
|-<br />
|index<br />
|ZNOTECHANGE_ZSTORE_INDEX<br />
|ZNOTECHANGE<br />
|13<br />
|style="text-align:left;" | CREATE INDEX ZNOTECHANGE_ZSTORE_INDEX ON ZNOTECHANGE (ZSTORE)<br />
|-<br />
|index<br />
|ZSTORE_ZACCOUNT_INDEX<br />
|ZSTORE<br />
|16<br />
|style="text-align:left;" | CREATE INDEX ZSTORE_ZACCOUNT_INDEX ON ZSTORE (ZACCOUNT)<br />
|}<br />
Please note that the values for rootpage might differ in every database.<br />
<br />
===Z_PRIMARYKEY===<br />
This is used by the framework and holds an entry for every table. These are the fields in there:<br />
{| class="wikitable" style="font-size: smaller; text-align: center; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!field name<br />
!type<br />
!description<br />
|-<br />
|Z_ENT<br />
|INTEGER PRIMARY KEY<br />
|style="text-align:left;" | The identifier of the table<br />
|-<br />
|Z_NAME<br />
|VARCHAR<br />
|style="text-align:left;" | one of these values: 'Account', 'NextId', 'Note', 'NoteBody', 'NoteChange', 'Property', 'Store'<br />
|-<br />
|Z_SUPER<br />
|INTEGER<br />
|style="text-align:left;" | always 0<br />
|-<br />
|Z_MAX<br />
|INTEGER<br />
|style="text-align:left;" | highest Z_PK in the according table<br />
|}<br />
<br />
===Z_METADATA===<br />
This table is used by the framework and holds configuration data. There is only one record in the table.<br />
{| class="wikitable" style="font-size: smaller; text-align: center; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!field name<br />
!type<br />
!description<br />
|-<br />
|Z_VERSION<br />
|INTEGER PRIMARY KEY<br />
|style="text-align:left;" | value 1<br />
|-<br />
|Z_UUID<br />
|VARCHAR(255)<br />
|style="text-align:left;" | value 'D1694631-D07A-4223-9A61-42689DA4C76A' (?)<br />
|-<br />
|Z_PLIST<br />
|BLOB<br />
|style="text-align:left;" | binary plist<br />
|}<br />
<br />
The bplist holds this data:<br />
*LastIndexTidAlreadySetUp=true<br />
*LocalAccountAndStoreAlreadySetUp=false<br />
*NSPersistenceFrameworkVersion=386<br />
*NSStoreModelVersionHashes=dict:<br />
**Account=*<br />
**NextId=*<br />
**Note=*<br />
**NoteBody=*<br />
**NoteChange=*<br />
**Property=*<br />
**Store=*<br />
*NSStoreModelVersionHashesVersion=3<br />
*NSStoreModelVersionIdentifiers=array:<br />
**(one empty string)<br />
*NSStoreType=SQLite<br />
<nowiki>*</nowiki>data, base64 encoded 32-byte hash (calculation?)<br />
<br />
===ZSTORE===<br />
This table has only one record in it.<br />
{| class="wikitable" style="font-size: smaller; text-align: center; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!field name<br />
!type<br />
!value / description<br />
|-<br />
|Z_PK<br />
|INTEGER PRIMARY KEY<br />
|style="text-align:left;" | primary key<br />
|-<br />
|Z_ENT<br />
|INTEGER<br />
|style="text-align:left;" | 7 (table identifier)<br />
|-<br />
|Z_OPT<br />
|INTEGER<br />
|style="text-align:left;" | 193 (?)<br />
|-<br />
|ZACCOUNT<br />
|INTEGER<br />
|style="text-align:left;" | 1 (foreign key to ZACCOUNT table)<br />
|-<br />
|ZEXTERNALIDENTIFIER<br />
|VARCHAR<br />
|style="text-align:left;" | 'local://local/store'<br />
|-<br />
|ZNAME<br />
|VARCHAR<br />
|style="text-align:left;" | 'LOCAL_NOTES_STORE'<br />
|-<br />
|ZSYNCANCHOR<br />
|VARCHAR<br />
|style="text-align:left;" | NULL<br />
|}<br />
<br />
===ZACCOUNT===<br />
This table has only one record in it. Maybe these entries define different [[iTunes]] users. (?)<br />
{| class="wikitable" style="font-size: smaller; text-align: center; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!field name<br />
!type<br />
!value / description<br />
|-<br />
|Z_PK<br />
|INTEGER PRIMARY KEY<br />
|style="text-align:left;" | primary key<br />
|-<br />
|Z_ENT<br />
|INTEGER<br />
|style="text-align:left;" | 1 (table identifier)<br />
|-<br />
|Z_OPT<br />
|INTEGER<br />
|style="text-align:left;" | 1 (?)<br />
|-<br />
|ZTYPE<br />
|INTEGER<br />
|style="text-align:left;" | 0 (?)<br />
|-<br />
|ZDEFAULTSTORE<br />
|INTEGER<br />
|style="text-align:left;" | 1 (foreign key to ZSTORE table)<br />
|-<br />
|ZNAME<br />
|VARCHAR<br />
|style="text-align:left;" | 'LOCAL_NOTES_ACCOUNT'<br />
|-<br />
|ZACCOUNTIDENTIFIER<br />
|VARCHAR<br />
|style="text-align:left;" | 'local://local/account'<br />
|-<br />
|ZCONSTRAINTSPATH<br />
|VARCHAR<br />
|style="text-align:left;" | NULL<br />
|}<br />
<br />
===ZNEXTID===<br />
This table has only one record in it.<br />
{| class="wikitable" style="font-size: smaller; text-align: center; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!field name<br />
!type<br />
!value / description<br />
|-<br />
|Z_PK<br />
|INTEGER PRIMARY KEY<br />
|style="text-align:left;" | primary key<br />
|-<br />
|Z_ENT<br />
|INTEGER<br />
|style="text-align:left;" | 2 (table identifier)<br />
|-<br />
|Z_OPT<br />
|INTEGER<br />
|style="text-align:left;" | 31 (?)<br />
|-<br />
|ZCOUNTER<br />
|INTEGER<br />
|style="text-align:left;" | 320 (?)<br />
|}<br />
<br />
===ZPROPERTY===<br />
This table contains three rows.<br />
{| class="wikitable" style="font-size: smaller; text-align: center; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!field name<br />
!type<br />
!value / description<br />
|-<br />
|Z_PK<br />
|INTEGER PRIMARY KEY<br />
|style="text-align:left;" | primary key<br />
|-<br />
|Z_ENT<br />
|INTEGER<br />
|style="text-align:left;" | always 6 (table identifier)<br />
|-<br />
|Z_OPT<br />
|INTEGER<br />
|style="text-align:left;" | unknown (?), values 186 / 27 / 27<br />
|-<br />
|ZPROPERTYKEY<br />
|VARCHAR<br />
|style="text-align:left;" | values 'LastTransactionID' / 'DeviceSyncAnchorKey' / 'ComputerSyncAnchorKey'<br />
|-<br />
|ZPROPERTYVALUE<br />
|BLOB<br />
|NULL for the two AnchorKeys, but LastTransactionID contains a value - beginning with BLOB from other table.<br />
|}<br />
<br />
<br />
===ZNOTE===<br />
This table contains general infos about each note. There is one record for every note.<br />
{| class="wikitable" style="font-size: smaller; text-align: center; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!field name<br />
!type<br />
!value / description<br />
|-<br />
|Z_PK<br />
|INTEGER PRIMARY KEY<br />
|style="text-align:left;" | primary key<br />
|-<br />
|Z_ENT<br />
|INTEGER<br />
|style="text-align:left;" | always 3 (table identifier)<br />
|-<br />
|Z_OPT<br />
|INTEGER<br />
|style="text-align:left;" | unknown (?), the values 1,2,5,9,12,31,32 are being used here<br />
|-<br />
|ZCONTENTTYPE<br />
|INTEGER<br />
|style="text-align:left;" | always 0<br />
|-<br />
|ZDELETEDFLAG<br />
|INTEGER<br />
|style="text-align:left;" | always 0<br />
|-<br />
|ZINTEGERID<br />
|INTEGER<br />
|style="text-align:left;" | always the value of Z_PK multiplied by 10<br />
|-<br />
|ZCONTAINSCJK<br />
|INTEGER<br />
|style="text-align:left;" | always 0<br />
|-<br />
|ZEXTERNALSERVERINTID<br />
|INTEGER<br />
|style="text-align:left;" | always -4294967296 (?)<br />
|-<br />
|ZEXTERNALFLAGS<br />
|INTEGER<br />
|style="text-align:left;" | always 0<br />
|-<br />
|ZISBOOKKEEPINGENTRY<br />
|INTEGER<br />
|style="text-align:left;" | always 0<br />
|-<br />
|ZSTORE<br />
|INTEGER<br />
|style="text-align:left;" | always 1 (foreign key to ZSTORE table)<br />
|-<br />
|ZBODY<br />
|INTEGER<br />
|style="text-align:left;" | foreign key to ZNOTEBODY table, value matches Z_PK of this table<br />
|-<br />
|ZCREATIONDATE<br />
|TIMESTAMP<br />
|style="text-align:left;" | creation date and time of the note<br />
|-<br />
|ZMODIFICATIONDATE<br />
|TIMESTAMP<br />
|style="text-align:left;" | last modification date and time of the note<br />
|-<br />
|ZTITLE<br />
|VARCHAR<br />
|style="text-align:left;" | title for overview list<br />
|-<br />
|ZGUID<br />
|VARCHAR<br />
|style="text-align:left;" | always NULL<br />
|-<br />
|ZAUTHOR<br />
|VARCHAR<br />
|style="text-align:left;" | always NULL<br />
|-<br />
|ZSERVERID<br />
|VARCHAR<br />
|style="text-align:left;" | always NULL<br />
|-<br />
|ZSUMMARY<br />
|VARCHAR<br />
|style="text-align:left;" | short text<br />
|}<br />
For the two date / time fields in this table: This is a floating point number and indicates the number of seconds since 1 January 2001.<br />
<br />
===ZNOTEBODY===<br />
This table contains general infos about each note. There is one record for every note.<br />
{| class="wikitable" style="font-size: smaller; text-align: center; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!field name<br />
!type<br />
!value / description<br />
|-<br />
|Z_PK<br />
|INTEGER PRIMARY KEY<br />
|style="text-align:left;" | primary key<br />
|-<br />
|Z_ENT<br />
|INTEGER<br />
|style="text-align:left;" | always 4 (table identifier)<br />
|-<br />
|Z_OPT<br />
|INTEGER<br />
|style="text-align:left;" | unknown (?), the values 1,2,3,5,9,10,12,31,32 are being used here<br />
|-<br />
|ZOWNER<br />
|INTEGER<br />
|style="text-align:left;" | always matches Z_PK<br />
|-<br />
|ZCONTENT<br />
|VARCHAR<br />
|style="text-align:left;" | '''This is the actual content text (HTML format).'''<br />
|-<br />
|ZEXTERNALCONTENTREF<br />
|VARCHAR<br />
|style="text-align:left;" | always NULL<br />
|-<br />
|ZEXTERNALREPRESENTATION<br />
|BLOB<br />
|style="text-align:left;" | always NULL<br />
|}<br />
<br />
===ZNOTECHANGE===<br />
The purpose of this table is unknown. It is probably related to changes and synchronization.<br />
{| class="wikitable" style="font-size: smaller; text-align: center; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!field name<br />
!type<br />
!value / description<br />
|-<br />
|Z_PK<br />
|INTEGER PRIMARY KEY<br />
|style="text-align:left;" | primary key<br />
|-<br />
|Z_ENT<br />
|INTEGER<br />
|style="text-align:left;" | always 5 (table identifier)<br />
|-<br />
|ZCHANGETYPE<br />
|INTEGER<br />
|style="text-align:left;" | unknown (?), values of 0,1,2 exist<br />
|-<br />
|ZSTORE<br />
|INTEGER<br />
|style="text-align:left;" | always 1 (foreign key to ZSTORE)<br />
|-<br />
|ZNOTESERVERINTIDS<br />
|BLOB<br />
|style="text-align:left;" | big blob, content unknown (?)<br />
|-<br />
|ZNOTEINTEGERIDS<br />
|BLOB<br />
|style="text-align:left;" | big blob, content unknown (?)<br />
|-<br />
|ZNOTESERVERIDS<br />
|BLOB<br />
|style="text-align:left;" | big blob, content unknown (?)<br />
|}<br />
<br />
== Convert ==<br />
<br />
A script for converting a notes.sqlite file into a usable series of text files:<br />
<br />
<pre><br />
#!/bin/bash<br />
set -e<br />
<br />
function adjust() {<br />
date -j -f '%Y-%m-%d %H:%M:%S' "$1" +'%m/%d/%Y %H:%M:%S'<br />
}<br />
<br />
rm -rf notes.d<br />
mkdir -p notes.d<br />
<br />
sqlite3 notes.sqlite 'select<br />
z_pk as id,<br />
datetime(zcreationdate + 978307200, "unixepoch", "localtime") as created,<br />
datetime(zmodificationdate + 978307200, "unixepoch", "localtime") as modified,<br />
ztitle as title from znote<br />
' | while IFS='|' read -r id created modified title; do<br />
file=notes.d/"$id".html<br />
sqlite3 notes.sqlite 'select zcontent from znotebody where zowner = '"$id" >"$file"<br />
SetFile -d "$(adjust "$created")" -m "$(adjust "$modified")" "$file"<br />
title=${title//[\/:.]/_}<br />
mv "$file" notes.d/"$id - ${title:0:$((260-${#file}))}".html<br />
done<br />
</pre><br />
<br />
== Parents ==<br />
{{parent|Applications}}<br />
<br />
[[Category:Filesystem]]</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=User:Britta&diff=50131User:Britta2016-01-07T07:19:00Z<p>Britta: adding {{Template:CCbox}} to state that I license all my past contributions as CC BY-SA</p>
<hr />
<div>{{Template:CCbox}}<br />
<br />
I'm [https://twitter.com/brittagus @brittagus], and I worked for SaurikIT from March 2011 to September 2015, on projects including supporting this wiki.<br />
<br />
Some articles that I've contributed to and try to maintain as reasonably accurate: [[Bricked]], [[JailbreakCon]], [[Cydia Errors]], [[Scam Jailbreaks and Unlocks]], [[Open Source Jailbreaking Tools]], [[Up to Speed]], [[Misuse of enterprise and developer certificates]], [[Tethered jailbreak]], [[GID Key]], [[Hacking Team]], [[Malware for iOS]].</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=The_iPhone_Wiki:Community_portal&diff=50130The iPhone Wiki:Community portal2016-01-07T07:17:12Z<p>Britta: /* License for contributions */ thanks Dialexio!</p>
<hr />
<div>{{Talk Archive}}<br />
{{see also|Unsolved problems}}<br />
<br />
==iPhone-Elite==<br />
I think we should include all this old stuff before it gets lost: [http://code.google.com/p/iphone-elite/ code.google.com/p/iphone-elite/]. I mean the wiki articles there. Most infos should be already here, but I'm sure a lot of things are missing too.<br />
--[[User:Http|http]] 15:02, 26 June 2012 (MDT)<br />
<br />
==Boot-args cleanup==<br />
We need to clean up the boot-args pages. First the technical part: What I understand is that iBoot loads the kernel. And when loading it, it can pass some parameters to select certain behavior. So this only works with an iBoot or bootrom exploit. I understand that in earlier firmware versions there was simply an iBoot variable, but that doesn't exist or work anymore, now passing theses args requires a different or patched iBoot. There are various parameters in different kernel versions. The description for these arguments is scattered over various places:<br />
*[[Kernel#Boot-Args]] A section with the latest boot arguments list. This should be a short introduction and having a link "main article".<br />
*[[Boot-args (iBoot variable)]] separate page for boot arguments, but mainly for the iBoot variable that doesn't exist any longer<br />
*[{{FULLURL:Boot arguments|redirect=no}} Boot arguments] (redirect)<br />
*[[:Talk:Restore_Mode]] describing the iBoot variable problem<br />
*Various pages referencing boot-args, like [[Research: Re-allowing unsigned ramdisks and boot-args with the 2.* iBoot]] (here we should have a link on the second title)<br />
*My earlier comment [[:Talk:Kernel#boot-args]]<br />
*This comment here.<br />
So what do we want to do about this mess? I suggest to move the current [[Kernel]] content to the redirect page [[Boot arguments]] (or to another new page, maybe [[boot-args]]). The current content of [[Boot-args (iBoot variable)]] and all other content should get merged into there. Then change all references to this new page and on the [[Kernel]] page write just something short with "main article there". What do you think? --[[User:Http|http]] ([[User talk:Http|talk]]) 21:31, 13 February 2013 (UTC)<br />
:I like [[Boot Arguments]]. --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 02:01, 14 February 2013 (UTC)<br />
::One addition: Maybe we should use [[boot-args]] as the main page, because all links are written like that. --[[User:Http|http]] ([[User talk:Http|talk]]) 07:37, 14 February 2013 (UTC)<br />
<br />
==Orphaned articles==<br />
This is an interesting search: [[Special:LonelyPages]] - "The following pages are not linked from or transcluded into other pages in The iPhone Wiki." I'm not sure where all of those articles should be linked, but figuring that out could be a useful project for somebody. [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 05:57, 28 August 2013 (UTC)<br />
<br />
==Easy tasks for new editors==<br />
* Finish converting the remaining error codes listed here [[MobileDevice_Library#Known_Error_Codes]] into the proper mach_return_t codes they should be displayed as. (convert the negative number listed into hex, strip any leading "FF" so it should be in the format "0xe80000" followed by two numbers) --[[User:Dirkg|Dirkg]] ([[User talk:Dirkg|talk]]) 22:40, 28 August 2013 (UTC)<br />
<br />
==Login prompt revision suggestion==<br />
I wrote a suggestion here: [[MediaWiki talk:Loginprompt]] (since I don't have permission to edit [[MediaWiki:Loginprompt]] directly) - I'd be interested in whether it sounds like a good idea to other people. [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 01:00, 8 October 2013 (UTC)<br />
<br />
==Homepage suggestions==<br />
Under "Application Development", what about linking to [http://iphonedevwiki.net/index.php/Main_Page iPhoneDevWiki]? It's also a community-edited technical resource, and it links to this wiki. It could be helpful to add a little more detail to "Get [[up to speed]] in the community.", like this: "Get [[up to speed]] in the community - learn about how jailbreaks work." Under "Definitions", it could be helpful to list all the firmware tags in one line or sub-list, similar to how Jailbreak is organized next to Tethered jailbreak and Untethered jailbreak, both to save space and help readers understand the list. --[[User:Britta|Britta]] ([[User talk:Britta|talk]]) 23:01, 20 October 2013 (UTC)<br />
:A link to the iPhoneDevWiki sounds good. I wonder if we should have an "External Links" or "Other Resources" section to include links to other sites (such as the [http://blog.iphone-dev.org/ iPhone Dev Team blog]) though. As for the "Up to Speed" page, I feel like the entire page could be reworked a bit— and perhaps even receive a new, clearer name ([[Introduction]]? [[Preface]]? Or something else?)— the current name makes it sound like it's for people that last paid attention to jailbreaking when the App Store didn't exist. And yeah, moving the IMG3 tags to a sub-list sounds like a really good idea. (Admittedly, I actually don't care for its inclusion in the first place, but that's just a personal preference.) --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 00:10, 21 October 2013 (UTC)<br />
::There's already [[Useful Links]] with some links to other core community resources (which could be updated and rearranged) - I was just thinking that it'd be especially useful to link to iPhoneDevWiki prominently since it's likely for TheiPhoneWiki visitors to also be interested in relatively-organized technical information about development. Changing the name of "Up to Speed" sounds fine to me too - that page didn't get much attention since 2008 until I sort of commandeered it to serve as an "intro to jailbreaking" page. :) It could be renamed "getting started", as in "how to get started on learning about research into iOS devices, especially security research (such as jailbreaks)". [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 00:31, 21 October 2013 (UTC)<br />
Also I'd love to see a dedicated section for "Good tasks for new editors", where we could maintain a list of relatively easy/straightforward suggested edits that wouldn't require vast technical knowledge, like updating that links page. Where would that go? Add it as a sub-section of [[The iPhone Wiki:Current events]] and link that section from the homepage or something? Or make a new page? [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 00:40, 21 October 2013 (UTC)<br />
<br />
==What is 0x5265c384 in the boot process?==<br />
Does anybody know where <code>0x5265c384</code> points to in the boot process? I haven't been able to find anything on it. --[[User:Ph0enix|Ph0enix]] ([[User talk:Ph0enix|talk]]) 20:14, 23 October 2013 (UTC)<br />
<br />
==License for contributions==<br />
This wiki has never had an official license for contributions. Now, IANAL, but IIRC, this means that you can't use ''anything'' posted here unless it qualifies as fair-use. What I propose is that we set a license and add a notice that states that any contributions after a set date are to be licensed under that license (that's kindof a mouthful). I think we should use the [http://creativecommons.org/licenses/by-sa/3.0/ CC-by-SA 3.0] as [[wikipedia:Wikipedia:Text of Creative Commons Attribution-ShareAlike 3.0 Unported License|Wikipedia uses it]], but that's just me. Any ideas? --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 19:53, 9 November 2013 (UTC)<br />
:Well, the edit info already says all this:<br />
Please note that all contributions to The iPhone Wiki may be edited, altered, or<br />
removed by other contributors. If you do not want your writing to be edited mercilessly,<br />
then do not submit it here.<br />
You are also promising us that you wrote this yourself, or copied it from a public<br />
domain or similar free resource (see The [[:The iPhone Wiki:Copyrights|iPhone Wiki:Copyrights]] for details). '''Do not'''<br />
'''submit copyrighted work without permission!'''<br />
For me, that's enough. I don't need a 50 page license. But if you want to formalize this more, go ahead. --[[User:Http|http]] ([[User talk:Http|talk]]) 20:35, 9 November 2013 (UTC)<br />
:Sounds good. It's good practice to have an official license, just in case any disputes happen someday, and to ensure that it's OK to copy text over to Wikipedia (for example). [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 21:32, 9 November 2013 (UTC)<br />
Sorry to revive a dead topic, but this came to my attention again after seeing the message on [[F.C.E. 365 Firmware Manager]], and I noticed we hadn't really taken action regarding this. I take it everybody is in unanimous agreement in noting that the wiki's content will be covered under the CC BY-SA 3.0 Unported license, but [http://creativecommons.org/licenses/by-sa/4.0/ a newer version] has since been released— should we use this instead? (Creative Commons published a [https://creativecommons.org/version4 human-readable list of changes].) I'm fine with either one. --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 00:12, 24 December 2015 (UTC)<br />
<br />
:We'd definitely have to do the "any contributions after a set date have the new license" method, since it's not really legitimate to re-license other people's work without their clear permission. I'd be in favor of putting that in sooner rather than later. Individual people could also put a note on their user pages saying that they license all of their past contributions under the new license. [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 03:03, 25 December 2015 (UTC)<br />
::Yeah, that makes sense. As for when we should instate the CC BY-SA 4.0 (or 3.0?) license for future contributions, maybe we can make the change when we ring in 2016...? (I'd say this weekend, but people might be gone for the holidays.) --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 19:28, 25 December 2015 (UTC)<br />
----<br />
Okay, so I drafted something to put in [[The iPhone Wiki:About]].<br />
<blockquote>All contributions to The iPhone Wiki posted on or after 12:00 AM on DATE (UTC) are provided under the [https://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 International License]. This does not apply to contributions made prior to DATE (UTC), which are provided under a license selected by their contributors (with the understanding that contributions may be revised at any time). If a section is modified, the original author's license supersedes the aforementioned CC BY-SA 4.0 licensing.</blockquote><br />
But as I wrote that, a hypothetical scenario came to mind. Let's say UserOne creates a new page, UserTwo adds a section to this page, and UserThree edits a sentence in that section. Whose license would apply to the content— the page creator's? If they do not agree to distribute their contributions under the same license, would it be three cascading licenses? How should we address a hypothetical situation like this? --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 05:56, 1 January 2016 (UTC)<br />
<br />
:I'd suggest simplifying ''"This does not apply to contributions made prior to DATE (UTC), which are provided under a license selected by their contributors (with the understanding that contributions may be revised at any time). If a section is modified, the original author's license supersedes the aforementioned CC BY-SA 4.0 licensing."'' to just ''"This license does not apply to contributions made prior to DATE (UTC)."'' and adding ''"If you would like to explicitly license some or all of your contributions before this date as CC-BY-SA 4.0 (instead of those contributions staying the default of copyrighted by you with all rights reserved), please add a note to your userpage to indicate this."''<br />
<br />
:The copyright status of works created by people mixing together their own copyrighted-by-default efforts, or mixing CC-BY-SA work with copyrighted work, is...complicated and unclear, so it's probably better to not try to explain it. There's the relevant concept of a [http://copyright.universityofcalifornia.edu/ownership/joint-works.html "joint work", where "authors own the work jointly and equally"] ([http://fairuse.stanford.edu/overview/faqs/copyright-ownership/#who_owns_the_copyright_in_a_joint_work another definition]). <br />
<br />
:It'd be helpful for a brief version of this information to go in the note at the bottom of editing pages (where it says "Please note that all contributions to The iPhone Wiki may be edited, altered, or removed by other contributors." and so on). Ideally the homepage would also get a note about this for a month or so, maybe a link to the about page. :) Thanks for working on this! [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 06:58, 1 January 2016 (UTC)<br />
<br />
::Changes are looking good, thanks again to Dialexio for taking this on! [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 07:16, 7 January 2016 (UTC)<br />
<br />
==Banner Replacement?==<br />
I kinda feel like the banner on the front page is getting a little stale, so I'm interested in seeing it replaced. I tossed a proposal [https://twitter.com/Draxelf/status/408295008794845184 on Twitter] a couple of days ago (which is admittedly plain, but Myriad Set…), but I haven't heard any opinions on replacing the banner. Are there any thoughts on this matter? --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 17:42, 6 December 2013 (UTC)<br />
:Or, [http://imgur.com/wJFqPl1 this]. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 18:22, 6 December 2013 (UTC)<br />
:Looks nice in Myriad! More professional. [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 04:01, 7 December 2013 (UTC)<br />
<br />
==Date Format==<br />
I see that [[User:IAdam1n|iAdam1n]] started to unify the date formats in this wiki. While I like this to be consistent, actually we should've talked about what format to use before changing it. I like the d_mon_yyyy format though. I also saw that he removed the <code>&amp;nbsp;</code> between the date parts on the [[iFaith]] page that I added once purposefully. The reason was that when making the browser window small (or on the iPhone) that the date wraps to two lines, which is almost always undesired. The question is if we should do that everywhere too? Additionally, as we now seem to have a "standard" here, we should document it, so that new users know what format to use. -- [[User:Http|http]] ([[User talk:Http|talk]]) 17:42, 30 December 2013 (UTC)<br />
:I just made it consistent. If you want the <code>&amp;nbsp;</code> back, feel free to add it. I removed it as it did nothing (previewing on OS X). We should use the format I used throughout the wiki and not Dec 23, 2013 etc. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 18:32, 30 December 2013 (UTC)<br />
::<code>&amp;nbsp;</code> stands for "'''n'''on-'''b'''reaking '''sp'''ace". It is essentially a space, but with a property that prevents word wrap from occurring between the two words it's between. Look at [[Firmware Keys]] on a small enough screen (1024 across should do it). Your browser should preserve the space between the date "words". Now, go into the edit page and remove the <code>&amp;nbsp;</code> from everything in one table. Your browser will now word wrap the date "words". --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 00:04, 5 January 2014 (UTC)<br />
:What I actually want to do is use <code>{{[[Template:Start date|start date]]}}</code> instead of plain dates in areas where dates are used as a statistic; for example, [[Firmware]], [[Firmware Keys]], [[SHSH]], [[Timeline]], etc. Places where dates are used to record when something happened, for example on [[evasi0n7]], "On 28 December 2013...", should use the date flat out in the source. --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 00:04, 5 January 2014 (UTC)<br />
<br />
== Template documentation ==<br />
Whenever using templates that are copied here from Wikipedia, I almost always forget the parameters of the template. I then have to open Wikipedia and search for the template. What I want to do it copy the template documentation from Wikipedia here. To work around the licensing issue, we can create our own template that you would include at the bottom of the copied documentation that says the documentation comes from Wikipedia (because Wikipedia uses [[wikipedia:Wikipedia:Text of Creative Commons Attribution-ShareAlike 3.0 Unported License|CC-BY-SA 3.0]] which says our copied text must be under CC-BY-SA 3.0 ''and'' attribute Wikipedia and her editors. I can write the text for license template. Any ideas? Any opposition? If not, I'll begin in a few days. --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 00:04, 5 January 2014 (UTC)<br />
:I don't see why not. That's what I've seen done on other wikis. — '''[[User:Spydar007|<span style="color:#ff5a00;">Spydar007</span>]] [[User talk:Spydar007|<span style="color:orange;">(Talk)</span>]]''' 16:56, 18 January 2014 (UTC)<br />
<br />
== Category Security Researchers==<br />
Hi all! i've created the category Security Researchers in order to cut down on the pages categorized as hackers as it apparently needs to be more exclusive. i've been adding the less known or inactive hackers from the hacker page but have not removed them from the hackers page. I feel that it should be a vote on who gets removed from the hackers page so my first suggestion is [[User:Fallensn0w]] as he has been inactive for a very long time and didn't do a lot in the first place. --[[User:Ph0enix|Ph0enix]] ([[User talk:Ph0enix|talk]]) 15:57, 22 February 2014 (UTC)<br />
<br />
== Email notifications? ==<br />
Is it possible to get emailed when a watchlist page changes? I'd love that feature. [[wikipedia:mw:Manual:Configuration settings#Email notification (Enotif) settings|This looks relevant]]. --[[User:Beej|beej]] ([[User talk:Beej|talk]]) 08:02, 27 June 2014 (UTC)<br />
<br />
== Ambiguous names ==<br />
I feel like the names for [[Symlinks]] and [[Symbolic Link Vulnerability]] is a bit too ambiguous. Now, I don't anticipate there being much confusion, particularly since nobody really cares about 1.x anymore, but I would like to make the distinction clearer. I think both articles should be renamed, but I have no idea on what to rename them to (or even if you guys approve). I thought of using the CVE ID, but Apple doesn't provide one for [[Symlinks]] (or even any indication that they fixed it). ([[Symbolic Link Vulnerability]] was assigned CVE-2013-5133.) --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 17:51, 2 July 2014 (UTC)<br />
:They are referred to as the Symbolic Link by people like MuscleNerd and iH8sn0w so, in my opinion, they should be kept as their current names. — '''[[User:Spydar007|<span style="color:black;">Spydar007</span>]] [[User talk:Spydar007|<span style="color:gray;">(Talk)</span>]]''' 18:06, 2 July 2014 (UTC)<br />
::I don't mind if one of them keeps their current name, but there should be something to make the distinction clearer. --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 01:13, 3 July 2014 (UTC)<br />
<br />
== IRC Channel on Freenode ==<br />
Howdy iphonewiki folks, I have #theiphonewiki registered on freenode, and am ready to have people come in (it's been ages since this idea has been brought up). Shall we open it? I'd like to get some ops in there to help out. --[[User:Haifisch|Haifisch]] ([[User talk:Haifisch|talk]]) 05:48, 6 July 2014 (UTC)<br />
<br /><br />
I think we should make an IRC channel for this wiki. It can be either #theiphonewiki or #iphonewiki on freenode. The channel would be used for discussions, such as the TLC of the Jailbreak page for example. It would make getting things sorted a lot easier, since we could just ping each other different ideas. I know this idea was made before, but the channel never really got anywhere. What do you guys think of this idea? We would need to decide who has founder, op and voice etc. on the channel here. — '''[[User:Spydar007|<span style="color:black;">Spydar007</span>]] [[User talk:Spydar007|<span style="color:gray;">(Talk)</span>]]''' 06:58, 6 July 2014 (UTC)<br />
: This is idiotic. You just want to do it yourself cause you want power. We won't help you feed your ego. --[[User:Goeo|goeo_]] ([[User talk:Goeo|talk]]) 19:43, 6 July 2014 (UTC)<br />
:: You have never edited on this wiki in your life before so STFU. — '''[[User:Spydar007|<span style="color:black;">Spydar007</span>]] [[User talk:Spydar007|<span style="color:gray;">(Talk)</span>]]''' 05:48, 7 July 2014 (UTC)<br />
: Being that I own #theiphonewiki, the original channel in which the wiki's channel was going to be on, I have control over who's moderating the channel. One op will be me, I have 3+ years of IRC moderation experience (To be honest, Is this even CV worthy? :P) we can choose the other operators when the channel becomes somewhat popular. ps. Why make two topics for this? --[[User:Haifisch|Haifisch]] ([[User talk:Haifisch|talk]]) 08:03, 6 July 2014 (UTC)<br />
:: That most definitely is CV worthy. I've seen Spydar007 moderate a channel, it crashed in a week or so. Not to mention the channel wasn't even his, and he kinda took it over anyway. --[[User:Goeo|goeo_]] ([[User talk:Goeo|talk]]) 19:43, 6 July 2014 (UTC)<br />
::No, no, no. The community decides. Juts because Farahtwiggy asked you to register it before, doesn't mean you get to be an op there now. This was my idea (Dialexio can vouch). You have no control over who are ops there. {{unsigned|Spydar007|04:11, July 6, 2014 (UTC)}}<br />
::: One "no" is enough. Farah, really, doesn't have much (if anything) to do with this, the channel was registered a year ago. Your childish response above does not show me that you can handle owning the channel, nor do the rumors of you abusing channel control in your personal channel. It's really not your idea, it may have just now come to your mind, but adaminsull and I have gone through this whole deal before (one year ago). Join me on #theiphonewiki if you'd like to chat this out. --[[User:Haifisch|Haifisch]] ([[User talk:Haifisch|talk]]) 08:22, 6 July 2014 (UTC)<br />
::::I don't know what's happening off of the wiki so I might only have part of the picture. I definitely don't see Haifisch as trying to steal credit for this idea, which actually was brought up about ages ago. I'm not much of an IRC guy, so my opinion might not have that much weight for a lot of this discussion, but I feel that the channel would be better in Haifisch's hands given his experience. Ownership/management/whatever for the IRC channel should certainly be open for discussion though. I really don't care too much about whoever gets to run it, as long as the person is someone that the community knows, respects, and trusts. (Same goes for the channel ops.) --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 17:42, 6 July 2014 (UTC)<br />
:It does not sound like a good idea to have an IRC channel for this wiki. It is useful for discussion of this wiki's articles to continue to be be done publicly on the wiki (on the appropriate talk pages), so that everyone interested in the wiki can easily contribute to the discussion, and so that there is a well-organized public record of discussions that we can all easily refer to. IRC channels are also very fertile breeding grounds for social conflicts and unhappiness (as we've seen already), which is helpful to skip. In any case, this should be discussed at [[The iPhone Wiki:Community portal]] instead of here - this page is for discussing modifications to the Main Page, and that one is for general discussions about TheiPhoneWiki. [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 09:46, 7 July 2014 (UTC)<br />
<br />
== Moving to Canada ==<br />
I'm moving this server in the next few days to a quality server in Canada. It'll be running inside a VM, so I'll also look into giving admins more access. Hopefully the periodic outages will stop. Maybe I'll add some SSL certs. --[[User:Geohot|geohot]] ([[User talk:Geohot|talk]])<br />
:Nice, thanks! HTTPS would be great. --[[User:Britta|Britta]] ([[User talk:Britta|talk]]) 21:08, 14 August 2014 (UTC)<br />
::So we're not in canada yet?--[[User:Awesomebing1|Awesomebing1]] ([[User talk:Awesomebing1|talk]]) 20:32, 30 August 2014 (UTC)<br />
You should all be in Canada now, with 8&nbsp;GiB of Canadian RAM. We also have [https://theiphonewiki.com/wiki/Main_Page HTTPS], but it avoids the [[wikipedia:Squid (software)|Squid proxy]]. It's fine for people making edits but I don't plan on changing the default anytime soon. --[[User:Geohot|geohot]] ([[User talk:Geohot|talk]]) 04:43, 2 September 2014 (UTC)<br />
:Yay! Thanks as always George! Any plans on adding back SSH? There's a few things I'd love to have done. --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 21:40, 2 September 2014 (UTC)<br />
::Thanks [[User:Geohot|geohot]]! Hopefully now there will be less downtime ;p --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 07:41, 3 September 2014 (UTC)<br />
:Sweeeeeeeet. :D --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 15:16, 3 September 2014 (UTC)<br />
<br />
==iPhone serial cable==<br />
Could somebody document how to use uart cable (i.e. setup, bitrate, ...) ? Some intructions are available at [http://www.instructables.com/id/Apple-iOS-SerialUSB-Cable-for-Kernel-Debugging/ instructables]. Can two iPhones' serial inputs be connected to each other (i.e. TX of 1st iPhone to RX of 2nd and RX of first to TX of second) and minicom used on one of them to connect to /dev/uart.iap such that no USB to 3.3V TTL (FT232RL in the link) would be needed provided that you already have multiple iDevices with dock connector {{unsigned|Danzatt|10:57, 15 September, 2014}}<br />
<br />
Bringing this topic back up, I've developed an open source package for iPhone (30pin) serial that doesn't used the PodBreakout that has been discontinued for a while now. Would it be alright to document how to setup/use the boards here? I'm just unsure if this is the appropriate place for it. --[[User:Haifisch|Haifisch]] ([[User talk:Haifisch|talk]]) 03:45, 2 May 2015 (UTC)<br />
<br />
:[[User:Haifisch]], that sounds fine to me - it's iPhone-related, which is the the theme of this wiki. [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 09:53, 14 May 2015 (UTC)<br />
<br />
== Original iPad mini name ==<br />
Seeing as we use (at least mostly) "iPhone" instead of "iPhone 2G" and "iPod touch" instead of "iPod touch 1G", I feel we should change how we reference the original iPad mini. The reason for adding the "1G" was because of the name conflict between pages. But we could probably fix that by moving [[iPad mini 1G]] to, say, [[iPad mini (first generation)]]. --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 03:04, 17 October 2014 (UTC)<br />
:Sounds good to me. "iPad mini (1st generation)" is fine, but for the sake of length I would go with either "iPad mini" or "iPad mini 1." --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 03:27, 17 October 2014 (UTC)<br />
::Agreed. "iPad mini" would follow the other 1st generation devices page. — '''[[User:Spydar007|<span style="color:black;">Spydar007</span>]] [[User talk:Spydar007|<span style="color:gray;">(Talk)</span>]]''' 04:56, 17 October 2014 (UTC)<br />
:::I also think this is a good idea because of how Apple is listing it like that too. I would say use "iPad mini". Another thought I did have is that it might confuse people with [[iPad mini]] and making them think that it is the page to list all the mini's. To correct this, I would suggest [[iPad mini (1st Generation)]] and roll that out across iPod touch, iPad and iPhone too. Just thought I'd put that out there to see what others think. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 10:14, 19 October 2014 (UTC)<br />
::::I feel "iPad mini (1st Generation)" is too long. "iPad mini" is fine IMO. — '''[[User:Spydar007|<span style="color:black;">Spydar007</span>]] [[User talk:Spydar007|<span style="color:gray;">(Talk)</span>]]''' 05:30, 20 October 2014 (UTC)<br />
:::::Except that "[[iPad mini]]" already exists. It's the overview page for the iPad mini, just as [[iPad]] is for iPads, [[iPhone]] for iPhones, and [[iPod touch]] for iPod touches. --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 20:06, 20 October 2014 (UTC)<br />
::::::If we do this, I suggest doing it for iPad, iPhone and iPod touch too. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 20:43, 20 October 2014 (UTC)<br />
:::::::I disagree. I like the usage of "iPod touch 2G", "iPod touch 3G", etc. Sure, drop the "1G" from the original iPad and iPod touch (and "2G" from the original iPhone), but don't change anything else. Unless we can come up with something other than "[[iPad mini (1st generation)]]", we should use that though. However, I don't like that title as it would look inconsistent with other devices. Wikipedia uses the parentheses to separate pages that would have the same name, but are about different topics. --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 22:06, 20 October 2014 (UTC)<br />
::::::::The only problem is that we can't use [[iPad mini]] for it's current purpose and the first generation. I would also suggest anything that is changed would be consistent throughout all of the devices. That is why I liked the [[iPad mini (1st generation)]] idea but then again, would not be good if it is not like that for all devices. I like [[iPad mini (1st generation)]] because it is how Wikipedia lists it and to be honest, it avoids confusion. There is one other idea I can think of but not sure I even like it that much, [[iPad mini (original)]]. This again should be for iPad, iPod touch and iPhone if we do this. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 22:35, 20 October 2014 (UTC)<br />
<br />
== Mobile Stylesheet == <!-- Don't move this to archive as can be used for anyone to add suggestions for changes on mobile. --><br />
I was thinking recently, if [[User:Geohot|geohot]] agrees to accept it, that I could make a mobile.css file in order to attempt to make a few changes to the site on mobile. This would make it so that it would not be so ugly and if possible, the text might be easier to read. What would everyone think about this? For one thing, I'd like to mobile the "Log out" off the black part of the screen and put it near the "Contributions" button or thereabout. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 10:37, 7 January 2015 (UTC)<br />
:Instead of a mobile stylesheet to hack up the skin more (like the <code>ios6</code> and <code>ios7</code> skins do), I would create a whole new skin. I could write the PHP and JavaScript, and you can write the CSS. --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 17:04, 7 January 2015 (UTC)<br />
::If you mean a skin just for mobile, that would be ok but not sure how you could make it selectable with a mobile device but not on desktop. If you could do this, it could work but personally I think a mobile.css would be easier since it has to be previewed in the iOS simulator (that's the way I do it). I couldn't say I'd edit a page without being an admin (unless it's made that I could). --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 17:35, 7 January 2015 (UTC)<br />
::I was going to mention that MediaWiki includes a sorta-mobile theme called Chick, but it seems that's [https://gerrit.wikimedia.org/r/#/q/Ia6d73c2deb9428d2,n,z long gone]. MW's changed a lot since I used it, but the way it worked was it subclassed MonoBook (so there was no need to duplicate the HTML template) and swapped its CSS for its own ([https://upload.wikimedia.org/wikipedia/mediawiki/f/f6/Dantman-Skin-chick.png screenshot]).<br>Come to think of it, whoa, I even wrote my own skin called [https://github.com/kirb/iWiki iWiki]. Was never updated for MW 1.17, which made breaking changes to the skin API. I probably won't have the time to update it, but maybe someone else could? [[User:Thekirbylover|kirb]] ([[User talk:Thekirbylover|talk]]) 09:01, 8 January 2015 (UTC)<br />
:I think this is a great idea, since this is actually a wiki about mobiles. No idea why it hasn't been done already. — '''[[User:Spydar007|<span style="color:black;">Spydar007</span>]] [[User talk:Spydar007|<span style="color:gray;">(Talk)</span>]]''' 15:17, 8 January 2015 (UTC)<br />
::| There is a mobile pluggin for Media Wiki that will make it look very nice [[User:Mwoolweaver|MWoolweaver]] ([[User talk:Mwoolweaver|talk]]) 07:22, 1 February 2015 (UTC)<br />
:::I completed this a while ago but forgot to comment about it. If anyone has any improvement requests, feel free to list them and I'll take a look. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 11:07, 24 April 2015 (UTC)<br />
<br />
== Apple Watch ==<br />
I've added the [[Apple Watch]] using that page to most devices. I was thinking this morning that it should be moved to [[Apple Watch 1]] an have [[Apple Watch]] as a page like [[iPhone]] etc but then thought that I'd wait to see if there is a second generation some time and if there is, move it then. What does everyone think? I don't mind either way but wanted others opinions. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 11:07, 24 April 2015 (UTC)<br />
<br />
== Bite-sized editing tasks ==<br />
<br />
It seems fun to make a list of relatively easy useful edits that new editors can do who are interested in helping, maybe at [[The iPhone Wiki:Bite-sized editing tasks]] or a similar page, and link it from the homepage here. I'd include the following as a start:<br />
<br />
* Look at the list at [[Special:LonelyPages]] and figure out whether some of those pages should be linked within other pages on the wiki, and then go link them.<br />
* Check the links at [[Useful Links]] and remove broken/outdated sites and add relevant new sites (but don't spam your own stuff).<br />
* The iOS version table at [[SHSH]] should be listed in reverse-chronological order, with newest versions first instead of oldest versions first.<br />
* If you run into a scam site, add it to the table at [[Scam Jailbreaks and Unlocks]].<br />
* If you're reading an article and some part of it is confusing to you, post a message on the "talk" page (click the "Discussion" tab at the top of the article) explaining your question or what you found confusing, so that other editors can use this as a suggestion for improving the article.<br />
<br />
Ideas? Opinions? [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 09:31, 14 May 2015 (UTC)<br />
<br />
== How to report problems ==<br />
<br />
I saw people concerned on Twitter about the skin! Like iAdam1n said on Twitter, saurik just got a copy of the settings, images, and database from geohot and put them into a new site with an upgraded version of MediaWiki; he's asking geohot for a copy of the skin files. In general if you see problems or have requests for new extensions or other changes, it's totally fine to post them here and I'll see them and ask saurik to check it out. If something is more immediate and doesn't need discussion (like something missing, major errors, mysterious downtime, etc.), you can PM me or saurik on IRC (his IRC server is best, irc.saurik.com). Maybe good to post here too in those cases (if the site isn't down at the time) so other people know he's been alerted. [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 18:44, 14 May 2015 (UTC)<br />
<br />
More about how to report more immediate problems (or problems that require some level of privacy, such as a major security issue or "Britta has gone rogue") - if you don't use IRC, emailing me is also fine (britta@saurikit.com). Emailing saurik (saurik@saurik.com) won't be seen as quickly, but if you write a meaningful subject line (like "TheiPhoneWiki is giving error 403 upon login right now" or "Britta is putting glitter sparkle GIFs all over TheiPhoneWiki"), it'll likely be seen. Moving to a new server/admin can have some adjustment bumps but they can be fixed! [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 03:03, 15 May 2015 (UTC)<br />
<br />
== SSL Problems ==<br />
<br />
Maybe SSL is not fully/officially supported (yet), but there are a few issues that should get fixed:<br />
*SSL3 is enabled and must be turned off (POODLE attack)<br />
*weak signature: make sure to get SHA2 when you renew certificate (current one expires 4 Sept 2015)<br />
*RC4 cipher is accepted, please disable<br />
*PFS not always preferred cipher, for example when using IE10 on Win7<br />
Thanks!<br />
--[[User:Http|http]] ([[User talk:Http|talk]]) 20:27, 14 May 2015 (UTC)<br />
<br />
:OK, saurik worked on this and it should be fine now other than that the current certificate from geohot is SHA1. [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 08:54, 15 May 2015 (UTC)<br />
<br />
::Excellent, thanks! If you want to improve even further, consider HSTS and maybe HPKP too. But I'm happy already now. --[[User:Http|http]] ([[User talk:Http|talk]]) 12:17, 15 May 2015 (UTC)<br />
<br />
== Apple internal content on the Wiki ==<br />
<br />
I want to know what people think about having internal content on the Wiki. Some of the current content definitely needs some cleaning up and general editing. Should we publish information about internal firmwares? And is it okay to upload pictures of prototypes? Feel free to ask more questions. --[[User:Srb21103|Srb21103]] ([[User talk:Srb21103|talk]]) 05:08, 18 May 2015 (UTC)<br />
<br />
:Looking through [[The iPhone Wiki:Ground rules]], it says "No posting of copyrighted material. Anything that could legally get us in trouble should not be posted, ever." I'm not sure what other precedent here has been. [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 10:31, 18 May 2015 (UTC)<br />
<br />
== JailbreakCon mini-talks ==<br />
<br />
Hi wiki people! I'm working on gathering people to do mini-talks (5-10 minutes) for [[JailbreakCon]] in June in San Francisco, and it would be cool to have some more people speaking who contribute to the community in ways other than tweak development. Work other than development is important work too, such as documentation. If anyone who has put some effort into improving TheiPhoneWiki can attend and would like to give a mini talk about working on the wiki, let me know via [http://www.jailbreakcon.com/#contact the contact form on the site]. [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 00:35, 26 May 2015 (UTC)<br />
<br />
== [[File System Crypto]] ==<br />
<br />
I just added Zdziarski's blog to the wiki (with his permission). I would recommend to take this apart and make multiple sub-articles, like an article for [[BAGI]], another one for [[Dkey]], etc. and on the page [[File System Crypto]] itself, just write the overview, similar to what we have on page 16 of the Sogeti document (wasn't there a newer graphic somewhere?) with some short description. --[[User:Http|http]] ([[User talk:Http|talk]]) 22:11, 9 June 2015 (UTC)<br />
<br />
== Video links about internal [[Factory Firmware]] ==<br />
It is okay and safe from troubles to put YouTube video links about internal [[Factory Firmware]] in the dedicated page, to see how those changed through iOS versions ? Those videos are https://www.youtube.com/watch?v=hWgs1r4LEgQ (iOS 4) and https://www.youtube.com/watch?v=sghs_gICQUU (iOS 5). --[[User:ShadowLee19|ShadowLee19]] ([[User talk:ShadowLee19|talk]]) 09:22, July 12, 2015}}<br />
<br />
: I don't see a problem, as I've talked to [[User:EverythingApplesPro|EverythingApplesPro]] and confirmed that the prototypes were obtained legally. However, you should probably email him and ask him, since those are his videos. Also, someone else might have a different opinion, so please don't rely on my opinion. --[[User:Awesomebing1|Awesomebing1]] ([[User talk:Awesomebing1|talk]]) 4:42 pm, 12 July 2015, Sunday (9 days ago) (UTC−4) <br />
<br />
:: I will ask [[User:EverythingApplesPro|EverythingApplesPro]] before add his videos links. I'm still confused about "legally obtained". The two first videos, https://www.youtube.com/watch?v=hWgs1r4LEgQ (iOS 4) and https://www.youtube.com/watch?v=sghs_gICQUU (iOS 5) are made and uploaded by me, but devices used aren't prototypes, internal or factory devices. They are production ones which I've restored an internal [[Factory Firmware]] using Limera1n BootROM exploit. Devices are of course legally obtained, but it's hard to say for internal factory firmware bundles, because I got them from someone, who got them from someone, who got them from someone and so. I don't know how they have been leaked, in a legal way or not. I doubt about how all those prototypes, factory devices or internal software could be "legally obtained", unless on is packed by accident in a legally bought box in an Apple store or any other retail store. That's the main reason why I'm asking this question before put YouTube video links about internal devices and software. It is even okay and safe from troubles to upload videos on YouTube about those internal devices and software ? I would like to be 100% sure, I don't want me and or TheiPhoneWiki to get in trouble for that. --ShadowLee19<br />
<br />
::: There really isn't a legal way to obtain prototypes without being an Apple Employee with very very specific permissions to have it. I would bet money that his devices he has are just like production devices but they have not been restored to a production firmware, instead they have been restored with the factory unit testing firmware (e.g., NonUI, and whatnot) and were never flashed to stock before leaving the factory. I would be '''very''' surprised if any real prototypes got out after the Gizmodo leak, they have since improved on locking down those devices internally. Just because the serial number isn't a production serial doesn't mean it's a prototype, serials are very easy to change by modifying the SysCfg. --[[User:Haifisch|Haifisch]] ([[User talk:Haifisch|talk]]) 7:18 pm, 12 July 2015, Sunday (9 days ago) (UTC−4)<br />
<br />
:: I'm sorry, this is another case where I skim over links and think they are all the same. I've verified an iPhone 6 that was from Verizon. I must have thought they were all on te same iPhone 6. I agree with both Haifisch and Britta. --[[User:Awesomebing1|Awesomebing1]] ([[User talk:Awesomebing1|talk]]) 7:33 pm, 12 July 2015, Sunday (9 days ago) (UTC−4)<br />
<br />
:It seems fine to me to link to them, since they're publicly available on the web; no permission required for that sort of thing. Most pages have an "External links" section at the bottom, which is nice for adding links to off-wiki resources. [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 5:15 pm, 12 July 2015, Sunday (9 days ago) (UTC−4)<br />
<br />
== Using "Beta" instead of "b" for Beta Firmwares ==<br />
I've been thinking for some time that we should really be using "Beta" instead of just "b" in beta firmwares. An example would be change "9.1b3" to "9.1 Beta 3". This is how Wikipedia does it and I much rather this because it is clearer IMO. What does everyone else think? Although this would be a lot of work converting all the entries, I'm willing to do it if nobody objects. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 19:46, 3 October 2015 (UTC)<br />
:I said this on Twitter, but I don't really care if this change is made. Personally, I prefer the "b," but using "Beta" would look fine. --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 03:28, 4 October 2015 (UTC)<br />
::If nobody disagrees, I'll start on Wednesday, 7th October. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 21:28, 4 October 2015 (UTC)<br />
:I have no problem with this except for [[Beta Firmware]] and [[Firmware Keys]]. Changing those from "b" to "beta" would take up too much space. Also, I'd prefer "beta" be lowercased, but that's just me. --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 23:06, 4 October 2015 (UTC)<br />
::I don't actually think it would take up too much space since it's only an extra 5 characters per iOS. "Beta" or "beta" doesn't matter really, I don't mind with or without a capital. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 23:15, 4 October 2015 (UTC)<br />
:::Yeah, nevermind. --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 23:22, 4 October 2015 (UTC)<br />
::::As far as I can tell (this is actually hard to find where used without checking all pages but checked the most obvious), this is now complete. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 06:20, 22 October 2015 (UTC)<br />
<br />
== -AP idenifiers ==<br />
As we all know (hopefully), the wiki has used lowercase letters for the "-AP" device identifiers (e.g. n90ap, p101ap). I would like to rename all instances to use the proper case— that is, the first letter and "AP" are capitalized (e.g. N90bAP, P101AP, N72AP). Does everyone else approve of this? I recall discussing this a while back and the decision was to use/keep lowercase letters, but seeing something like "k93aap" looks weird when Apple uses "K93aAP" in most areas, save for firmware file names. --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 03:28, 4 October 2015 (UTC)<br />
:I've always wanted to use the correct naming like this proposal so I'd be more than happy for the change. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 06:23, 4 October 2015 (UTC)<br />
::This has now been completed. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 10:07, 16 October 2015 (UTC)<br />
<br />
== iOS 9.1 beta 4 build number? ==<br />
Apparently the build number for iOS 9.1 beta 4 on the wiki is 13B5136, but the number shown on my iPod touch 6G is 13B136. Can anyone else confirm this on their device before making any changes to the wiki?<br />
--[[User:Tp1194045441|Tp1194045441]]([[User talk:Tp1194045441|talk]]) 21:26, 6 October 2015 (UTC)<br />
:The 5 is just a false number to get people from beta 3 to beta 4 via OTA. You have the developer IPSW real version. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 21:57, 6 October 2015 (UTC)<br />
<br />
== The iPhone Wiki SEO ==<br />
I checked the page's SEO score and is pretty low. As I'm a webmaster and I work in Web design, I can help with SEO for this community, for FREE. I would like to hear the opinion of one of the admins. --[[User:GeoSn0w|GeoSn0w]]([[User talk:GeoSn0w|talk]]) 21:26, 10 October 2015 (UTC)<br />
:Out of curiosity, what do you feel could be changed? (I know nothing about SEO) --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 06:54, 17 October 2015 (UTC)<br />
<br />
== San Francisco banner ==<br />
I like the current, Myriad Set Pro-based banner. However, I started thinking that it'd probably be better to typeset "The iPhone Wiki" in San Francisco instead, since that's what Apple's using in iOS. I came up with two variations for font weight, and then with and without a period at the end. (It's not needed/warranted, but I thought it added a nice extra touch.) If this sounds good, which variation do you think looks best? [https://pbs.twimg.com/media/CRaQh9PVAAAvfRP.png:large [A<nowiki>]</nowiki>] [https://pbs.twimg.com/media/CRcy9JEUcAECyzU.png:large [B<nowiki>]</nowiki>] [https://pbs.twimg.com/media/CRcy9VTU8AA8Q6X.png:large [C<nowiki>]</nowiki>] [https://pbs.twimg.com/media/CRcy9ehXIAE7AM2.png:large [D<nowiki>]</nowiki>] [https://pbs.twimg.com/media/CRjjvhkWIAER4ao.png:large [E<nowiki>]</nowiki>] --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 16:04, 16 October 2015 (UTC)<br />
:I really like A. However, C is a runner up. It kinda depends on which part we are focusing on most. Are we focusing on iDevices, or a Wiki more? For that, I have no answer. Of course, that's just my opinion. --[[User:Awesomebing1|Awesomebing1]] ([[User talk:Awesomebing1|talk]]) 02:38, 17 October 2015 (UTC)<br />
:Nice! However, for number B, the period's font weight is a bit too heavy. Was it bolded? --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 06:53, 17 October 2015 (UTC)<br />
::I like this idea and would choose either A or B. I don't personally mind which of those are used. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 08:55, 17 October 2015 (UTC)<br />
::B's period actually uses the regular font weight (same as "iPhone"). I was thinking that it looked a little too heavy too… So I came up with [https://pbs.twimg.com/media/CRjjvhkWIAER4ao.png:large [E<nowiki>]</nowiki>]. (Also, I know the mockups have varying font sizes. Don't read too much into that; I'll match the font size with the current banner when we decide on a variation.) --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 23:29, 17 October 2015 (UTC)<br />
<br />
== Changing [[Apple TV]], [[iPad]], [[iPad mini]], [[iPhone]] and [[iPod touch]] ==<br />
I'd like to propose that we changes these pages to [[List of Apple TVs]], [[List of iPads]], [[List of iPad minis]], [[List of iPhones]] and [[List of iPod touches]] as this would be better and more correct. This would also free up [[iPad mini]] for [[iPad mini 1G]] so we could be consistent and drop the "1G" as none of the other devices that use "1G" on this wiki. I'd be prepared to do it all so nobody woud have to do anything (unless you want to of course). I'll go ahead and start this on Thursday, 12th November if nobody has any objections. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 11:30, 9 November 2015 (UTC)<br />
:This is has been completed apart from talk topics and user pages in which the author should fix those. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 11:59, 14 November 2015 (UTC)</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=The_iPhone_Wiki:Community_portal&diff=50066The iPhone Wiki:Community portal2016-01-01T06:58:16Z<p>Britta: /* License for contributions */ suggestions for making this happen - thanks!</p>
<hr />
<div>{{Talk Archive}}<br />
{{see also|Unsolved problems}}<br />
<br />
==iPhone-Elite==<br />
I think we should include all this old stuff before it gets lost: [http://code.google.com/p/iphone-elite/ code.google.com/p/iphone-elite/]. I mean the wiki articles there. Most infos should be already here, but I'm sure a lot of things are missing too.<br />
--[[User:Http|http]] 15:02, 26 June 2012 (MDT)<br />
<br />
==Boot-args cleanup==<br />
We need to clean up the boot-args pages. First the technical part: What I understand is that iBoot loads the kernel. And when loading it, it can pass some parameters to select certain behavior. So this only works with an iBoot or bootrom exploit. I understand that in earlier firmware versions there was simply an iBoot variable, but that doesn't exist or work anymore, now passing theses args requires a different or patched iBoot. There are various parameters in different kernel versions. The description for these arguments is scattered over various places:<br />
*[[Kernel#Boot-Args]] A section with the latest boot arguments list. This should be a short introduction and having a link "main article".<br />
*[[Boot-args (iBoot variable)]] separate page for boot arguments, but mainly for the iBoot variable that doesn't exist any longer<br />
*[{{FULLURL:Boot arguments|redirect=no}} Boot arguments] (redirect)<br />
*[[:Talk:Restore_Mode]] describing the iBoot variable problem<br />
*Various pages referencing boot-args, like [[Research: Re-allowing unsigned ramdisks and boot-args with the 2.* iBoot]] (here we should have a link on the second title)<br />
*My earlier comment [[:Talk:Kernel#boot-args]]<br />
*This comment here.<br />
So what do we want to do about this mess? I suggest to move the current [[Kernel]] content to the redirect page [[Boot arguments]] (or to another new page, maybe [[boot-args]]). The current content of [[Boot-args (iBoot variable)]] and all other content should get merged into there. Then change all references to this new page and on the [[Kernel]] page write just something short with "main article there". What do you think? --[[User:Http|http]] ([[User talk:Http|talk]]) 21:31, 13 February 2013 (UTC)<br />
:I like [[Boot Arguments]]. --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 02:01, 14 February 2013 (UTC)<br />
::One addition: Maybe we should use [[boot-args]] as the main page, because all links are written like that. --[[User:Http|http]] ([[User talk:Http|talk]]) 07:37, 14 February 2013 (UTC)<br />
<br />
==Orphaned articles==<br />
This is an interesting search: [[Special:LonelyPages]] - "The following pages are not linked from or transcluded into other pages in The iPhone Wiki." I'm not sure where all of those articles should be linked, but figuring that out could be a useful project for somebody. [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 05:57, 28 August 2013 (UTC)<br />
<br />
==Easy tasks for new editors==<br />
* Finish converting the remaining error codes listed here [[MobileDevice_Library#Known_Error_Codes]] into the proper mach_return_t codes they should be displayed as. (convert the negative number listed into hex, strip any leading "FF" so it should be in the format "0xe80000" followed by two numbers) --[[User:Dirkg|Dirkg]] ([[User talk:Dirkg|talk]]) 22:40, 28 August 2013 (UTC)<br />
<br />
==Login prompt revision suggestion==<br />
I wrote a suggestion here: [[MediaWiki talk:Loginprompt]] (since I don't have permission to edit [[MediaWiki:Loginprompt]] directly) - I'd be interested in whether it sounds like a good idea to other people. [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 01:00, 8 October 2013 (UTC)<br />
<br />
==Homepage suggestions==<br />
Under "Application Development", what about linking to [http://iphonedevwiki.net/index.php/Main_Page iPhoneDevWiki]? It's also a community-edited technical resource, and it links to this wiki. It could be helpful to add a little more detail to "Get [[up to speed]] in the community.", like this: "Get [[up to speed]] in the community - learn about how jailbreaks work." Under "Definitions", it could be helpful to list all the firmware tags in one line or sub-list, similar to how Jailbreak is organized next to Tethered jailbreak and Untethered jailbreak, both to save space and help readers understand the list. --[[User:Britta|Britta]] ([[User talk:Britta|talk]]) 23:01, 20 October 2013 (UTC)<br />
:A link to the iPhoneDevWiki sounds good. I wonder if we should have an "External Links" or "Other Resources" section to include links to other sites (such as the [http://blog.iphone-dev.org/ iPhone Dev Team blog]) though. As for the "Up to Speed" page, I feel like the entire page could be reworked a bit— and perhaps even receive a new, clearer name ([[Introduction]]? [[Preface]]? Or something else?)— the current name makes it sound like it's for people that last paid attention to jailbreaking when the App Store didn't exist. And yeah, moving the IMG3 tags to a sub-list sounds like a really good idea. (Admittedly, I actually don't care for its inclusion in the first place, but that's just a personal preference.) --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 00:10, 21 October 2013 (UTC)<br />
::There's already [[Useful Links]] with some links to other core community resources (which could be updated and rearranged) - I was just thinking that it'd be especially useful to link to iPhoneDevWiki prominently since it's likely for TheiPhoneWiki visitors to also be interested in relatively-organized technical information about development. Changing the name of "Up to Speed" sounds fine to me too - that page didn't get much attention since 2008 until I sort of commandeered it to serve as an "intro to jailbreaking" page. :) It could be renamed "getting started", as in "how to get started on learning about research into iOS devices, especially security research (such as jailbreaks)". [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 00:31, 21 October 2013 (UTC)<br />
Also I'd love to see a dedicated section for "Good tasks for new editors", where we could maintain a list of relatively easy/straightforward suggested edits that wouldn't require vast technical knowledge, like updating that links page. Where would that go? Add it as a sub-section of [[The iPhone Wiki:Current events]] and link that section from the homepage or something? Or make a new page? [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 00:40, 21 October 2013 (UTC)<br />
<br />
==What is 0x5265c384 in the boot process?==<br />
Does anybody know where <code>0x5265c384</code> points to in the boot process? I haven't been able to find anything on it. --[[User:Ph0enix|Ph0enix]] ([[User talk:Ph0enix|talk]]) 20:14, 23 October 2013 (UTC)<br />
<br />
==License for contributions==<br />
This wiki has never had an official license for contributions. Now, IANAL, but IIRC, this means that you can't use ''anything'' posted here unless it qualifies as fair-use. What I propose is that we set a license and add a notice that states that any contributions after a set date are to be licensed under that license (that's kindof a mouthful). I think we should use the [http://creativecommons.org/licenses/by-sa/3.0/ CC-by-SA 3.0] as [[wikipedia:Wikipedia:Text of Creative Commons Attribution-ShareAlike 3.0 Unported License|Wikipedia uses it]], but that's just me. Any ideas? --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 19:53, 9 November 2013 (UTC)<br />
:Well, the edit info already says all this:<br />
Please note that all contributions to The iPhone Wiki may be edited, altered, or<br />
removed by other contributors. If you do not want your writing to be edited mercilessly,<br />
then do not submit it here.<br />
You are also promising us that you wrote this yourself, or copied it from a public<br />
domain or similar free resource (see The [[:The iPhone Wiki:Copyrights|iPhone Wiki:Copyrights]] for details). '''Do not'''<br />
'''submit copyrighted work without permission!'''<br />
For me, that's enough. I don't need a 50 page license. But if you want to formalize this more, go ahead. --[[User:Http|http]] ([[User talk:Http|talk]]) 20:35, 9 November 2013 (UTC)<br />
:Sounds good. It's good practice to have an official license, just in case any disputes happen someday, and to ensure that it's OK to copy text over to Wikipedia (for example). [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 21:32, 9 November 2013 (UTC)<br />
Sorry to revive a dead topic, but this came to my attention again after seeing the message on [[F.C.E. 365 Firmware Manager]], and I noticed we hadn't really taken action regarding this. I take it everybody is in unanimous agreement in noting that the wiki's content will be covered under the CC BY-SA 3.0 Unported license, but [http://creativecommons.org/licenses/by-sa/4.0/ a newer version] has since been released— should we use this instead? (Creative Commons published a [https://creativecommons.org/version4 human-readable list of changes].) I'm fine with either one. --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 00:12, 24 December 2015 (UTC)<br />
<br />
:We'd definitely have to do the "any contributions after a set date have the new license" method, since it's not really legitimate to re-license other people's work without their clear permission. I'd be in favor of putting that in sooner rather than later. Individual people could also put a note on their user pages saying that they license all of their past contributions under the new license. [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 03:03, 25 December 2015 (UTC)<br />
::Yeah, that makes sense. As for when we should instate the CC BY-SA 4.0 (or 3.0?) license for future contributions, maybe we can make the change when we ring in 2016...? (I'd say this weekend, but people might be gone for the holidays.) --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 19:28, 25 December 2015 (UTC)<br />
----<br />
Okay, so I drafted something to put in [[The iPhone Wiki:About]].<br />
<blockquote>All contributions to The iPhone Wiki posted on or after 12:00 AM on DATE (UTC) are provided under the [https://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 International License]. This does not apply to contributions made prior to DATE (UTC), which are provided under a license selected by their contributors (with the understanding that contributions may be revised at any time). If a section is modified, the original author's license supersedes the aforementioned CC BY-SA 4.0 licensing.</blockquote><br />
But as I wrote that, a hypothetical scenario came to mind. Let's say UserOne creates a new page, UserTwo adds a section to this page, and UserThree edits a sentence in that section. Whose license would apply to the content— the page creator's? If they do not agree to distribute their contributions under the same license, would it be three cascading licenses? How should we address a hypothetical situation like this? --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 05:56, 1 January 2016 (UTC)<br />
<br />
:I'd suggest simplifying ''"This does not apply to contributions made prior to DATE (UTC), which are provided under a license selected by their contributors (with the understanding that contributions may be revised at any time). If a section is modified, the original author's license supersedes the aforementioned CC BY-SA 4.0 licensing."'' to just ''"This license does not apply to contributions made prior to DATE (UTC)."'' and adding ''"If you would like to explicitly license some or all of your contributions before this date as CC-BY-SA 4.0 (instead of those contributions staying the default of copyrighted by you with all rights reserved), please add a note to your userpage to indicate this."''<br />
<br />
:The copyright status of works created by people mixing together their own copyrighted-by-default efforts, or mixing CC-BY-SA work with copyrighted work, is...complicated and unclear, so it's probably better to not try to explain it. There's the relevant concept of a [http://copyright.universityofcalifornia.edu/ownership/joint-works.html "joint work", where "authors own the work jointly and equally"] ([http://fairuse.stanford.edu/overview/faqs/copyright-ownership/#who_owns_the_copyright_in_a_joint_work another definition]). <br />
<br />
:It'd be helpful for a brief version of this information to go in the note at the bottom of editing pages (where it says "Please note that all contributions to The iPhone Wiki may be edited, altered, or removed by other contributors." and so on). Ideally the homepage would also get a note about this for a month or so, maybe a link to the about page. :) Thanks for working on this! [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 06:58, 1 January 2016 (UTC)<br />
<br />
==Banner Replacement?==<br />
I kinda feel like the banner on the front page is getting a little stale, so I'm interested in seeing it replaced. I tossed a proposal [https://twitter.com/Draxelf/status/408295008794845184 on Twitter] a couple of days ago (which is admittedly plain, but Myriad Set…), but I haven't heard any opinions on replacing the banner. Are there any thoughts on this matter? --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 17:42, 6 December 2013 (UTC)<br />
:Or, [http://imgur.com/wJFqPl1 this]. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 18:22, 6 December 2013 (UTC)<br />
:Looks nice in Myriad! More professional. [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 04:01, 7 December 2013 (UTC)<br />
<br />
==Date Format==<br />
I see that [[User:IAdam1n|iAdam1n]] started to unify the date formats in this wiki. While I like this to be consistent, actually we should've talked about what format to use before changing it. I like the d_mon_yyyy format though. I also saw that he removed the <code>&amp;nbsp;</code> between the date parts on the [[iFaith]] page that I added once purposefully. The reason was that when making the browser window small (or on the iPhone) that the date wraps to two lines, which is almost always undesired. The question is if we should do that everywhere too? Additionally, as we now seem to have a "standard" here, we should document it, so that new users know what format to use. -- [[User:Http|http]] ([[User talk:Http|talk]]) 17:42, 30 December 2013 (UTC)<br />
:I just made it consistent. If you want the <code>&amp;nbsp;</code> back, feel free to add it. I removed it as it did nothing (previewing on OS X). We should use the format I used throughout the wiki and not Dec 23, 2013 etc. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 18:32, 30 December 2013 (UTC)<br />
::<code>&amp;nbsp;</code> stands for "'''n'''on-'''b'''reaking '''sp'''ace". It is essentially a space, but with a property that prevents word wrap from occurring between the two words it's between. Look at [[Firmware Keys]] on a small enough screen (1024 across should do it). Your browser should preserve the space between the date "words". Now, go into the edit page and remove the <code>&amp;nbsp;</code> from everything in one table. Your browser will now word wrap the date "words". --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 00:04, 5 January 2014 (UTC)<br />
:What I actually want to do is use <code>{{[[Template:Start date|start date]]}}</code> instead of plain dates in areas where dates are used as a statistic; for example, [[Firmware]], [[Firmware Keys]], [[SHSH]], [[Timeline]], etc. Places where dates are used to record when something happened, for example on [[evasi0n7]], "On 28 December 2013...", should use the date flat out in the source. --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 00:04, 5 January 2014 (UTC)<br />
<br />
== Template documentation ==<br />
Whenever using templates that are copied here from Wikipedia, I almost always forget the parameters of the template. I then have to open Wikipedia and search for the template. What I want to do it copy the template documentation from Wikipedia here. To work around the licensing issue, we can create our own template that you would include at the bottom of the copied documentation that says the documentation comes from Wikipedia (because Wikipedia uses [[wikipedia:Wikipedia:Text of Creative Commons Attribution-ShareAlike 3.0 Unported License|CC-BY-SA 3.0]] which says our copied text must be under CC-BY-SA 3.0 ''and'' attribute Wikipedia and her editors. I can write the text for license template. Any ideas? Any opposition? If not, I'll begin in a few days. --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 00:04, 5 January 2014 (UTC)<br />
:I don't see why not. That's what I've seen done on other wikis. — '''[[User:Spydar007|<span style="color:#ff5a00;">Spydar007</span>]] [[User talk:Spydar007|<span style="color:orange;">(Talk)</span>]]''' 16:56, 18 January 2014 (UTC)<br />
<br />
== Category Security Researchers==<br />
Hi all! i've created the category Security Researchers in order to cut down on the pages categorized as hackers as it apparently needs to be more exclusive. i've been adding the less known or inactive hackers from the hacker page but have not removed them from the hackers page. I feel that it should be a vote on who gets removed from the hackers page so my first suggestion is [[User:Fallensn0w]] as he has been inactive for a very long time and didn't do a lot in the first place. --[[User:Ph0enix|Ph0enix]] ([[User talk:Ph0enix|talk]]) 15:57, 22 February 2014 (UTC)<br />
<br />
== Email notifications? ==<br />
Is it possible to get emailed when a watchlist page changes? I'd love that feature. [[wikipedia:mw:Manual:Configuration settings#Email notification (Enotif) settings|This looks relevant]]. --[[User:Beej|beej]] ([[User talk:Beej|talk]]) 08:02, 27 June 2014 (UTC)<br />
<br />
== Ambiguous names ==<br />
I feel like the names for [[Symlinks]] and [[Symbolic Link Vulnerability]] is a bit too ambiguous. Now, I don't anticipate there being much confusion, particularly since nobody really cares about 1.x anymore, but I would like to make the distinction clearer. I think both articles should be renamed, but I have no idea on what to rename them to (or even if you guys approve). I thought of using the CVE ID, but Apple doesn't provide one for [[Symlinks]] (or even any indication that they fixed it). ([[Symbolic Link Vulnerability]] was assigned CVE-2013-5133.) --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 17:51, 2 July 2014 (UTC)<br />
:They are referred to as the Symbolic Link by people like MuscleNerd and iH8sn0w so, in my opinion, they should be kept as their current names. — '''[[User:Spydar007|<span style="color:black;">Spydar007</span>]] [[User talk:Spydar007|<span style="color:gray;">(Talk)</span>]]''' 18:06, 2 July 2014 (UTC)<br />
::I don't mind if one of them keeps their current name, but there should be something to make the distinction clearer. --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 01:13, 3 July 2014 (UTC)<br />
<br />
== IRC Channel on Freenode ==<br />
Howdy iphonewiki folks, I have #theiphonewiki registered on freenode, and am ready to have people come in (it's been ages since this idea has been brought up). Shall we open it? I'd like to get some ops in there to help out. --[[User:Haifisch|Haifisch]] ([[User talk:Haifisch|talk]]) 05:48, 6 July 2014 (UTC)<br />
<br /><br />
I think we should make an IRC channel for this wiki. It can be either #theiphonewiki or #iphonewiki on freenode. The channel would be used for discussions, such as the TLC of the Jailbreak page for example. It would make getting things sorted a lot easier, since we could just ping each other different ideas. I know this idea was made before, but the channel never really got anywhere. What do you guys think of this idea? We would need to decide who has founder, op and voice etc. on the channel here. — '''[[User:Spydar007|<span style="color:black;">Spydar007</span>]] [[User talk:Spydar007|<span style="color:gray;">(Talk)</span>]]''' 06:58, 6 July 2014 (UTC)<br />
: This is idiotic. You just want to do it yourself cause you want power. We won't help you feed your ego. --[[User:Goeo|goeo_]] ([[User talk:Goeo|talk]]) 19:43, 6 July 2014 (UTC)<br />
:: You have never edited on this wiki in your life before so STFU. — '''[[User:Spydar007|<span style="color:black;">Spydar007</span>]] [[User talk:Spydar007|<span style="color:gray;">(Talk)</span>]]''' 05:48, 7 July 2014 (UTC)<br />
: Being that I own #theiphonewiki, the original channel in which the wiki's channel was going to be on, I have control over who's moderating the channel. One op will be me, I have 3+ years of IRC moderation experience (To be honest, Is this even CV worthy? :P) we can choose the other operators when the channel becomes somewhat popular. ps. Why make two topics for this? --[[User:Haifisch|Haifisch]] ([[User talk:Haifisch|talk]]) 08:03, 6 July 2014 (UTC)<br />
:: That most definitely is CV worthy. I've seen Spydar007 moderate a channel, it crashed in a week or so. Not to mention the channel wasn't even his, and he kinda took it over anyway. --[[User:Goeo|goeo_]] ([[User talk:Goeo|talk]]) 19:43, 6 July 2014 (UTC)<br />
::No, no, no. The community decides. Juts because Farahtwiggy asked you to register it before, doesn't mean you get to be an op there now. This was my idea (Dialexio can vouch). You have no control over who are ops there. {{unsigned|Spydar007|04:11, July 6, 2014 (UTC)}}<br />
::: One "no" is enough. Farah, really, doesn't have much (if anything) to do with this, the channel was registered a year ago. Your childish response above does not show me that you can handle owning the channel, nor do the rumors of you abusing channel control in your personal channel. It's really not your idea, it may have just now come to your mind, but adaminsull and I have gone through this whole deal before (one year ago). Join me on #theiphonewiki if you'd like to chat this out. --[[User:Haifisch|Haifisch]] ([[User talk:Haifisch|talk]]) 08:22, 6 July 2014 (UTC)<br />
::::I don't know what's happening off of the wiki so I might only have part of the picture. I definitely don't see Haifisch as trying to steal credit for this idea, which actually was brought up about ages ago. I'm not much of an IRC guy, so my opinion might not have that much weight for a lot of this discussion, but I feel that the channel would be better in Haifisch's hands given his experience. Ownership/management/whatever for the IRC channel should certainly be open for discussion though. I really don't care too much about whoever gets to run it, as long as the person is someone that the community knows, respects, and trusts. (Same goes for the channel ops.) --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 17:42, 6 July 2014 (UTC)<br />
:It does not sound like a good idea to have an IRC channel for this wiki. It is useful for discussion of this wiki's articles to continue to be be done publicly on the wiki (on the appropriate talk pages), so that everyone interested in the wiki can easily contribute to the discussion, and so that there is a well-organized public record of discussions that we can all easily refer to. IRC channels are also very fertile breeding grounds for social conflicts and unhappiness (as we've seen already), which is helpful to skip. In any case, this should be discussed at [[The iPhone Wiki:Community portal]] instead of here - this page is for discussing modifications to the Main Page, and that one is for general discussions about TheiPhoneWiki. [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 09:46, 7 July 2014 (UTC)<br />
<br />
== Moving to Canada ==<br />
I'm moving this server in the next few days to a quality server in Canada. It'll be running inside a VM, so I'll also look into giving admins more access. Hopefully the periodic outages will stop. Maybe I'll add some SSL certs. --[[User:Geohot|geohot]] ([[User talk:Geohot|talk]])<br />
:Nice, thanks! HTTPS would be great. --[[User:Britta|Britta]] ([[User talk:Britta|talk]]) 21:08, 14 August 2014 (UTC)<br />
::So we're not in canada yet?--[[User:Awesomebing1|Awesomebing1]] ([[User talk:Awesomebing1|talk]]) 20:32, 30 August 2014 (UTC)<br />
You should all be in Canada now, with 8&nbsp;GiB of Canadian RAM. We also have [https://theiphonewiki.com/wiki/Main_Page HTTPS], but it avoids the [[wikipedia:Squid (software)|Squid proxy]]. It's fine for people making edits but I don't plan on changing the default anytime soon. --[[User:Geohot|geohot]] ([[User talk:Geohot|talk]]) 04:43, 2 September 2014 (UTC)<br />
:Yay! Thanks as always George! Any plans on adding back SSH? There's a few things I'd love to have done. --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 21:40, 2 September 2014 (UTC)<br />
::Thanks [[User:Geohot|geohot]]! Hopefully now there will be less downtime ;p --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 07:41, 3 September 2014 (UTC)<br />
:Sweeeeeeeet. :D --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 15:16, 3 September 2014 (UTC)<br />
<br />
==iPhone serial cable==<br />
Could somebody document how to use uart cable (i.e. setup, bitrate, ...) ? Some intructions are available at [http://www.instructables.com/id/Apple-iOS-SerialUSB-Cable-for-Kernel-Debugging/ instructables]. Can two iPhones' serial inputs be connected to each other (i.e. TX of 1st iPhone to RX of 2nd and RX of first to TX of second) and minicom used on one of them to connect to /dev/uart.iap such that no USB to 3.3V TTL (FT232RL in the link) would be needed provided that you already have multiple iDevices with dock connector {{unsigned|Danzatt|10:57, 15 September, 2014}}<br />
<br />
Bringing this topic back up, I've developed an open source package for iPhone (30pin) serial that doesn't used the PodBreakout that has been discontinued for a while now. Would it be alright to document how to setup/use the boards here? I'm just unsure if this is the appropriate place for it. --[[User:Haifisch|Haifisch]] ([[User talk:Haifisch|talk]]) 03:45, 2 May 2015 (UTC)<br />
<br />
:[[User:Haifisch]], that sounds fine to me - it's iPhone-related, which is the the theme of this wiki. [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 09:53, 14 May 2015 (UTC)<br />
<br />
== Original iPad mini name ==<br />
Seeing as we use (at least mostly) "iPhone" instead of "iPhone 2G" and "iPod touch" instead of "iPod touch 1G", I feel we should change how we reference the original iPad mini. The reason for adding the "1G" was because of the name conflict between pages. But we could probably fix that by moving [[iPad mini 1G]] to, say, [[iPad mini (first generation)]]. --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 03:04, 17 October 2014 (UTC)<br />
:Sounds good to me. "iPad mini (1st generation)" is fine, but for the sake of length I would go with either "iPad mini" or "iPad mini 1." --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 03:27, 17 October 2014 (UTC)<br />
::Agreed. "iPad mini" would follow the other 1st generation devices page. — '''[[User:Spydar007|<span style="color:black;">Spydar007</span>]] [[User talk:Spydar007|<span style="color:gray;">(Talk)</span>]]''' 04:56, 17 October 2014 (UTC)<br />
:::I also think this is a good idea because of how Apple is listing it like that too. I would say use "iPad mini". Another thought I did have is that it might confuse people with [[iPad mini]] and making them think that it is the page to list all the mini's. To correct this, I would suggest [[iPad mini (1st Generation)]] and roll that out across iPod touch, iPad and iPhone too. Just thought I'd put that out there to see what others think. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 10:14, 19 October 2014 (UTC)<br />
::::I feel "iPad mini (1st Generation)" is too long. "iPad mini" is fine IMO. — '''[[User:Spydar007|<span style="color:black;">Spydar007</span>]] [[User talk:Spydar007|<span style="color:gray;">(Talk)</span>]]''' 05:30, 20 October 2014 (UTC)<br />
:::::Except that "[[iPad mini]]" already exists. It's the overview page for the iPad mini, just as [[iPad]] is for iPads, [[iPhone]] for iPhones, and [[iPod touch]] for iPod touches. --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 20:06, 20 October 2014 (UTC)<br />
::::::If we do this, I suggest doing it for iPad, iPhone and iPod touch too. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 20:43, 20 October 2014 (UTC)<br />
:::::::I disagree. I like the usage of "iPod touch 2G", "iPod touch 3G", etc. Sure, drop the "1G" from the original iPad and iPod touch (and "2G" from the original iPhone), but don't change anything else. Unless we can come up with something other than "[[iPad mini (1st generation)]]", we should use that though. However, I don't like that title as it would look inconsistent with other devices. Wikipedia uses the parentheses to separate pages that would have the same name, but are about different topics. --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 22:06, 20 October 2014 (UTC)<br />
::::::::The only problem is that we can't use [[iPad mini]] for it's current purpose and the first generation. I would also suggest anything that is changed would be consistent throughout all of the devices. That is why I liked the [[iPad mini (1st generation)]] idea but then again, would not be good if it is not like that for all devices. I like [[iPad mini (1st generation)]] because it is how Wikipedia lists it and to be honest, it avoids confusion. There is one other idea I can think of but not sure I even like it that much, [[iPad mini (original)]]. This again should be for iPad, iPod touch and iPhone if we do this. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 22:35, 20 October 2014 (UTC)<br />
<br />
== Mobile Stylesheet == <!-- Don't move this to archive as can be used for anyone to add suggestions for changes on mobile. --><br />
I was thinking recently, if [[User:Geohot|geohot]] agrees to accept it, that I could make a mobile.css file in order to attempt to make a few changes to the site on mobile. This would make it so that it would not be so ugly and if possible, the text might be easier to read. What would everyone think about this? For one thing, I'd like to mobile the "Log out" off the black part of the screen and put it near the "Contributions" button or thereabout. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 10:37, 7 January 2015 (UTC)<br />
:Instead of a mobile stylesheet to hack up the skin more (like the <code>ios6</code> and <code>ios7</code> skins do), I would create a whole new skin. I could write the PHP and JavaScript, and you can write the CSS. --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 17:04, 7 January 2015 (UTC)<br />
::If you mean a skin just for mobile, that would be ok but not sure how you could make it selectable with a mobile device but not on desktop. If you could do this, it could work but personally I think a mobile.css would be easier since it has to be previewed in the iOS simulator (that's the way I do it). I couldn't say I'd edit a page without being an admin (unless it's made that I could). --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 17:35, 7 January 2015 (UTC)<br />
::I was going to mention that MediaWiki includes a sorta-mobile theme called Chick, but it seems that's [https://gerrit.wikimedia.org/r/#/q/Ia6d73c2deb9428d2,n,z long gone]. MW's changed a lot since I used it, but the way it worked was it subclassed MonoBook (so there was no need to duplicate the HTML template) and swapped its CSS for its own ([https://upload.wikimedia.org/wikipedia/mediawiki/f/f6/Dantman-Skin-chick.png screenshot]).<br>Come to think of it, whoa, I even wrote my own skin called [https://github.com/kirb/iWiki iWiki]. Was never updated for MW 1.17, which made breaking changes to the skin API. I probably won't have the time to update it, but maybe someone else could? [[User:Thekirbylover|kirb]] ([[User talk:Thekirbylover|talk]]) 09:01, 8 January 2015 (UTC)<br />
:I think this is a great idea, since this is actually a wiki about mobiles. No idea why it hasn't been done already. — '''[[User:Spydar007|<span style="color:black;">Spydar007</span>]] [[User talk:Spydar007|<span style="color:gray;">(Talk)</span>]]''' 15:17, 8 January 2015 (UTC)<br />
::| There is a mobile pluggin for Media Wiki that will make it look very nice [[User:Mwoolweaver|MWoolweaver]] ([[User talk:Mwoolweaver|talk]]) 07:22, 1 February 2015 (UTC)<br />
:::I completed this a while ago but forgot to comment about it. If anyone has any improvement requests, feel free to list them and I'll take a look. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 11:07, 24 April 2015 (UTC)<br />
<br />
== Apple Watch ==<br />
I've added the [[Apple Watch]] using that page to most devices. I was thinking this morning that it should be moved to [[Apple Watch 1]] an have [[Apple Watch]] as a page like [[iPhone]] etc but then thought that I'd wait to see if there is a second generation some time and if there is, move it then. What does everyone think? I don't mind either way but wanted others opinions. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 11:07, 24 April 2015 (UTC)<br />
<br />
== Bite-sized editing tasks ==<br />
<br />
It seems fun to make a list of relatively easy useful edits that new editors can do who are interested in helping, maybe at [[The iPhone Wiki:Bite-sized editing tasks]] or a similar page, and link it from the homepage here. I'd include the following as a start:<br />
<br />
* Look at the list at [[Special:LonelyPages]] and figure out whether some of those pages should be linked within other pages on the wiki, and then go link them.<br />
* Check the links at [[Useful Links]] and remove broken/outdated sites and add relevant new sites (but don't spam your own stuff).<br />
* The iOS version table at [[SHSH]] should be listed in reverse-chronological order, with newest versions first instead of oldest versions first.<br />
* If you run into a scam site, add it to the table at [[Scam Jailbreaks and Unlocks]].<br />
* If you're reading an article and some part of it is confusing to you, post a message on the "talk" page (click the "Discussion" tab at the top of the article) explaining your question or what you found confusing, so that other editors can use this as a suggestion for improving the article.<br />
<br />
Ideas? Opinions? [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 09:31, 14 May 2015 (UTC)<br />
<br />
== How to report problems ==<br />
<br />
I saw people concerned on Twitter about the skin! Like iAdam1n said on Twitter, saurik just got a copy of the settings, images, and database from geohot and put them into a new site with an upgraded version of MediaWiki; he's asking geohot for a copy of the skin files. In general if you see problems or have requests for new extensions or other changes, it's totally fine to post them here and I'll see them and ask saurik to check it out. If something is more immediate and doesn't need discussion (like something missing, major errors, mysterious downtime, etc.), you can PM me or saurik on IRC (his IRC server is best, irc.saurik.com). Maybe good to post here too in those cases (if the site isn't down at the time) so other people know he's been alerted. [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 18:44, 14 May 2015 (UTC)<br />
<br />
More about how to report more immediate problems (or problems that require some level of privacy, such as a major security issue or "Britta has gone rogue") - if you don't use IRC, emailing me is also fine (britta@saurikit.com). Emailing saurik (saurik@saurik.com) won't be seen as quickly, but if you write a meaningful subject line (like "TheiPhoneWiki is giving error 403 upon login right now" or "Britta is putting glitter sparkle GIFs all over TheiPhoneWiki"), it'll likely be seen. Moving to a new server/admin can have some adjustment bumps but they can be fixed! [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 03:03, 15 May 2015 (UTC)<br />
<br />
== SSL Problems ==<br />
<br />
Maybe SSL is not fully/officially supported (yet), but there are a few issues that should get fixed:<br />
*SSL3 is enabled and must be turned off (POODLE attack)<br />
*weak signature: make sure to get SHA2 when you renew certificate (current one expires 4 Sept 2015)<br />
*RC4 cipher is accepted, please disable<br />
*PFS not always preferred cipher, for example when using IE10 on Win7<br />
Thanks!<br />
--[[User:Http|http]] ([[User talk:Http|talk]]) 20:27, 14 May 2015 (UTC)<br />
<br />
:OK, saurik worked on this and it should be fine now other than that the current certificate from geohot is SHA1. [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 08:54, 15 May 2015 (UTC)<br />
<br />
::Excellent, thanks! If you want to improve even further, consider HSTS and maybe HPKP too. But I'm happy already now. --[[User:Http|http]] ([[User talk:Http|talk]]) 12:17, 15 May 2015 (UTC)<br />
<br />
== Apple internal content on the Wiki ==<br />
<br />
I want to know what people think about having internal content on the Wiki. Some of the current content definitely needs some cleaning up and general editing. Should we publish information about internal firmwares? And is it okay to upload pictures of prototypes? Feel free to ask more questions. --[[User:Srb21103|Srb21103]] ([[User talk:Srb21103|talk]]) 05:08, 18 May 2015 (UTC)<br />
<br />
:Looking through [[The iPhone Wiki:Ground rules]], it says "No posting of copyrighted material. Anything that could legally get us in trouble should not be posted, ever." I'm not sure what other precedent here has been. [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 10:31, 18 May 2015 (UTC)<br />
<br />
== JailbreakCon mini-talks ==<br />
<br />
Hi wiki people! I'm working on gathering people to do mini-talks (5-10 minutes) for [[JailbreakCon]] in June in San Francisco, and it would be cool to have some more people speaking who contribute to the community in ways other than tweak development. Work other than development is important work too, such as documentation. If anyone who has put some effort into improving TheiPhoneWiki can attend and would like to give a mini talk about working on the wiki, let me know via [http://www.jailbreakcon.com/#contact the contact form on the site]. [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 00:35, 26 May 2015 (UTC)<br />
<br />
== [[File System Crypto]] ==<br />
<br />
I just added Zdziarski's blog to the wiki (with his permission). I would recommend to take this apart and make multiple sub-articles, like an article for [[BAGI]], another one for [[Dkey]], etc. and on the page [[File System Crypto]] itself, just write the overview, similar to what we have on page 16 of the Sogeti document (wasn't there a newer graphic somewhere?) with some short description. --[[User:Http|http]] ([[User talk:Http|talk]]) 22:11, 9 June 2015 (UTC)<br />
<br />
== Video links about internal [[Factory Firmware]] ==<br />
It is okay and safe from troubles to put YouTube video links about internal [[Factory Firmware]] in the dedicated page, to see how those changed through iOS versions ? Those videos are https://www.youtube.com/watch?v=hWgs1r4LEgQ (iOS 4) and https://www.youtube.com/watch?v=sghs_gICQUU (iOS 5). --[[User:ShadowLee19|ShadowLee19]] ([[User talk:ShadowLee19|talk]]) 09:22, July 12, 2015}}<br />
<br />
: I don't see a problem, as I've talked to [[User:EverythingApplesPro|EverythingApplesPro]] and confirmed that the prototypes were obtained legally. However, you should probably email him and ask him, since those are his videos. Also, someone else might have a different opinion, so please don't rely on my opinion. --[[User:Awesomebing1|Awesomebing1]] ([[User talk:Awesomebing1|talk]]) 4:42 pm, 12 July 2015, Sunday (9 days ago) (UTC−4) <br />
<br />
:: I will ask [[User:EverythingApplesPro|EverythingApplesPro]] before add his videos links. I'm still confused about "legally obtained". The two first videos, https://www.youtube.com/watch?v=hWgs1r4LEgQ (iOS 4) and https://www.youtube.com/watch?v=sghs_gICQUU (iOS 5) are made and uploaded by me, but devices used aren't prototypes, internal or factory devices. They are production ones which I've restored an internal [[Factory Firmware]] using Limera1n BootROM exploit. Devices are of course legally obtained, but it's hard to say for internal factory firmware bundles, because I got them from someone, who got them from someone, who got them from someone and so. I don't know how they have been leaked, in a legal way or not. I doubt about how all those prototypes, factory devices or internal software could be "legally obtained", unless on is packed by accident in a legally bought box in an Apple store or any other retail store. That's the main reason why I'm asking this question before put YouTube video links about internal devices and software. It is even okay and safe from troubles to upload videos on YouTube about those internal devices and software ? I would like to be 100% sure, I don't want me and or TheiPhoneWiki to get in trouble for that. --ShadowLee19<br />
<br />
::: There really isn't a legal way to obtain prototypes without being an Apple Employee with very very specific permissions to have it. I would bet money that his devices he has are just like production devices but they have not been restored to a production firmware, instead they have been restored with the factory unit testing firmware (e.g., NonUI, and whatnot) and were never flashed to stock before leaving the factory. I would be '''very''' surprised if any real prototypes got out after the Gizmodo leak, they have since improved on locking down those devices internally. Just because the serial number isn't a production serial doesn't mean it's a prototype, serials are very easy to change by modifying the SysCfg. --[[User:Haifisch|Haifisch]] ([[User talk:Haifisch|talk]]) 7:18 pm, 12 July 2015, Sunday (9 days ago) (UTC−4)<br />
<br />
:: I'm sorry, this is another case where I skim over links and think they are all the same. I've verified an iPhone 6 that was from Verizon. I must have thought they were all on te same iPhone 6. I agree with both Haifisch and Britta. --[[User:Awesomebing1|Awesomebing1]] ([[User talk:Awesomebing1|talk]]) 7:33 pm, 12 July 2015, Sunday (9 days ago) (UTC−4)<br />
<br />
:It seems fine to me to link to them, since they're publicly available on the web; no permission required for that sort of thing. Most pages have an "External links" section at the bottom, which is nice for adding links to off-wiki resources. [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 5:15 pm, 12 July 2015, Sunday (9 days ago) (UTC−4)<br />
<br />
== Using "Beta" instead of "b" for Beta Firmwares ==<br />
I've been thinking for some time that we should really be using "Beta" instead of just "b" in beta firmwares. An example would be change "9.1b3" to "9.1 Beta 3". This is how Wikipedia does it and I much rather this because it is clearer IMO. What does everyone else think? Although this would be a lot of work converting all the entries, I'm willing to do it if nobody objects. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 19:46, 3 October 2015 (UTC)<br />
:I said this on Twitter, but I don't really care if this change is made. Personally, I prefer the "b," but using "Beta" would look fine. --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 03:28, 4 October 2015 (UTC)<br />
::If nobody disagrees, I'll start on Wednesday, 7th October. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 21:28, 4 October 2015 (UTC)<br />
:I have no problem with this except for [[Beta Firmware]] and [[Firmware Keys]]. Changing those from "b" to "beta" would take up too much space. Also, I'd prefer "beta" be lowercased, but that's just me. --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 23:06, 4 October 2015 (UTC)<br />
::I don't actually think it would take up too much space since it's only an extra 5 characters per iOS. "Beta" or "beta" doesn't matter really, I don't mind with or without a capital. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 23:15, 4 October 2015 (UTC)<br />
:::Yeah, nevermind. --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 23:22, 4 October 2015 (UTC)<br />
::::As far as I can tell (this is actually hard to find where used without checking all pages but checked the most obvious), this is now complete. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 06:20, 22 October 2015 (UTC)<br />
<br />
== -AP idenifiers ==<br />
As we all know (hopefully), the wiki has used lowercase letters for the "-AP" device identifiers (e.g. n90ap, p101ap). I would like to rename all instances to use the proper case— that is, the first letter and "AP" are capitalized (e.g. N90bAP, P101AP, N72AP). Does everyone else approve of this? I recall discussing this a while back and the decision was to use/keep lowercase letters, but seeing something like "k93aap" looks weird when Apple uses "K93aAP" in most areas, save for firmware file names. --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 03:28, 4 October 2015 (UTC)<br />
:I've always wanted to use the correct naming like this proposal so I'd be more than happy for the change. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 06:23, 4 October 2015 (UTC)<br />
::This has now been completed. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 10:07, 16 October 2015 (UTC)<br />
<br />
== iOS 9.1 beta 4 build number? ==<br />
Apparently the build number for iOS 9.1 beta 4 on the wiki is 13B5136, but the number shown on my iPod touch 6G is 13B136. Can anyone else confirm this on their device before making any changes to the wiki?<br />
--[[User:Tp1194045441|Tp1194045441]]([[User talk:Tp1194045441|talk]]) 21:26, 6 October 2015 (UTC)<br />
:The 5 is just a false number to get people from beta 3 to beta 4 via OTA. You have the developer IPSW real version. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 21:57, 6 October 2015 (UTC)<br />
<br />
== The iPhone Wiki SEO ==<br />
I checked the page's SEO score and is pretty low. As I'm a webmaster and I work in Web design, I can help with SEO for this community, for FREE. I would like to hear the opinion of one of the admins. --[[User:GeoSn0w|GeoSn0w]]([[User talk:GeoSn0w|talk]]) 21:26, 10 October 2015 (UTC)<br />
:Out of curiosity, what do you feel could be changed? (I know nothing about SEO) --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 06:54, 17 October 2015 (UTC)<br />
<br />
== San Francisco banner ==<br />
I like the current, Myriad Set Pro-based banner. However, I started thinking that it'd probably be better to typeset "The iPhone Wiki" in San Francisco instead, since that's what Apple's using in iOS. I came up with two variations for font weight, and then with and without a period at the end. (It's not needed/warranted, but I thought it added a nice extra touch.) If this sounds good, which variation do you think looks best? [https://pbs.twimg.com/media/CRaQh9PVAAAvfRP.png:large [A<nowiki>]</nowiki>] [https://pbs.twimg.com/media/CRcy9JEUcAECyzU.png:large [B<nowiki>]</nowiki>] [https://pbs.twimg.com/media/CRcy9VTU8AA8Q6X.png:large [C<nowiki>]</nowiki>] [https://pbs.twimg.com/media/CRcy9ehXIAE7AM2.png:large [D<nowiki>]</nowiki>] [https://pbs.twimg.com/media/CRjjvhkWIAER4ao.png:large [E<nowiki>]</nowiki>] --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 16:04, 16 October 2015 (UTC)<br />
:I really like A. However, C is a runner up. It kinda depends on which part we are focusing on most. Are we focusing on iDevices, or a Wiki more? For that, I have no answer. Of course, that's just my opinion. --[[User:Awesomebing1|Awesomebing1]] ([[User talk:Awesomebing1|talk]]) 02:38, 17 October 2015 (UTC)<br />
:Nice! However, for number B, the period's font weight is a bit too heavy. Was it bolded? --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 06:53, 17 October 2015 (UTC)<br />
::I like this idea and would choose either A or B. I don't personally mind which of those are used. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 08:55, 17 October 2015 (UTC)<br />
::B's period actually uses the regular font weight (same as "iPhone"). I was thinking that it looked a little too heavy too… So I came up with [https://pbs.twimg.com/media/CRjjvhkWIAER4ao.png:large [E<nowiki>]</nowiki>]. (Also, I know the mockups have varying font sizes. Don't read too much into that; I'll match the font size with the current banner when we decide on a variation.) --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 23:29, 17 October 2015 (UTC)<br />
<br />
== Changing [[Apple TV]], [[iPad]], [[iPad mini]], [[iPhone]] and [[iPod touch]] ==<br />
I'd like to propose that we changes these pages to [[List of Apple TVs]], [[List of iPads]], [[List of iPad minis]], [[List of iPhones]] and [[List of iPod touches]] as this would be better and more correct. This would also free up [[iPad mini]] for [[iPad mini 1G]] so we could be consistent and drop the "1G" as none of the other devices that use "1G" on this wiki. I'd be prepared to do it all so nobody woud have to do anything (unless you want to of course). I'll go ahead and start this on Thursday, 12th November if nobody has any objections. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 11:30, 9 November 2015 (UTC)<br />
:This is has been completed apart from talk topics and user pages in which the author should fix those. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 11:59, 14 November 2015 (UTC)</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=The_iPhone_Wiki:Community_portal&diff=50040The iPhone Wiki:Community portal2015-12-25T03:03:26Z<p>Britta: /* License for contributions */ in favor of "any contributions after a set date have the new license"</p>
<hr />
<div>{{Talk Archive}}<br />
{{see also|Unsolved problems}}<br />
<br />
==iPhone-Elite==<br />
I think we should include all this old stuff before it gets lost: [http://code.google.com/p/iphone-elite/ code.google.com/p/iphone-elite/]. I mean the wiki articles there. Most infos should be already here, but I'm sure a lot of things are missing too.<br />
--[[User:Http|http]] 15:02, 26 June 2012 (MDT)<br />
<br />
==Boot-args cleanup==<br />
We need to clean up the boot-args pages. First the technical part: What I understand is that iBoot loads the kernel. And when loading it, it can pass some parameters to select certain behavior. So this only works with an iBoot or bootrom exploit. I understand that in earlier firmware versions there was simply an iBoot variable, but that doesn't exist or work anymore, now passing theses args requires a different or patched iBoot. There are various parameters in different kernel versions. The description for these arguments is scattered over various places:<br />
*[[Kernel#Boot-Args]] A section with the latest boot arguments list. This should be a short introduction and having a link "main article".<br />
*[[Boot-args (iBoot variable)]] separate page for boot arguments, but mainly for the iBoot variable that doesn't exist any longer<br />
*[{{FULLURL:Boot arguments|redirect=no}} Boot arguments] (redirect)<br />
*[[:Talk:Restore_Mode]] describing the iBoot variable problem<br />
*Various pages referencing boot-args, like [[Research: Re-allowing unsigned ramdisks and boot-args with the 2.* iBoot]] (here we should have a link on the second title)<br />
*My earlier comment [[:Talk:Kernel#boot-args]]<br />
*This comment here.<br />
So what do we want to do about this mess? I suggest to move the current [[Kernel]] content to the redirect page [[Boot arguments]] (or to another new page, maybe [[boot-args]]). The current content of [[Boot-args (iBoot variable)]] and all other content should get merged into there. Then change all references to this new page and on the [[Kernel]] page write just something short with "main article there". What do you think? --[[User:Http|http]] ([[User talk:Http|talk]]) 21:31, 13 February 2013 (UTC)<br />
:I like [[Boot Arguments]]. --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 02:01, 14 February 2013 (UTC)<br />
::One addition: Maybe we should use [[boot-args]] as the main page, because all links are written like that. --[[User:Http|http]] ([[User talk:Http|talk]]) 07:37, 14 February 2013 (UTC)<br />
<br />
==Orphaned articles==<br />
This is an interesting search: [[Special:LonelyPages]] - "The following pages are not linked from or transcluded into other pages in The iPhone Wiki." I'm not sure where all of those articles should be linked, but figuring that out could be a useful project for somebody. [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 05:57, 28 August 2013 (UTC)<br />
<br />
==Easy tasks for new editors==<br />
* Finish converting the remaining error codes listed here [[MobileDevice_Library#Known_Error_Codes]] into the proper mach_return_t codes they should be displayed as. (convert the negative number listed into hex, strip any leading "FF" so it should be in the format "0xe80000" followed by two numbers) --[[User:Dirkg|Dirkg]] ([[User talk:Dirkg|talk]]) 22:40, 28 August 2013 (UTC)<br />
<br />
==Login prompt revision suggestion==<br />
I wrote a suggestion here: [[MediaWiki talk:Loginprompt]] (since I don't have permission to edit [[MediaWiki:Loginprompt]] directly) - I'd be interested in whether it sounds like a good idea to other people. [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 01:00, 8 October 2013 (UTC)<br />
<br />
==Homepage suggestions==<br />
Under "Application Development", what about linking to [http://iphonedevwiki.net/index.php/Main_Page iPhoneDevWiki]? It's also a community-edited technical resource, and it links to this wiki. It could be helpful to add a little more detail to "Get [[up to speed]] in the community.", like this: "Get [[up to speed]] in the community - learn about how jailbreaks work." Under "Definitions", it could be helpful to list all the firmware tags in one line or sub-list, similar to how Jailbreak is organized next to Tethered jailbreak and Untethered jailbreak, both to save space and help readers understand the list. --[[User:Britta|Britta]] ([[User talk:Britta|talk]]) 23:01, 20 October 2013 (UTC)<br />
:A link to the iPhoneDevWiki sounds good. I wonder if we should have an "External Links" or "Other Resources" section to include links to other sites (such as the [http://blog.iphone-dev.org/ iPhone Dev Team blog]) though. As for the "Up to Speed" page, I feel like the entire page could be reworked a bit— and perhaps even receive a new, clearer name ([[Introduction]]? [[Preface]]? Or something else?)— the current name makes it sound like it's for people that last paid attention to jailbreaking when the App Store didn't exist. And yeah, moving the IMG3 tags to a sub-list sounds like a really good idea. (Admittedly, I actually don't care for its inclusion in the first place, but that's just a personal preference.) --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 00:10, 21 October 2013 (UTC)<br />
::There's already [[Useful Links]] with some links to other core community resources (which could be updated and rearranged) - I was just thinking that it'd be especially useful to link to iPhoneDevWiki prominently since it's likely for TheiPhoneWiki visitors to also be interested in relatively-organized technical information about development. Changing the name of "Up to Speed" sounds fine to me too - that page didn't get much attention since 2008 until I sort of commandeered it to serve as an "intro to jailbreaking" page. :) It could be renamed "getting started", as in "how to get started on learning about research into iOS devices, especially security research (such as jailbreaks)". [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 00:31, 21 October 2013 (UTC)<br />
Also I'd love to see a dedicated section for "Good tasks for new editors", where we could maintain a list of relatively easy/straightforward suggested edits that wouldn't require vast technical knowledge, like updating that links page. Where would that go? Add it as a sub-section of [[The iPhone Wiki:Current events]] and link that section from the homepage or something? Or make a new page? [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 00:40, 21 October 2013 (UTC)<br />
<br />
==What is 0x5265c384 in the boot process?==<br />
Does anybody know where <code>0x5265c384</code> points to in the boot process? I haven't been able to find anything on it. --[[User:Ph0enix|Ph0enix]] ([[User talk:Ph0enix|talk]]) 20:14, 23 October 2013 (UTC)<br />
<br />
==License for contributions==<br />
This wiki has never had an official license for contributions. Now, IANAL, but IIRC, this means that you can't use ''anything'' posted here unless it qualifies as fair-use. What I propose is that we set a license and add a notice that states that any contributions after a set date are to be licensed under that license (that's kindof a mouthful). I think we should use the [http://creativecommons.org/licenses/by-sa/3.0/ CC-by-SA 3.0] as [[wikipedia:Wikipedia:Text of Creative Commons Attribution-ShareAlike 3.0 Unported License|Wikipedia uses it]], but that's just me. Any ideas? --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 19:53, 9 November 2013 (UTC)<br />
:Well, the edit info already says all this:<br />
Please note that all contributions to The iPhone Wiki may be edited, altered, or<br />
removed by other contributors. If you do not want your writing to be edited mercilessly,<br />
then do not submit it here.<br />
You are also promising us that you wrote this yourself, or copied it from a public<br />
domain or similar free resource (see The [[:The iPhone Wiki:Copyrights|iPhone Wiki:Copyrights]] for details). '''Do not'''<br />
'''submit copyrighted work without permission!'''<br />
For me, that's enough. I don't need a 50 page license. But if you want to formalize this more, go ahead. --[[User:Http|http]] ([[User talk:Http|talk]]) 20:35, 9 November 2013 (UTC)<br />
:Sounds good. It's good practice to have an official license, just in case any disputes happen someday, and to ensure that it's OK to copy text over to Wikipedia (for example). [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 21:32, 9 November 2013 (UTC)<br />
Sorry to revive a dead topic, but this came to my attention again after seeing the message on [[F.C.E. 365 Firmware Manager]], and I noticed we hadn't really taken action regarding this. I take it everybody is in unanimous agreement in noting that the wiki's content will be covered under the CC BY-SA 3.0 Unported license, but [http://creativecommons.org/licenses/by-sa/4.0/ a newer version] has since been released— should we use this instead? (Creative Commons published a [https://creativecommons.org/version4 human-readable list of changes].) I'm fine with either one. --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 00:12, 24 December 2015 (UTC)<br />
<br />
:We'd definitely have to do the "any contributions after a set date have the new license" method, since it's not really legitimate to re-license other people's work without their clear permission. I'd be in favor of putting that in sooner rather than later. Individual people could also put a note on their user pages saying that they license all of their past contributions under the new license. [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 03:03, 25 December 2015 (UTC)<br />
<br />
==Banner Replacement?==<br />
I kinda feel like the banner on the front page is getting a little stale, so I'm interested in seeing it replaced. I tossed a proposal [https://twitter.com/Draxelf/status/408295008794845184 on Twitter] a couple of days ago (which is admittedly plain, but Myriad Set…), but I haven't heard any opinions on replacing the banner. Are there any thoughts on this matter? --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 17:42, 6 December 2013 (UTC)<br />
:Or, [http://imgur.com/wJFqPl1 this]. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 18:22, 6 December 2013 (UTC)<br />
:Looks nice in Myriad! More professional. [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 04:01, 7 December 2013 (UTC)<br />
<br />
==Date Format==<br />
I see that [[User:IAdam1n|iAdam1n]] started to unify the date formats in this wiki. While I like this to be consistent, actually we should've talked about what format to use before changing it. I like the d_mon_yyyy format though. I also saw that he removed the <code>&amp;nbsp;</code> between the date parts on the [[iFaith]] page that I added once purposefully. The reason was that when making the browser window small (or on the iPhone) that the date wraps to two lines, which is almost always undesired. The question is if we should do that everywhere too? Additionally, as we now seem to have a "standard" here, we should document it, so that new users know what format to use. -- [[User:Http|http]] ([[User talk:Http|talk]]) 17:42, 30 December 2013 (UTC)<br />
:I just made it consistent. If you want the <code>&amp;nbsp;</code> back, feel free to add it. I removed it as it did nothing (previewing on OS X). We should use the format I used throughout the wiki and not Dec 23, 2013 etc. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 18:32, 30 December 2013 (UTC)<br />
::<code>&amp;nbsp;</code> stands for "'''n'''on-'''b'''reaking '''sp'''ace". It is essentially a space, but with a property that prevents word wrap from occurring between the two words it's between. Look at [[Firmware Keys]] on a small enough screen (1024 across should do it). Your browser should preserve the space between the date "words". Now, go into the edit page and remove the <code>&amp;nbsp;</code> from everything in one table. Your browser will now word wrap the date "words". --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 00:04, 5 January 2014 (UTC)<br />
:What I actually want to do is use <code>{{[[Template:Start date|start date]]}}</code> instead of plain dates in areas where dates are used as a statistic; for example, [[Firmware]], [[Firmware Keys]], [[SHSH]], [[Timeline]], etc. Places where dates are used to record when something happened, for example on [[evasi0n7]], "On 28 December 2013...", should use the date flat out in the source. --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 00:04, 5 January 2014 (UTC)<br />
<br />
== Template documentation ==<br />
Whenever using templates that are copied here from Wikipedia, I almost always forget the parameters of the template. I then have to open Wikipedia and search for the template. What I want to do it copy the template documentation from Wikipedia here. To work around the licensing issue, we can create our own template that you would include at the bottom of the copied documentation that says the documentation comes from Wikipedia (because Wikipedia uses [[wikipedia:Wikipedia:Text of Creative Commons Attribution-ShareAlike 3.0 Unported License|CC-BY-SA 3.0]] which says our copied text must be under CC-BY-SA 3.0 ''and'' attribute Wikipedia and her editors. I can write the text for license template. Any ideas? Any opposition? If not, I'll begin in a few days. --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 00:04, 5 January 2014 (UTC)<br />
:I don't see why not. That's what I've seen done on other wikis. — '''[[User:Spydar007|<span style="color:#ff5a00;">Spydar007</span>]] [[User talk:Spydar007|<span style="color:orange;">(Talk)</span>]]''' 16:56, 18 January 2014 (UTC)<br />
<br />
== Category Security Researchers==<br />
Hi all! i've created the category Security Researchers in order to cut down on the pages categorized as hackers as it apparently needs to be more exclusive. i've been adding the less known or inactive hackers from the hacker page but have not removed them from the hackers page. I feel that it should be a vote on who gets removed from the hackers page so my first suggestion is [[User:Fallensn0w]] as he has been inactive for a very long time and didn't do a lot in the first place. --[[User:Ph0enix|Ph0enix]] ([[User talk:Ph0enix|talk]]) 15:57, 22 February 2014 (UTC)<br />
<br />
== Email notifications? ==<br />
Is it possible to get emailed when a watchlist page changes? I'd love that feature. [[wikipedia:mw:Manual:Configuration settings#Email notification (Enotif) settings|This looks relevant]]. --[[User:Beej|beej]] ([[User talk:Beej|talk]]) 08:02, 27 June 2014 (UTC)<br />
<br />
== Ambiguous names ==<br />
I feel like the names for [[Symlinks]] and [[Symbolic Link Vulnerability]] is a bit too ambiguous. Now, I don't anticipate there being much confusion, particularly since nobody really cares about 1.x anymore, but I would like to make the distinction clearer. I think both articles should be renamed, but I have no idea on what to rename them to (or even if you guys approve). I thought of using the CVE ID, but Apple doesn't provide one for [[Symlinks]] (or even any indication that they fixed it). ([[Symbolic Link Vulnerability]] was assigned CVE-2013-5133.) --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 17:51, 2 July 2014 (UTC)<br />
:They are referred to as the Symbolic Link by people like MuscleNerd and iH8sn0w so, in my opinion, they should be kept as their current names. — '''[[User:Spydar007|<span style="color:black;">Spydar007</span>]] [[User talk:Spydar007|<span style="color:gray;">(Talk)</span>]]''' 18:06, 2 July 2014 (UTC)<br />
::I don't mind if one of them keeps their current name, but there should be something to make the distinction clearer. --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 01:13, 3 July 2014 (UTC)<br />
<br />
== IRC Channel on Freenode ==<br />
Howdy iphonewiki folks, I have #theiphonewiki registered on freenode, and am ready to have people come in (it's been ages since this idea has been brought up). Shall we open it? I'd like to get some ops in there to help out. --[[User:Haifisch|Haifisch]] ([[User talk:Haifisch|talk]]) 05:48, 6 July 2014 (UTC)<br />
<br /><br />
I think we should make an IRC channel for this wiki. It can be either #theiphonewiki or #iphonewiki on freenode. The channel would be used for discussions, such as the TLC of the Jailbreak page for example. It would make getting things sorted a lot easier, since we could just ping each other different ideas. I know this idea was made before, but the channel never really got anywhere. What do you guys think of this idea? We would need to decide who has founder, op and voice etc. on the channel here. — '''[[User:Spydar007|<span style="color:black;">Spydar007</span>]] [[User talk:Spydar007|<span style="color:gray;">(Talk)</span>]]''' 06:58, 6 July 2014 (UTC)<br />
: This is idiotic. You just want to do it yourself cause you want power. We won't help you feed your ego. --[[User:Goeo|goeo_]] ([[User talk:Goeo|talk]]) 19:43, 6 July 2014 (UTC)<br />
:: You have never edited on this wiki in your life before so STFU. — '''[[User:Spydar007|<span style="color:black;">Spydar007</span>]] [[User talk:Spydar007|<span style="color:gray;">(Talk)</span>]]''' 05:48, 7 July 2014 (UTC)<br />
: Being that I own #theiphonewiki, the original channel in which the wiki's channel was going to be on, I have control over who's moderating the channel. One op will be me, I have 3+ years of IRC moderation experience (To be honest, Is this even CV worthy? :P) we can choose the other operators when the channel becomes somewhat popular. ps. Why make two topics for this? --[[User:Haifisch|Haifisch]] ([[User talk:Haifisch|talk]]) 08:03, 6 July 2014 (UTC)<br />
:: That most definitely is CV worthy. I've seen Spydar007 moderate a channel, it crashed in a week or so. Not to mention the channel wasn't even his, and he kinda took it over anyway. --[[User:Goeo|goeo_]] ([[User talk:Goeo|talk]]) 19:43, 6 July 2014 (UTC)<br />
::No, no, no. The community decides. Juts because Farahtwiggy asked you to register it before, doesn't mean you get to be an op there now. This was my idea (Dialexio can vouch). You have no control over who are ops there. {{unsigned|Spydar007|04:11, July 6, 2014 (UTC)}}<br />
::: One "no" is enough. Farah, really, doesn't have much (if anything) to do with this, the channel was registered a year ago. Your childish response above does not show me that you can handle owning the channel, nor do the rumors of you abusing channel control in your personal channel. It's really not your idea, it may have just now come to your mind, but adaminsull and I have gone through this whole deal before (one year ago). Join me on #theiphonewiki if you'd like to chat this out. --[[User:Haifisch|Haifisch]] ([[User talk:Haifisch|talk]]) 08:22, 6 July 2014 (UTC)<br />
::::I don't know what's happening off of the wiki so I might only have part of the picture. I definitely don't see Haifisch as trying to steal credit for this idea, which actually was brought up about ages ago. I'm not much of an IRC guy, so my opinion might not have that much weight for a lot of this discussion, but I feel that the channel would be better in Haifisch's hands given his experience. Ownership/management/whatever for the IRC channel should certainly be open for discussion though. I really don't care too much about whoever gets to run it, as long as the person is someone that the community knows, respects, and trusts. (Same goes for the channel ops.) --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 17:42, 6 July 2014 (UTC)<br />
:It does not sound like a good idea to have an IRC channel for this wiki. It is useful for discussion of this wiki's articles to continue to be be done publicly on the wiki (on the appropriate talk pages), so that everyone interested in the wiki can easily contribute to the discussion, and so that there is a well-organized public record of discussions that we can all easily refer to. IRC channels are also very fertile breeding grounds for social conflicts and unhappiness (as we've seen already), which is helpful to skip. In any case, this should be discussed at [[The iPhone Wiki:Community portal]] instead of here - this page is for discussing modifications to the Main Page, and that one is for general discussions about TheiPhoneWiki. [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 09:46, 7 July 2014 (UTC)<br />
<br />
== Moving to Canada ==<br />
I'm moving this server in the next few days to a quality server in Canada. It'll be running inside a VM, so I'll also look into giving admins more access. Hopefully the periodic outages will stop. Maybe I'll add some SSL certs. --[[User:Geohot|geohot]] ([[User talk:Geohot|talk]])<br />
:Nice, thanks! HTTPS would be great. --[[User:Britta|Britta]] ([[User talk:Britta|talk]]) 21:08, 14 August 2014 (UTC)<br />
::So we're not in canada yet?--[[User:Awesomebing1|Awesomebing1]] ([[User talk:Awesomebing1|talk]]) 20:32, 30 August 2014 (UTC)<br />
You should all be in Canada now, with 8&nbsp;GiB of Canadian RAM. We also have [https://theiphonewiki.com/wiki/Main_Page HTTPS], but it avoids the [[wikipedia:Squid (software)|Squid proxy]]. It's fine for people making edits but I don't plan on changing the default anytime soon. --[[User:Geohot|geohot]] ([[User talk:Geohot|talk]]) 04:43, 2 September 2014 (UTC)<br />
:Yay! Thanks as always George! Any plans on adding back SSH? There's a few things I'd love to have done. --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 21:40, 2 September 2014 (UTC)<br />
::Thanks [[User:Geohot|geohot]]! Hopefully now there will be less downtime ;p --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 07:41, 3 September 2014 (UTC)<br />
:Sweeeeeeeet. :D --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 15:16, 3 September 2014 (UTC)<br />
<br />
==iPhone serial cable==<br />
Could somebody document how to use uart cable (i.e. setup, bitrate, ...) ? Some intructions are available at [http://www.instructables.com/id/Apple-iOS-SerialUSB-Cable-for-Kernel-Debugging/ instructables]. Can two iPhones' serial inputs be connected to each other (i.e. TX of 1st iPhone to RX of 2nd and RX of first to TX of second) and minicom used on one of them to connect to /dev/uart.iap such that no USB to 3.3V TTL (FT232RL in the link) would be needed provided that you already have multiple iDevices with dock connector {{unsigned|Danzatt|10:57, 15 September, 2014}}<br />
<br />
Bringing this topic back up, I've developed an open source package for iPhone (30pin) serial that doesn't used the PodBreakout that has been discontinued for a while now. Would it be alright to document how to setup/use the boards here? I'm just unsure if this is the appropriate place for it. --[[User:Haifisch|Haifisch]] ([[User talk:Haifisch|talk]]) 03:45, 2 May 2015 (UTC)<br />
<br />
:[[User:Haifisch]], that sounds fine to me - it's iPhone-related, which is the the theme of this wiki. [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 09:53, 14 May 2015 (UTC)<br />
<br />
== Original iPad mini name ==<br />
Seeing as we use (at least mostly) "iPhone" instead of "iPhone 2G" and "iPod touch" instead of "iPod touch 1G", I feel we should change how we reference the original iPad mini. The reason for adding the "1G" was because of the name conflict between pages. But we could probably fix that by moving [[iPad mini 1G]] to, say, [[iPad mini (first generation)]]. --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 03:04, 17 October 2014 (UTC)<br />
:Sounds good to me. "iPad mini (1st generation)" is fine, but for the sake of length I would go with either "iPad mini" or "iPad mini 1." --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 03:27, 17 October 2014 (UTC)<br />
::Agreed. "iPad mini" would follow the other 1st generation devices page. — '''[[User:Spydar007|<span style="color:black;">Spydar007</span>]] [[User talk:Spydar007|<span style="color:gray;">(Talk)</span>]]''' 04:56, 17 October 2014 (UTC)<br />
:::I also think this is a good idea because of how Apple is listing it like that too. I would say use "iPad mini". Another thought I did have is that it might confuse people with [[iPad mini]] and making them think that it is the page to list all the mini's. To correct this, I would suggest [[iPad mini (1st Generation)]] and roll that out across iPod touch, iPad and iPhone too. Just thought I'd put that out there to see what others think. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 10:14, 19 October 2014 (UTC)<br />
::::I feel "iPad mini (1st Generation)" is too long. "iPad mini" is fine IMO. — '''[[User:Spydar007|<span style="color:black;">Spydar007</span>]] [[User talk:Spydar007|<span style="color:gray;">(Talk)</span>]]''' 05:30, 20 October 2014 (UTC)<br />
:::::Except that "[[iPad mini]]" already exists. It's the overview page for the iPad mini, just as [[iPad]] is for iPads, [[iPhone]] for iPhones, and [[iPod touch]] for iPod touches. --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 20:06, 20 October 2014 (UTC)<br />
::::::If we do this, I suggest doing it for iPad, iPhone and iPod touch too. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 20:43, 20 October 2014 (UTC)<br />
:::::::I disagree. I like the usage of "iPod touch 2G", "iPod touch 3G", etc. Sure, drop the "1G" from the original iPad and iPod touch (and "2G" from the original iPhone), but don't change anything else. Unless we can come up with something other than "[[iPad mini (1st generation)]]", we should use that though. However, I don't like that title as it would look inconsistent with other devices. Wikipedia uses the parentheses to separate pages that would have the same name, but are about different topics. --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 22:06, 20 October 2014 (UTC)<br />
::::::::The only problem is that we can't use [[iPad mini]] for it's current purpose and the first generation. I would also suggest anything that is changed would be consistent throughout all of the devices. That is why I liked the [[iPad mini (1st generation)]] idea but then again, would not be good if it is not like that for all devices. I like [[iPad mini (1st generation)]] because it is how Wikipedia lists it and to be honest, it avoids confusion. There is one other idea I can think of but not sure I even like it that much, [[iPad mini (original)]]. This again should be for iPad, iPod touch and iPhone if we do this. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 22:35, 20 October 2014 (UTC)<br />
<br />
== Mobile Stylesheet == <!-- Don't move this to archive as can be used for anyone to add suggestions for changes on mobile. --><br />
I was thinking recently, if [[User:Geohot|geohot]] agrees to accept it, that I could make a mobile.css file in order to attempt to make a few changes to the site on mobile. This would make it so that it would not be so ugly and if possible, the text might be easier to read. What would everyone think about this? For one thing, I'd like to mobile the "Log out" off the black part of the screen and put it near the "Contributions" button or thereabout. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 10:37, 7 January 2015 (UTC)<br />
:Instead of a mobile stylesheet to hack up the skin more (like the <code>ios6</code> and <code>ios7</code> skins do), I would create a whole new skin. I could write the PHP and JavaScript, and you can write the CSS. --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 17:04, 7 January 2015 (UTC)<br />
::If you mean a skin just for mobile, that would be ok but not sure how you could make it selectable with a mobile device but not on desktop. If you could do this, it could work but personally I think a mobile.css would be easier since it has to be previewed in the iOS simulator (that's the way I do it). I couldn't say I'd edit a page without being an admin (unless it's made that I could). --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 17:35, 7 January 2015 (UTC)<br />
::I was going to mention that MediaWiki includes a sorta-mobile theme called Chick, but it seems that's [https://gerrit.wikimedia.org/r/#/q/Ia6d73c2deb9428d2,n,z long gone]. MW's changed a lot since I used it, but the way it worked was it subclassed MonoBook (so there was no need to duplicate the HTML template) and swapped its CSS for its own ([https://upload.wikimedia.org/wikipedia/mediawiki/f/f6/Dantman-Skin-chick.png screenshot]).<br>Come to think of it, whoa, I even wrote my own skin called [https://github.com/kirb/iWiki iWiki]. Was never updated for MW 1.17, which made breaking changes to the skin API. I probably won't have the time to update it, but maybe someone else could? [[User:Thekirbylover|kirb]] ([[User talk:Thekirbylover|talk]]) 09:01, 8 January 2015 (UTC)<br />
:I think this is a great idea, since this is actually a wiki about mobiles. No idea why it hasn't been done already. — '''[[User:Spydar007|<span style="color:black;">Spydar007</span>]] [[User talk:Spydar007|<span style="color:gray;">(Talk)</span>]]''' 15:17, 8 January 2015 (UTC)<br />
::| There is a mobile pluggin for Media Wiki that will make it look very nice [[User:Mwoolweaver|MWoolweaver]] ([[User talk:Mwoolweaver|talk]]) 07:22, 1 February 2015 (UTC)<br />
:::I completed this a while ago but forgot to comment about it. If anyone has any improvement requests, feel free to list them and I'll take a look. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 11:07, 24 April 2015 (UTC)<br />
<br />
== Apple Watch ==<br />
I've added the [[Apple Watch]] using that page to most devices. I was thinking this morning that it should be moved to [[Apple Watch 1]] an have [[Apple Watch]] as a page like [[iPhone]] etc but then thought that I'd wait to see if there is a second generation some time and if there is, move it then. What does everyone think? I don't mind either way but wanted others opinions. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 11:07, 24 April 2015 (UTC)<br />
<br />
== Bite-sized editing tasks ==<br />
<br />
It seems fun to make a list of relatively easy useful edits that new editors can do who are interested in helping, maybe at [[The iPhone Wiki:Bite-sized editing tasks]] or a similar page, and link it from the homepage here. I'd include the following as a start:<br />
<br />
* Look at the list at [[Special:LonelyPages]] and figure out whether some of those pages should be linked within other pages on the wiki, and then go link them.<br />
* Check the links at [[Useful Links]] and remove broken/outdated sites and add relevant new sites (but don't spam your own stuff).<br />
* The iOS version table at [[SHSH]] should be listed in reverse-chronological order, with newest versions first instead of oldest versions first.<br />
* If you run into a scam site, add it to the table at [[Scam Jailbreaks and Unlocks]].<br />
* If you're reading an article and some part of it is confusing to you, post a message on the "talk" page (click the "Discussion" tab at the top of the article) explaining your question or what you found confusing, so that other editors can use this as a suggestion for improving the article.<br />
<br />
Ideas? Opinions? [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 09:31, 14 May 2015 (UTC)<br />
<br />
== How to report problems ==<br />
<br />
I saw people concerned on Twitter about the skin! Like iAdam1n said on Twitter, saurik just got a copy of the settings, images, and database from geohot and put them into a new site with an upgraded version of MediaWiki; he's asking geohot for a copy of the skin files. In general if you see problems or have requests for new extensions or other changes, it's totally fine to post them here and I'll see them and ask saurik to check it out. If something is more immediate and doesn't need discussion (like something missing, major errors, mysterious downtime, etc.), you can PM me or saurik on IRC (his IRC server is best, irc.saurik.com). Maybe good to post here too in those cases (if the site isn't down at the time) so other people know he's been alerted. [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 18:44, 14 May 2015 (UTC)<br />
<br />
More about how to report more immediate problems (or problems that require some level of privacy, such as a major security issue or "Britta has gone rogue") - if you don't use IRC, emailing me is also fine (britta@saurikit.com). Emailing saurik (saurik@saurik.com) won't be seen as quickly, but if you write a meaningful subject line (like "TheiPhoneWiki is giving error 403 upon login right now" or "Britta is putting glitter sparkle GIFs all over TheiPhoneWiki"), it'll likely be seen. Moving to a new server/admin can have some adjustment bumps but they can be fixed! [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 03:03, 15 May 2015 (UTC)<br />
<br />
== SSL Problems ==<br />
<br />
Maybe SSL is not fully/officially supported (yet), but there are a few issues that should get fixed:<br />
*SSL3 is enabled and must be turned off (POODLE attack)<br />
*weak signature: make sure to get SHA2 when you renew certificate (current one expires 4 Sept 2015)<br />
*RC4 cipher is accepted, please disable<br />
*PFS not always preferred cipher, for example when using IE10 on Win7<br />
Thanks!<br />
--[[User:Http|http]] ([[User talk:Http|talk]]) 20:27, 14 May 2015 (UTC)<br />
<br />
:OK, saurik worked on this and it should be fine now other than that the current certificate from geohot is SHA1. [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 08:54, 15 May 2015 (UTC)<br />
<br />
::Excellent, thanks! If you want to improve even further, consider HSTS and maybe HPKP too. But I'm happy already now. --[[User:Http|http]] ([[User talk:Http|talk]]) 12:17, 15 May 2015 (UTC)<br />
<br />
== Apple internal content on the Wiki ==<br />
<br />
I want to know what people think about having internal content on the Wiki. Some of the current content definitely needs some cleaning up and general editing. Should we publish information about internal firmwares? And is it okay to upload pictures of prototypes? Feel free to ask more questions. --[[User:Srb21103|Srb21103]] ([[User talk:Srb21103|talk]]) 05:08, 18 May 2015 (UTC)<br />
<br />
:Looking through [[The iPhone Wiki:Ground rules]], it says "No posting of copyrighted material. Anything that could legally get us in trouble should not be posted, ever." I'm not sure what other precedent here has been. [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 10:31, 18 May 2015 (UTC)<br />
<br />
== JailbreakCon mini-talks ==<br />
<br />
Hi wiki people! I'm working on gathering people to do mini-talks (5-10 minutes) for [[JailbreakCon]] in June in San Francisco, and it would be cool to have some more people speaking who contribute to the community in ways other than tweak development. Work other than development is important work too, such as documentation. If anyone who has put some effort into improving TheiPhoneWiki can attend and would like to give a mini talk about working on the wiki, let me know via [http://www.jailbreakcon.com/#contact the contact form on the site]. [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 00:35, 26 May 2015 (UTC)<br />
<br />
== [[File System Crypto]] ==<br />
<br />
I just added Zdziarski's blog to the wiki (with his permission). I would recommend to take this apart and make multiple sub-articles, like an article for [[BAGI]], another one for [[Dkey]], etc. and on the page [[File System Crypto]] itself, just write the overview, similar to what we have on page 16 of the Sogeti document (wasn't there a newer graphic somewhere?) with some short description. --[[User:Http|http]] ([[User talk:Http|talk]]) 22:11, 9 June 2015 (UTC)<br />
<br />
== Video links about internal [[Factory Firmware]] ==<br />
It is okay and safe from troubles to put YouTube video links about internal [[Factory Firmware]] in the dedicated page, to see how those changed through iOS versions ? Those videos are https://www.youtube.com/watch?v=hWgs1r4LEgQ (iOS 4) and https://www.youtube.com/watch?v=sghs_gICQUU (iOS 5). --[[User:ShadowLee19|ShadowLee19]] ([[User talk:ShadowLee19|talk]]) 09:22, July 12, 2015}}<br />
<br />
: I don't see a problem, as I've talked to [[User:EverythingApplesPro|EverythingApplesPro]] and confirmed that the prototypes were obtained legally. However, you should probably email him and ask him, since those are his videos. Also, someone else might have a different opinion, so please don't rely on my opinion. --[[User:Awesomebing1|Awesomebing1]] ([[User talk:Awesomebing1|talk]]) 4:42 pm, 12 July 2015, Sunday (9 days ago) (UTC−4) <br />
<br />
:: I will ask [[User:EverythingApplesPro|EverythingApplesPro]] before add his videos links. I'm still confused about "legally obtained". The two first videos, https://www.youtube.com/watch?v=hWgs1r4LEgQ (iOS 4) and https://www.youtube.com/watch?v=sghs_gICQUU (iOS 5) are made and uploaded by me, but devices used aren't prototypes, internal or factory devices. They are production ones which I've restored an internal [[Factory Firmware]] using Limera1n BootROM exploit. Devices are of course legally obtained, but it's hard to say for internal factory firmware bundles, because I got them from someone, who got them from someone, who got them from someone and so. I don't know how they have been leaked, in a legal way or not. I doubt about how all those prototypes, factory devices or internal software could be "legally obtained", unless on is packed by accident in a legally bought box in an Apple store or any other retail store. That's the main reason why I'm asking this question before put YouTube video links about internal devices and software. It is even okay and safe from troubles to upload videos on YouTube about those internal devices and software ? I would like to be 100% sure, I don't want me and or TheiPhoneWiki to get in trouble for that. --ShadowLee19<br />
<br />
::: There really isn't a legal way to obtain prototypes without being an Apple Employee with very very specific permissions to have it. I would bet money that his devices he has are just like production devices but they have not been restored to a production firmware, instead they have been restored with the factory unit testing firmware (e.g., NonUI, and whatnot) and were never flashed to stock before leaving the factory. I would be '''very''' surprised if any real prototypes got out after the Gizmodo leak, they have since improved on locking down those devices internally. Just because the serial number isn't a production serial doesn't mean it's a prototype, serials are very easy to change by modifying the SysCfg. --[[User:Haifisch|Haifisch]] ([[User talk:Haifisch|talk]]) 7:18 pm, 12 July 2015, Sunday (9 days ago) (UTC−4)<br />
<br />
:: I'm sorry, this is another case where I skim over links and think they are all the same. I've verified an iPhone 6 that was from Verizon. I must have thought they were all on te same iPhone 6. I agree with both Haifisch and Britta. --[[User:Awesomebing1|Awesomebing1]] ([[User talk:Awesomebing1|talk]]) 7:33 pm, 12 July 2015, Sunday (9 days ago) (UTC−4)<br />
<br />
:It seems fine to me to link to them, since they're publicly available on the web; no permission required for that sort of thing. Most pages have an "External links" section at the bottom, which is nice for adding links to off-wiki resources. [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 5:15 pm, 12 July 2015, Sunday (9 days ago) (UTC−4)<br />
<br />
== Using "Beta" instead of "b" for Beta Firmwares ==<br />
I've been thinking for some time that we should really be using "Beta" instead of just "b" in beta firmwares. An example would be change "9.1b3" to "9.1 Beta 3". This is how Wikipedia does it and I much rather this because it is clearer IMO. What does everyone else think? Although this would be a lot of work converting all the entries, I'm willing to do it if nobody objects. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 19:46, 3 October 2015 (UTC)<br />
:I said this on Twitter, but I don't really care if this change is made. Personally, I prefer the "b," but using "Beta" would look fine. --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 03:28, 4 October 2015 (UTC)<br />
::If nobody disagrees, I'll start on Wednesday, 7th October. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 21:28, 4 October 2015 (UTC)<br />
:I have no problem with this except for [[Beta Firmware]] and [[Firmware Keys]]. Changing those from "b" to "beta" would take up too much space. Also, I'd prefer "beta" be lowercased, but that's just me. --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 23:06, 4 October 2015 (UTC)<br />
::I don't actually think it would take up too much space since it's only an extra 5 characters per iOS. "Beta" or "beta" doesn't matter really, I don't mind with or without a capital. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 23:15, 4 October 2015 (UTC)<br />
:::Yeah, nevermind. --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 23:22, 4 October 2015 (UTC)<br />
::::As far as I can tell (this is actually hard to find where used without checking all pages but checked the most obvious), this is now complete. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 06:20, 22 October 2015 (UTC)<br />
<br />
== -AP idenifiers ==<br />
As we all know (hopefully), the wiki has used lowercase letters for the "-AP" device identifiers (e.g. n90ap, p101ap). I would like to rename all instances to use the proper case— that is, the first letter and "AP" are capitalized (e.g. N90bAP, P101AP, N72AP). Does everyone else approve of this? I recall discussing this a while back and the decision was to use/keep lowercase letters, but seeing something like "k93aap" looks weird when Apple uses "K93aAP" in most areas, save for firmware file names. --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 03:28, 4 October 2015 (UTC)<br />
:I've always wanted to use the correct naming like this proposal so I'd be more than happy for the change. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 06:23, 4 October 2015 (UTC)<br />
::This has now been completed. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 10:07, 16 October 2015 (UTC)<br />
<br />
== iOS 9.1 beta 4 build number? ==<br />
Apparently the build number for iOS 9.1 beta 4 on the wiki is 13B5136, but the number shown on my iPod touch 6G is 13B136. Can anyone else confirm this on their device before making any changes to the wiki?<br />
--[[User:Tp1194045441|Tp1194045441]]([[User talk:Tp1194045441|talk]]) 21:26, 6 October 2015 (UTC)<br />
:The 5 is just a false number to get people from beta 3 to beta 4 via OTA. You have the developer IPSW real version. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 21:57, 6 October 2015 (UTC)<br />
<br />
== The iPhone Wiki SEO ==<br />
I checked the page's SEO score and is pretty low. As I'm a webmaster and I work in Web design, I can help with SEO for this community, for FREE. I would like to hear the opinion of one of the admins. --[[User:GeoSn0w|GeoSn0w]]([[User talk:GeoSn0w|talk]]) 21:26, 10 October 2015 (UTC)<br />
:Out of curiosity, what do you feel could be changed? (I know nothing about SEO) --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 06:54, 17 October 2015 (UTC)<br />
<br />
== San Francisco banner ==<br />
I like the current, Myriad Set Pro-based banner. However, I started thinking that it'd probably be better to typeset "The iPhone Wiki" in San Francisco instead, since that's what Apple's using in iOS. I came up with two variations for font weight, and then with and without a period at the end. (It's not needed/warranted, but I thought it added a nice extra touch.) If this sounds good, which variation do you think looks best? [https://pbs.twimg.com/media/CRaQh9PVAAAvfRP.png:large [A<nowiki>]</nowiki>] [https://pbs.twimg.com/media/CRcy9JEUcAECyzU.png:large [B<nowiki>]</nowiki>] [https://pbs.twimg.com/media/CRcy9VTU8AA8Q6X.png:large [C<nowiki>]</nowiki>] [https://pbs.twimg.com/media/CRcy9ehXIAE7AM2.png:large [D<nowiki>]</nowiki>] [https://pbs.twimg.com/media/CRjjvhkWIAER4ao.png:large [E<nowiki>]</nowiki>] --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 16:04, 16 October 2015 (UTC)<br />
:I really like A. However, C is a runner up. It kinda depends on which part we are focusing on most. Are we focusing on iDevices, or a Wiki more? For that, I have no answer. Of course, that's just my opinion. --[[User:Awesomebing1|Awesomebing1]] ([[User talk:Awesomebing1|talk]]) 02:38, 17 October 2015 (UTC)<br />
:Nice! However, for number B, the period's font weight is a bit too heavy. Was it bolded? --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 06:53, 17 October 2015 (UTC)<br />
::I like this idea and would choose either A or B. I don't personally mind which of those are used. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 08:55, 17 October 2015 (UTC)<br />
::B's period actually uses the regular font weight (same as "iPhone"). I was thinking that it looked a little too heavy too… So I came up with [https://pbs.twimg.com/media/CRjjvhkWIAER4ao.png:large [E<nowiki>]</nowiki>]. (Also, I know the mockups have varying font sizes. Don't read too much into that; I'll match the font size with the current banner when we decide on a variation.) --[[User:Dialexio|Dialexio]] ([[User talk:Dialexio|talk]]) 23:29, 17 October 2015 (UTC)<br />
<br />
== Changing [[Apple TV]], [[iPad]], [[iPad mini]], [[iPhone]] and [[iPod touch]] ==<br />
I'd like to propose that we changes these pages to [[List of Apple TVs]], [[List of iPads]], [[List of iPad minis]], [[List of iPhones]] and [[List of iPod touches]] as this would be better and more correct. This would also free up [[iPad mini]] for [[iPad mini 1G]] so we could be consistent and drop the "1G" as none of the other devices that use "1G" on this wiki. I'd be prepared to do it all so nobody woud have to do anything (unless you want to of course). I'll go ahead and start this on Thursday, 12th November if nobody has any objections. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 11:30, 9 November 2015 (UTC)<br />
:This is has been completed apart from talk topics and user pages in which the author should fix those. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 11:59, 14 November 2015 (UTC)</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=Malware_for_iOS&diff=49831Malware for iOS2015-11-21T19:21:31Z<p>Britta: removing extra line</p>
<hr />
<div>This is a list of known malware (including spyware, adware, trojans, viruses, worms, and similar tools) that have targeted iOS, including jailbroken iOS. The dates are approximate dates when people discovered, publicized, or started discussing the tool. '''You can help expand this article with more examples and details. To edit it, [[The iPhone Wiki:Account creation|request an account on TheiPhoneWiki]].'''<br />
<br />
The goal of this list is to aid better understanding of the risks of using iOS and jailbroken iOS - it's helpful to have as much accurate information as you can. If you're concerned about avoiding malware on your jailbroken device, check out [https://www.reddit.com/r/jailbreak/wiki/howtoresearch this guide to making informed guesses about whether packages are reasonable to install].<br />
<br />
Some context: <br />
* Some of these tools targeted old iOS versions and do not work on current iOS versions.<br />
* Some of these are harmful and some are merely annoying.<br />
* Many of these require the device to be jailbroken, and some work on non-jailbroken devices (including via [[misuse of enterprise and developer certificates]]).<br />
* Cydia is an open platform - it includes a specific set of default repositories, and it also allows users to type in any third-party repository that they want to use (much like a web browser that allows you to visit any website). Anyone can run a third-party repository and distribute any software they choose to distribute.<br />
* Some of these tools are built to target specific people instead of the general public.<br />
* Especially for malware that targets a specific person and requires the device to be jailbroken (such as commercial spyware tools used by governments and [http://www.forbes.com/sites/sarahjeong/2014/10/28/surveillance-begins-at-home/ people spying on family members]), it's important to consider that ''the vulnerabilities in iOS that allow it to be exploited with a jailbreak'' are part of what allows that malware to exist - the process may include finding a way to secretly jailbreak the target's device if it's not jailbroken already.<br />
<br />
For an earlier list of known malware, see [https://blog.fortinet.com/post/ios-malware-does-exist "iOS Malware Does Exist"] (June 2014).<br />
<br />
== Tools found in the wild that target the public ==<br />
<br />
=== iKee and Duh (November 2009) ===<br />
<br />
The [[Ikee-virus]] (also called Eeki) is a worm transmitted between jailbroken devices that have OpenSSH installed and haven't changed the default root password. It changes the lockscreen background to a photo of Rick Astley.<br />
<br />
Two weeks later, the similar [https://nakedsecurity.sophos.com/2009/11/23/lightning-strikes-iphone-malware-malicious/ Duh worm] spread, which was "much more serious than the original Ikee worm because it is not limited to infecting iPhone users in Australia, and communicates with an internet Control & Command centre, downloading new instructions - effectively turning your iPhone into part of a botnet."<br />
<br />
=== "Find and Call" (July 2012) ===<br />
<br />
Find and Call was an app on the App Store that automatically uploaded users' contact lists to the company's server, then spammed those contacts with a link to the app ("from" that user). This undisclosed, unwanted behavior makes the software fit the definition of a trojan. Articles: [https://securelist.com/blog/incidents/33544/find-and-call-leak-and-spam-57/ Kaspersky SecureList], [http://arstechnica.com/apple/2012/07/find-and-call-app-becomes-first-trojan-to-appear-on-ios-app-store/ Ars Technica], [https://nakedsecurity.sophos.com/2012/07/06/find-call-ios-android-malware/ Sophos NakedSecurity]. It is also called FindCall.<br />
<br />
=== Packages by Nobitazzz (August 2012 and September 2013) ===<br />
<br />
A tweak developer who went by various names (Felix, FelixCat, isoftjsc, Martin Pham, Nitram88, Nobitazzz, Nobita.ZZZ, Sara_Nobita, sara_nobita_zzz, tuyentq2009, vietSARA) included adware in his tweaks. These were many free packages along with some paid packages sold via the Cydia Store, mostly distributed by default repositories (until the problem was discovered). The adware ran ads in the background of iOS, displaying off-screen so that the user wouldn't notice them, with the revenue from those ads going to this tweak developer. This was [http://modmyi.com/forums/cydia-support/810633-new-adware-malware-found-cydia.html first reported in August 2012 on the ModMyi forum] and [http://ryanhileman.info/posts/webgl analyzed in September 2013] ([https://www.reddit.com/r/jailbreak/comments/1n5702/anatomy_of_a_jailbreak_trojan/ discussion on Reddit]).<br />
<br />
Packages by this developer included: Animated ICS LockScreen & HomeScreen, BetterChrome, Chrome Download Enabler, ChromeMe, Enable Copy text in Facebook app, Enable WebGL, Facebook Photo Library integration, FacebookThis, Handwriting recognition, Insta9gag, InstaFacebook for NotificationCenter, Instagram Image saver, InstaSocial for Notification Center, InstaTwitter for NotificationCenter, iOS 6 Photos Menu, Make Gmail as default, Notification Lunar Calendar, Olympic 2012 Medal for Notification Center, PhotoFilters, Sara, Sara Dictation Keyboard, VoiceTweet.<br />
<br />
=== AdThief/Spad (March and August 2014) ===<br />
<br />
AdThief (also called Spad) is malware targeting jailbroken iOS devices, which "tweaks a developer ID that’s intended to tell ad developers when their ads are either viewed or clicked and in turn, generate revenue. In the malware’s case, infected devices funnel those small payments away from the developers to the hacker", as [https://threatpost.com/adthief-ios-malware-affecting-75k-jailbroken-devices/107907 explained by Kaspersky Threatpost]. Security researchers estimated it had infected 75,000 devices.<br />
<br />
=== Unflod (April 2014) ===<br />
<br />
[[Unflod]] is a malicious piece of software targeting jailbroken iOS devices, which attempts to capture the user's Apple ID and password by using MobileSubstrate to hook into the SSLWrite function of Security.framework and then listening to data passed to it. Once the Apple ID and password are captured, it is sent to a Chinese IP address. It was inadvertently discovered by a Reddit user on April 17th, 2014. Also called "Unflod Baby Panda" and "SSLCreds".<br />
<br />
=== AppBuyer (September 2014) ===<br />
<br />
AppBuyer, as discussed in [http://researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/ this article by Palo Alto Networks], is "malware will connect to C&C server, download and execute malicious executable files, hook network APIs to steal user’s Apple ID and password and upload to the attacker’s server, and simulate Apple’s proprietary protocols to buy apps from the official App Store by victim’s identity." It targets jailbroken devices.<br />
<br />
=== WireLurker and Masque Attack (November 2014) ===<br />
<br />
As discussed at [[Misuse of enterprise and developer certificates]]: [http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/ according to Palo Alto Networks], WireLurker is "a family of malware targeting both Mac OS and iOS systems for the past six months...It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning."<br />
<br />
Masque Attacks are a related technique, also [https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html discussed by Palo Alto Networks]: "an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier."<br />
<br />
=== Xsser mRAT (December 2014) ===<br />
<br />
Xsser mRAT is a piece of malware that targets jailbroken devices. [https://blogs.akamai.com/2014/12/ios-and-android-os-targeted-by-man-in-the-middle-attacks.html As described by Akamai]: "The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server."<br />
<br />
=== Lock Saver Free (July 2015) ===<br />
<br />
Lock Saver Free is a free tweak, originally distributed on a default repository (removed from the repository after discovery of the problem), that installs an extra tweak that hooks into ad banners to insert its own ad identifier, presumably in order to give ad revenue to the author of the tweak instead of to the author of the website/app where the ad was found. [https://www.reddit.com/r/jailbreak/comments/3eis8g/news_lock_saver_free_contains_a_trojan_that/ Discussion on Reddit].<br />
<br />
=== KeyRaider (August 2015) ===<br />
<br />
KeyRaider, as discussed in [http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/ this article by Palo Alto Networks], is a piece of malware for jailbroken devices that "steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device." These security researchers said it has over 225,000 stolen accounts in its database.<br />
<br />
=== XcodeGhost (September 2015) ===<br />
<br />
XcodeGhost is a form of malware that was found in some unofficial redistributions of Xcode targeted at Chinese developers (who often download redistributed copies because official Apple download speeds are slow in China). XcodeGhost infects apps compiled with those versions of Xcode, which included at least 39 apps published in the iOS App Store. Palo Alto Networks published a series of posts about it: [http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/ original post explaining it], [http://researchcenter.paloaltonetworks.com/2015/09/malware-xcodeghost-infects-39-ios-apps-including-wechat-affecting-hundreds-of-millions-of-users/ a list of additional infected apps on the App Store], [http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/ more about its capabilities]. It adds code that can upload device and app information to a central server, create fake iCloud password signin prompts, and read and write from the copy-and-paste clipboard.<br />
<br />
=== YiSpecter (October 2015) ===<br />
<br />
YiSpecter, [http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/ also discussed by Palo Alto Networks], is malware that uses private APIs to perform malicious actions on both non-jailbroken and jailbroken iOS. It gets installed in the form of apps signed with [[Misuse of enterprise and developer certificates|enterprise certificates]]. Palo Alto Networks says "On infected iOS devices, YiSpecter can download, install and launch arbitrary iOS apps, replace existing apps with those it downloads, hijack other apps’ execution to display advertisements, change Safari’s default search engine, bookmarks and opened pages, and upload device information to the C2 server."<br />
<br />
=== Muda (October 2015) ===<br />
<br />
Muda (also called AdLord), [https://twitter.com/claud_xiao/status/653606471876263936 discussed by Claud Xiao], is a form of adware for jailbroken devices. It has been in the wild at least since October 2013. He writes "It spreads via third party Cydia sources in China, and only affects jailbroken iOS devices. Its main behaviors include to display advertisements over other apps or in notification bar, and to ask user downloading iOS apps it promoted. "<br />
<br />
=== Youmi Ad SDK (October 2015) ===<br />
<br />
This advertising SDK, mostly used by Chinese App Store developers, [https://sourcedna.com/blog/20151018/ios-apps-using-private-apis.html was discovered by SourceDNA] to be abusing private APIs in order to collect more personal information than is allowed by Apple security and privacy guidelines, including the list of apps installed on a device, serial numbers of a device and internal components, and user's Apple ID email address. Youmi exploited a weakness in App Store review process and evaded detection by obfuscating private API calls using simple string manipulation. 256 apps with estimated 1 million downloads were found to be affected, including the official Chinese McDonald's app.<br />
<br />
== Tools used by governments (and similar) to target individuals ==<br />
<br />
=== FinSpy Mobile (August 2012) ===<br />
<br />
FinFisher is a suite of commercial surveillance tools sold to governments, which have been used to target activists and other people. The suite [https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/ includes spyware tools for many mobile operating systems, including iOS].<br />
<br />
=== DROPOUTJEEP (December 2013) ===<br />
<br />
In December 2013, a conference presentation included information about a NSA tool called DROPOUTJEEP: [http://www.forbes.com/sites/erikkain/2013/12/30/the-nsa-reportedly-has-total-access-to-your-iphone/ "a software implant for the Apple iPhone that utilizes modular mission applications to provide specific SIGINT functionality. This functionality includes the ability to remotely push/pull files from the device. SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell tower location, etc. Command, control and data exfiltration can occur over SMS messaging or a GPRS data connection. All communications with the implant will be covert and encrypted.”] The information was from an internal NSA software catalog from 2008. The presenter speculated that Apple had helped build this tool, and [http://techcrunch.com/2013/12/31/apple-says-it-has-never-worked-with-nsa-to-create-iphone-backdoors-is-unaware-of-alleged-dropoutjeep-snooping-program/ Apple said it "has never worked with the NSA to create a backdoor in any of our products"].<br />
<br />
=== Hacking Team tools (June 2014 and July 2015) ===<br />
<br />
[[Hacking Team]] is a company that "sells offensive intrusion and surveillance capabilities to governments and law enforcement agencies", including iOS spyware tools. The iOS spyware tools appear designed for targeting/attacking specific people, not for broad surveillance of the public. Their main tool (Remote Control System) requires a jailbroken device, and they were researching options for non-jailbroken devices.<br />
<br />
=== Inception (December 2014) ===<br />
<br />
Inception is an "attack framework" from an unknown source that targets individuals to steal information, using phishing emails and other techniques along with malware for iOS and other mobile operating systems, described in [https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware this post by security researchers who identified it]. According to [http://images.machspeed.bluecoat.com/Web/BlueCoat/%7B7f2dda62-f240-48dc-b05e-5cc620747b73%7D_bcs_wp_The_Inception_Framework_Cloud-Hosted_APT_EN_1d.pdf the whitepaper from those security researchers], a target may receive a phishing email with a link that says it's a WhatsApp update, and if clicked on jailbroken iOS, it triggers "the download of a Debian installer package, WhatsAppUpdate.deb, also 1.2Mb in size. This application impersonates a Cydia installer, and can only be installed on a jailbroken phone" (page 23). It's unclear what they mean by "impersonates a Cydia installer", but a .deb file is the standard format for software packages installable via Cydia. The iOS malware collects the device's [[ICCID]], address book, phone number, MAC address, and other information.<br />
<br />
Another group of security researchers also identified this attack framework [http://www.cso.com.au/article/562325/sophisticated-malware-targets-execs-pcs-android-blackberry-ios-devices/ and called it Cloud Atlas].<br />
<br />
More articles: [http://appleinsider.com/articles/14/12/11/massive-sophisticated-inception---cloud-atlas-malware-infects-windows-and-android-but-cant-exploit-apples-ios-without-jailbreak Apple Insider], [http://www.forbes.com/sites/thomasbrewster/2014/12/10/iphone-android-attacks-on-diplomats/ Forbes]. There is a sample download [http://contagiominidump.blogspot.de/2014/12/cloud-atlas-inception-ios.html available via this blog].<br />
<br />
=== XAgent (February 2015) ===<br />
<br />
XAgent is a surveillance tool targeting specific people (such as people in governments, the military, and journalists) that can affect both non-jailbroken and jailbroken devices, as described in [http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/ this article by Trend Micro]. Also [http://www.pcworld.com/article/2880152/new-spyware-targets-ios-devices-steals-pictures-and-data.html covered by PCWorld].<br />
<br />
== Tools developed as part of research ==<br />
<br />
=== iSAM (June 2011) ===<br />
<br />
iSAM is a malware tool [http://link.springer.com/chapter/10.1007%2F978-3-642-21424-0_2 developed by security researchers] as a proof of concept. It affects both jailbroken and not-yet-jailbroken devices: it scans for jailbroken devices that have SSH running and the default root password, and it also includes a malicious version of the [[Star]] exploit (JailbreakMe 2.0) so it can jailbreak a device that isn't jailbroken yet.<br />
<br />
=== Instastock (November 2011) ===<br />
<br />
Charlie Miller, a security researcher, [http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/ submitted an app to the App Store called Instastock] to demonstrate "a flaw in Apple’s restrictions on code signing on iOS devices". The app was initially accepted and then pulled from the store.<br />
<br />
=== Mactans (July 2013) ===<br />
<br />
At the Black Hat 2013 conference, security researchers presented a tool called Mactans, a small device that looks like a charger but [http://www.zdnet.com/article/researchers-reveal-how-to-hack-an-iphone-in-60-seconds/ can insert malware if you plug an iOS device into it]. The iOS device does not have to be jailbroken.<br />
<br />
=== Jekyll (August 2013) ===<br />
<br />
At the USENIX Security Symposium in 2013, security researchers described a method for getting a malicious app approved for the App Store, [http://www.theguardian.com/technology/appsblog/2013/aug/19/ios-malware-apple-iphone-ipad-jekyll "created with remotely-exploitable vulnerabilities built in, masked by legitimate features to evade detection during the App Store approval process, but ready to be triggered once the app was installed on an iOS device."] They successfully got an app approved for the App Store with this method (which [http://arstechnica.com/security/2013/08/seemingly-benign-jekyll-app-passes-apple-review-then-becomes-evil/ "was only active for a few minutes following its launch in March, and during that time it wasn't installed by anyone not involved in the experiment"]).<br />
<br />
=== XARA attacks (June 2015) ===<br />
<br />
Security researchers found methods for "cross-app resource access" (XARA) attacks on OS X and iOS, and they submitted malicious proof-of-concept apps to the Mac and iOS App Store. Apple approved the apps, and the researchers immediately removed them from the stores. These XARA attacks were ways of bypassing the sandboxes that are supposed to prevent an app from accessing files that don't belong to that app, [https://drive.google.com/file/d/0BxxXk1d3yyuZOFlsdkNMSGswSGs/view described by the security researchers in a paper]. [http://arstechnica.com/security/2015/06/serious-os-x-and-ios-flaws-let-hackers-steal-keychain-1password-contents/ Ars Technica article].<br />
<br />
=== NeonEggShell (August 2015) ===<br />
<br />
[http://neoneggplants.com/projects/neoneggshell/ NeonEggShell] is a command shell creation tool for iOS and OS X. The author says "This project is a proof of concept way to demon strate how easy it is to take over a whole device with a piece of code no bigger than a twitter post." The project includes tools for making payloads for jailbroken iOS, with features such as keylogging and location tracking. By default, the tool includes a "prompt that asks for permission before allowing any connection to the remote server."<br />
<br />
== Tools for sale to the public to target individuals ==<br />
<br />
=== 1mole ===<br />
<br />
[http://www.bosspy.com/user/iphoneos.aspx 1mole] is a spying tool available to the public via their own repository, authored by Bosspy. It describes itself [http://www.bosspy.com/user/default.aspx on its website] as "For Parents" ("Have your children going home after school? Consult their GPS position to be sure."), "For individuals" ("You think about your lost or stolen mobile phone."), and "For Employers" ("Install the software on your business phones and locate them in real time"). Its feature list includes "Track GPS locations" and "Capture the lock sreen passcode" for free, and "Record text messages", "Log Calls details", "Website monitoring", and "Keylogger" as paid services.<br />
<br />
=== Copy9 ===<br />
<br />
[http://cydia.saurik.com/package/com.goldenspy.copy9/ Copy9] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Copy9. It describes itself as "will be installed on target iDevice to find out a thief, cheating spouses, monitor chidren/employees or simply backup data from your devices to our cloud server. This is the best spyware on the world in spying field." [http://copy9.com/ Copy9 website].<br />
<br />
=== Copy10 ===<br />
<br />
[http://cydia.saurik.com/package/com.copy10.copy10/ Copy10] is a similar but separate spying tool available to the public via the ModMyi repository (a default repository), authored by IntelMobi/goldenspy. Their description includes "Are you having trust issues in your relationship? Sign that your kid's personality has changed and their behaviors, does your teenager hang out with friends you're concerned about? What if you believe one of your employees is a spy or is stealing company's technology, intellectual property or trade secrets?" [https://www.intelmobi.com/ IntelMobi website].<br />
<br />
=== FlexiSPY ===<br />
<br />
[http://www.flexispy.com/en/iphone-tracker-spy-on-iphone.htm FlexiSPY] is a spying tool available to the public presumably via their own repository (this isn't specified on their website, but it's specified that you need the device to be jailbroken), authored by Flexispy, Ltd. Their website says "If you have a committed relationship with your partner or are responsible for a child or employee YOU HAVE A RIGHT TO KNOW To protect your relationship, spy on their iPhone."<br />
<br />
=== iKeyGuard Key Logger ===<br />
<br />
[http://cydia.saurik.com/package/com.ikeyguard.ikg/ iKeyGuard Key Logger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by iKeyGuard. Its description includes "Warning: Logging other people without their permission might be illegal in your country! Make sure you abide by your local law."<br />
<br />
=== iKeyMonitor keylogger ===<br />
<br />
[http://cydia.saurik.com/package/com.aw.mobile.ikm/ iKeyMonitor keylogger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Awosoft Technology. [http://ikeymonitor.com/ Its website] includes "How to monitor your children's cell phone to discover the truth and protect them from potential dangers? Now with iKeyMonitor you can uncover the truth by secretly monitoring mobile phones and tablets such as iPhone/iPad/iPod and Android device."<br />
<br />
=== InnovaSPY ===<br />
<br />
[http://cydia.saurik.com/package/com.innovaspy.innovaspy/ InnovaSPY] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Innovaspy. Its description says "Perfect iPhone spy app" and lists reasons to use it as "Protect your child from cyber predators" and "Find out THE TRUE from cheating spouse?" Related package: [http://cydia.saurik.com/package/com.innovaspy.innovamonitor/ InnovaMonitor], a monitoring app for use with the spy tool. [http://innovaspy.com/ InnovaSPY website].<br />
<br />
=== Mobile Spy ===<br />
<br />
[http://www.mobile-spy.com/iphone-v7.html Mobile Spy] is a spying tool available to the public via their own repository, authored by Retina-X Studios. [http://www.mobile-spy.com/ Their website] says "View your Child or Employee's Smartphone and Tablet Usage. Monitor text messages, GPS locations, call details, photos and social media activity. View the screen and location LIVE!"<br />
<br />
=== MobiStealth ===<br />
<br />
[http://www.mobistealth.com/iphone-spy MobiStealth] is a spying tool available to the public for both [http://www.mobistealth.com/iphone-spy jailbroken iOS] (presumably installed via their own repository) and [http://www.mobistealth.com/ios-non-jailbreak non-jailbroken iOS] ("All that you require is the Apple ID and password of the iPhone or iPad that you want to monitor to get remote access to"). Their website includes "Are your employees misusing company owned phones? Are your kids getting more possessed and do not want to share anything with you? Stop wondering and thinking all day long, Mobistealth iPhone spy app is exactly what you need."<br />
<br />
=== mSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.mtechnology.mspy.trial/ mSpy] is a spying tool available to the public via the BigBoss repository (a default repository), authored by Mtechnology. Its description of itself: "mSpy is the best tracking and spy application that allows users to keep a check on the cell phone activities of their kids other family members or employees in order to avoid any unwanted behavior or for safety purposes."<br />
<br />
The mSpy website [http://www.mspy.com/compatibility.html indicates that they also have a version for non-jailbroken devices].<br />
<br />
In May 2015, [http://krebsonsecurity.com/2015/05/mspy-denies-breach-even-as-customers-confirm-it/ mSpy had a customer data breach].<br />
<br />
=== OwnSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.ownspy.daemon/ OwnSpy] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Antonio Calatrava. It describes itself as "Spy your own iPhone or iPad", with call recording, location tracking, and other features. It has a warning that says "Installing OwnSpy on a device that does not belong to you is a criminal offense and may be prosecuted. Mobile Innovations will help authorities if required." [http://en.ownspy.com/P000001-install-on-ios OwnSpy website].<br />
<br />
=== Spy App ===<br />
<br />
[http://cydia.saurik.com/package/com.spyapp.daemon/ Spy App] is a spying tool available to the public via the ModMyi repository (a default repository), authored by dmarinov. Its description includes "Remotely spy SMS, Emails, Call Logs, GPS Location, Key presses (Keylogger)" and other features. It says it is "absolutely invisible and undetectable."<br />
<br />
=== SpyKey ===<br />
<br />
[http://cydia.saurik.com/package/com.kobisnir.spykey/ SpyKey] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Kobi Snir. Its description includes "a simple app that let you monitor your PC Keyboard activity in real time, Simply connect your iphone to your compute using your Wifi or 3G connection and start monitoring." The [http://www.ioslinks.com/spykey/ SpyKey website] includes "Great use for parental control purposes, protect your kids from chating with strangers!", "Discover usernames & passwords", and "Spy unfaithfull husband or wife."<br />
<br />
=== StealthGenie ===<br />
<br />
StealthGenie was a spying tool available to the public [http://blog.flexispy.com/remove-stealthgenie-iphone-android/ via their own repository]. It also supported other mobile operating systems. In November 2014, the person who advertised and sold this product was [http://www.justice.gov/opa/pr/man-pleads-guilty-selling-stealthgenie-spyware-app-and-ordered-pay-500000-fine charged with a federal crime and fined $500,000]. The charge was "sale of an interception device and advertisement of a known interception device", a wiretapping crime. [http://www.forbes.com/sites/kashmirhill/2014/09/30/stealthgenie-ugly-marketing-of-spyware/ A Forbes article] says "according to the FBI, Akbar and his team developed an internal business plan that revealed that — duh — the primary target audience for the app was people who thought their partners were cheating." The Forbes article points out [[#Mobile Spy]], [[#mSpy]], [[#FlexiSPY]], and [[#MobiStealth]] as similar products.<br />
<br />
=== Trapsms ===<br />
<br />
Trapsms was an early spying tool available to the public, [http://blog.fortinet.com/post/detecting-spyware-for-iphones described in this post by a security researcher in July 2009]. She says: "The spyware installs on any jailbroken iPhone. In Cydia (an iPhone front-end to help installing third-party applications), you first add the URL of the spyware's repository and then install the two spyware packages."<br />
<br />
[[Category:Malware research]]</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=Malware_for_iOS&diff=48818Malware for iOS2015-10-13T06:42:24Z<p>Britta: noting muda</p>
<hr />
<div>This is a list of known malware (including spyware, adware, trojans, viruses, worms, and similar tools) that have targeted iOS, including jailbroken iOS. The dates are approximate dates when people discovered, publicized, or started discussing the tool. '''You can help expand this article with more examples and details. To edit it, [[The iPhone Wiki:Account creation|request an account on TheiPhoneWiki]].'''<br />
<br />
The goal of this list is to aid better understanding of the risks of using iOS and jailbroken iOS - it's helpful to have as much accurate information as you can. If you're concerned about avoiding malware on your jailbroken device, check out [https://www.reddit.com/r/jailbreak/wiki/howtoresearch this guide to making informed guesses about whether packages are reasonable to install].<br />
<br />
Some context: <br />
* Some of these tools targeted old iOS versions and do not work on current iOS versions.<br />
* Some of these are harmful and some are merely annoying.<br />
* Many of these require the device to be jailbroken, and some work on non-jailbroken devices (including via [[misuse of enterprise and developer certificates]]).<br />
* Cydia is an open platform - it includes a specific set of default repositories, and it also allows users to type in any third-party repository that they want to use (much like a web browser that allows you to visit any website). Anyone can run a third-party repository and distribute any software they choose to distribute.<br />
* Some of these tools are built to target specific people instead of the general public.<br />
* Especially for malware that targets a specific person and requires the device to be jailbroken (such as commercial spyware tools used by governments and [http://www.forbes.com/sites/sarahjeong/2014/10/28/surveillance-begins-at-home/ people spying on family members]), it's important to consider that ''the vulnerabilities in iOS that allow it to be exploited with a jailbreak'' are part of what allows that malware to exist - the process may include finding a way to secretly jailbreak the target's device if it's not jailbroken already.<br />
<br />
For an earlier list of known malware, see [https://blog.fortinet.com/post/ios-malware-does-exist "iOS Malware Does Exist"] (June 2014).<br />
<br />
== Tools found in the wild that target the public ==<br />
<br />
=== iKee and Duh (November 2009) ===<br />
<br />
The [[Ikee-virus]] (also called Eeki) is a worm transmitted between jailbroken devices that have OpenSSH installed and haven't changed the default root password. It changes the lockscreen background to a photo of Rick Astley.<br />
<br />
Two weeks later, the similar [https://nakedsecurity.sophos.com/2009/11/23/lightning-strikes-iphone-malware-malicious/ Duh worm] spread, which was "much more serious than the original Ikee worm because it is not limited to infecting iPhone users in Australia, and communicates with an internet Control & Command centre, downloading new instructions - effectively turning your iPhone into part of a botnet."<br />
<br />
=== "Find and Call" (July 2012) ===<br />
<br />
Find and Call was an app on the App Store that automatically uploaded users' contact lists to the company's server, then spammed those contacts with a link to the app ("from" that user). This undisclosed, unwanted behavior makes the software fit the definition of a trojan. Articles: [https://securelist.com/blog/incidents/33544/find-and-call-leak-and-spam-57/ Kaspersky SecureList], [http://arstechnica.com/apple/2012/07/find-and-call-app-becomes-first-trojan-to-appear-on-ios-app-store/ Ars Technica], [https://nakedsecurity.sophos.com/2012/07/06/find-call-ios-android-malware/ Sophos NakedSecurity]. It is also called FindCall.<br />
<br />
=== Packages by Nobitazzz (August 2012 and September 2013) ===<br />
<br />
A tweak developer who went by various names (Felix, FelixCat, isoftjsc, Martin Pham, Nitram88, Nobitazzz, Nobita.ZZZ, Sara_Nobita, sara_nobita_zzz, tuyentq2009, vietSARA) included adware in his tweaks. These were many free packages along with some paid packages sold via the Cydia Store, mostly distributed by default repositories (until the problem was discovered). The adware ran ads in the background of iOS, displaying off-screen so that the user wouldn't notice them, with the revenue from those ads going to this tweak developer. This was [http://modmyi.com/forums/cydia-support/810633-new-adware-malware-found-cydia.html first reported in August 2012 on the ModMyi forum] and [http://ryanhileman.info/posts/webgl analyzed in September 2013] ([https://www.reddit.com/r/jailbreak/comments/1n5702/anatomy_of_a_jailbreak_trojan/ discussion on Reddit]).<br />
<br />
Packages by this developer included: Animated ICS LockScreen & HomeScreen, BetterChrome, Chrome Download Enabler, ChromeMe, Enable Copy text in Facebook app, Enable WebGL, Facebook Photo Library integration, FacebookThis, Handwriting recognition, Insta9gag, InstaFacebook for NotificationCenter, Instagram Image saver, InstaSocial for Notification Center, InstaTwitter for NotificationCenter, iOS 6 Photos Menu, Make Gmail as default, Notification Lunar Calendar, Olympic 2012 Medal for Notification Center, PhotoFilters, Sara, Sara Dictation Keyboard, VoiceTweet.<br />
<br />
=== AdThief/Spad (March and August 2014) ===<br />
<br />
AdThief (also called Spad) is malware targeting jailbroken iOS devices, which "tweaks a developer ID that’s intended to tell ad developers when their ads are either viewed or clicked and in turn, generate revenue. In the malware’s case, infected devices funnel those small payments away from the developers to the hacker", as [https://threatpost.com/adthief-ios-malware-affecting-75k-jailbroken-devices/107907 explained by Kaspersky Threatpost]. Security researchers estimated it had infected 75,000 devices.<br />
<br />
=== Unflod (April 2014) ===<br />
<br />
[[Unflod]] is a malicious piece of software targeting jailbroken iOS devices, which attempts to capture the user's Apple ID and password by using MobileSubstrate to hook into the SSLWrite function of Security.framework and then listening to data passed to it. Once the Apple ID and password are captured, it is sent to a Chinese IP address. It was inadvertently discovered by a Reddit user on April 17th, 2014. Also called "Unflod Baby Panda" and "SSLCreds".<br />
<br />
=== AppBuyer (September 2014) ===<br />
<br />
AppBuyer, as discussed in [http://researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/ this article by Palo Alto Networks], is "malware will connect to C&C server, download and execute malicious executable files, hook network APIs to steal user’s Apple ID and password and upload to the attacker’s server, and simulate Apple’s proprietary protocols to buy apps from the official App Store by victim’s identity." It targets jailbroken devices.<br />
<br />
=== WireLurker and Masque Attack (November 2014) ===<br />
<br />
As discussed at [[Misuse of enterprise and developer certificates]]: [http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/ according to Palo Alto Networks], WireLurker is "a family of malware targeting both Mac OS and iOS systems for the past six months...It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning."<br />
<br />
Masque Attacks are a related technique, also [https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html discussed by Palo Alto Networks]: "an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier."<br />
<br />
=== Xsser mRAT (December 2014) ===<br />
<br />
Xsser mRAT is a piece of malware that targets jailbroken devices. [https://blogs.akamai.com/2014/12/ios-and-android-os-targeted-by-man-in-the-middle-attacks.html As described by Akamai]: "The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server."<br />
<br />
=== Lock Saver Free (July 2015) ===<br />
<br />
Lock Saver Free is a free tweak, originally distributed on a default repository (removed from the repository after discovery of the problem), that installs an extra tweak that hooks into ad banners to insert its own ad identifier, presumably in order to give ad revenue to the author of the tweak instead of to the author of the website/app where the ad was found. [https://www.reddit.com/r/jailbreak/comments/3eis8g/news_lock_saver_free_contains_a_trojan_that/ Discussion on Reddit].<br />
<br />
=== KeyRaider (August 2015) ===<br />
<br />
KeyRaider, as discussed in [http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/ this article by Palo Alto Networks], is a piece of malware for jailbroken devices that "steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device." These security researchers said it has over 225,000 stolen accounts in its database.<br />
<br />
=== XcodeGhost (September 2015) ===<br />
<br />
XcodeGhost is a form of malware that was found in some unofficial redistributions of Xcode targeted at Chinese developers (who often download redistributed copies because official Apple download speeds are slow in China). XcodeGhost infects apps compiled with those versions of Xcode, which included at least 39 apps published in the iOS App Store. Palo Alto Networks published a series of posts about it: [http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/ original post explaining it], [http://researchcenter.paloaltonetworks.com/2015/09/malware-xcodeghost-infects-39-ios-apps-including-wechat-affecting-hundreds-of-millions-of-users/ a list of additional infected apps on the App Store], [http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/ more about its capabilities]. It adds code that can upload device and app information to a central server, create fake iCloud password signin prompts, and read and write from the copy-and-paste clipboard.<br />
<br />
=== YiSpecter (October 2015) ===<br />
<br />
YiSpecter, [http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/ also discussed by Palo Alto Networks], is malware that uses private APIs to perform malicious actions on both non-jailbroken and jailbroken iOS. It gets installed in the form of apps signed with [[Misuse of enterprise and developer certificates|enterprise certificates]]. Palo Alto Networks says "On infected iOS devices, YiSpecter can download, install and launch arbitrary iOS apps, replace existing apps with those it downloads, hijack other apps’ execution to display advertisements, change Safari’s default search engine, bookmarks and opened pages, and upload device information to the C2 server."<br />
<br />
=== Muda (October 2015) ===<br />
<br />
Muda (also called AdLord), [https://twitter.com/claud_xiao/status/653606471876263936 discussed by Claud Xiao], is a form of adware for jailbroken devices. It has been in the wild at least since October 2013. He writes "It spreads via third party Cydia sources in China, and only affects jailbroken iOS devices. Its main behaviors include to display advertisements over other apps or in notification bar, and to ask user downloading iOS apps it promoted. "<br />
<br />
== Tools used by governments (and similar) to target individuals ==<br />
<br />
=== FinSpy Mobile (August 2012) ===<br />
<br />
FinFisher is a suite of commercial surveillance tools sold to governments, which have been used to target activists and other people. The suite [https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/ includes spyware tools for many mobile operating systems, including iOS].<br />
<br />
=== DROPOUTJEEP (December 2013) ===<br />
<br />
In December 2013, a conference presentation included information about a NSA tool called DROPOUTJEEP: [http://www.forbes.com/sites/erikkain/2013/12/30/the-nsa-reportedly-has-total-access-to-your-iphone/ "a software implant for the Apple iPhone that utilizes modular mission applications to provide specific SIGINT functionality. This functionality includes the ability to remotely push/pull files from the device. SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell tower location, etc. Command, control and data exfiltration can occur over SMS messaging or a GPRS data connection. All communications with the implant will be covert and encrypted.”] The information was from an internal NSA software catalog from 2008. The presenter speculated that Apple had helped build this tool, and [http://techcrunch.com/2013/12/31/apple-says-it-has-never-worked-with-nsa-to-create-iphone-backdoors-is-unaware-of-alleged-dropoutjeep-snooping-program/ Apple said it "has never worked with the NSA to create a backdoor in any of our products"].<br />
<br />
=== Hacking Team tools (June 2014 and July 2015) ===<br />
<br />
[[Hacking Team]] is a company that "sells offensive intrusion and surveillance capabilities to governments and law enforcement agencies", including iOS spyware tools. The iOS spyware tools appear designed for targeting/attacking specific people, not for broad surveillance of the public. Their main tool (Remote Control System) requires a jailbroken device, and they were researching options for non-jailbroken devices.<br />
<br />
=== Inception (December 2014) ===<br />
<br />
Inception is an "attack framework" from an unknown source that targets individuals to steal information, using phishing emails and other techniques along with malware for iOS and other mobile operating systems, described in [https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware this post by security researchers who identified it]. According to [http://images.machspeed.bluecoat.com/Web/BlueCoat/%7B7f2dda62-f240-48dc-b05e-5cc620747b73%7D_bcs_wp_The_Inception_Framework_Cloud-Hosted_APT_EN_1d.pdf the whitepaper from those security researchers], a target may receive a phishing email with a link that says it's a WhatsApp update, and if clicked on jailbroken iOS, it triggers "the download of a Debian installer package, WhatsAppUpdate.deb, also 1.2Mb in size. This application impersonates a Cydia installer, and can only be installed on a jailbroken phone" (page 23). It's unclear what they mean by "impersonates a Cydia installer", but a .deb file is the standard format for software packages installable via Cydia. The iOS malware collects the device's [[ICCID]], address book, phone number, MAC address, and other information.<br />
<br />
Another group of security researchers also identified this attack framework [http://www.cso.com.au/article/562325/sophisticated-malware-targets-execs-pcs-android-blackberry-ios-devices/ and called it Cloud Atlas].<br />
<br />
More articles: [http://appleinsider.com/articles/14/12/11/massive-sophisticated-inception---cloud-atlas-malware-infects-windows-and-android-but-cant-exploit-apples-ios-without-jailbreak Apple Insider], [http://www.forbes.com/sites/thomasbrewster/2014/12/10/iphone-android-attacks-on-diplomats/ Forbes]. There is a sample download [http://contagiominidump.blogspot.de/2014/12/cloud-atlas-inception-ios.html available via this blog].<br />
<br />
=== XAgent (February 2015) ===<br />
<br />
XAgent is a surveillance tool targeting specific people (such as people in governments, the military, and journalists) that can affect both non-jailbroken and jailbroken devices, as described in [http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/ this article by Trend Micro]. Also [http://www.pcworld.com/article/2880152/new-spyware-targets-ios-devices-steals-pictures-and-data.html covered by PCWorld].<br />
<br />
== Tools developed as part of research ==<br />
<br />
=== iSAM (June 2011) ===<br />
<br />
iSAM is a malware tool [http://link.springer.com/chapter/10.1007%2F978-3-642-21424-0_2 developed by security researchers] as a proof of concept. It affects both jailbroken and not-yet-jailbroken devices: it scans for jailbroken devices that have SSH running and the default root password, and it also includes a malicious version of the [[Star]] exploit (JailbreakMe 2.0) so it can jailbreak a device that isn't jailbroken yet.<br />
<br />
=== Instastock (November 2011) ===<br />
<br />
Charlie Miller, a security researcher, [http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/ submitted an app to the App Store called Instastock] to demonstrate "a flaw in Apple’s restrictions on code signing on iOS devices". The app was initially accepted and then pulled from the store.<br />
<br />
=== Mactans (July 2013) ===<br />
<br />
At the Black Hat 2013 conference, security researchers presented a tool called Mactans, a small device that looks like a charger but [http://www.zdnet.com/article/researchers-reveal-how-to-hack-an-iphone-in-60-seconds/ can insert malware if you plug an iOS device into it]. The iOS device does not have to be jailbroken.<br />
<br />
=== Jekyll (August 2013) ===<br />
<br />
At the USENIX Security Symposium in 2013, security researchers described a method for getting a malicious app approved for the App Store, [http://www.theguardian.com/technology/appsblog/2013/aug/19/ios-malware-apple-iphone-ipad-jekyll "created with remotely-exploitable vulnerabilities built in, masked by legitimate features to evade detection during the App Store approval process, but ready to be triggered once the app was installed on an iOS device."] They successfully got an app approved for the App Store with this method (which [http://arstechnica.com/security/2013/08/seemingly-benign-jekyll-app-passes-apple-review-then-becomes-evil/ "was only active for a few minutes following its launch in March, and during that time it wasn't installed by anyone not involved in the experiment"]).<br />
<br />
=== XARA attacks (June 2015) ===<br />
<br />
Security researchers found methods for "cross-app resource access" (XARA) attacks on OS X and iOS, and they submitted malicious proof-of-concept apps to the Mac and iOS App Store. Apple approved the apps, and the researchers immediately removed them from the stores. These XARA attacks were ways of bypassing the sandboxes that are supposed to prevent an app from accessing files that don't belong to that app, [https://drive.google.com/file/d/0BxxXk1d3yyuZOFlsdkNMSGswSGs/view described by the security researchers in a paper]. [http://arstechnica.com/security/2015/06/serious-os-x-and-ios-flaws-let-hackers-steal-keychain-1password-contents/ Ars Technica article].<br />
<br />
=== NeonEggShell (August 2015) ===<br />
<br />
[http://neoneggplants.com/projects/neoneggshell/ NeonEggShell] is a command shell creation tool for iOS and OS X. The author says "This project is a proof of concept way to demon strate how easy it is to take over a whole device with a piece of code no bigger than a twitter post." The project includes tools for making payloads for jailbroken iOS, with features such as keylogging and location tracking. By default, the tool includes a "prompt that asks for permission before allowing any connection to the remote server."<br />
<br />
== Tools for sale to the public to target individuals ==<br />
<br />
=== 1mole ===<br />
<br />
[http://www.bosspy.com/user/iphoneos.aspx 1mole] is a spying tool available to the public via their own repository, authored by Bosspy. It describes itself [http://www.bosspy.com/user/default.aspx on its website] as "For Parents" ("Have your children going home after school? Consult their GPS position to be sure."), "For individuals" ("You think about your lost or stolen mobile phone."), and "For Employers" ("Install the software on your business phones and locate them in real time"). Its feature list includes "Track GPS locations" and "Capture the lock sreen passcode" for free, and "Record text messages", "Log Calls details", "Website monitoring", and "Keylogger" as paid services.<br />
<br />
=== Copy9 ===<br />
<br />
[http://cydia.saurik.com/package/com.goldenspy.copy9/ Copy9] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Copy9. It describes itself as "will be installed on target iDevice to find out a thief, cheating spouses, monitor chidren/employees or simply backup data from your devices to our cloud server. This is the best spyware on the world in spying field." [http://copy9.com/ Copy9 website].<br />
<br />
=== Copy10 ===<br />
<br />
[http://cydia.saurik.com/package/com.copy10.copy10/ Copy10] is a similar but separate spying tool available to the public via the ModMyi repository (a default repository), authored by IntelMobi/goldenspy. Their description includes "Are you having trust issues in your relationship? Sign that your kid's personality has changed and their behaviors, does your teenager hang out with friends you're concerned about? What if you believe one of your employees is a spy or is stealing company's technology, intellectual property or trade secrets?" [https://www.intelmobi.com/ IntelMobi website].<br />
<br />
=== FlexiSPY ===<br />
<br />
[http://www.flexispy.com/en/iphone-tracker-spy-on-iphone.htm FlexiSPY] is a spying tool available to the public presumably via their own repository (this isn't specified on their website, but it's specified that you need the device to be jailbroken), authored by Flexispy, Ltd. Their website says "If you have a committed relationship with your partner or are responsible for a child or employee YOU HAVE A RIGHT TO KNOW To protect your relationship, spy on their iPhone."<br />
<br />
=== iKeyGuard Key Logger ===<br />
<br />
[http://cydia.saurik.com/package/com.ikeyguard.ikg/ iKeyGuard Key Logger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by iKeyGuard. Its description includes "Warning: Logging other people without their permission might be illegal in your country! Make sure you abide by your local law."<br />
<br />
=== iKeyMonitor keylogger ===<br />
<br />
[http://cydia.saurik.com/package/com.aw.mobile.ikm/ iKeyMonitor keylogger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Awosoft Technology. [http://ikeymonitor.com/ Its website] includes "How to monitor your children's cell phone to discover the truth and protect them from potential dangers? Now with iKeyMonitor you can uncover the truth by secretly monitoring mobile phones and tablets such as iPhone/iPad/iPod and Android device."<br />
<br />
=== InnovaSPY ===<br />
<br />
[http://cydia.saurik.com/package/com.innovaspy.innovaspy/ InnovaSPY] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Innovaspy. Its description says "Perfect iPhone spy app" and lists reasons to use it as "Protect your child from cyber predators" and "Find out THE TRUE from cheating spouse?" Related package: [http://cydia.saurik.com/package/com.innovaspy.innovamonitor/ InnovaMonitor], a monitoring app for use with the spy tool. [http://innovaspy.com/ InnovaSPY website].<br />
<br />
=== Mobile Spy ===<br />
<br />
[http://www.mobile-spy.com/iphone-v7.html Mobile Spy] is a spying tool available to the public via their own repository, authored by Retina-X Studios. [http://www.mobile-spy.com/ Their website] says "View your Child or Employee's Smartphone and Tablet Usage. Monitor text messages, GPS locations, call details, photos and social media activity. View the screen and location LIVE!"<br />
<br />
=== MobiStealth ===<br />
<br />
[http://www.mobistealth.com/iphone-spy MobiStealth] is a spying tool available to the public for both [http://www.mobistealth.com/iphone-spy jailbroken iOS] (presumably installed via their own repository) and [http://www.mobistealth.com/ios-non-jailbreak non-jailbroken iOS] ("All that you require is the Apple ID and password of the iPhone or iPad that you want to monitor to get remote access to"). Their website includes "Are your employees misusing company owned phones? Are your kids getting more possessed and do not want to share anything with you? Stop wondering and thinking all day long, Mobistealth iPhone spy app is exactly what you need."<br />
<br />
=== mSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.mtechnology.mspy.trial/ mSpy] is a spying tool available to the public via the BigBoss repository (a default repository), authored by Mtechnology. Its description of itself: "mSpy is the best tracking and spy application that allows users to keep a check on the cell phone activities of their kids other family members or employees in order to avoid any unwanted behavior or for safety purposes."<br />
<br />
The mSpy website [http://www.mspy.com/compatibility.html indicates that they also have a version for non-jailbroken devices].<br />
<br />
In May 2015, [http://krebsonsecurity.com/2015/05/mspy-denies-breach-even-as-customers-confirm-it/ mSpy had a customer data breach].<br />
<br />
=== OwnSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.ownspy.daemon/ OwnSpy] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Antonio Calatrava. It describes itself as "Spy your own iPhone or iPad", with call recording, location tracking, and other features. It has a warning that says "Installing OwnSpy on a device that does not belong to you is a criminal offense and may be prosecuted. Mobile Innovations will help authorities if required." [http://en.ownspy.com/P000001-install-on-ios OwnSpy website].<br />
<br />
=== Spy App ===<br />
<br />
[http://cydia.saurik.com/package/com.spyapp.daemon/ Spy App] is a spying tool available to the public via the ModMyi repository (a default repository), authored by dmarinov. Its description includes "Remotely spy SMS, Emails, Call Logs, GPS Location, Key presses (Keylogger)" and other features. It says it is "absolutely invisible and undetectable."<br />
<br />
=== SpyKey ===<br />
<br />
[http://cydia.saurik.com/package/com.kobisnir.spykey/ SpyKey] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Kobi Snir. Its description includes "a simple app that let you monitor your PC Keyboard activity in real time, Simply connect your iphone to your compute using your Wifi or 3G connection and start monitoring." The [http://www.ioslinks.com/spykey/ SpyKey website] includes "Great use for parental control purposes, protect your kids from chating with strangers!", "Discover usernames & passwords", and "Spy unfaithfull husband or wife."<br />
<br />
=== StealthGenie ===<br />
<br />
StealthGenie was a spying tool available to the public [http://blog.flexispy.com/remove-stealthgenie-iphone-android/ via their own repository]. It also supported other mobile operating systems. In November 2014, the person who advertised and sold this product was [http://www.justice.gov/opa/pr/man-pleads-guilty-selling-stealthgenie-spyware-app-and-ordered-pay-500000-fine charged with a federal crime and fined $500,000]. The charge was "sale of an interception device and advertisement of a known interception device", a wiretapping crime. [http://www.forbes.com/sites/kashmirhill/2014/09/30/stealthgenie-ugly-marketing-of-spyware/ A Forbes article] says "according to the FBI, Akbar and his team developed an internal business plan that revealed that — duh — the primary target audience for the app was people who thought their partners were cheating." The Forbes article points out [[#Mobile Spy]], [[#mSpy]], [[#FlexiSPY]], and [[#MobiStealth]] as similar products.<br />
<br />
=== Trapsms ===<br />
<br />
Trapsms was an early spying tool available to the public, [http://blog.fortinet.com/post/detecting-spyware-for-iphones described in this post by a security researcher in July 2009]. She says: "The spyware installs on any jailbroken iPhone. In Cydia (an iPhone front-end to help installing third-party applications), you first add the URL of the spyware's repository and then install the two spyware packages."<br />
<br />
[[Category:Malware research]]</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=Misuse_of_enterprise_and_developer_certificates&diff=48757Misuse of enterprise and developer certificates2015-10-11T18:34:39Z<p>Britta: noting YiSpecter</p>
<hr />
<div>There is some distribution of apps outside the App Store using enterprise certificates and developer certificates, which allows those apps to be installed on non-jailbroken iOS devices. Using this to distribute apps to the public violates Apple's developer agreements and can get those certificates revoked by Apple.<br />
<br />
[https://developer.apple.com/programs/ios/enterprise/ Getting an enterprise certificate costs $299/year] and requires a phone call with Apple to verify that you have a real company and are using the certificate for a legitimate purpose; after you have one, you can use it to distribute the app to unlimited numbers of devices, since it's intended for companies that want to distribute an internal app to lots of employees. There is speculation that misused enterprise certificates sometimes come from companies that got the certificates from Apple for a seemingly-legitimate purpose, then mysteriously "went out of business" and started up again using the enterprise certificates for shadier purposes.<br />
<br />
Some apps used expired enterprise certificates that required the user to set the device's time back to a certain date (before the profile was revoked) before installing the app, called the "date trick". The ability to use expired profiles like that [http://venturebreak.com/2014/10/18/ios-8-1-kills-movie-box-unapproved-apps-use-date-trick/ was fixed with iOS 8.1] in October 2014. In April 2015, [http://www.wired.com/2015/04/popcorn-times-piracy-app-sneaking-onto-iphones/ people released an app] that can be installed with an expired enterprise certificate if the device is in airplane mode (no internet connection), with the help of a tool on a desktop computer since the device can't access the internet at that point to download the app.<br />
<br />
It's not known how often iOS checks after installation to see whether an enterprise certificate has been revoked (which then means you can't use the app anymore unless you have a trick for reinstalling it) - it seems to be "once in a while".<br />
<br />
Related, there are also people who sell access to normal iOS developer certificates, which allow you to self-sign apps to install them on non-jailbroken iOS devices, meant for developers working on apps. [https://developer.apple.com/programs/ios/ These certificates cost $99/year from Apple] (and anyone can get one), and each certificate can be associated with 100 devices, so people sometimes sell some of those "UDID slots".<br />
<br />
== Uses and risks ==<br />
<br />
People misuse certificates to distribute pirated App Store apps to non-jailbroken iOS devices. There are various piracy sites and tools that distribute cracked App Store apps that have been re-signed using certificates.<br />
<br />
People also misuse certificates to distribute apps that aren't allowed on the App Store (usually apps that Apple considers to have copyright problems, such as game emulators and movie piracy tools) to non-jailbroken devices. Game emulators themselves are [https://en.wikipedia.org/wiki/Video_game_console_emulator#United_States legal software in the US], but Apple considers them associated with copyright infringement probably because people can pirate ROMs for games (although [https://web.archive.org/web/20130831191147/http://www.gamefaqs.com/features/help/entry.html?cat=24 it is legal to dump your own ROMs from games you own]). Websites such as [http://www.iosemulatorspot.com/ iOSEmulatorSpot] use this method to redistribute emulators and other free apps developed by other people that can't be distributed on the App Store (mostly because of copyright problems), mostly without permission from the app authors.<br />
<br />
Misuse of certificates has also been part of jailbreaking tools, and it can be used by malicious people as part of malware (see [[malware for iOS]]).<br />
<br />
Research papers about security risks and threats related to enterprise certificate distribution:<br />
<br />
* [https://www.virusbtn.com/virusbulletin/archive/2014/11/vb201411-Apple-without-shell "Apple without a shell – iOS under targeted attack"], by Tao Wei, Min Zheng, Hui Xue, and Dawn Song - Virus Bulletin Conference, September 2014<br />
* [http://www.cse.cuhk.edu.hk/~cslui/PUBLICATION/ASIACCS15.pdf "Enpublic Apps: Security Threats Using iOS Enterprise and Developer Certificates"], by Min Zheng, Hui Xue, Yulong Zhang, Tao Wei, and John C.S. Lui - ASIA CCS'15, April 2015<br />
<br />
== Examples ==<br />
<br />
=== Zeusmos and KuaiYong (January 2013) ===<br />
<br />
[http://thenextweb.com/apple/2013/01/01/low-down-dirty-iphone-app-pirates/ "New services bypass Apple DRM to allow pirated iOS app installs without jailbreaking on iPhone, iPad"] (TheNextWeb, January 2013): "It’s unclear exactly how Zeusmos achieves its goal, but judging from the pricing and the correlation between UDIDRegistrations, it appears to utilize a developer licensing certificate to install ‘cracked’ apps which have had their DRM (copy protection) stripped."<br />
<br />
=== KuaiYong (April 2013) ===<br />
<br />
[http://www.forbes.com/sites/emmawoollacott/2013/04/19/when-criminals-exploit-apples-own-app-distribution-system-what-hope-is-there-of-stamping-out-piracy/ "When Criminals Exploit Apple's Own App Distribution System, What Hope Is There Of Stamping Out Piracy?"] (Forbes, April 2013): "Remarkably, the site is powered by Apple’s own enterprise app distribution system, designed to allow large organizations to provide internal apps to staff. What KuaiYong has done is buy one license and then distribute apps to its customers on the pretext that they’re the company’s own staff."<br />
<br />
[http://www.examiner.com/article/chinese-website-allows-pirating-of-ios-apps-no-jailbreaking-required "Chinese website allows pirating of iOS apps, no jailbreaking required"] (Examiner, April 2013): "[Kuaiyong] uses Apple's own enterprise app deployment technology."<br />
<br />
=== GBA4iOS and MacBuildServer (July 2013) and GBA4iOS 2.0 (February 2014) ===<br />
<br />
[http://rileytestut.com/blog/2013/08/06/the-biggest-beta-test-in-ios-history/ "The Biggest Beta Test in iOS History"] (Riley Testut, August 2013): "As you can probably guess, MacBuildServer was using the Enterprise Distribution method to allow installation on non-jailbroken devices. Because GBA4iOS was open-sourced on Github, MacBuildServer was able to download a copy of the code to its servers, compile it into an app, and then distribute it under their own Enterprise Certificate...Apple did what it could to stop this: they revoked MacBuildSever’s enterprise certificate. While it initially seemed that this meant no more downloads of GBA4iOS, it has since been discovered that setting an iOS’ device date to before July 16 (the day Apple revoked the certificate) allows users to download the app again, and after the download they are free to set the date back to the current date. Unfortunately, this is far from a permanent solution, as once in a while iOS checks to see whether the certificate is valid, and if it finds it isn’t, GBA4iOS will no longer open, forcing the user to set their device’s date back again."<br />
<br />
[http://readwrite.com/2013/07/17/apple-slams-the-door-on-super-mario "Apple Slams The Door On Super Mario"] (ReadWrite, July 2013): "'Yesterday someone from Apple called to Serge, our founder, and noticed that [the] enterprise certificate registered to our company was[sic] been used violating Apple’s agreements.'"<br />
<br />
[http://rileytestut.com/blog/2014/10/07/gba4ios-is-dead-long-live-gba4ios/ "GBA4iOS Is Dead. Long Live GBA4iOS"] (Riley Testut, October 2014): "Sure enough, less than thirty minutes (!!) after we released GBA4iOS 2.0, Apple revoked our new certificate once again, but all that did was force people to set the date back to install the app; an inconvenience for sure, but far easier than jailbreaking the device. We’ve continued to update the app since, and it’s survived several iOS updates since then – such as 7.1 and 8.0 – none of which have prevented the Date Trick from working. Of course, that ends with iOS 8.1 when it is released later this month."<br />
<br />
=== Pangu (June 2014) and Pangu8 (October 2014) ===<br />
<br />
[[Pangu]] and [[Pangu8]] use an expired enterprise certificate to help inject the jailbreak, which is removed after the jailbreak is complete.<br />
<br />
[http://www.idownloadblog.com/2014/06/24/ios-7-1-1-jailbreak-uses-expired-enterprise-certificate-loophole/ "iOS 7.1.1 jailbreak uses expired enterprise certificate loophole"] (iDownloadBlog, June 2014): "According to his tweets, MuscleNerd says that the most unique part of the Pangu jailbreak is that it uses an expired enterprise certificate as an injection vector. He adds that enterprise certificates are something that have been out of bounds for the iPhone Dev Team, due to legal reasons, but he is glad that this method was used rather than the Pangu team burning through something more native and powerful."<br />
<br />
[http://blog.pangu.io/jailbreak-should-not-tolerate-regional-discrimination/ "Jailbreak Should not Tolerate Regional Discrimination"] (Pangu Team, March 2015): "In Pangu 7 and Pangu 8, we leveraged expired enterprise certificates to initial the jailbreaking process. We are very glad that some of jailbreak fans donated their own expired enterprise certificates to us. On the other hand, an enterprise certificate only costs a few hundreds dollars . We do not see any reason to steal an enterprise certificate."<br />
<br />
=== WireLurker and Masque Attack (November 2014) ===<br />
<br />
Misuse of certificates can also be part of malware.<br />
<br />
[http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/ "WireLurker: A New Era in OS X and iOS Malware"] (Palo Alto Networks, November 2014): "Today we published a new research paper on WireLurker, a family of malware targeting both Mac OS and iOS systems for the past six months...It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning"<br />
<br />
[https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf The Palo Alto Networks research paper about WireLurker] has a lot of detail about its use of enterprise certificates, including:<br />
<br />
<blockquote>"The use of enterprise provisioning explains how these applications can be installed on non-jailbroken iOS devices. Yet, on the first attempt to run a WireLurker application on iOS, users are presented with a dialog requesting confirmation to open a third-party application (Figure 16). If the user chooses to continue, a third-party enterprise provisioning profile will be installed and WireLurker will have successfully compromised that non-jailbroken device. Furthermore, users are typically none the wiser, since the application otherwise operates just like the legitimate version."</blockquote><br />
<br />
<blockquote>"The use of enterprise provisioning to install applications on non-jailbroken devices is not a new concept. This technique has been widely abused by game fans and a number of Chinese application distribution platforms. Since January 2013, there have been at least five Mac/PC tools that have abused enterprise provisioning and the libimobiledevice library to install pirated applications on non-jailbroken devices in China: “PP Helper”(PP助手), “KuaiYong Helper”(快用助手), “91 Mobile Helper”(91手机助手), “KuaiZhuang”(快装) and “SouApple”(搜苹果). It is noteworthy that the “PP Helper” application is also downloaded and installed by WireLurker."</blockquote><br />
<br />
<blockquote>"In September 2014, Tao Wei et al presented at Virus Bulletin on the risk of abusing Apple’s enterprise distribution program. According to their research, any application can bypass Apple review, arbitrarily invoke private iOS APIs, monitor user behavior and exploit vulnerabilities in a non-jailbroken iOS device by leveraging an enterprise provisioning profile. WireLurker is a prime example of how this is no longer a theoretical risk, but an active threat as seen in the wild."</blockquote><br />
<br />
[https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html "Masque Attack: All Your iOS Apps Belong to Us"] (FireEye, November 2014): "In July 2014, FireEye mobile security researchers have discovered that an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier. This in-house app may display an arbitrary title (like “New Flappy Bird”) that lures the user to install it, but the app can replace another genuine app after installation."<br />
<br />
=== Popcorn Time (April 2015) ===<br />
<br />
[http://torrentfreak.com/popcorn-time-releases-jailbreak-free-ios-app-150407/ "Popcorn Time releases iOS app tomorrow, no jailbreak needed"] (TorrentFreak, April 7, 2015): "'All a user will need to do to get Popcorn Time on a non jailbroken iOS device is to download the ‘iOS installer’ to his desktop computer, connect his iOS device to the computer with a USB cable, and then just follow simple instructions that will download the app on the iOS device.'"<br />
<br />
[http://www.wired.com/2015/04/popcorn-times-piracy-app-sneaking-onto-iphones/ "How Popcorn Time’s Piracy App Is Sneaking Onto iPhones"] (Wired, April 8, 2015): "But the iOS Installer developer does hint that its workaround exploits 'the ability Apple gives to enterprises to install apps on their workers devices.' To those familiar with Apple’s security measures, that sounds like Popcorn Time is using Apple’s iOS Developer Enterprise Program...The Popcorn-Time.se developer confirmed in an email that the team is in fact using revoked or expired enterprise certificates for the installation, though it’s not exactly clear how merely putting the phone into airplane mode can trick it into accepting those old and invalid certificates."<br />
<br />
=== 25PP (June 2015) ===<br />
<br />
25PP is an app marketplace similar to KuaiYong, including pirated apps.<br />
<br />
[http://www.forbes.com/sites/thomasbrewster/2015/06/26/china-iphone-jailbreak-industry/ "Of Ma And Malware: Inside China's iPhone Jailbreaking Industrial Complex"] (Forbes, June 26, 2015): "And yet Alibaba’s 25pp marketplace doesn’t need the phone to be unlocked to install on iOS. It flouts Apple security rules in other ways. FORBES has learned the store breaks Apple policy by using an Enterprise Certificate to install itself on users’ phones. These certificates are supposed to be used by businesses to disseminate bespoke apps within the confines of the corporate network and are strictly not for commercial use. Apple could simply revoke the certificate, but it would be easy for Alibaba’s subsidiary to obtain a new one and start breaking the rules all over again. Apple and Alibaba’s inertia is more surprising when one considers what’s on 25pp, namely a lot of pirated software that rip off American creations."<br />
<br />
=== Hacking Team (July 2015) ===<br />
<br />
[[Hacking Team]] is a company that sells surveillance tools and services to governments and law enforcement agencies, and some of their tools use a valid enterprise certificate to aid installing them on a target device.<br />
<br />
[http://www.macworld.com/article/2944712/hacking-team-hack-reveals-why-you-shouldnt-jailbreak-your-iphone.html "Hacking Team hack reveals why you shouldn't jailbreak your iPhone"] (MacWorld, July 6, 2015): "Researchers have also found so far that Hacking Team has a legitimate Apple enterprise signing certificate, which is used to create software that can be installed by employees of a company who also accept or have installed a profile that allows use of apps signed by the certificate. It was shown last November that an enterprise certificate combined with a jailbroken iOS device could be used to bypass iOS protections on installing apps. Further, Hacking Team had developed a malicious Newsstand app that could capture keystrokes and install its monitoring software."<br />
<br />
[https://twitter.com/esizkur/status/618338087035379712 Tweet by @esikur (Ralf (RPW))] (July 7, 2015): "Just did an OCSP check: Apple has revoked HT's enterprise certificate. (Reason: keyCompromise, Revocation Time: Jul 7 03:38:10 2015 GMT)"<br />
<br />
=== YiSpecter (October 2015) ===<br />
<br />
YiSpecter is malware that uses private APIs to perform malicious actions on both non-jailbroken and jailbroken iOS. It gets installed in the form of apps signed with enterprise certificates.<br />
<br />
[http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/ "YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs"] (Palo Alto Networks, October 4, 2015): "YiSpecter consists of four different components that are signed with enterprise certificates. By abusing private APIs, these components download and install each other from a command and control (C2) server...Previously, the malware WireLurker demonstrated the ability to infected non-jailbroken iOS devices by abusing enterprise certificates, and academic researchers have discussed how private APIs can be used to implement sensitive functionalities in iOS. However, YiSpecter is the first real world iOS malware that combines these two attack techniques and causes harm to a wider range of users."<br />
<br />
[[Category:Malware research]]</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=User:Britta&diff=48704User:Britta2015-10-11T05:38:10Z<p>Britta: updating</p>
<hr />
<div>I'm [https://twitter.com/brittagus @brittagus], and I worked for SaurikIT from March 2011 to September 2015, on projects including supporting this wiki.<br />
<br />
Some articles that I've contributed to and try to maintain as reasonably accurate: [[Bricked]], [[JailbreakCon]], [[Cydia Errors]], [[Scam Jailbreaks and Unlocks]], [[Open Source Jailbreaking Tools]], [[Up to Speed]], [[Misuse of enterprise and developer certificates]], [[Tethered jailbreak]], [[GID Key]], [[Hacking Team]], [[Malware for iOS]].</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=Malware_for_iOS&diff=48703Malware for iOS2015-10-11T05:33:32Z<p>Britta: mentioning YiSpecter</p>
<hr />
<div>This is a list of known malware (including spyware, adware, trojans, viruses, worms, and similar tools) that have targeted iOS, including jailbroken iOS. The dates are approximate dates when people discovered, publicized, or started discussing the tool. '''You can help expand this article with more examples and details. To edit it, [[The iPhone Wiki:Account creation|request an account on TheiPhoneWiki]].'''<br />
<br />
The goal of this list is to aid better understanding of the risks of using iOS and jailbroken iOS - it's helpful to have as much accurate information as you can. If you're concerned about avoiding malware on your jailbroken device, check out [https://www.reddit.com/r/jailbreak/wiki/howtoresearch this guide to making informed guesses about whether packages are reasonable to install].<br />
<br />
Some context: <br />
* Some of these tools targeted old iOS versions and do not work on current iOS versions.<br />
* Some of these are harmful and some are merely annoying.<br />
* Many of these require the device to be jailbroken, and some work on non-jailbroken devices (including via [[misuse of enterprise and developer certificates]]).<br />
* Cydia is an open platform - it includes a specific set of default repositories, and it also allows users to type in any third-party repository that they want to use (much like a web browser that allows you to visit any website). Anyone can run a third-party repository and distribute any software they choose to distribute.<br />
* Some of these tools are built to target specific people instead of the general public.<br />
* Especially for malware that targets a specific person and requires the device to be jailbroken (such as commercial spyware tools used by governments and [http://www.forbes.com/sites/sarahjeong/2014/10/28/surveillance-begins-at-home/ people spying on family members]), it's important to consider that ''the vulnerabilities in iOS that allow it to be exploited with a jailbreak'' are part of what allows that malware to exist - the process may include finding a way to secretly jailbreak the target's device if it's not jailbroken already.<br />
<br />
For an earlier list of known malware, see [https://blog.fortinet.com/post/ios-malware-does-exist "iOS Malware Does Exist"] (June 2014).<br />
<br />
== Tools found in the wild that target the public ==<br />
<br />
=== iKee and Duh (November 2009) ===<br />
<br />
The [[Ikee-virus]] (also called Eeki) is a worm transmitted between jailbroken devices that have OpenSSH installed and haven't changed the default root password. It changes the lockscreen background to a photo of Rick Astley.<br />
<br />
Two weeks later, the similar [https://nakedsecurity.sophos.com/2009/11/23/lightning-strikes-iphone-malware-malicious/ Duh worm] spread, which was "much more serious than the original Ikee worm because it is not limited to infecting iPhone users in Australia, and communicates with an internet Control & Command centre, downloading new instructions - effectively turning your iPhone into part of a botnet."<br />
<br />
=== "Find and Call" (July 2012) ===<br />
<br />
Find and Call was an app on the App Store that automatically uploaded users' contact lists to the company's server, then spammed those contacts with a link to the app ("from" that user). This undisclosed, unwanted behavior makes the software fit the definition of a trojan. Articles: [https://securelist.com/blog/incidents/33544/find-and-call-leak-and-spam-57/ Kaspersky SecureList], [http://arstechnica.com/apple/2012/07/find-and-call-app-becomes-first-trojan-to-appear-on-ios-app-store/ Ars Technica], [https://nakedsecurity.sophos.com/2012/07/06/find-call-ios-android-malware/ Sophos NakedSecurity]. It is also called FindCall.<br />
<br />
=== Packages by Nobitazzz (August 2012 and September 2013) ===<br />
<br />
A tweak developer who went by various names (Felix, FelixCat, isoftjsc, Martin Pham, Nitram88, Nobitazzz, Nobita.ZZZ, Sara_Nobita, sara_nobita_zzz, tuyentq2009, vietSARA) included adware in his tweaks. These were many free packages along with some paid packages sold via the Cydia Store, mostly distributed by default repositories (until the problem was discovered). The adware ran ads in the background of iOS, displaying off-screen so that the user wouldn't notice them, with the revenue from those ads going to this tweak developer. This was [http://modmyi.com/forums/cydia-support/810633-new-adware-malware-found-cydia.html first reported in August 2012 on the ModMyi forum] and [http://ryanhileman.info/posts/webgl analyzed in September 2013] ([https://www.reddit.com/r/jailbreak/comments/1n5702/anatomy_of_a_jailbreak_trojan/ discussion on Reddit]).<br />
<br />
Packages by this developer included: Animated ICS LockScreen & HomeScreen, BetterChrome, Chrome Download Enabler, ChromeMe, Enable Copy text in Facebook app, Enable WebGL, Facebook Photo Library integration, FacebookThis, Handwriting recognition, Insta9gag, InstaFacebook for NotificationCenter, Instagram Image saver, InstaSocial for Notification Center, InstaTwitter for NotificationCenter, iOS 6 Photos Menu, Make Gmail as default, Notification Lunar Calendar, Olympic 2012 Medal for Notification Center, PhotoFilters, Sara, Sara Dictation Keyboard, VoiceTweet.<br />
<br />
=== AdThief/Spad (March and August 2014) ===<br />
<br />
AdThief (also called Spad) is malware targeting jailbroken iOS devices, which "tweaks a developer ID that’s intended to tell ad developers when their ads are either viewed or clicked and in turn, generate revenue. In the malware’s case, infected devices funnel those small payments away from the developers to the hacker", as [https://threatpost.com/adthief-ios-malware-affecting-75k-jailbroken-devices/107907 explained by Kaspersky Threatpost]. Security researchers estimated it had infected 75,000 devices.<br />
<br />
=== Unflod (April 2014) ===<br />
<br />
[[Unflod]] is a malicious piece of software targeting jailbroken iOS devices, which attempts to capture the user's Apple ID and password by using MobileSubstrate to hook into the SSLWrite function of Security.framework and then listening to data passed to it. Once the Apple ID and password are captured, it is sent to a Chinese IP address. It was inadvertently discovered by a Reddit user on April 17th, 2014. Also called "Unflod Baby Panda" and "SSLCreds".<br />
<br />
=== AppBuyer (September 2014) ===<br />
<br />
AppBuyer, as discussed in [http://researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/ this article by Palo Alto Networks], is "malware will connect to C&C server, download and execute malicious executable files, hook network APIs to steal user’s Apple ID and password and upload to the attacker’s server, and simulate Apple’s proprietary protocols to buy apps from the official App Store by victim’s identity." It targets jailbroken devices.<br />
<br />
=== WireLurker and Masque Attack (November 2014) ===<br />
<br />
As discussed at [[Misuse of enterprise and developer certificates]]: [http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/ according to Palo Alto Networks], WireLurker is "a family of malware targeting both Mac OS and iOS systems for the past six months...It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning."<br />
<br />
Masque Attacks are a related technique, also [https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html discussed by Palo Alto Networks]: "an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier."<br />
<br />
=== Xsser mRAT (December 2014) ===<br />
<br />
Xsser mRAT is a piece of malware that targets jailbroken devices. [https://blogs.akamai.com/2014/12/ios-and-android-os-targeted-by-man-in-the-middle-attacks.html As described by Akamai]: "The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server."<br />
<br />
=== Lock Saver Free (July 2015) ===<br />
<br />
Lock Saver Free is a free tweak, originally distributed on a default repository (removed from the repository after discovery of the problem), that installs an extra tweak that hooks into ad banners to insert its own ad identifier, presumably in order to give ad revenue to the author of the tweak instead of to the author of the website/app where the ad was found. [https://www.reddit.com/r/jailbreak/comments/3eis8g/news_lock_saver_free_contains_a_trojan_that/ Discussion on Reddit].<br />
<br />
=== KeyRaider (August 2015) ===<br />
<br />
KeyRaider, as discussed in [http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/ this article by Palo Alto Networks], is a piece of malware for jailbroken devices that "steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device." These security researchers said it has over 225,000 stolen accounts in its database.<br />
<br />
=== XcodeGhost (September 2015) ===<br />
<br />
XcodeGhost is a form of malware that was found in some unofficial redistributions of Xcode targeted at Chinese developers (who often download redistributed copies because official Apple download speeds are slow in China). XcodeGhost infects apps compiled with those versions of Xcode, which included at least 39 apps published in the iOS App Store. Palo Alto Networks published a series of posts about it: [http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/ original post explaining it], [http://researchcenter.paloaltonetworks.com/2015/09/malware-xcodeghost-infects-39-ios-apps-including-wechat-affecting-hundreds-of-millions-of-users/ a list of additional infected apps on the App Store], [http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/ more about its capabilities]. It adds code that can upload device and app information to a central server, create fake iCloud password signin prompts, and read and write from the copy-and-paste clipboard.<br />
<br />
=== YiSpecter (October 2015) ===<br />
<br />
YiSpecter, [http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/ also discussed by Palo Alto Networks], is malware that uses private APIs to perform malicious actions on both non-jailbroken and jailbroken iOS. It gets installed in the form of apps signed with [[Misuse of enterprise and developer certificates|enterprise certificates]]. Palo Alto Networks says "On infected iOS devices, YiSpecter can download, install and launch arbitrary iOS apps, replace existing apps with those it downloads, hijack other apps’ execution to display advertisements, change Safari’s default search engine, bookmarks and opened pages, and upload device information to the C2 server."<br />
<br />
== Tools used by governments (and similar) to target individuals ==<br />
<br />
=== FinSpy Mobile (August 2012) ===<br />
<br />
FinFisher is a suite of commercial surveillance tools sold to governments, which have been used to target activists and other people. The suite [https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/ includes spyware tools for many mobile operating systems, including iOS].<br />
<br />
=== DROPOUTJEEP (December 2013) ===<br />
<br />
In December 2013, a conference presentation included information about a NSA tool called DROPOUTJEEP: [http://www.forbes.com/sites/erikkain/2013/12/30/the-nsa-reportedly-has-total-access-to-your-iphone/ "a software implant for the Apple iPhone that utilizes modular mission applications to provide specific SIGINT functionality. This functionality includes the ability to remotely push/pull files from the device. SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell tower location, etc. Command, control and data exfiltration can occur over SMS messaging or a GPRS data connection. All communications with the implant will be covert and encrypted.”] The information was from an internal NSA software catalog from 2008. The presenter speculated that Apple had helped build this tool, and [http://techcrunch.com/2013/12/31/apple-says-it-has-never-worked-with-nsa-to-create-iphone-backdoors-is-unaware-of-alleged-dropoutjeep-snooping-program/ Apple said it "has never worked with the NSA to create a backdoor in any of our products"].<br />
<br />
=== Hacking Team tools (June 2014 and July 2015) ===<br />
<br />
[[Hacking Team]] is a company that "sells offensive intrusion and surveillance capabilities to governments and law enforcement agencies", including iOS spyware tools. The iOS spyware tools appear designed for targeting/attacking specific people, not for broad surveillance of the public. Their main tool (Remote Control System) requires a jailbroken device, and they were researching options for non-jailbroken devices.<br />
<br />
=== Inception (December 2014) ===<br />
<br />
Inception is an "attack framework" from an unknown source that targets individuals to steal information, using phishing emails and other techniques along with malware for iOS and other mobile operating systems, described in [https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware this post by security researchers who identified it]. According to [http://images.machspeed.bluecoat.com/Web/BlueCoat/%7B7f2dda62-f240-48dc-b05e-5cc620747b73%7D_bcs_wp_The_Inception_Framework_Cloud-Hosted_APT_EN_1d.pdf the whitepaper from those security researchers], a target may receive a phishing email with a link that says it's a WhatsApp update, and if clicked on jailbroken iOS, it triggers "the download of a Debian installer package, WhatsAppUpdate.deb, also 1.2Mb in size. This application impersonates a Cydia installer, and can only be installed on a jailbroken phone" (page 23). It's unclear what they mean by "impersonates a Cydia installer", but a .deb file is the standard format for software packages installable via Cydia. The iOS malware collects the device's [[ICCID]], address book, phone number, MAC address, and other information.<br />
<br />
Another group of security researchers also identified this attack framework [http://www.cso.com.au/article/562325/sophisticated-malware-targets-execs-pcs-android-blackberry-ios-devices/ and called it Cloud Atlas].<br />
<br />
More articles: [http://appleinsider.com/articles/14/12/11/massive-sophisticated-inception---cloud-atlas-malware-infects-windows-and-android-but-cant-exploit-apples-ios-without-jailbreak Apple Insider], [http://www.forbes.com/sites/thomasbrewster/2014/12/10/iphone-android-attacks-on-diplomats/ Forbes]. There is a sample download [http://contagiominidump.blogspot.de/2014/12/cloud-atlas-inception-ios.html available via this blog].<br />
<br />
=== XAgent (February 2015) ===<br />
<br />
XAgent is a surveillance tool targeting specific people (such as people in governments, the military, and journalists) that can affect both non-jailbroken and jailbroken devices, as described in [http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/ this article by Trend Micro]. Also [http://www.pcworld.com/article/2880152/new-spyware-targets-ios-devices-steals-pictures-and-data.html covered by PCWorld].<br />
<br />
== Tools developed as part of research ==<br />
<br />
=== iSAM (June 2011) ===<br />
<br />
iSAM is a malware tool [http://link.springer.com/chapter/10.1007%2F978-3-642-21424-0_2 developed by security researchers] as a proof of concept. It affects both jailbroken and not-yet-jailbroken devices: it scans for jailbroken devices that have SSH running and the default root password, and it also includes a malicious version of the [[Star]] exploit (JailbreakMe 2.0) so it can jailbreak a device that isn't jailbroken yet.<br />
<br />
=== Instastock (November 2011) ===<br />
<br />
Charlie Miller, a security researcher, [http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/ submitted an app to the App Store called Instastock] to demonstrate "a flaw in Apple’s restrictions on code signing on iOS devices". The app was initially accepted and then pulled from the store.<br />
<br />
=== Mactans (July 2013) ===<br />
<br />
At the Black Hat 2013 conference, security researchers presented a tool called Mactans, a small device that looks like a charger but [http://www.zdnet.com/article/researchers-reveal-how-to-hack-an-iphone-in-60-seconds/ can insert malware if you plug an iOS device into it]. The iOS device does not have to be jailbroken.<br />
<br />
=== Jekyll (August 2013) ===<br />
<br />
At the USENIX Security Symposium in 2013, security researchers described a method for getting a malicious app approved for the App Store, [http://www.theguardian.com/technology/appsblog/2013/aug/19/ios-malware-apple-iphone-ipad-jekyll "created with remotely-exploitable vulnerabilities built in, masked by legitimate features to evade detection during the App Store approval process, but ready to be triggered once the app was installed on an iOS device."] They successfully got an app approved for the App Store with this method (which [http://arstechnica.com/security/2013/08/seemingly-benign-jekyll-app-passes-apple-review-then-becomes-evil/ "was only active for a few minutes following its launch in March, and during that time it wasn't installed by anyone not involved in the experiment"]).<br />
<br />
=== XARA attacks (June 2015) ===<br />
<br />
Security researchers found methods for "cross-app resource access" (XARA) attacks on OS X and iOS, and they submitted malicious proof-of-concept apps to the Mac and iOS App Store. Apple approved the apps, and the researchers immediately removed them from the stores. These XARA attacks were ways of bypassing the sandboxes that are supposed to prevent an app from accessing files that don't belong to that app, [https://drive.google.com/file/d/0BxxXk1d3yyuZOFlsdkNMSGswSGs/view described by the security researchers in a paper]. [http://arstechnica.com/security/2015/06/serious-os-x-and-ios-flaws-let-hackers-steal-keychain-1password-contents/ Ars Technica article].<br />
<br />
=== NeonEggShell (August 2015) ===<br />
<br />
[http://neoneggplants.com/projects/neoneggshell/ NeonEggShell] is a command shell creation tool for iOS and OS X. The author says "This project is a proof of concept way to demon strate how easy it is to take over a whole device with a piece of code no bigger than a twitter post." The project includes tools for making payloads for jailbroken iOS, with features such as keylogging and location tracking. By default, the tool includes a "prompt that asks for permission before allowing any connection to the remote server."<br />
<br />
== Tools for sale to the public to target individuals ==<br />
<br />
=== 1mole ===<br />
<br />
[http://www.bosspy.com/user/iphoneos.aspx 1mole] is a spying tool available to the public via their own repository, authored by Bosspy. It describes itself [http://www.bosspy.com/user/default.aspx on its website] as "For Parents" ("Have your children going home after school? Consult their GPS position to be sure."), "For individuals" ("You think about your lost or stolen mobile phone."), and "For Employers" ("Install the software on your business phones and locate them in real time"). Its feature list includes "Track GPS locations" and "Capture the lock sreen passcode" for free, and "Record text messages", "Log Calls details", "Website monitoring", and "Keylogger" as paid services.<br />
<br />
=== Copy9 ===<br />
<br />
[http://cydia.saurik.com/package/com.goldenspy.copy9/ Copy9] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Copy9. It describes itself as "will be installed on target iDevice to find out a thief, cheating spouses, monitor chidren/employees or simply backup data from your devices to our cloud server. This is the best spyware on the world in spying field." [http://copy9.com/ Copy9 website].<br />
<br />
=== Copy10 ===<br />
<br />
[http://cydia.saurik.com/package/com.copy10.copy10/ Copy10] is a similar but separate spying tool available to the public via the ModMyi repository (a default repository), authored by IntelMobi/goldenspy. Their description includes "Are you having trust issues in your relationship? Sign that your kid's personality has changed and their behaviors, does your teenager hang out with friends you're concerned about? What if you believe one of your employees is a spy or is stealing company's technology, intellectual property or trade secrets?" [https://www.intelmobi.com/ IntelMobi website].<br />
<br />
=== FlexiSPY ===<br />
<br />
[http://www.flexispy.com/en/iphone-tracker-spy-on-iphone.htm FlexiSPY] is a spying tool available to the public presumably via their own repository (this isn't specified on their website, but it's specified that you need the device to be jailbroken), authored by Flexispy, Ltd. Their website says "If you have a committed relationship with your partner or are responsible for a child or employee YOU HAVE A RIGHT TO KNOW To protect your relationship, spy on their iPhone."<br />
<br />
=== iKeyGuard Key Logger ===<br />
<br />
[http://cydia.saurik.com/package/com.ikeyguard.ikg/ iKeyGuard Key Logger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by iKeyGuard. Its description includes "Warning: Logging other people without their permission might be illegal in your country! Make sure you abide by your local law."<br />
<br />
=== iKeyMonitor keylogger ===<br />
<br />
[http://cydia.saurik.com/package/com.aw.mobile.ikm/ iKeyMonitor keylogger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Awosoft Technology. [http://ikeymonitor.com/ Its website] includes "How to monitor your children's cell phone to discover the truth and protect them from potential dangers? Now with iKeyMonitor you can uncover the truth by secretly monitoring mobile phones and tablets such as iPhone/iPad/iPod and Android device."<br />
<br />
=== InnovaSPY ===<br />
<br />
[http://cydia.saurik.com/package/com.innovaspy.innovaspy/ InnovaSPY] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Innovaspy. Its description says "Perfect iPhone spy app" and lists reasons to use it as "Protect your child from cyber predators" and "Find out THE TRUE from cheating spouse?" Related package: [http://cydia.saurik.com/package/com.innovaspy.innovamonitor/ InnovaMonitor], a monitoring app for use with the spy tool. [http://innovaspy.com/ InnovaSPY website].<br />
<br />
=== Mobile Spy ===<br />
<br />
[http://www.mobile-spy.com/iphone-v7.html Mobile Spy] is a spying tool available to the public via their own repository, authored by Retina-X Studios. [http://www.mobile-spy.com/ Their website] says "View your Child or Employee's Smartphone and Tablet Usage. Monitor text messages, GPS locations, call details, photos and social media activity. View the screen and location LIVE!"<br />
<br />
=== MobiStealth ===<br />
<br />
[http://www.mobistealth.com/iphone-spy MobiStealth] is a spying tool available to the public for both [http://www.mobistealth.com/iphone-spy jailbroken iOS] (presumably installed via their own repository) and [http://www.mobistealth.com/ios-non-jailbreak non-jailbroken iOS] ("All that you require is the Apple ID and password of the iPhone or iPad that you want to monitor to get remote access to"). Their website includes "Are your employees misusing company owned phones? Are your kids getting more possessed and do not want to share anything with you? Stop wondering and thinking all day long, Mobistealth iPhone spy app is exactly what you need."<br />
<br />
=== mSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.mtechnology.mspy.trial/ mSpy] is a spying tool available to the public via the BigBoss repository (a default repository), authored by Mtechnology. Its description of itself: "mSpy is the best tracking and spy application that allows users to keep a check on the cell phone activities of their kids other family members or employees in order to avoid any unwanted behavior or for safety purposes."<br />
<br />
The mSpy website [http://www.mspy.com/compatibility.html indicates that they also have a version for non-jailbroken devices].<br />
<br />
In May 2015, [http://krebsonsecurity.com/2015/05/mspy-denies-breach-even-as-customers-confirm-it/ mSpy had a customer data breach].<br />
<br />
=== OwnSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.ownspy.daemon/ OwnSpy] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Antonio Calatrava. It describes itself as "Spy your own iPhone or iPad", with call recording, location tracking, and other features. It has a warning that says "Installing OwnSpy on a device that does not belong to you is a criminal offense and may be prosecuted. Mobile Innovations will help authorities if required." [http://en.ownspy.com/P000001-install-on-ios OwnSpy website].<br />
<br />
=== Spy App ===<br />
<br />
[http://cydia.saurik.com/package/com.spyapp.daemon/ Spy App] is a spying tool available to the public via the ModMyi repository (a default repository), authored by dmarinov. Its description includes "Remotely spy SMS, Emails, Call Logs, GPS Location, Key presses (Keylogger)" and other features. It says it is "absolutely invisible and undetectable."<br />
<br />
=== SpyKey ===<br />
<br />
[http://cydia.saurik.com/package/com.kobisnir.spykey/ SpyKey] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Kobi Snir. Its description includes "a simple app that let you monitor your PC Keyboard activity in real time, Simply connect your iphone to your compute using your Wifi or 3G connection and start monitoring." The [http://www.ioslinks.com/spykey/ SpyKey website] includes "Great use for parental control purposes, protect your kids from chating with strangers!", "Discover usernames & passwords", and "Spy unfaithfull husband or wife."<br />
<br />
=== StealthGenie ===<br />
<br />
StealthGenie was a spying tool available to the public [http://blog.flexispy.com/remove-stealthgenie-iphone-android/ via their own repository]. It also supported other mobile operating systems. In November 2014, the person who advertised and sold this product was [http://www.justice.gov/opa/pr/man-pleads-guilty-selling-stealthgenie-spyware-app-and-ordered-pay-500000-fine charged with a federal crime and fined $500,000]. The charge was "sale of an interception device and advertisement of a known interception device", a wiretapping crime. [http://www.forbes.com/sites/kashmirhill/2014/09/30/stealthgenie-ugly-marketing-of-spyware/ A Forbes article] says "according to the FBI, Akbar and his team developed an internal business plan that revealed that — duh — the primary target audience for the app was people who thought their partners were cheating." The Forbes article points out [[#Mobile Spy]], [[#mSpy]], [[#FlexiSPY]], and [[#MobiStealth]] as similar products.<br />
<br />
=== Trapsms ===<br />
<br />
Trapsms was an early spying tool available to the public, [http://blog.fortinet.com/post/detecting-spyware-for-iphones described in this post by a security researcher in July 2009]. She says: "The spyware installs on any jailbroken iPhone. In Cydia (an iPhone front-end to help installing third-party applications), you first add the URL of the spyware's repository and then install the two spyware packages."<br />
<br />
[[Category:Malware research]]</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=The_iPhone_Wiki:Account_creation&diff=47982The iPhone Wiki:Account creation2015-09-22T08:02:47Z<p>Britta: (removing myself from this list at least for now)</p>
<hr />
<div>The following wiki [{{FULLURL:Special:ListUsers|group=sysop}} administrators] would be happy to set up a wiki account for you. Just send one of them a note saying that you'd like an account on TheiPhoneWiki, and include your preferred username and email address.<br />
<br />
== [[User:5urd|5urd]] ==<br />
From [[User:5urd]]: "If you would like an account, please contact me by email only; any other method will be ignored. Be sure to include your name and the username you request in the email, otherwise I will ignore your request."<br />
* '''[mailto:coleharrisjohnson@gmail.com E-mail]'''<br />
<br />
== [[User:Dialexio|Dialexio]] ==<br />
I will only fulfill account creation requests via an email to the following email address. Requests sent via any other method (such as Twitter) may be rejected without notice.<br />
<br />
You do not need to provide a password (this will actually be ignored since the system will automatically generate one), but '''you must provide a username'''.<br />
<br />
<!--This is meant to look extremely unreadable. Do not link this email address or attempt to clean this up.--><br />
* '''Email:''' <<span>D</span>i<i id="whoami" style="display:none; visibility:hidden; display:inline; font-style:normal; visibility:visible;">alex</i><ins style="text-decoration:none; font-style:italic; text-decoration:none; font-style:normal; display:inline;">io</ins>.<b id="dva" style="display:inline !important; font-weight:inherit; text-decoration:none;">tsu</b>ku<span id="dogface" style="display:inline; display:none;"><b style="display:inline !important;">&nbsp;&#64;&nbsp@&nbsp;&#64;&nbsp;&#64;&nbsp;</b></span><small style="font-size:inherit;">t</small>te<span style="display:block; display:inline; display:none;">antispam</span>&#64;<span style="display:inline; color:#ff0; display:none;">go</span>o<b style="display:block; display:block; visibility:hidden; display:none; visibility:hidden;"><span style="display:none; display:none !important;">gle </span>+yahoomail</b>ut<span id="where" style="display:block; display:none; display:inline; visibility:visible;">look</span><span style="display:none;">.com.com.</span><div style="display:block; position:absolute; top:0px; left:20%; display:none; color:red;">com><</div>.co<span style="display:none; display:none;">.uk </span><del style="text-decoration:none;">m</del>><br />
<br />
Please remove this email address from your contacts after sending a request; I don't want any invites to Dropbox, LinkedIn, or whatever.<br />
<br />
== [[User:http|http]] ==<br />
Contact me on Twitter for a new account to this wiki.<br />
* [https://www.twitter.com/SwissHttp Twitter: SwissHttp]<br />
<br />
== [[User:kirb|kirb]] ==<br />
Email me at '''[mailto:adam+iphonewiki@hbang.ws?subject=The%20iPhone%20Wiki%20Account%20Request adam+iphonewiki@hbang.ws]''' with your desired username. The wiki will email you a temporary password. <br />
<br />
== [[User:iAdam1n|iAdam1n]] ==<br />
* [mailto:adaminsull@me.com?subject=The%20iPhone%20Wiki%20Account%20Request Email]<br />
* [https://twitter.com/iAdam1n Twitter]<br />
<br />
If you want an account, please list the username you want and the email address you want to use on the wiki. It will email you a temporary password.<br />
<br />
__NOTOC__</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=Malware_for_iOS&diff=47963Malware for iOS2015-09-19T20:51:21Z<p>Britta: /* XCodeGhost (September 2015) */ fixing capitalization</p>
<hr />
<div>This is a list of known malware (including spyware, adware, trojans, viruses, worms, and similar tools) that have targeted iOS, including jailbroken iOS. The dates are approximate dates when people discovered, publicized, or started discussing the tool. '''You can help expand this article with more examples and details. To edit it, [[The iPhone Wiki:Account creation|request an account on TheiPhoneWiki]].'''<br />
<br />
The goal of this list is to aid better understanding of the risks of using iOS and jailbroken iOS - it's helpful to have as much accurate information as you can. If you're concerned about avoiding malware on your jailbroken device, check out [https://www.reddit.com/r/jailbreak/wiki/howtoresearch this guide to making informed guesses about whether packages are reasonable to install].<br />
<br />
Some context: <br />
* Some of these tools targeted old iOS versions and do not work on current iOS versions.<br />
* Some of these are harmful and some are merely annoying.<br />
* Many of these require the device to be jailbroken, and some work on non-jailbroken devices (including via [[misuse of enterprise and developer certificates]]).<br />
* Cydia is an open platform - it includes a specific set of default repositories, and it also allows users to type in any third-party repository that they want to use (much like a web browser that allows you to visit any website). Anyone can run a third-party repository and distribute any software they choose to distribute.<br />
* Some of these tools are built to target specific people instead of the general public.<br />
* Especially for malware that targets a specific person and requires the device to be jailbroken (such as commercial spyware tools used by governments and [http://www.forbes.com/sites/sarahjeong/2014/10/28/surveillance-begins-at-home/ people spying on family members]), it's important to consider that ''the vulnerabilities in iOS that allow it to be exploited with a jailbreak'' are part of what allows that malware to exist - the process may include finding a way to secretly jailbreak the target's device if it's not jailbroken already.<br />
<br />
For an earlier list of known malware, see [https://blog.fortinet.com/post/ios-malware-does-exist "iOS Malware Does Exist"] (June 2014).<br />
<br />
== Tools found in the wild that target the public ==<br />
<br />
=== iKee and Duh (November 2009) ===<br />
<br />
The [[Ikee-virus]] (also called Eeki) is a worm transmitted between jailbroken devices that have OpenSSH installed and haven't changed the default root password. It changes the lockscreen background to a photo of Rick Astley.<br />
<br />
Two weeks later, the similar [https://nakedsecurity.sophos.com/2009/11/23/lightning-strikes-iphone-malware-malicious/ Duh worm] spread, which was "much more serious than the original Ikee worm because it is not limited to infecting iPhone users in Australia, and communicates with an internet Control & Command centre, downloading new instructions - effectively turning your iPhone into part of a botnet."<br />
<br />
=== "Find and Call" (July 2012) ===<br />
<br />
Find and Call was an app on the App Store that automatically uploaded users' contact lists to the company's server, then spammed those contacts with a link to the app ("from" that user). This undisclosed, unwanted behavior makes the software fit the definition of a trojan. Articles: [https://securelist.com/blog/incidents/33544/find-and-call-leak-and-spam-57/ Kaspersky SecureList], [http://arstechnica.com/apple/2012/07/find-and-call-app-becomes-first-trojan-to-appear-on-ios-app-store/ Ars Technica], [https://nakedsecurity.sophos.com/2012/07/06/find-call-ios-android-malware/ Sophos NakedSecurity]. It is also called FindCall.<br />
<br />
=== Packages by Nobitazzz (August 2012 and September 2013) ===<br />
<br />
A tweak developer who went by various names (Felix, FelixCat, isoftjsc, Martin Pham, Nitram88, Nobitazzz, Nobita.ZZZ, Sara_Nobita, sara_nobita_zzz, tuyentq2009, vietSARA) included adware in his tweaks. These were many free packages along with some paid packages sold via the Cydia Store, mostly distributed by default repositories (until the problem was discovered). The adware ran ads in the background of iOS, displaying off-screen so that the user wouldn't notice them, with the revenue from those ads going to this tweak developer. This was [http://modmyi.com/forums/cydia-support/810633-new-adware-malware-found-cydia.html first reported in August 2012 on the ModMyi forum] and [http://ryanhileman.info/posts/webgl analyzed in September 2013] ([https://www.reddit.com/r/jailbreak/comments/1n5702/anatomy_of_a_jailbreak_trojan/ discussion on Reddit]).<br />
<br />
Packages by this developer included: Animated ICS LockScreen & HomeScreen, BetterChrome, Chrome Download Enabler, ChromeMe, Enable Copy text in Facebook app, Enable WebGL, Facebook Photo Library integration, FacebookThis, Handwriting recognition, Insta9gag, InstaFacebook for NotificationCenter, Instagram Image saver, InstaSocial for Notification Center, InstaTwitter for NotificationCenter, iOS 6 Photos Menu, Make Gmail as default, Notification Lunar Calendar, Olympic 2012 Medal for Notification Center, PhotoFilters, Sara, Sara Dictation Keyboard, VoiceTweet.<br />
<br />
=== AdThief/Spad (March and August 2014) ===<br />
<br />
AdThief (also called Spad) is malware targeting jailbroken iOS devices, which "tweaks a developer ID that’s intended to tell ad developers when their ads are either viewed or clicked and in turn, generate revenue. In the malware’s case, infected devices funnel those small payments away from the developers to the hacker", as [https://threatpost.com/adthief-ios-malware-affecting-75k-jailbroken-devices/107907 explained by Kaspersky Threatpost]. Security researchers estimated it had infected 75,000 devices.<br />
<br />
=== Unflod (April 2014) ===<br />
<br />
[[Unflod]] is a malicious piece of software targeting jailbroken iOS devices, which attempts to capture the user's Apple ID and password by using MobileSubstrate to hook into the SSLWrite function of Security.framework and then listening to data passed to it. Once the Apple ID and password are captured, it is sent to a Chinese IP address. It was inadvertently discovered by a Reddit user on April 17th, 2014. Also called "Unflod Baby Panda" and "SSLCreds".<br />
<br />
=== AppBuyer (September 2014) ===<br />
<br />
AppBuyer, as discussed in [http://researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/ this article by Palo Alto Networks], is "malware will connect to C&C server, download and execute malicious executable files, hook network APIs to steal user’s Apple ID and password and upload to the attacker’s server, and simulate Apple’s proprietary protocols to buy apps from the official App Store by victim’s identity." It targets jailbroken devices.<br />
<br />
=== WireLurker and Masque Attack (November 2014) ===<br />
<br />
As discussed at [[Misuse of enterprise and developer certificates]]: [http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/ according to Palo Alto Networks], WireLurker is "a family of malware targeting both Mac OS and iOS systems for the past six months...It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning."<br />
<br />
Masque Attacks are a related technique, also [https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html discussed by Palo Alto Networks]: "an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier."<br />
<br />
=== Xsser mRAT (December 2014) ===<br />
<br />
Xsser mRAT is a piece of malware that targets jailbroken devices. [https://blogs.akamai.com/2014/12/ios-and-android-os-targeted-by-man-in-the-middle-attacks.html As described by Akamai]: "The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server."<br />
<br />
=== Lock Saver Free (July 2015) ===<br />
<br />
Lock Saver Free is a free tweak, originally distributed on a default repository (removed from the repository after discovery of the problem), that installs an extra tweak that hooks into ad banners to insert its own ad identifier, presumably in order to give ad revenue to the author of the tweak instead of to the author of the website/app where the ad was found. [https://www.reddit.com/r/jailbreak/comments/3eis8g/news_lock_saver_free_contains_a_trojan_that/ Discussion on Reddit].<br />
<br />
=== KeyRaider (August 2015) ===<br />
<br />
KeyRaider, as discussed in [http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/ this article by Palo Alto Networks], is a piece of malware for jailbroken devices that "steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device." These security researchers said it has over 225,000 stolen accounts in its database.<br />
<br />
=== XcodeGhost (September 2015) ===<br />
<br />
XcodeGhost is a form of malware that was found in some unofficial redistributions of Xcode targeted at Chinese developers (who often download redistributed copies because official Apple download speeds are slow in China). XcodeGhost infects apps compiled with those versions of Xcode, which included at least 39 apps published in the iOS App Store. Palo Alto Networks published a series of posts about it: [http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/ original post explaining it], [http://researchcenter.paloaltonetworks.com/2015/09/malware-xcodeghost-infects-39-ios-apps-including-wechat-affecting-hundreds-of-millions-of-users/ a list of additional infected apps on the App Store], [http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/ more about its capabilities]. It adds code that can upload device and app information to a central server, create fake iCloud password signin prompts, and read and write from the copy-and-paste clipboard.<br />
<br />
== Tools used by governments (and similar) to target individuals ==<br />
<br />
=== FinSpy Mobile (August 2012) ===<br />
<br />
FinFisher is a suite of commercial surveillance tools sold to governments, which have been used to target activists and other people. The suite [https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/ includes spyware tools for many mobile operating systems, including iOS].<br />
<br />
=== DROPOUTJEEP (December 2013) ===<br />
<br />
In December 2013, a conference presentation included information about a NSA tool called DROPOUTJEEP: [http://www.forbes.com/sites/erikkain/2013/12/30/the-nsa-reportedly-has-total-access-to-your-iphone/ "a software implant for the Apple iPhone that utilizes modular mission applications to provide specific SIGINT functionality. This functionality includes the ability to remotely push/pull files from the device. SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell tower location, etc. Command, control and data exfiltration can occur over SMS messaging or a GPRS data connection. All communications with the implant will be covert and encrypted.”] The information was from an internal NSA software catalog from 2008. The presenter speculated that Apple had helped build this tool, and [http://techcrunch.com/2013/12/31/apple-says-it-has-never-worked-with-nsa-to-create-iphone-backdoors-is-unaware-of-alleged-dropoutjeep-snooping-program/ Apple said it "has never worked with the NSA to create a backdoor in any of our products"].<br />
<br />
=== Hacking Team tools (June 2014 and July 2015) ===<br />
<br />
[[Hacking Team]] is a company that "sells offensive intrusion and surveillance capabilities to governments and law enforcement agencies", including iOS spyware tools. The iOS spyware tools appear designed for targeting/attacking specific people, not for broad surveillance of the public. Their main tool (Remote Control System) requires a jailbroken device, and they were researching options for non-jailbroken devices.<br />
<br />
=== Inception (December 2014) ===<br />
<br />
Inception is an "attack framework" from an unknown source that targets individuals to steal information, using phishing emails and other techniques along with malware for iOS and other mobile operating systems, described in [https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware this post by security researchers who identified it]. According to [http://images.machspeed.bluecoat.com/Web/BlueCoat/%7B7f2dda62-f240-48dc-b05e-5cc620747b73%7D_bcs_wp_The_Inception_Framework_Cloud-Hosted_APT_EN_1d.pdf the whitepaper from those security researchers], a target may receive a phishing email with a link that says it's a WhatsApp update, and if clicked on jailbroken iOS, it triggers "the download of a Debian installer package, WhatsAppUpdate.deb, also 1.2Mb in size. This application impersonates a Cydia installer, and can only be installed on a jailbroken phone" (page 23). It's unclear what they mean by "impersonates a Cydia installer", but a .deb file is the standard format for software packages installable via Cydia. The iOS malware collects the device's [[ICCID]], address book, phone number, MAC address, and other information.<br />
<br />
Another group of security researchers also identified this attack framework [http://www.cso.com.au/article/562325/sophisticated-malware-targets-execs-pcs-android-blackberry-ios-devices/ and called it Cloud Atlas].<br />
<br />
More articles: [http://appleinsider.com/articles/14/12/11/massive-sophisticated-inception---cloud-atlas-malware-infects-windows-and-android-but-cant-exploit-apples-ios-without-jailbreak Apple Insider], [http://www.forbes.com/sites/thomasbrewster/2014/12/10/iphone-android-attacks-on-diplomats/ Forbes]. There is a sample download [http://contagiominidump.blogspot.de/2014/12/cloud-atlas-inception-ios.html available via this blog].<br />
<br />
=== XAgent (February 2015) ===<br />
<br />
XAgent is a surveillance tool targeting specific people (such as people in governments, the military, and journalists) that can affect both non-jailbroken and jailbroken devices, as described in [http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/ this article by Trend Micro]. Also [http://www.pcworld.com/article/2880152/new-spyware-targets-ios-devices-steals-pictures-and-data.html covered by PCWorld].<br />
<br />
== Tools developed as part of research ==<br />
<br />
=== iSAM (June 2011) ===<br />
<br />
iSAM is a malware tool [http://link.springer.com/chapter/10.1007%2F978-3-642-21424-0_2 developed by security researchers] as a proof of concept. It affects both jailbroken and not-yet-jailbroken devices: it scans for jailbroken devices that have SSH running and the default root password, and it also includes a malicious version of the [[Star]] exploit (JailbreakMe 2.0) so it can jailbreak a device that isn't jailbroken yet.<br />
<br />
=== Instastock (November 2011) ===<br />
<br />
Charlie Miller, a security researcher, [http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/ submitted an app to the App Store called Instastock] to demonstrate "a flaw in Apple’s restrictions on code signing on iOS devices". The app was initially accepted and then pulled from the store.<br />
<br />
=== Mactans (July 2013) ===<br />
<br />
At the Black Hat 2013 conference, security researchers presented a tool called Mactans, a small device that looks like a charger but [http://www.zdnet.com/article/researchers-reveal-how-to-hack-an-iphone-in-60-seconds/ can insert malware if you plug an iOS device into it]. The iOS device does not have to be jailbroken.<br />
<br />
=== Jekyll (August 2013) ===<br />
<br />
At the USENIX Security Symposium in 2013, security researchers described a method for getting a malicious app approved for the App Store, [http://www.theguardian.com/technology/appsblog/2013/aug/19/ios-malware-apple-iphone-ipad-jekyll "created with remotely-exploitable vulnerabilities built in, masked by legitimate features to evade detection during the App Store approval process, but ready to be triggered once the app was installed on an iOS device."] They successfully got an app approved for the App Store with this method (which [http://arstechnica.com/security/2013/08/seemingly-benign-jekyll-app-passes-apple-review-then-becomes-evil/ "was only active for a few minutes following its launch in March, and during that time it wasn't installed by anyone not involved in the experiment"]).<br />
<br />
=== XARA attacks (June 2015) ===<br />
<br />
Security researchers found methods for "cross-app resource access" (XARA) attacks on OS X and iOS, and they submitted malicious proof-of-concept apps to the Mac and iOS App Store. Apple approved the apps, and the researchers immediately removed them from the stores. These XARA attacks were ways of bypassing the sandboxes that are supposed to prevent an app from accessing files that don't belong to that app, [https://drive.google.com/file/d/0BxxXk1d3yyuZOFlsdkNMSGswSGs/view described by the security researchers in a paper]. [http://arstechnica.com/security/2015/06/serious-os-x-and-ios-flaws-let-hackers-steal-keychain-1password-contents/ Ars Technica article].<br />
<br />
=== NeonEggShell (August 2015) ===<br />
<br />
[http://neoneggplants.com/projects/neoneggshell/ NeonEggShell] is a command shell creation tool for iOS and OS X. The author says "This project is a proof of concept way to demon strate how easy it is to take over a whole device with a piece of code no bigger than a twitter post." The project includes tools for making payloads for jailbroken iOS, with features such as keylogging and location tracking. By default, the tool includes a "prompt that asks for permission before allowing any connection to the remote server."<br />
<br />
== Tools for sale to the public to target individuals ==<br />
<br />
=== 1mole ===<br />
<br />
[http://www.bosspy.com/user/iphoneos.aspx 1mole] is a spying tool available to the public via their own repository, authored by Bosspy. It describes itself [http://www.bosspy.com/user/default.aspx on its website] as "For Parents" ("Have your children going home after school? Consult their GPS position to be sure."), "For individuals" ("You think about your lost or stolen mobile phone."), and "For Employers" ("Install the software on your business phones and locate them in real time"). Its feature list includes "Track GPS locations" and "Capture the lock sreen passcode" for free, and "Record text messages", "Log Calls details", "Website monitoring", and "Keylogger" as paid services.<br />
<br />
=== Copy9 ===<br />
<br />
[http://cydia.saurik.com/package/com.goldenspy.copy9/ Copy9] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Copy9. It describes itself as "will be installed on target iDevice to find out a thief, cheating spouses, monitor chidren/employees or simply backup data from your devices to our cloud server. This is the best spyware on the world in spying field." [http://copy9.com/ Copy9 website].<br />
<br />
=== Copy10 ===<br />
<br />
[http://cydia.saurik.com/package/com.copy10.copy10/ Copy10] is a similar but separate spying tool available to the public via the ModMyi repository (a default repository), authored by IntelMobi/goldenspy. Their description includes "Are you having trust issues in your relationship? Sign that your kid's personality has changed and their behaviors, does your teenager hang out with friends you're concerned about? What if you believe one of your employees is a spy or is stealing company's technology, intellectual property or trade secrets?" [https://www.intelmobi.com/ IntelMobi website].<br />
<br />
=== FlexiSPY ===<br />
<br />
[http://www.flexispy.com/en/iphone-tracker-spy-on-iphone.htm FlexiSPY] is a spying tool available to the public presumably via their own repository (this isn't specified on their website, but it's specified that you need the device to be jailbroken), authored by Flexispy, Ltd. Their website says "If you have a committed relationship with your partner or are responsible for a child or employee YOU HAVE A RIGHT TO KNOW To protect your relationship, spy on their iPhone."<br />
<br />
=== iKeyGuard Key Logger ===<br />
<br />
[http://cydia.saurik.com/package/com.ikeyguard.ikg/ iKeyGuard Key Logger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by iKeyGuard. Its description includes "Warning: Logging other people without their permission might be illegal in your country! Make sure you abide by your local law."<br />
<br />
=== iKeyMonitor keylogger ===<br />
<br />
[http://cydia.saurik.com/package/com.aw.mobile.ikm/ iKeyMonitor keylogger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Awosoft Technology. [http://ikeymonitor.com/ Its website] includes "How to monitor your children's cell phone to discover the truth and protect them from potential dangers? Now with iKeyMonitor you can uncover the truth by secretly monitoring mobile phones and tablets such as iPhone/iPad/iPod and Android device."<br />
<br />
=== InnovaSPY ===<br />
<br />
[http://cydia.saurik.com/package/com.innovaspy.innovaspy/ InnovaSPY] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Innovaspy. Its description says "Perfect iPhone spy app" and lists reasons to use it as "Protect your child from cyber predators" and "Find out THE TRUE from cheating spouse?" Related package: [http://cydia.saurik.com/package/com.innovaspy.innovamonitor/ InnovaMonitor], a monitoring app for use with the spy tool. [http://innovaspy.com/ InnovaSPY website].<br />
<br />
=== Mobile Spy ===<br />
<br />
[http://www.mobile-spy.com/iphone-v7.html Mobile Spy] is a spying tool available to the public via their own repository, authored by Retina-X Studios. [http://www.mobile-spy.com/ Their website] says "View your Child or Employee's Smartphone and Tablet Usage. Monitor text messages, GPS locations, call details, photos and social media activity. View the screen and location LIVE!"<br />
<br />
=== MobiStealth ===<br />
<br />
[http://www.mobistealth.com/iphone-spy MobiStealth] is a spying tool available to the public for both [http://www.mobistealth.com/iphone-spy jailbroken iOS] (presumably installed via their own repository) and [http://www.mobistealth.com/ios-non-jailbreak non-jailbroken iOS] ("All that you require is the Apple ID and password of the iPhone or iPad that you want to monitor to get remote access to"). Their website includes "Are your employees misusing company owned phones? Are your kids getting more possessed and do not want to share anything with you? Stop wondering and thinking all day long, Mobistealth iPhone spy app is exactly what you need."<br />
<br />
=== mSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.mtechnology.mspy.trial/ mSpy] is a spying tool available to the public via the BigBoss repository (a default repository), authored by Mtechnology. Its description of itself: "mSpy is the best tracking and spy application that allows users to keep a check on the cell phone activities of their kids other family members or employees in order to avoid any unwanted behavior or for safety purposes."<br />
<br />
The mSpy website [http://www.mspy.com/compatibility.html indicates that they also have a version for non-jailbroken devices].<br />
<br />
In May 2015, [http://krebsonsecurity.com/2015/05/mspy-denies-breach-even-as-customers-confirm-it/ mSpy had a customer data breach].<br />
<br />
=== OwnSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.ownspy.daemon/ OwnSpy] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Antonio Calatrava. It describes itself as "Spy your own iPhone or iPad", with call recording, location tracking, and other features. It has a warning that says "Installing OwnSpy on a device that does not belong to you is a criminal offense and may be prosecuted. Mobile Innovations will help authorities if required." [http://en.ownspy.com/P000001-install-on-ios OwnSpy website].<br />
<br />
=== Spy App ===<br />
<br />
[http://cydia.saurik.com/package/com.spyapp.daemon/ Spy App] is a spying tool available to the public via the ModMyi repository (a default repository), authored by dmarinov. Its description includes "Remotely spy SMS, Emails, Call Logs, GPS Location, Key presses (Keylogger)" and other features. It says it is "absolutely invisible and undetectable."<br />
<br />
=== SpyKey ===<br />
<br />
[http://cydia.saurik.com/package/com.kobisnir.spykey/ SpyKey] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Kobi Snir. Its description includes "a simple app that let you monitor your PC Keyboard activity in real time, Simply connect your iphone to your compute using your Wifi or 3G connection and start monitoring." The [http://www.ioslinks.com/spykey/ SpyKey website] includes "Great use for parental control purposes, protect your kids from chating with strangers!", "Discover usernames & passwords", and "Spy unfaithfull husband or wife."<br />
<br />
=== StealthGenie ===<br />
<br />
StealthGenie was a spying tool available to the public [http://blog.flexispy.com/remove-stealthgenie-iphone-android/ via their own repository]. It also supported other mobile operating systems. In November 2014, the person who advertised and sold this product was [http://www.justice.gov/opa/pr/man-pleads-guilty-selling-stealthgenie-spyware-app-and-ordered-pay-500000-fine charged with a federal crime and fined $500,000]. The charge was "sale of an interception device and advertisement of a known interception device", a wiretapping crime. [http://www.forbes.com/sites/kashmirhill/2014/09/30/stealthgenie-ugly-marketing-of-spyware/ A Forbes article] says "according to the FBI, Akbar and his team developed an internal business plan that revealed that — duh — the primary target audience for the app was people who thought their partners were cheating." The Forbes article points out [[#Mobile Spy]], [[#mSpy]], [[#FlexiSPY]], and [[#MobiStealth]] as similar products.<br />
<br />
=== Trapsms ===<br />
<br />
Trapsms was an early spying tool available to the public, [http://blog.fortinet.com/post/detecting-spyware-for-iphones described in this post by a security researcher in July 2009]. She says: "The spyware installs on any jailbroken iPhone. In Cydia (an iPhone front-end to help installing third-party applications), you first add the URL of the spyware's repository and then install the two spyware packages."<br />
<br />
[[Category:Malware research]]</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=Malware_for_iOS&diff=47945Malware for iOS2015-09-19T07:46:24Z<p>Britta: /* Tools found in the wild that target the public */ adding XCodeGhost</p>
<hr />
<div>This is a list of known malware (including spyware, adware, trojans, viruses, worms, and similar tools) that have targeted iOS, including jailbroken iOS. The dates are approximate dates when people discovered, publicized, or started discussing the tool. '''You can help expand this article with more examples and details. To edit it, [[The iPhone Wiki:Account creation|request an account on TheiPhoneWiki]].'''<br />
<br />
The goal of this list is to aid better understanding of the risks of using iOS and jailbroken iOS - it's helpful to have as much accurate information as you can. If you're concerned about avoiding malware on your jailbroken device, check out [https://www.reddit.com/r/jailbreak/wiki/howtoresearch this guide to making informed guesses about whether packages are reasonable to install].<br />
<br />
Some context: <br />
* Some of these tools targeted old iOS versions and do not work on current iOS versions.<br />
* Some of these are harmful and some are merely annoying.<br />
* Many of these require the device to be jailbroken, and some work on non-jailbroken devices (including via [[misuse of enterprise and developer certificates]]).<br />
* Cydia is an open platform - it includes a specific set of default repositories, and it also allows users to type in any third-party repository that they want to use (much like a web browser that allows you to visit any website). Anyone can run a third-party repository and distribute any software they choose to distribute.<br />
* Some of these tools are built to target specific people instead of the general public.<br />
* Especially for malware that targets a specific person and requires the device to be jailbroken (such as commercial spyware tools used by governments and [http://www.forbes.com/sites/sarahjeong/2014/10/28/surveillance-begins-at-home/ people spying on family members]), it's important to consider that ''the vulnerabilities in iOS that allow it to be exploited with a jailbreak'' are part of what allows that malware to exist - the process may include finding a way to secretly jailbreak the target's device if it's not jailbroken already.<br />
<br />
For an earlier list of known malware, see [https://blog.fortinet.com/post/ios-malware-does-exist "iOS Malware Does Exist"] (June 2014).<br />
<br />
== Tools found in the wild that target the public ==<br />
<br />
=== iKee and Duh (November 2009) ===<br />
<br />
The [[Ikee-virus]] (also called Eeki) is a worm transmitted between jailbroken devices that have OpenSSH installed and haven't changed the default root password. It changes the lockscreen background to a photo of Rick Astley.<br />
<br />
Two weeks later, the similar [https://nakedsecurity.sophos.com/2009/11/23/lightning-strikes-iphone-malware-malicious/ Duh worm] spread, which was "much more serious than the original Ikee worm because it is not limited to infecting iPhone users in Australia, and communicates with an internet Control & Command centre, downloading new instructions - effectively turning your iPhone into part of a botnet."<br />
<br />
=== "Find and Call" (July 2012) ===<br />
<br />
Find and Call was an app on the App Store that automatically uploaded users' contact lists to the company's server, then spammed those contacts with a link to the app ("from" that user). This undisclosed, unwanted behavior makes the software fit the definition of a trojan. Articles: [https://securelist.com/blog/incidents/33544/find-and-call-leak-and-spam-57/ Kaspersky SecureList], [http://arstechnica.com/apple/2012/07/find-and-call-app-becomes-first-trojan-to-appear-on-ios-app-store/ Ars Technica], [https://nakedsecurity.sophos.com/2012/07/06/find-call-ios-android-malware/ Sophos NakedSecurity]. It is also called FindCall.<br />
<br />
=== Packages by Nobitazzz (August 2012 and September 2013) ===<br />
<br />
A tweak developer who went by various names (Felix, FelixCat, isoftjsc, Martin Pham, Nitram88, Nobitazzz, Nobita.ZZZ, Sara_Nobita, sara_nobita_zzz, tuyentq2009, vietSARA) included adware in his tweaks. These were many free packages along with some paid packages sold via the Cydia Store, mostly distributed by default repositories (until the problem was discovered). The adware ran ads in the background of iOS, displaying off-screen so that the user wouldn't notice them, with the revenue from those ads going to this tweak developer. This was [http://modmyi.com/forums/cydia-support/810633-new-adware-malware-found-cydia.html first reported in August 2012 on the ModMyi forum] and [http://ryanhileman.info/posts/webgl analyzed in September 2013] ([https://www.reddit.com/r/jailbreak/comments/1n5702/anatomy_of_a_jailbreak_trojan/ discussion on Reddit]).<br />
<br />
Packages by this developer included: Animated ICS LockScreen & HomeScreen, BetterChrome, Chrome Download Enabler, ChromeMe, Enable Copy text in Facebook app, Enable WebGL, Facebook Photo Library integration, FacebookThis, Handwriting recognition, Insta9gag, InstaFacebook for NotificationCenter, Instagram Image saver, InstaSocial for Notification Center, InstaTwitter for NotificationCenter, iOS 6 Photos Menu, Make Gmail as default, Notification Lunar Calendar, Olympic 2012 Medal for Notification Center, PhotoFilters, Sara, Sara Dictation Keyboard, VoiceTweet.<br />
<br />
=== AdThief/Spad (March and August 2014) ===<br />
<br />
AdThief (also called Spad) is malware targeting jailbroken iOS devices, which "tweaks a developer ID that’s intended to tell ad developers when their ads are either viewed or clicked and in turn, generate revenue. In the malware’s case, infected devices funnel those small payments away from the developers to the hacker", as [https://threatpost.com/adthief-ios-malware-affecting-75k-jailbroken-devices/107907 explained by Kaspersky Threatpost]. Security researchers estimated it had infected 75,000 devices.<br />
<br />
=== Unflod (April 2014) ===<br />
<br />
[[Unflod]] is a malicious piece of software targeting jailbroken iOS devices, which attempts to capture the user's Apple ID and password by using MobileSubstrate to hook into the SSLWrite function of Security.framework and then listening to data passed to it. Once the Apple ID and password are captured, it is sent to a Chinese IP address. It was inadvertently discovered by a Reddit user on April 17th, 2014. Also called "Unflod Baby Panda" and "SSLCreds".<br />
<br />
=== AppBuyer (September 2014) ===<br />
<br />
AppBuyer, as discussed in [http://researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/ this article by Palo Alto Networks], is "malware will connect to C&C server, download and execute malicious executable files, hook network APIs to steal user’s Apple ID and password and upload to the attacker’s server, and simulate Apple’s proprietary protocols to buy apps from the official App Store by victim’s identity." It targets jailbroken devices.<br />
<br />
=== WireLurker and Masque Attack (November 2014) ===<br />
<br />
As discussed at [[Misuse of enterprise and developer certificates]]: [http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/ according to Palo Alto Networks], WireLurker is "a family of malware targeting both Mac OS and iOS systems for the past six months...It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning."<br />
<br />
Masque Attacks are a related technique, also [https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html discussed by Palo Alto Networks]: "an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier."<br />
<br />
=== Xsser mRAT (December 2014) ===<br />
<br />
Xsser mRAT is a piece of malware that targets jailbroken devices. [https://blogs.akamai.com/2014/12/ios-and-android-os-targeted-by-man-in-the-middle-attacks.html As described by Akamai]: "The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server."<br />
<br />
=== Lock Saver Free (July 2015) ===<br />
<br />
Lock Saver Free is a free tweak, originally distributed on a default repository (removed from the repository after discovery of the problem), that installs an extra tweak that hooks into ad banners to insert its own ad identifier, presumably in order to give ad revenue to the author of the tweak instead of to the author of the website/app where the ad was found. [https://www.reddit.com/r/jailbreak/comments/3eis8g/news_lock_saver_free_contains_a_trojan_that/ Discussion on Reddit].<br />
<br />
=== KeyRaider (August 2015) ===<br />
<br />
KeyRaider, as discussed in [http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/ this article by Palo Alto Networks], is a piece of malware for jailbroken devices that "steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device." These security researchers said it has over 225,000 stolen accounts in its database.<br />
<br />
=== XCodeGhost (September 2015) ===<br />
<br />
XcodeGhost is a form of malware that was found in some unofficial redistributions of Xcode targeted at Chinese developers (who often download redistributed copies because official Apple download speeds are slow in China). XcodeGhost infects apps compiled with those versions of Xcode, which included at least 39 apps published in the iOS App Store. Palo Alto Networks published a series of posts about it: [http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/ original post explaining it], [http://researchcenter.paloaltonetworks.com/2015/09/malware-xcodeghost-infects-39-ios-apps-including-wechat-affecting-hundreds-of-millions-of-users/ a list of additional infected apps on the App Store], [http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/ more about its capabilities]. It adds code that can upload device and app information to a central server, create fake iCloud password signin prompts, and read and write from the copy-and-paste clipboard.<br />
<br />
== Tools used by governments (and similar) to target individuals ==<br />
<br />
=== FinSpy Mobile (August 2012) ===<br />
<br />
FinFisher is a suite of commercial surveillance tools sold to governments, which have been used to target activists and other people. The suite [https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/ includes spyware tools for many mobile operating systems, including iOS].<br />
<br />
=== DROPOUTJEEP (December 2013) ===<br />
<br />
In December 2013, a conference presentation included information about a NSA tool called DROPOUTJEEP: [http://www.forbes.com/sites/erikkain/2013/12/30/the-nsa-reportedly-has-total-access-to-your-iphone/ "a software implant for the Apple iPhone that utilizes modular mission applications to provide specific SIGINT functionality. This functionality includes the ability to remotely push/pull files from the device. SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell tower location, etc. Command, control and data exfiltration can occur over SMS messaging or a GPRS data connection. All communications with the implant will be covert and encrypted.”] The information was from an internal NSA software catalog from 2008. The presenter speculated that Apple had helped build this tool, and [http://techcrunch.com/2013/12/31/apple-says-it-has-never-worked-with-nsa-to-create-iphone-backdoors-is-unaware-of-alleged-dropoutjeep-snooping-program/ Apple said it "has never worked with the NSA to create a backdoor in any of our products"].<br />
<br />
=== Hacking Team tools (June 2014 and July 2015) ===<br />
<br />
[[Hacking Team]] is a company that "sells offensive intrusion and surveillance capabilities to governments and law enforcement agencies", including iOS spyware tools. The iOS spyware tools appear designed for targeting/attacking specific people, not for broad surveillance of the public. Their main tool (Remote Control System) requires a jailbroken device, and they were researching options for non-jailbroken devices.<br />
<br />
=== Inception (December 2014) ===<br />
<br />
Inception is an "attack framework" from an unknown source that targets individuals to steal information, using phishing emails and other techniques along with malware for iOS and other mobile operating systems, described in [https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware this post by security researchers who identified it]. According to [http://images.machspeed.bluecoat.com/Web/BlueCoat/%7B7f2dda62-f240-48dc-b05e-5cc620747b73%7D_bcs_wp_The_Inception_Framework_Cloud-Hosted_APT_EN_1d.pdf the whitepaper from those security researchers], a target may receive a phishing email with a link that says it's a WhatsApp update, and if clicked on jailbroken iOS, it triggers "the download of a Debian installer package, WhatsAppUpdate.deb, also 1.2Mb in size. This application impersonates a Cydia installer, and can only be installed on a jailbroken phone" (page 23). It's unclear what they mean by "impersonates a Cydia installer", but a .deb file is the standard format for software packages installable via Cydia. The iOS malware collects the device's [[ICCID]], address book, phone number, MAC address, and other information.<br />
<br />
Another group of security researchers also identified this attack framework [http://www.cso.com.au/article/562325/sophisticated-malware-targets-execs-pcs-android-blackberry-ios-devices/ and called it Cloud Atlas].<br />
<br />
More articles: [http://appleinsider.com/articles/14/12/11/massive-sophisticated-inception---cloud-atlas-malware-infects-windows-and-android-but-cant-exploit-apples-ios-without-jailbreak Apple Insider], [http://www.forbes.com/sites/thomasbrewster/2014/12/10/iphone-android-attacks-on-diplomats/ Forbes]. There is a sample download [http://contagiominidump.blogspot.de/2014/12/cloud-atlas-inception-ios.html available via this blog].<br />
<br />
=== XAgent (February 2015) ===<br />
<br />
XAgent is a surveillance tool targeting specific people (such as people in governments, the military, and journalists) that can affect both non-jailbroken and jailbroken devices, as described in [http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/ this article by Trend Micro]. Also [http://www.pcworld.com/article/2880152/new-spyware-targets-ios-devices-steals-pictures-and-data.html covered by PCWorld].<br />
<br />
== Tools developed as part of research ==<br />
<br />
=== iSAM (June 2011) ===<br />
<br />
iSAM is a malware tool [http://link.springer.com/chapter/10.1007%2F978-3-642-21424-0_2 developed by security researchers] as a proof of concept. It affects both jailbroken and not-yet-jailbroken devices: it scans for jailbroken devices that have SSH running and the default root password, and it also includes a malicious version of the [[Star]] exploit (JailbreakMe 2.0) so it can jailbreak a device that isn't jailbroken yet.<br />
<br />
=== Instastock (November 2011) ===<br />
<br />
Charlie Miller, a security researcher, [http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/ submitted an app to the App Store called Instastock] to demonstrate "a flaw in Apple’s restrictions on code signing on iOS devices". The app was initially accepted and then pulled from the store.<br />
<br />
=== Mactans (July 2013) ===<br />
<br />
At the Black Hat 2013 conference, security researchers presented a tool called Mactans, a small device that looks like a charger but [http://www.zdnet.com/article/researchers-reveal-how-to-hack-an-iphone-in-60-seconds/ can insert malware if you plug an iOS device into it]. The iOS device does not have to be jailbroken.<br />
<br />
=== Jekyll (August 2013) ===<br />
<br />
At the USENIX Security Symposium in 2013, security researchers described a method for getting a malicious app approved for the App Store, [http://www.theguardian.com/technology/appsblog/2013/aug/19/ios-malware-apple-iphone-ipad-jekyll "created with remotely-exploitable vulnerabilities built in, masked by legitimate features to evade detection during the App Store approval process, but ready to be triggered once the app was installed on an iOS device."] They successfully got an app approved for the App Store with this method (which [http://arstechnica.com/security/2013/08/seemingly-benign-jekyll-app-passes-apple-review-then-becomes-evil/ "was only active for a few minutes following its launch in March, and during that time it wasn't installed by anyone not involved in the experiment"]).<br />
<br />
=== XARA attacks (June 2015) ===<br />
<br />
Security researchers found methods for "cross-app resource access" (XARA) attacks on OS X and iOS, and they submitted malicious proof-of-concept apps to the Mac and iOS App Store. Apple approved the apps, and the researchers immediately removed them from the stores. These XARA attacks were ways of bypassing the sandboxes that are supposed to prevent an app from accessing files that don't belong to that app, [https://drive.google.com/file/d/0BxxXk1d3yyuZOFlsdkNMSGswSGs/view described by the security researchers in a paper]. [http://arstechnica.com/security/2015/06/serious-os-x-and-ios-flaws-let-hackers-steal-keychain-1password-contents/ Ars Technica article].<br />
<br />
=== NeonEggShell (August 2015) ===<br />
<br />
[http://neoneggplants.com/projects/neoneggshell/ NeonEggShell] is a command shell creation tool for iOS and OS X. The author says "This project is a proof of concept way to demon strate how easy it is to take over a whole device with a piece of code no bigger than a twitter post." The project includes tools for making payloads for jailbroken iOS, with features such as keylogging and location tracking. By default, the tool includes a "prompt that asks for permission before allowing any connection to the remote server."<br />
<br />
== Tools for sale to the public to target individuals ==<br />
<br />
=== 1mole ===<br />
<br />
[http://www.bosspy.com/user/iphoneos.aspx 1mole] is a spying tool available to the public via their own repository, authored by Bosspy. It describes itself [http://www.bosspy.com/user/default.aspx on its website] as "For Parents" ("Have your children going home after school? Consult their GPS position to be sure."), "For individuals" ("You think about your lost or stolen mobile phone."), and "For Employers" ("Install the software on your business phones and locate them in real time"). Its feature list includes "Track GPS locations" and "Capture the lock sreen passcode" for free, and "Record text messages", "Log Calls details", "Website monitoring", and "Keylogger" as paid services.<br />
<br />
=== Copy9 ===<br />
<br />
[http://cydia.saurik.com/package/com.goldenspy.copy9/ Copy9] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Copy9. It describes itself as "will be installed on target iDevice to find out a thief, cheating spouses, monitor chidren/employees or simply backup data from your devices to our cloud server. This is the best spyware on the world in spying field." [http://copy9.com/ Copy9 website].<br />
<br />
=== Copy10 ===<br />
<br />
[http://cydia.saurik.com/package/com.copy10.copy10/ Copy10] is a similar but separate spying tool available to the public via the ModMyi repository (a default repository), authored by IntelMobi/goldenspy. Their description includes "Are you having trust issues in your relationship? Sign that your kid's personality has changed and their behaviors, does your teenager hang out with friends you're concerned about? What if you believe one of your employees is a spy or is stealing company's technology, intellectual property or trade secrets?" [https://www.intelmobi.com/ IntelMobi website].<br />
<br />
=== FlexiSPY ===<br />
<br />
[http://www.flexispy.com/en/iphone-tracker-spy-on-iphone.htm FlexiSPY] is a spying tool available to the public presumably via their own repository (this isn't specified on their website, but it's specified that you need the device to be jailbroken), authored by Flexispy, Ltd. Their website says "If you have a committed relationship with your partner or are responsible for a child or employee YOU HAVE A RIGHT TO KNOW To protect your relationship, spy on their iPhone."<br />
<br />
=== iKeyGuard Key Logger ===<br />
<br />
[http://cydia.saurik.com/package/com.ikeyguard.ikg/ iKeyGuard Key Logger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by iKeyGuard. Its description includes "Warning: Logging other people without their permission might be illegal in your country! Make sure you abide by your local law."<br />
<br />
=== iKeyMonitor keylogger ===<br />
<br />
[http://cydia.saurik.com/package/com.aw.mobile.ikm/ iKeyMonitor keylogger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Awosoft Technology. [http://ikeymonitor.com/ Its website] includes "How to monitor your children's cell phone to discover the truth and protect them from potential dangers? Now with iKeyMonitor you can uncover the truth by secretly monitoring mobile phones and tablets such as iPhone/iPad/iPod and Android device."<br />
<br />
=== InnovaSPY ===<br />
<br />
[http://cydia.saurik.com/package/com.innovaspy.innovaspy/ InnovaSPY] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Innovaspy. Its description says "Perfect iPhone spy app" and lists reasons to use it as "Protect your child from cyber predators" and "Find out THE TRUE from cheating spouse?" Related package: [http://cydia.saurik.com/package/com.innovaspy.innovamonitor/ InnovaMonitor], a monitoring app for use with the spy tool. [http://innovaspy.com/ InnovaSPY website].<br />
<br />
=== Mobile Spy ===<br />
<br />
[http://www.mobile-spy.com/iphone-v7.html Mobile Spy] is a spying tool available to the public via their own repository, authored by Retina-X Studios. [http://www.mobile-spy.com/ Their website] says "View your Child or Employee's Smartphone and Tablet Usage. Monitor text messages, GPS locations, call details, photos and social media activity. View the screen and location LIVE!"<br />
<br />
=== MobiStealth ===<br />
<br />
[http://www.mobistealth.com/iphone-spy MobiStealth] is a spying tool available to the public for both [http://www.mobistealth.com/iphone-spy jailbroken iOS] (presumably installed via their own repository) and [http://www.mobistealth.com/ios-non-jailbreak non-jailbroken iOS] ("All that you require is the Apple ID and password of the iPhone or iPad that you want to monitor to get remote access to"). Their website includes "Are your employees misusing company owned phones? Are your kids getting more possessed and do not want to share anything with you? Stop wondering and thinking all day long, Mobistealth iPhone spy app is exactly what you need."<br />
<br />
=== mSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.mtechnology.mspy.trial/ mSpy] is a spying tool available to the public via the BigBoss repository (a default repository), authored by Mtechnology. Its description of itself: "mSpy is the best tracking and spy application that allows users to keep a check on the cell phone activities of their kids other family members or employees in order to avoid any unwanted behavior or for safety purposes."<br />
<br />
The mSpy website [http://www.mspy.com/compatibility.html indicates that they also have a version for non-jailbroken devices].<br />
<br />
In May 2015, [http://krebsonsecurity.com/2015/05/mspy-denies-breach-even-as-customers-confirm-it/ mSpy had a customer data breach].<br />
<br />
=== OwnSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.ownspy.daemon/ OwnSpy] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Antonio Calatrava. It describes itself as "Spy your own iPhone or iPad", with call recording, location tracking, and other features. It has a warning that says "Installing OwnSpy on a device that does not belong to you is a criminal offense and may be prosecuted. Mobile Innovations will help authorities if required." [http://en.ownspy.com/P000001-install-on-ios OwnSpy website].<br />
<br />
=== Spy App ===<br />
<br />
[http://cydia.saurik.com/package/com.spyapp.daemon/ Spy App] is a spying tool available to the public via the ModMyi repository (a default repository), authored by dmarinov. Its description includes "Remotely spy SMS, Emails, Call Logs, GPS Location, Key presses (Keylogger)" and other features. It says it is "absolutely invisible and undetectable."<br />
<br />
=== SpyKey ===<br />
<br />
[http://cydia.saurik.com/package/com.kobisnir.spykey/ SpyKey] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Kobi Snir. Its description includes "a simple app that let you monitor your PC Keyboard activity in real time, Simply connect your iphone to your compute using your Wifi or 3G connection and start monitoring." The [http://www.ioslinks.com/spykey/ SpyKey website] includes "Great use for parental control purposes, protect your kids from chating with strangers!", "Discover usernames & passwords", and "Spy unfaithfull husband or wife."<br />
<br />
=== StealthGenie ===<br />
<br />
StealthGenie was a spying tool available to the public [http://blog.flexispy.com/remove-stealthgenie-iphone-android/ via their own repository]. It also supported other mobile operating systems. In November 2014, the person who advertised and sold this product was [http://www.justice.gov/opa/pr/man-pleads-guilty-selling-stealthgenie-spyware-app-and-ordered-pay-500000-fine charged with a federal crime and fined $500,000]. The charge was "sale of an interception device and advertisement of a known interception device", a wiretapping crime. [http://www.forbes.com/sites/kashmirhill/2014/09/30/stealthgenie-ugly-marketing-of-spyware/ A Forbes article] says "according to the FBI, Akbar and his team developed an internal business plan that revealed that — duh — the primary target audience for the app was people who thought their partners were cheating." The Forbes article points out [[#Mobile Spy]], [[#mSpy]], [[#FlexiSPY]], and [[#MobiStealth]] as similar products.<br />
<br />
=== Trapsms ===<br />
<br />
Trapsms was an early spying tool available to the public, [http://blog.fortinet.com/post/detecting-spyware-for-iphones described in this post by a security researcher in July 2009]. She says: "The spyware installs on any jailbroken iPhone. In Cydia (an iPhone front-end to help installing third-party applications), you first add the URL of the spyware's repository and then install the two spyware packages."<br />
<br />
[[Category:Malware research]]</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=Main_Page&diff=47741Main Page2015-09-10T19:28:39Z<p>Britta: adding list of "bad stuff" with links to Malware for iOS, Misuse of enterprise and developer certificates, Scam Jailbreaks and Unlocks (feel free to retitle section list)</p>
<hr />
<div>[[File:Iptwiki.png|center]]<br />
<div class="center" style="font-size: 20pt">[[The_iPhone_Wiki:Changing Ownership|Under New Ownership]]</div><br />
{{:Main Page/Welcome}}<br />
<br />
== Jailbreak Status ==<br />
{| class="wikitable" style="font-size:1em; width:100%;"<br />
|-<br />
! style="height:3em;" | [[Models|Device]]<br />
! [[Apple Watch]]<br />
! [[Apple TV 3G]]<br />
! [[iPad 2]] and up<br />
! [[iPad mini 1G]] and up<br />
! [[iPhone 4S]] and up<br />
! [[iPod touch 5G]] and up<br />
|-<br />
! style="height:3em;" | Latest [[firmware]]<br />
| 1.0.1/8.2.1 <small>(12S632)</small><br />
| 7.2/8.3 <small>(12F69)</small><br />
| colspan="5" | 8.4.1 <small>(12H321)</small><br />
|-<br />
! style="height:3em;" | Jailbreak available?<br />
| colspan="7" {{no}}<br />
|}<br />
<small>For older devices and versions, see [[Jailbreak]].</small><br />
<br />
{| style="width:100%"<br />
|-<br />
| style="width:50%; text-align:left; vertical-align:text-top;" | <br />
== Software ==<br />
* [[Apple Internal Apps]]<br />
* [[:Category:File Formats|File formats]]<br />
* [[/|Filesystem]]<br />
* [[Firmware]]<br />
** [[Beta Firmware]]<br />
** [[Factory Firmware]]<br />
** [[OTA Updates]]<br />
* [[iTunes]]<br />
** [[iTunes Errors]]<br />
** [[iTunes Modes]]<br />
** [[MobileDevice Library]]<br />
* [[Keys]]<br />
** [[AES Keys]]<br />
** [[CERT|Apple Certificate]]<br />
** [[Baseband RSA Keys|RSA Keys]]<br />
** [[Baseband TEA Keys|TEA Keys]]<br />
** [[Firmware Keys]]<br />
*** [[Decrypting Firmwares]]<br />
** [[GID Key]]<br />
** [[NCK]]<br />
* [[Protocols]]<br />
** [[Baseband Bootrom Protocol]]<br />
** [[DFU (Protocol)|DFU]]<br />
** [[Interactive Mode|Baseband Bootloader Protocol]]<br />
** [[Normal Mode]]<br />
** [[Recovery Mode (Protocols)|Recovery Mode]]<br />
** [[Restore Mode]]<br />
* [[System Log|System Log (syslog)]]<br />
<br />
==== [[:Category:Jailbreaks|Jailbreak Software]] ====<br />
* [[Absinthe]]<br />
* [[blackra1n]]<br />
* [[Corona]]<br />
* [[evasi0n]]<br />
* [[evasi0n7]]<br />
* [[Geeksn0w]]<br />
* [[Greenpois0n (jailbreak)|greenpois0n]]<br />
* [[JailbreakMe]]<br />
* [[limera1n]]<br />
* [[p0sixspwn]]<br />
* [[Pangu]]<br />
* [[Pangu8]]<br />
* [[PPJailbreak]]<br />
* [[purplera1n]]<br />
* [[PwnageTool]]<br />
* [[redsn0w]]<br />
* [[Rocky Racoon]]<br />
* [[Seas0nPass]]<br />
* [[sn0wbreeze]]<br />
* [[Spirit]]<br />
* [[TaiG]]<br />
* [[unthredera1n]]<br />
<br />
==== [[:Category:Patches|Patches]] ====<br />
* [[Kernel Patches|Kernel]]<br />
** [[AMFI Binary Trust Cache Patch]]<br />
** [[PE i can has debugger Patch]]<br />
** [[Sandbox Patch]]<br />
** [[Vm map enter Patch]]<br />
** [[Vm map protect Patch]]<br />
* [[:Category:Ramdisk Patches|Ramdisk]]: [[ASR]]<br />
<br />
==== [[:Category:Exploits|Vulnerabilities and Exploits]] ====<br />
* [[0x24000 Segment Overflow]] (24kpwn)<br />
* [[BPF STX Kernel Write Exploit]]<br />
* [[CVE-2013-0964]]<br />
* [[HFS Heap Overflow]]<br />
* [[HFS Legacy Volume Name Stack Buffer Overflow]] (feedface)<br />
* [[Incomplete Codesign Exploit]]<br />
* [[IOSurface Kernel Exploit]]<br />
* [[Limera1n Exploit]]<br />
* [[Malformed CFF Vulnerability]]<br />
* [[MobileBackup Copy Exploit]]<br />
* [[ndrv_setspec() Integer Overflow]]<br />
* [[Packet Filter Kernel Exploit]]<br />
* [[Racoon String Format Overflow Exploit]]<br />
* [[SHA-1 Image Segment Overflow]] (SHAtter)<br />
* [[usb_control_msg(0x21, 2) Exploit]]<br />
* [[usb_control_msg(0xA1, 1) Exploit]] (steaks4uce)<br />
* [[Symbolic Link Vulnerability]]<br />
<br />
====Various Software====<br />
* [[Cydia.app|Cydia]]<br />
* [[EDA]]<br />
* [[iDroid]]<br />
* [[iFaith]]<br />
* [[iPhone Tracker]]<br />
* [[SemiRestore]]<br />
* [[SemiRestore7]]<br />
* [[SemiRestore8]]<br />
* [[Sund0wn]]<br />
* [[TinyUmbrella]]<br />
<br />
====Bad stuff====<br />
* [[Malware for iOS]]<br />
* [[Misuse of enterprise and developer certificates]]<br />
* [[Scam Jailbreaks and Unlocks]]<br />
<br />
| style="width:50%; text-align:left; vertical-align:text-top;" | <br />
== Hardware ==<br />
==== Devices ====<br />
{{see also|Models|Prototypes}}<br />
* [[iPhone]]<br />
** iPhone ([[m68ap]])<br />
** iPhone 3G ([[n82ap]])<br />
** iPhone 3GS ([[n88ap]])<br />
** [[iPhone 4]] ([[n90ap]], [[n90bap]], [[n92ap]])<br />
** iPhone 4S ([[n94ap]])<br />
** [[iPhone 5]] ([[n41ap]], [[n42ap]])<br />
** [[iPhone 5c]] ([[n48ap]], [[n49ap]])<br />
** [[iPhone 5s]] ([[n51ap]], [[n53ap]])<br />
** iPhone 6 ([[n61ap]])<br />
** iPhone 6 Plus ([[n56ap]])<br />
** iPhone 6s<br />
** iPhone 6s Plus<br />
* [[iPod touch]]<br />
** iPod touch ([[n45ap]])<br />
** iPod touch 2G ([[n72ap]])<br />
** iPod touch 3G ([[n18ap]])<br />
** iPod touch 4G ([[n81ap]])<br />
** [[iPod touch 5G]] ([[n78ap]], [[n78aap]])<br />
** iPod touch 6G ([[n102ap]])<br />
* [[iPad]]<br />
** iPad ([[k48ap]])<br />
** [[iPad 2]] ([[k93ap]], [[k94ap]], [[k95ap]], [[k93aap]])<br />
** [[iPad 3]] ([[j1ap]], [[j2ap]], [[j2aap]])<br />
** [[iPad 4]] ([[p101ap]], [[p102ap]], [[p103ap]])<br />
** [[iPad Air]] ([[j71ap]], [[j72ap]], [[j73ap]])<br />
** [[iPad Air 2]] ([[j81ap]], [[j82ap]])<br />
** [[iPad Pro]] ([[j98ap]], [[j99ap]])<br />
* [[iPad mini]]<br />
** [[iPad mini 1G]] ([[p105ap]], [[p106ap]], [[p107ap]])<br />
** [[iPad mini 2]] ([[j85ap]], [[j86ap]], [[j87ap]])<br />
** [[iPad mini 3]] ([[j85map]], [[j86map]], [[j87map]])<br />
** [[iPad mini 4]] ([[j96ap]], [[j97ap]])<br />
* [[Apple TV]]<br />
** Apple TV 2G ([[k66ap]])<br />
** [[Apple TV 3G]] ([[j33ap]], [[j33iap]])<br />
** Apple TV 4G ([[j42dap]])<br />
* [[Apple Watch]]<br />
** 38mm ([[n27aap]])<br />
** 42mm ([[n28aap]])<br />
<br />
==== [[Application Processor]]s ====<br />
* [[S5L8900]] ([[m68ap|iPhone]], [[n45ap|iPod touch]], [[n82ap|iPhone 3G]])<br />
* [[S5L8720]] ([[n72ap|iPod touch 2G]])<br />
* [[S5L8920]] ([[n88ap|iPhone 3GS]])<br />
* [[S5L8922]] ([[n18ap|iPod touch 3G]])<br />
* [[S5L8930]] A4 ([[k48ap|iPad]], [[iPhone 4]], [[n81ap|iPod touch 4G]], [[k66ap|Apple TV 2G]])<br />
* [[S5L8940]] A5 ([[iPad 2]], [[n94ap|iPhone 4S]])<br />
* [[S5L8942]] A5 Rev A ([[j33ap|Apple TV 3G]], [[k93aap|iPad 2 (iPad2,4)]], [[iPod touch 5G]], [[iPad mini 1G]])<br />
* [[S5L8945]] A5X ([[iPad 3]])<br />
* [[S5L8947]] A5 Rev B ([[j33iap|Apple TV 3G (AppleTV3,2)]])<br />
* [[S5L8950]] A6 ([[iPhone 5]], [[iPhone 5c]])<br />
* [[S5L8955]] A6X ([[iPad 4]])<br />
* [[S5L8960]] A7 ([[iPhone 5s]], [[iPad mini 2]], [[iPad mini 3]])<br />
* [[S5L8965]] A7 Variant ([[iPad Air]])<br />
* [[T7000]] A8 ([[n61ap|iPhone 6]], [[n56ap|iPhone 6 Plus]], [[n102ap|iPod touch 6G]])<br />
* [[T7001]] A8X ([[iPad Air 2]])<br />
* [[S7002]] ([[Apple Watch]])<br />
<br />
==== [[Baseband Device]]s ====<br />
* [[S-Gold 2|PMB8876 or S-Gold 2]] ([[m68ap|iPhone]])<br />
* [[X-Gold 608|PMB8878 or X-Gold 608]] ([[n82ap|iPhone 3G]], [[n88ap|iPhone 3GS]], [[k48ap|iPad (3G Variant)]])<br />
* [[XMM6180|XMM6180 or X-Gold 618]] ([[iPhone 4]] ([[n90ap|iPhone3,1]] and [[n90bap|iPhone3,2]]), [[k94ap|iPad 2 (iPad2,2)]])<br />
* [[MDM6600]] ([[n92ap|iPhone 4 (iPhone3,3)]], [[k95ap|iPad 2 (iPad2,3)]])<br />
* [[MDM6610]] ([[n94ap|iPhone 4S]])<br />
* [[MDM9600]] ([[iPad 3]])<br />
* [[MDM9615]] ([[iPhone 5]], [[iPad 4]], [[iPad mini 1G]], [[iPhone 5c]], [[iPhone 5s]], [[iPad Air]], [[iPad mini 2]])<br />
* [[MDM9625]] ([[n61ap|iPhone 6]], [[n56ap|iPhone 6 Plus]], and [[iPad Air 2]])<br />
<br />
==== [[Motion Coprocessor]]s ====<br />
* [[LPC18A1]] M7 ([[iPhone 5s]], [[iPad Air]], [[iPad mini 2]], [[iPad mini 3]])<br />
* [[LPC18B1]] M8 ([[n61ap|iPhone 6]], [[n56ap|iPhone 6 Plus]], [[iPad Air 2]], [[n102ap|iPod touch 6G]])<br />
<br />
==== WLAN/[[Bluetooth]] ====<br />
* [[Marvell 88x8686]]<br />
* [[BlueCore 4]]<br />
* [[BlueCore 6]]<br />
* [[BCM4325]]<br />
* [[BCM4329]]<br />
* [[BCM4330]]<br />
* [[BCM4334]]<br />
* [[BCM4335]]<br />
<br />
==== NFC ====<br />
* [[NXP PN548]]<br />
<br />
==== [[Compass.app|Compass]] ====<br />
* [[AKM8973]]<br />
* [[AKM8975]]<br />
* [[AK8963]]<br />
<br />
==== Other ====<br />
* [[Accelerometer]]<br />
* [[Gyroscope]]: [[AGD1 2022 FP6AQ]]<br />
* Connectors: [[30-pin Connector|30-pin]], [[Lightning Connector|Lightning]]<br />
|}<br />
<br />
{| style="width:100%"<br />
|-<br />
| style="width:50%; text-align:left; vertical-align:text-top;" | <br />
== Development ==<br />
==== [[:Category:Hackers|iPhone Hackers]] ====<br />
* [[User:chpwn|chpwn]]<br />
* [[User:comex|comex]]<br />
* [[User:geohot|geohot]]<br />
* [[User:iH8sn0w|iH8sn0w]]<br />
* [[User:MuscleNerd|MuscleNerd]]<br />
* [[pimskeks]]<br />
* [[User:planetbeing|planetbeing]]<br />
* [[User:pod2g|pod2g]]<br />
* [[User:posixninja|posixninja]]<br />
* [[saurik]]<br />
* [[User:winocm|winocm]]<br />
<br />
==== iPhone Hacker Teams ====<br />
* [[Chronic Dev (team)|Chronic Dev]]<br />
* [[iPhone Dev Team]]<br />
* [[Dream Team]]<br />
* [[Evad3rs|evad3rs]]<br />
<br />
==== Application Development ====<br />
* [[Apple Certification Process]]<br />
* [[Bypassing iPhone Code Signatures]]<br />
* [[Distribution Methods]]<br />
* [[/System/Library/Frameworks|Frameworks]]<br />
* [[Misuse of developer certificates]]<br />
* [[MobileDevice Library]]<br />
* [[Mobile Substrate]]<br />
* [[Toolchain]] (Includes tutorials)<br />
* [[Toolchain 2.0]] (Includes tutorials)<br />
* [http://iphonedevwiki.net iPhoneDevWiki]<br />
<br />
==== Application Copy Protection ====<br />
* [[Application Structure and Signatures]]<br />
* [[Bugging Debuggers]]<br />
* [[Copy Protection Overview]]<br />
* [[Defeating Cracks]]<br />
* [[Mach-O Loading Process]]<br />
<br />
| style="width:50%; text-align:left; vertical-align:text-top;" | <br />
== Help ==<br />
==== Guides ====<br />
* [[Tutorials]]<br />
* [[Useful Links]]<br />
<br />
==== Definitions ====<br />
* [[Activation]] and [[Hacktivation]]<br />
* [[ASLR]]<br />
* [[Baseband Device|Baseband]]<br />
* [[Baseband Bootloader|Bootloader]]<br />
* [[Bootchain]]<br />
* [[Bootrom]] / [[VROM]]<br />
* [[Bricked]]<br />
* [[CHIPID]]<br />
* [[DFU Mode]]<br />
* [[Failbreak]]<br />
* [[iBEC]]<br />
* [[iBoot (Bootloader)|iBoot]]<br />
* [[iBSS]]<br />
* [[IMG3 File Format|IMG3]] tags<br />
** [[BORD]]<br />
** [[CERT]]<br />
** [[CHIP]]<br />
** [[CPID]]<br />
** [[DATA]]<br />
** [[ECID]]<br />
** [[KBAG]]<br />
** [[PROD]]<br />
** [[SDOM]]<br />
** [[SEPO]]<br />
** [[SHSH]]<br />
** [[TYPE]]<br />
** [[VERS]]<br />
* [[Jailbreak]]<br />
** [[Tethered jailbreak]]<br />
** [[Untethered jailbreak]]<br />
* [[Firmware downgrading]]<br />
** [[Tethered Downgrade]]<br />
* [[Kernel]]<br />
* [[launchd]]<br />
* [[LLB]]<br />
* [[NAND]]<br />
* [[NOR]]<br />
* [[NORID]]<br />
* [[Unlock]]<br />
* [[Userland]]<br />
|}<br />
__NOTOC____NOEDITSECTION__</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=Talk:Main_Page&diff=47660Talk:Main Page2015-09-06T09:01:36Z<p>Britta: /* All of the Watch product images? */ consider copyright</p>
<hr />
<div>{{Talk Archive}}<br />
<br />
== Baseband Chip Page Titles ==<br />
For the baseband chip page titles, I think we should stick with the model number despite the marketing name. Pages:<br />
* [[S-Gold 2|PMB8876]] marketed "S-Gold 2"<br />
* [[X-Gold 608|PMB8878]] marketed "X-Gold 608"<br />
* [[XMM 6180]] marketed "X-Gold 618"<br />
* [[MDM6600]] (unknown marketing name)<br />
* [[MDM6610]] (unknown marketing name)<br />
* [[MDM9x00]] (unknown marketing name)<br />
--[[User:5urd|5urd]] 21:35, 8 May 2012 (MDT)<br />
:I'm leaning more towards the marketing names, since I think people are more familiar with them and they've been in use for a long time. We've always referred to the iPhone 2G's baseband as the "S-Gold 2" and the iPhone 3G/3GS's baseband as the "X-Gold 608." (By the way, it sounds like Qualcomm "markets" their chips by model number. [http://www.qualcomm.com/media/releases/2011/02/14/qualcomm-announces-commercial-availability-gobi3000-modules]) --[[User:Dialexio|<span style="color:#C20; font-weight:normal;">Dialexio</span>]] 00:11, 9 May 2012 (MDT)<br />
:I created most of these newer pages and always used the model number (without space). So I agree with that in general. Changing old ones is a totally different story though, where we need more consent. I would be for it (and create a redirect on the marketing names). --[[User:Http|http]] 01:52, 9 May 2012 (MDT)<br />
<br />
== Baseband downgrade possibility: Attempt for 04.11.08/04.12.01 to 04.10.01 ==<br />
'''0x1''' There is no downgrade possibility; according to the most basis of fact in how baseband works as explained by dear MuscleNerd and there is signature checks as well as bootloader's chain of trust that I'm not going to repeat them again, but for this topic I start from iTunes error 1,-1,11 <br />
<br />
'''0x2''' iTunes error 1,-1,11 :<br />
We will get this error whenever we want to do something with BB which is not allowed by apple. you can read about these error in detail from here[http://theiphonewiki.com/wiki/index.php?title=ITunes_Errors].<br />
Going deeper, this error raise by baseband's bootloader whenever you attempt to downgrade BB (in this case), this happens inside the NOR so this is why we can not exploit it easily from the outside.<br />
Another reason for this error (and in here the most important one that I wanted to discuss) is that apple no longer signing that firmware.<br />
<br />
'''0x3''' The situation that there is no BB installed on iPhone! :<br />
I could restore my iPhone4 in the case of there will be no BB at all. I called it reset my BB. There will be no Wifi, no BT.<br />
At the first time (a few months since I've started to work on) I thought it is dead (as apple confirmed this also). But I could restore it only to stock firmware with the latest one.<br />
So for who stays in 04.11.08 it may lead to do upgrade to 04.12.01 permanently with the latest iOS, now is 5.1.1 and before for me was 5.0.1, so be sure what you are doing and then go to reset the BB.<br />
So back to the game, if there was no BB then there is no bootloeader inside the NOR to stuck BB update process but I do not know that in this case what happened to "sectable" also known as "locktable" which is the master accountable to unlock the carrier, any way I think so only firmware signature checking by apple will be remain in "restore verify process" by iTunes. because as mentioned earlier, "currentBB"(BB to be updated) is allowed to be update by "comingBB" (BB to be updating to) only if :<br />
1. "currentBB" < "comingBB" (= are you the most recent/lastest BB?)<br />
2. "comingBB" is now signing by apple (=if so, does apple sign you? Are you eligible?) <br />
Huum... What happens if "currentBB"="null/zero/no matter"? Could we eliminate option (1) from the security check above in this case? So what next?<br />
<br />
'''0x4''' Track back to the issue lead us inside the bbfw file (ICE3_04.11.08_BOOT_02.13.Release) which contains four .fls files inside, and the most important one is psi_flash.fls who is in charge of security checks before handover the routines to stack.fls which is responsible for updating the baseband. This file does like NOR bootloader but fortunately it's outside the device so it is accessible but not such easy format to be understand by programmers. They are raw ROM based images for XMM6180 chip, ARM based and programmed in Thread-X, but the compiler is unknown; I will write about some disassembly notes using ida pro 6.1; by the way I leave my iPhone with no BB trying to find out and break the trust chains in the above files in order to bypass the bootloader security checks which may let us to downgrade to 04.10.01 which is currently unlocked by Gevey.<br />
Keep in mind that if this solution works..., it will need the SHSH for downgrading the iOS firmware to do reset the BB.<br />
I heard that iPhoneDevTeam are going to release the new version of Redsn0w which there will be no need to restore by iTunes but I do not know if the baseband approaches supposed to be addressed or it will work like iFaith that is basically bypass (preserve) BB, any way if I found this article useful I will note about disassembly and possibility approach as well as BB reset to share with any followers.<br />
'''--[[User:Kambiz|Kambiz]] 07:49, 13 May 2012 (MDT)K.N'''<br />
<br />
== Bluetooth Chip on [[iPhone 5]] ==<br />
Is there any confirmation of the Bluetooth chip used in the iPhone 5? If there is, can we edit this page and add it? --[[User:5urd|5urd]] 10:04, 8 October 2012 (MDT)<br />
:Chipworks [http://www.chipworks.com/blog/recentteardowns/2012/10/02/apple-iphone-5-the-rf/ analyzed the iPhone 5's Murata Wi-Fi module] and determined it uses the [[BCM4334]]. I'll add it to the Main Page now. --[[User:Dialexio|<span style="color:#C20; font-weight:normal;">Dialexio</span>]] 20:35, 8 October 2012 (MDT)<br />
<br />
== Adding vulnerability to main page ==<br />
The page [[CVE-2013-0964]] is currently orphaned. I think it would fit under the "Vulnerabilities and Exploits" subheading. Can someone with adequate permission make the change? [[User:0x56|0x56]] ([[User talk:0x56|talk]]) 03:52, 12 September 2013 (UTC)<br />
:Added. --[[User:Http|http]] ([[User talk:Http|talk]]) 00:53, 13 September 2013 (UTC)<br />
<br />
==Update for new devices==<br />
Somebody should update the main page (table) for the 5s and 5c --[[User:Phyrrus9|Phyrrus9]] ([[User talk:Phyrrus9|talk]]) 21:14, 2 October 2013 (UTC)<br />
:No need. It says "iPhone 4S and newer". --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 22:01, 2 October 2013 (UTC)<br />
<br />
==Permission==<br />
Permission to add pangu8? Or should we wait until a Cydia version comes out? --[[User:Awesomebing1|Awesomebing1]] ([[User talk:Awesomebing1|talk]]) 15:52, 22 October 2014 (UTC)<br />
:It has already been added and is fine IMO. I would state that it's SSH only though. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 16:22, 22 October 2014 (UTC)<br />
<br />
== All of the Watch product images? ==<br />
<br />
So I was looking for Apple product images and found this interesting [https://www.apple.com/shop/sitemaps/sitemap-buy-images.xml document] that has links to all of the (current) product images. Since the Apple Watch has so many models, editions, colors, etc., would it be worthwhile to upload all the images listed from the document? So far I've found [http://store.storeimages.cdn-apple.com/4711/as-images.apple.com/is/image/AppleInc/aos/published/images/w/42/w42ss/sbbk/w42ss-sbbk-detail this one]. (Apple Watch 42mm, Stainless Steel buckle) --[[User:Citrusui|Citrusui]] ([[User talk:Citrusui|talk]]) 18:01, 5 September 2015 (UTC)<br />
<br />
:It's not a great idea to upload images from Apple's website in general, since they're copyrighted by Apple, unless you can make a decent argument that using a copyrighted image in a particular article is [https://en.wikipedia.org/wiki/Fair_use#Fair_use_under_United_States_law is fair use]. [[User:Britta|Britta]] ([[User talk:Britta|talk]]) 09:01, 6 September 2015 (UTC)</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=Malware_for_iOS&diff=47650Malware for iOS2015-09-04T23:55:27Z<p>Britta: /* NeonEggShell (August 2015) */ detail</p>
<hr />
<div>This is a list of known malware (including spyware, adware, trojans, viruses, worms, and similar tools) that have targeted iOS, including jailbroken iOS. The dates are approximate dates when people discovered, publicized, or started discussing the tool. '''You can help expand this article with more examples and details. To edit it, [[The iPhone Wiki:Account creation|request an account on TheiPhoneWiki]].'''<br />
<br />
The goal of this list is to aid better understanding of the risks of using iOS and jailbroken iOS - it's helpful to have as much accurate information as you can. If you're concerned about avoiding malware on your jailbroken device, check out [https://www.reddit.com/r/jailbreak/wiki/howtoresearch this guide to making informed guesses about whether packages are reasonable to install].<br />
<br />
Some context: <br />
* Some of these tools targeted old iOS versions and do not work on current iOS versions.<br />
* Some of these are harmful and some are merely annoying.<br />
* Many of these require the device to be jailbroken, and some work on non-jailbroken devices (including via [[misuse of enterprise and developer certificates]]).<br />
* Cydia is an open platform - it includes a specific set of default repositories, and it also allows users to type in any third-party repository that they want to use (much like a web browser that allows you to visit any website). Anyone can run a third-party repository and distribute any software they choose to distribute.<br />
* Some of these tools are built to target specific people instead of the general public.<br />
* Especially for malware that targets a specific person and requires the device to be jailbroken (such as commercial spyware tools used by governments and [http://www.forbes.com/sites/sarahjeong/2014/10/28/surveillance-begins-at-home/ people spying on family members]), it's important to consider that ''the vulnerabilities in iOS that allow it to be exploited with a jailbreak'' are part of what allows that malware to exist - the process may include finding a way to secretly jailbreak the target's device if it's not jailbroken already.<br />
<br />
For an earlier list of known malware, see [https://blog.fortinet.com/post/ios-malware-does-exist "iOS Malware Does Exist"] (June 2014).<br />
<br />
== Tools found in the wild that target the public ==<br />
<br />
=== iKee and Duh (November 2009) ===<br />
<br />
The [[Ikee-virus]] (also called Eeki) is a worm transmitted between jailbroken devices that have OpenSSH installed and haven't changed the default root password. It changes the lockscreen background to a photo of Rick Astley.<br />
<br />
Two weeks later, the similar [https://nakedsecurity.sophos.com/2009/11/23/lightning-strikes-iphone-malware-malicious/ Duh worm] spread, which was "much more serious than the original Ikee worm because it is not limited to infecting iPhone users in Australia, and communicates with an internet Control & Command centre, downloading new instructions - effectively turning your iPhone into part of a botnet."<br />
<br />
=== "Find and Call" (July 2012) ===<br />
<br />
Find and Call was an app on the App Store that automatically uploaded users' contact lists to the company's server, then spammed those contacts with a link to the app ("from" that user). This undisclosed, unwanted behavior makes the software fit the definition of a trojan. Articles: [https://securelist.com/blog/incidents/33544/find-and-call-leak-and-spam-57/ Kaspersky SecureList], [http://arstechnica.com/apple/2012/07/find-and-call-app-becomes-first-trojan-to-appear-on-ios-app-store/ Ars Technica], [https://nakedsecurity.sophos.com/2012/07/06/find-call-ios-android-malware/ Sophos NakedSecurity]. It is also called FindCall.<br />
<br />
=== Packages by Nobitazzz (August 2012 and September 2013) ===<br />
<br />
A tweak developer who went by various names (Felix, FelixCat, isoftjsc, Martin Pham, Nitram88, Nobitazzz, Nobita.ZZZ, Sara_Nobita, sara_nobita_zzz, tuyentq2009, vietSARA) included adware in his tweaks. These were many free packages along with some paid packages sold via the Cydia Store, mostly distributed by default repositories (until the problem was discovered). The adware ran ads in the background of iOS, displaying off-screen so that the user wouldn't notice them, with the revenue from those ads going to this tweak developer. This was [http://modmyi.com/forums/cydia-support/810633-new-adware-malware-found-cydia.html reported in August 2012 on the ModMyi forum] and [http://ryanhileman.info/posts/webgl analyzed in September 2013] ([https://www.reddit.com/r/jailbreak/comments/1n5702/anatomy_of_a_jailbreak_trojan/ discussion on Reddit]).<br />
<br />
Packages by this developer included: Animated ICS LockScreen & HomeScreen, BetterChrome, Chrome Download Enabler, ChromeMe, Enable Copy text in Facebook app, Enable WebGL, Facebook Photo Library integration, FacebookThis, Handwriting recognition, Insta9gag, InstaFacebook for NotificationCenter, Instagram Image saver, InstaSocial for Notification Center, InstaTwitter for NotificationCenter, iOS 6 Photos Menu, Make Gmail as default, Notification Lunar Calendar, Olympic 2012 Medal for Notification Center, PhotoFilters, Sara, Sara Dictation Keyboard, VoiceTweet.<br />
<br />
=== AdThief/Spad (March and August 2014) ===<br />
<br />
AdThief (also called Spad) is malware targeting jailbroken iOS devices, which "tweaks a developer ID that’s intended to tell ad developers when their ads are either viewed or clicked and in turn, generate revenue. In the malware’s case, infected devices funnel those small payments away from the developers to the hacker", as [https://threatpost.com/adthief-ios-malware-affecting-75k-jailbroken-devices/107907 explained by Kaspersky Threatpost]. Security researchers estimated it had infected 75,000 devices.<br />
<br />
=== Unflod (April 2014) ===<br />
<br />
[[Unflod]] is a malicious piece of software targeting jailbroken iOS devices, which attempts to capture the user's Apple ID and password by using MobileSubstrate to hook into the SSLWrite function of Security.framework and then listening to data passed to it. Once the Apple ID and password are captured, it is sent to a Chinese IP address. It was inadvertently discovered by a Reddit user on April 17th, 2014. Also called "Unflod Baby Panda" and "SSLCreds".<br />
<br />
=== AppBuyer (September 2014) ===<br />
<br />
AppBuyer, as discussed in [http://researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/ this article by Palo Alto Networks], is "malware will connect to C&C server, download and execute malicious executable files, hook network APIs to steal user’s Apple ID and password and upload to the attacker’s server, and simulate Apple’s proprietary protocols to buy apps from the official App Store by victim’s identity." It targets jailbroken devices.<br />
<br />
=== WireLurker and Masque Attack (November 2014) ===<br />
<br />
As discussed at [[Misuse of enterprise and developer certificates]]: [http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/ according to Palo Alto Networks], WireLurker is "a family of malware targeting both Mac OS and iOS systems for the past six months...It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning."<br />
<br />
Masque Attacks are a related technique, also [https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html discussed by Palo Alto Networks]: "an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier."<br />
<br />
=== Xsser mRAT (December 2014) ===<br />
<br />
Xsser mRAT is a piece of malware that targets jailbroken devices. [https://blogs.akamai.com/2014/12/ios-and-android-os-targeted-by-man-in-the-middle-attacks.html As described by Akamai]: "The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server."<br />
<br />
=== Lock Saver Free (July 2015) ===<br />
<br />
Lock Saver Free is a free tweak, originally distributed on a default repository (removed from the repository after discovery of the problem), that installs an extra tweak that hooks into ad banners to insert its own ad identifier, presumably in order to give ad revenue to the author of the tweak instead of to the author of the website/app where the ad was found. [https://www.reddit.com/r/jailbreak/comments/3eis8g/news_lock_saver_free_contains_a_trojan_that/ Discussion on Reddit].<br />
<br />
=== KeyRaider (August 2015) ===<br />
<br />
KeyRaider, as discussed in [http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/ this article by Palo Alto Networks], is a piece of malware for jailbroken devices that "steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device." These security researchers said it has over 225,000 stolen accounts in its database.<br />
<br />
== Tools used by governments (and similar) to target individuals ==<br />
<br />
=== FinSpy Mobile (August 2012) ===<br />
<br />
FinFisher is a suite of commercial surveillance tools sold to governments, which have been used to target activists and other people. The suite [https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/ includes spyware tools for many mobile operating systems, including iOS].<br />
<br />
=== DROPOUTJEEP (December 2013) ===<br />
<br />
In December 2013, a conference presentation included information about a NSA tool called DROPOUTJEEP: [http://www.forbes.com/sites/erikkain/2013/12/30/the-nsa-reportedly-has-total-access-to-your-iphone/ "a software implant for the Apple iPhone that utilizes modular mission applications to provide specific SIGINT functionality. This functionality includes the ability to remotely push/pull files from the device. SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell tower location, etc. Command, control and data exfiltration can occur over SMS messaging or a GPRS data connection. All communications with the implant will be covert and encrypted.”] The information was from an internal NSA software catalog from 2008. The presenter speculated that Apple had helped build this tool, and [http://techcrunch.com/2013/12/31/apple-says-it-has-never-worked-with-nsa-to-create-iphone-backdoors-is-unaware-of-alleged-dropoutjeep-snooping-program/ Apple said it "has never worked with the NSA to create a backdoor in any of our products"].<br />
<br />
=== Hacking Team tools (June 2014 and July 2015) ===<br />
<br />
[[Hacking Team]] is a company that "sells offensive intrusion and surveillance capabilities to governments and law enforcement agencies", including iOS spyware tools. The iOS spyware tools appear designed for targeting/attacking specific people, not for broad surveillance of the public. Their main tool (Remote Control System) requires a jailbroken device, and they were researching options for non-jailbroken devices.<br />
<br />
=== Inception (December 2014) ===<br />
<br />
Inception is an "attack framework" from an unknown source that targets individuals to steal information, using phishing emails and other techniques along with malware for iOS and other mobile operating systems, described in [https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware this post by security researchers who identified it]. According to [http://images.machspeed.bluecoat.com/Web/BlueCoat/%7B7f2dda62-f240-48dc-b05e-5cc620747b73%7D_bcs_wp_The_Inception_Framework_Cloud-Hosted_APT_EN_1d.pdf the whitepaper from those security researchers], a target may receive a phishing email with a link that says it's a WhatsApp update, and if clicked on jailbroken iOS, it triggers "the download of a Debian installer package, WhatsAppUpdate.deb, also 1.2Mb in size. This application impersonates a Cydia installer, and can only be installed on a jailbroken phone" (page 23). It's unclear what they mean by "impersonates a Cydia installer", but a .deb file is the standard format for software packages installable via Cydia. The iOS malware collects the device's [[ICCID]], address book, phone number, MAC address, and other information.<br />
<br />
Another group of security researchers also identified this attack framework [http://www.cso.com.au/article/562325/sophisticated-malware-targets-execs-pcs-android-blackberry-ios-devices/ and called it Cloud Atlas].<br />
<br />
More articles: [http://appleinsider.com/articles/14/12/11/massive-sophisticated-inception---cloud-atlas-malware-infects-windows-and-android-but-cant-exploit-apples-ios-without-jailbreak Apple Insider], [http://www.forbes.com/sites/thomasbrewster/2014/12/10/iphone-android-attacks-on-diplomats/ Forbes]. There is a sample download [http://contagiominidump.blogspot.de/2014/12/cloud-atlas-inception-ios.html available via this blog].<br />
<br />
=== XAgent (February 2015) ===<br />
<br />
XAgent is a surveillance tool targeting specific people (such as people in governments, the military, and journalists) that can affect both non-jailbroken and jailbroken devices, as described in [http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/ this article by Trend Micro]. Also [http://www.pcworld.com/article/2880152/new-spyware-targets-ios-devices-steals-pictures-and-data.html covered by PCWorld].<br />
<br />
== Tools developed as part of research ==<br />
<br />
=== iSAM (June 2011) ===<br />
<br />
iSAM is a malware tool [http://link.springer.com/chapter/10.1007%2F978-3-642-21424-0_2 developed by security researchers] as a proof of concept. It affects both jailbroken and not-yet-jailbroken devices: it scans for jailbroken devices that have SSH running and the default root password, and it also includes a malicious version of the [[Star]] exploit (JailbreakMe 2.0) so it can jailbreak a device that isn't jailbroken yet.<br />
<br />
=== Instastock (November 2011) ===<br />
<br />
Charlie Miller, a security researcher, [http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/ submitted an app to the App Store called Instastock] to demonstrate "a flaw in Apple’s restrictions on code signing on iOS devices". The app was initially accepted and then pulled from the store.<br />
<br />
=== Mactans (July 2013) ===<br />
<br />
At the Black Hat 2013 conference, security researchers presented a tool called Mactans, a small device that looks like a charger but [http://www.zdnet.com/article/researchers-reveal-how-to-hack-an-iphone-in-60-seconds/ can insert malware if you plug an iOS device into it]. The iOS device does not have to be jailbroken.<br />
<br />
=== Jekyll (August 2013) ===<br />
<br />
At the USENIX Security Symposium in 2013, security researchers described a method for getting a malicious app approved for the App Store, [http://www.theguardian.com/technology/appsblog/2013/aug/19/ios-malware-apple-iphone-ipad-jekyll "created with remotely-exploitable vulnerabilities built in, masked by legitimate features to evade detection during the App Store approval process, but ready to be triggered once the app was installed on an iOS device."] They successfully got an app approved for the App Store with this method (which [http://arstechnica.com/security/2013/08/seemingly-benign-jekyll-app-passes-apple-review-then-becomes-evil/ "was only active for a few minutes following its launch in March, and during that time it wasn't installed by anyone not involved in the experiment"]).<br />
<br />
=== XARA attacks (June 2015) ===<br />
<br />
Security researchers found methods for "cross-app resource access" (XARA) attacks on OS X and iOS, and they submitted malicious proof-of-concept apps to the Mac and iOS App Store. Apple approved the apps, and the researchers immediately removed them from the stores. These XARA attacks were ways of bypassing the sandboxes that are supposed to prevent an app from accessing files that don't belong to that app, [https://drive.google.com/file/d/0BxxXk1d3yyuZOFlsdkNMSGswSGs/view described by the security researchers in a paper]. [http://arstechnica.com/security/2015/06/serious-os-x-and-ios-flaws-let-hackers-steal-keychain-1password-contents/ Ars Technica article].<br />
<br />
=== NeonEggShell (August 2015) ===<br />
<br />
[http://neoneggplants.com/projects/neoneggshell/ NeonEggShell] is a command shell creation tool for iOS and OS X. The author says "This project is a proof of concept way to demon strate how easy it is to take over a whole device with a piece of code no bigger than a twitter post." The project includes tools for making payloads for jailbroken iOS, with features such as keylogging and location tracking. By default, the tool includes a "prompt that asks for permission before allowing any connection to the remote server."<br />
<br />
== Tools for sale to the public to target individuals ==<br />
<br />
=== 1mole ===<br />
<br />
[http://www.bosspy.com/user/iphoneos.aspx 1mole] is a spying tool available to the public via their own repository, authored by Bosspy. It describes itself [http://www.bosspy.com/user/default.aspx on its website] as "For Parents" ("Have your children going home after school? Consult their GPS position to be sure."), "For individuals" ("You think about your lost or stolen mobile phone."), and "For Employers" ("Install the software on your business phones and locate them in real time"). Its feature list includes "Track GPS locations" and "Capture the lock sreen passcode" for free, and "Record text messages", "Log Calls details", "Website monitoring", and "Keylogger" as paid services.<br />
<br />
=== Copy9 ===<br />
<br />
[http://cydia.saurik.com/package/com.goldenspy.copy9/ Copy9] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Copy9. It describes itself as "will be installed on target iDevice to find out a thief, cheating spouses, monitor chidren/employees or simply backup data from your devices to our cloud server. This is the best spyware on the world in spying field." [http://copy9.com/ Copy9 website].<br />
<br />
=== Copy10 ===<br />
<br />
[http://cydia.saurik.com/package/com.copy10.copy10/ Copy10] is a similar but separate spying tool available to the public via the ModMyi repository (a default repository), authored by IntelMobi/goldenspy. Their description includes "Are you having trust issues in your relationship? Sign that your kid's personality has changed and their behaviors, does your teenager hang out with friends you're concerned about? What if you believe one of your employees is a spy or is stealing company's technology, intellectual property or trade secrets?" [https://www.intelmobi.com/ IntelMobi website].<br />
<br />
=== FlexiSPY ===<br />
<br />
[http://www.flexispy.com/en/iphone-tracker-spy-on-iphone.htm FlexiSPY] is a spying tool available to the public presumably via their own repository (this isn't specified on their website, but it's specified that you need the device to be jailbroken), authored by Flexispy, Ltd. Their website says "If you have a committed relationship with your partner or are responsible for a child or employee YOU HAVE A RIGHT TO KNOW To protect your relationship, spy on their iPhone."<br />
<br />
=== iKeyGuard Key Logger ===<br />
<br />
[http://cydia.saurik.com/package/com.ikeyguard.ikg/ iKeyGuard Key Logger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by iKeyGuard. Its description includes "Warning: Logging other people without their permission might be illegal in your country! Make sure you abide by your local law."<br />
<br />
=== iKeyMonitor keylogger ===<br />
<br />
[http://cydia.saurik.com/package/com.aw.mobile.ikm/ iKeyMonitor keylogger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Awosoft Technology. [http://ikeymonitor.com/ Its website] includes "How to monitor your children's cell phone to discover the truth and protect them from potential dangers? Now with iKeyMonitor you can uncover the truth by secretly monitoring mobile phones and tablets such as iPhone/iPad/iPod and Android device."<br />
<br />
=== InnovaSPY ===<br />
<br />
[http://cydia.saurik.com/package/com.innovaspy.innovaspy/ InnovaSPY] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Innovaspy. Its description says "Perfect iPhone spy app" and lists reasons to use it as "Protect your child from cyber predators" and "Find out THE TRUE from cheating spouse?" Related package: [http://cydia.saurik.com/package/com.innovaspy.innovamonitor/ InnovaMonitor], a monitoring app for use with the spy tool. [http://innovaspy.com/ InnovaSPY website].<br />
<br />
=== Mobile Spy ===<br />
<br />
[http://www.mobile-spy.com/iphone-v7.html Mobile Spy] is a spying tool available to the public via their own repository, authored by Retina-X Studios. [http://www.mobile-spy.com/ Their website] says "View your Child or Employee's Smartphone and Tablet Usage. Monitor text messages, GPS locations, call details, photos and social media activity. View the screen and location LIVE!"<br />
<br />
=== MobiStealth ===<br />
<br />
[http://www.mobistealth.com/iphone-spy MobiStealth] is a spying tool available to the public for both [http://www.mobistealth.com/iphone-spy jailbroken iOS] (presumably installed via their own repository) and [http://www.mobistealth.com/ios-non-jailbreak non-jailbroken iOS] ("All that you require is the Apple ID and password of the iPhone or iPad that you want to monitor to get remote access to"). Their website includes "Are your employees misusing company owned phones? Are your kids getting more possessed and do not want to share anything with you? Stop wondering and thinking all day long, Mobistealth iPhone spy app is exactly what you need."<br />
<br />
=== mSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.mtechnology.mspy.trial/ mSpy] is a spying tool available to the public via the BigBoss repository (a default repository), authored by Mtechnology. Its description of itself: "mSpy is the best tracking and spy application that allows users to keep a check on the cell phone activities of their kids other family members or employees in order to avoid any unwanted behavior or for safety purposes."<br />
<br />
The mSpy website [http://www.mspy.com/compatibility.html indicates that they also have a version for non-jailbroken devices].<br />
<br />
In May 2015, [http://krebsonsecurity.com/2015/05/mspy-denies-breach-even-as-customers-confirm-it/ mSpy had a customer data breach].<br />
<br />
=== OwnSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.ownspy.daemon/ OwnSpy] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Antonio Calatrava. It describes itself as "Spy your own iPhone or iPad", with call recording, location tracking, and other features. It has a warning that says "Installing OwnSpy on a device that does not belong to you is a criminal offense and may be prosecuted. Mobile Innovations will help authorities if required." [http://en.ownspy.com/P000001-install-on-ios OwnSpy website].<br />
<br />
=== Spy App ===<br />
<br />
[http://cydia.saurik.com/package/com.spyapp.daemon/ Spy App] is a spying tool available to the public via the ModMyi repository (a default repository), authored by dmarinov. Its description includes "Remotely spy SMS, Emails, Call Logs, GPS Location, Key presses (Keylogger)" and other features. It says it is "absolutely invisible and undetectable."<br />
<br />
=== SpyKey ===<br />
<br />
[http://cydia.saurik.com/package/com.kobisnir.spykey/ SpyKey] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Kobi Snir. Its description includes "a simple app that let you monitor your PC Keyboard activity in real time, Simply connect your iphone to your compute using your Wifi or 3G connection and start monitoring." The [http://www.ioslinks.com/spykey/ SpyKey website] includes "Great use for parental control purposes, protect your kids from chating with strangers!", "Discover usernames & passwords", and "Spy unfaithfull husband or wife."<br />
<br />
=== StealthGenie ===<br />
<br />
StealthGenie was a spying tool available to the public [http://blog.flexispy.com/remove-stealthgenie-iphone-android/ via their own repository]. It also supported other mobile operating systems. In November 2014, the person who advertised and sold this product was [http://www.justice.gov/opa/pr/man-pleads-guilty-selling-stealthgenie-spyware-app-and-ordered-pay-500000-fine charged with a federal crime and fined $500,000]. The charge was "sale of an interception device and advertisement of a known interception device", a wiretapping crime. [http://www.forbes.com/sites/kashmirhill/2014/09/30/stealthgenie-ugly-marketing-of-spyware/ A Forbes article] says "according to the FBI, Akbar and his team developed an internal business plan that revealed that — duh — the primary target audience for the app was people who thought their partners were cheating." The Forbes article points out [[#Mobile Spy]], [[#mSpy]], [[#FlexiSPY]], and [[#MobiStealth]] as similar products.<br />
<br />
=== Trapsms ===<br />
<br />
Trapsms was an early spying tool available to the public, [http://blog.fortinet.com/post/detecting-spyware-for-iphones described in this post by a security researcher in July 2009]. She says: "The spyware installs on any jailbroken iPhone. In Cydia (an iPhone front-end to help installing third-party applications), you first add the URL of the spyware's repository and then install the two spyware packages."<br />
<br />
[[Category:Malware research]]</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=Malware_for_iOS&diff=47649Malware for iOS2015-09-04T23:54:17Z<p>Britta: /* Tools developed as part of research */ adding another</p>
<hr />
<div>This is a list of known malware (including spyware, adware, trojans, viruses, worms, and similar tools) that have targeted iOS, including jailbroken iOS. The dates are approximate dates when people discovered, publicized, or started discussing the tool. '''You can help expand this article with more examples and details. To edit it, [[The iPhone Wiki:Account creation|request an account on TheiPhoneWiki]].'''<br />
<br />
The goal of this list is to aid better understanding of the risks of using iOS and jailbroken iOS - it's helpful to have as much accurate information as you can. If you're concerned about avoiding malware on your jailbroken device, check out [https://www.reddit.com/r/jailbreak/wiki/howtoresearch this guide to making informed guesses about whether packages are reasonable to install].<br />
<br />
Some context: <br />
* Some of these tools targeted old iOS versions and do not work on current iOS versions.<br />
* Some of these are harmful and some are merely annoying.<br />
* Many of these require the device to be jailbroken, and some work on non-jailbroken devices (including via [[misuse of enterprise and developer certificates]]).<br />
* Cydia is an open platform - it includes a specific set of default repositories, and it also allows users to type in any third-party repository that they want to use (much like a web browser that allows you to visit any website). Anyone can run a third-party repository and distribute any software they choose to distribute.<br />
* Some of these tools are built to target specific people instead of the general public.<br />
* Especially for malware that targets a specific person and requires the device to be jailbroken (such as commercial spyware tools used by governments and [http://www.forbes.com/sites/sarahjeong/2014/10/28/surveillance-begins-at-home/ people spying on family members]), it's important to consider that ''the vulnerabilities in iOS that allow it to be exploited with a jailbreak'' are part of what allows that malware to exist - the process may include finding a way to secretly jailbreak the target's device if it's not jailbroken already.<br />
<br />
For an earlier list of known malware, see [https://blog.fortinet.com/post/ios-malware-does-exist "iOS Malware Does Exist"] (June 2014).<br />
<br />
== Tools found in the wild that target the public ==<br />
<br />
=== iKee and Duh (November 2009) ===<br />
<br />
The [[Ikee-virus]] (also called Eeki) is a worm transmitted between jailbroken devices that have OpenSSH installed and haven't changed the default root password. It changes the lockscreen background to a photo of Rick Astley.<br />
<br />
Two weeks later, the similar [https://nakedsecurity.sophos.com/2009/11/23/lightning-strikes-iphone-malware-malicious/ Duh worm] spread, which was "much more serious than the original Ikee worm because it is not limited to infecting iPhone users in Australia, and communicates with an internet Control & Command centre, downloading new instructions - effectively turning your iPhone into part of a botnet."<br />
<br />
=== "Find and Call" (July 2012) ===<br />
<br />
Find and Call was an app on the App Store that automatically uploaded users' contact lists to the company's server, then spammed those contacts with a link to the app ("from" that user). This undisclosed, unwanted behavior makes the software fit the definition of a trojan. Articles: [https://securelist.com/blog/incidents/33544/find-and-call-leak-and-spam-57/ Kaspersky SecureList], [http://arstechnica.com/apple/2012/07/find-and-call-app-becomes-first-trojan-to-appear-on-ios-app-store/ Ars Technica], [https://nakedsecurity.sophos.com/2012/07/06/find-call-ios-android-malware/ Sophos NakedSecurity]. It is also called FindCall.<br />
<br />
=== Packages by Nobitazzz (August 2012 and September 2013) ===<br />
<br />
A tweak developer who went by various names (Felix, FelixCat, isoftjsc, Martin Pham, Nitram88, Nobitazzz, Nobita.ZZZ, Sara_Nobita, sara_nobita_zzz, tuyentq2009, vietSARA) included adware in his tweaks. These were many free packages along with some paid packages sold via the Cydia Store, mostly distributed by default repositories (until the problem was discovered). The adware ran ads in the background of iOS, displaying off-screen so that the user wouldn't notice them, with the revenue from those ads going to this tweak developer. This was [http://modmyi.com/forums/cydia-support/810633-new-adware-malware-found-cydia.html reported in August 2012 on the ModMyi forum] and [http://ryanhileman.info/posts/webgl analyzed in September 2013] ([https://www.reddit.com/r/jailbreak/comments/1n5702/anatomy_of_a_jailbreak_trojan/ discussion on Reddit]).<br />
<br />
Packages by this developer included: Animated ICS LockScreen & HomeScreen, BetterChrome, Chrome Download Enabler, ChromeMe, Enable Copy text in Facebook app, Enable WebGL, Facebook Photo Library integration, FacebookThis, Handwriting recognition, Insta9gag, InstaFacebook for NotificationCenter, Instagram Image saver, InstaSocial for Notification Center, InstaTwitter for NotificationCenter, iOS 6 Photos Menu, Make Gmail as default, Notification Lunar Calendar, Olympic 2012 Medal for Notification Center, PhotoFilters, Sara, Sara Dictation Keyboard, VoiceTweet.<br />
<br />
=== AdThief/Spad (March and August 2014) ===<br />
<br />
AdThief (also called Spad) is malware targeting jailbroken iOS devices, which "tweaks a developer ID that’s intended to tell ad developers when their ads are either viewed or clicked and in turn, generate revenue. In the malware’s case, infected devices funnel those small payments away from the developers to the hacker", as [https://threatpost.com/adthief-ios-malware-affecting-75k-jailbroken-devices/107907 explained by Kaspersky Threatpost]. Security researchers estimated it had infected 75,000 devices.<br />
<br />
=== Unflod (April 2014) ===<br />
<br />
[[Unflod]] is a malicious piece of software targeting jailbroken iOS devices, which attempts to capture the user's Apple ID and password by using MobileSubstrate to hook into the SSLWrite function of Security.framework and then listening to data passed to it. Once the Apple ID and password are captured, it is sent to a Chinese IP address. It was inadvertently discovered by a Reddit user on April 17th, 2014. Also called "Unflod Baby Panda" and "SSLCreds".<br />
<br />
=== AppBuyer (September 2014) ===<br />
<br />
AppBuyer, as discussed in [http://researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/ this article by Palo Alto Networks], is "malware will connect to C&C server, download and execute malicious executable files, hook network APIs to steal user’s Apple ID and password and upload to the attacker’s server, and simulate Apple’s proprietary protocols to buy apps from the official App Store by victim’s identity." It targets jailbroken devices.<br />
<br />
=== WireLurker and Masque Attack (November 2014) ===<br />
<br />
As discussed at [[Misuse of enterprise and developer certificates]]: [http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/ according to Palo Alto Networks], WireLurker is "a family of malware targeting both Mac OS and iOS systems for the past six months...It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning."<br />
<br />
Masque Attacks are a related technique, also [https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html discussed by Palo Alto Networks]: "an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier."<br />
<br />
=== Xsser mRAT (December 2014) ===<br />
<br />
Xsser mRAT is a piece of malware that targets jailbroken devices. [https://blogs.akamai.com/2014/12/ios-and-android-os-targeted-by-man-in-the-middle-attacks.html As described by Akamai]: "The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server."<br />
<br />
=== Lock Saver Free (July 2015) ===<br />
<br />
Lock Saver Free is a free tweak, originally distributed on a default repository (removed from the repository after discovery of the problem), that installs an extra tweak that hooks into ad banners to insert its own ad identifier, presumably in order to give ad revenue to the author of the tweak instead of to the author of the website/app where the ad was found. [https://www.reddit.com/r/jailbreak/comments/3eis8g/news_lock_saver_free_contains_a_trojan_that/ Discussion on Reddit].<br />
<br />
=== KeyRaider (August 2015) ===<br />
<br />
KeyRaider, as discussed in [http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/ this article by Palo Alto Networks], is a piece of malware for jailbroken devices that "steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device." These security researchers said it has over 225,000 stolen accounts in its database.<br />
<br />
== Tools used by governments (and similar) to target individuals ==<br />
<br />
=== FinSpy Mobile (August 2012) ===<br />
<br />
FinFisher is a suite of commercial surveillance tools sold to governments, which have been used to target activists and other people. The suite [https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/ includes spyware tools for many mobile operating systems, including iOS].<br />
<br />
=== DROPOUTJEEP (December 2013) ===<br />
<br />
In December 2013, a conference presentation included information about a NSA tool called DROPOUTJEEP: [http://www.forbes.com/sites/erikkain/2013/12/30/the-nsa-reportedly-has-total-access-to-your-iphone/ "a software implant for the Apple iPhone that utilizes modular mission applications to provide specific SIGINT functionality. This functionality includes the ability to remotely push/pull files from the device. SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell tower location, etc. Command, control and data exfiltration can occur over SMS messaging or a GPRS data connection. All communications with the implant will be covert and encrypted.”] The information was from an internal NSA software catalog from 2008. The presenter speculated that Apple had helped build this tool, and [http://techcrunch.com/2013/12/31/apple-says-it-has-never-worked-with-nsa-to-create-iphone-backdoors-is-unaware-of-alleged-dropoutjeep-snooping-program/ Apple said it "has never worked with the NSA to create a backdoor in any of our products"].<br />
<br />
=== Hacking Team tools (June 2014 and July 2015) ===<br />
<br />
[[Hacking Team]] is a company that "sells offensive intrusion and surveillance capabilities to governments and law enforcement agencies", including iOS spyware tools. The iOS spyware tools appear designed for targeting/attacking specific people, not for broad surveillance of the public. Their main tool (Remote Control System) requires a jailbroken device, and they were researching options for non-jailbroken devices.<br />
<br />
=== Inception (December 2014) ===<br />
<br />
Inception is an "attack framework" from an unknown source that targets individuals to steal information, using phishing emails and other techniques along with malware for iOS and other mobile operating systems, described in [https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware this post by security researchers who identified it]. According to [http://images.machspeed.bluecoat.com/Web/BlueCoat/%7B7f2dda62-f240-48dc-b05e-5cc620747b73%7D_bcs_wp_The_Inception_Framework_Cloud-Hosted_APT_EN_1d.pdf the whitepaper from those security researchers], a target may receive a phishing email with a link that says it's a WhatsApp update, and if clicked on jailbroken iOS, it triggers "the download of a Debian installer package, WhatsAppUpdate.deb, also 1.2Mb in size. This application impersonates a Cydia installer, and can only be installed on a jailbroken phone" (page 23). It's unclear what they mean by "impersonates a Cydia installer", but a .deb file is the standard format for software packages installable via Cydia. The iOS malware collects the device's [[ICCID]], address book, phone number, MAC address, and other information.<br />
<br />
Another group of security researchers also identified this attack framework [http://www.cso.com.au/article/562325/sophisticated-malware-targets-execs-pcs-android-blackberry-ios-devices/ and called it Cloud Atlas].<br />
<br />
More articles: [http://appleinsider.com/articles/14/12/11/massive-sophisticated-inception---cloud-atlas-malware-infects-windows-and-android-but-cant-exploit-apples-ios-without-jailbreak Apple Insider], [http://www.forbes.com/sites/thomasbrewster/2014/12/10/iphone-android-attacks-on-diplomats/ Forbes]. There is a sample download [http://contagiominidump.blogspot.de/2014/12/cloud-atlas-inception-ios.html available via this blog].<br />
<br />
=== XAgent (February 2015) ===<br />
<br />
XAgent is a surveillance tool targeting specific people (such as people in governments, the military, and journalists) that can affect both non-jailbroken and jailbroken devices, as described in [http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/ this article by Trend Micro]. Also [http://www.pcworld.com/article/2880152/new-spyware-targets-ios-devices-steals-pictures-and-data.html covered by PCWorld].<br />
<br />
== Tools developed as part of research ==<br />
<br />
=== iSAM (June 2011) ===<br />
<br />
iSAM is a malware tool [http://link.springer.com/chapter/10.1007%2F978-3-642-21424-0_2 developed by security researchers] as a proof of concept. It affects both jailbroken and not-yet-jailbroken devices: it scans for jailbroken devices that have SSH running and the default root password, and it also includes a malicious version of the [[Star]] exploit (JailbreakMe 2.0) so it can jailbreak a device that isn't jailbroken yet.<br />
<br />
=== Instastock (November 2011) ===<br />
<br />
Charlie Miller, a security researcher, [http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/ submitted an app to the App Store called Instastock] to demonstrate "a flaw in Apple’s restrictions on code signing on iOS devices". The app was initially accepted and then pulled from the store.<br />
<br />
=== Mactans (July 2013) ===<br />
<br />
At the Black Hat 2013 conference, security researchers presented a tool called Mactans, a small device that looks like a charger but [http://www.zdnet.com/article/researchers-reveal-how-to-hack-an-iphone-in-60-seconds/ can insert malware if you plug an iOS device into it]. The iOS device does not have to be jailbroken.<br />
<br />
=== Jekyll (August 2013) ===<br />
<br />
At the USENIX Security Symposium in 2013, security researchers described a method for getting a malicious app approved for the App Store, [http://www.theguardian.com/technology/appsblog/2013/aug/19/ios-malware-apple-iphone-ipad-jekyll "created with remotely-exploitable vulnerabilities built in, masked by legitimate features to evade detection during the App Store approval process, but ready to be triggered once the app was installed on an iOS device."] They successfully got an app approved for the App Store with this method (which [http://arstechnica.com/security/2013/08/seemingly-benign-jekyll-app-passes-apple-review-then-becomes-evil/ "was only active for a few minutes following its launch in March, and during that time it wasn't installed by anyone not involved in the experiment"]).<br />
<br />
=== XARA attacks (June 2015) ===<br />
<br />
Security researchers found methods for "cross-app resource access" (XARA) attacks on OS X and iOS, and they submitted malicious proof-of-concept apps to the Mac and iOS App Store. Apple approved the apps, and the researchers immediately removed them from the stores. These XARA attacks were ways of bypassing the sandboxes that are supposed to prevent an app from accessing files that don't belong to that app, [https://drive.google.com/file/d/0BxxXk1d3yyuZOFlsdkNMSGswSGs/view described by the security researchers in a paper]. [http://arstechnica.com/security/2015/06/serious-os-x-and-ios-flaws-let-hackers-steal-keychain-1password-contents/ Ars Technica article].<br />
<br />
=== NeonEggShell (August 2015) ===<br />
<br />
[http://neoneggplants.com/projects/neoneggshell/ NeonEggShell] is a command shell creation tool for iOS and OS X. The author says "This project is a proof of concept way to demon strate how easy it is to take over a whole device with a piece of code no bigger than a twitter post." The project includes tools for making payloads for jailbroken iOS, with features such as keylogging and location tracking.<br />
<br />
== Tools for sale to the public to target individuals ==<br />
<br />
=== 1mole ===<br />
<br />
[http://www.bosspy.com/user/iphoneos.aspx 1mole] is a spying tool available to the public via their own repository, authored by Bosspy. It describes itself [http://www.bosspy.com/user/default.aspx on its website] as "For Parents" ("Have your children going home after school? Consult their GPS position to be sure."), "For individuals" ("You think about your lost or stolen mobile phone."), and "For Employers" ("Install the software on your business phones and locate them in real time"). Its feature list includes "Track GPS locations" and "Capture the lock sreen passcode" for free, and "Record text messages", "Log Calls details", "Website monitoring", and "Keylogger" as paid services.<br />
<br />
=== Copy9 ===<br />
<br />
[http://cydia.saurik.com/package/com.goldenspy.copy9/ Copy9] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Copy9. It describes itself as "will be installed on target iDevice to find out a thief, cheating spouses, monitor chidren/employees or simply backup data from your devices to our cloud server. This is the best spyware on the world in spying field." [http://copy9.com/ Copy9 website].<br />
<br />
=== Copy10 ===<br />
<br />
[http://cydia.saurik.com/package/com.copy10.copy10/ Copy10] is a similar but separate spying tool available to the public via the ModMyi repository (a default repository), authored by IntelMobi/goldenspy. Their description includes "Are you having trust issues in your relationship? Sign that your kid's personality has changed and their behaviors, does your teenager hang out with friends you're concerned about? What if you believe one of your employees is a spy or is stealing company's technology, intellectual property or trade secrets?" [https://www.intelmobi.com/ IntelMobi website].<br />
<br />
=== FlexiSPY ===<br />
<br />
[http://www.flexispy.com/en/iphone-tracker-spy-on-iphone.htm FlexiSPY] is a spying tool available to the public presumably via their own repository (this isn't specified on their website, but it's specified that you need the device to be jailbroken), authored by Flexispy, Ltd. Their website says "If you have a committed relationship with your partner or are responsible for a child or employee YOU HAVE A RIGHT TO KNOW To protect your relationship, spy on their iPhone."<br />
<br />
=== iKeyGuard Key Logger ===<br />
<br />
[http://cydia.saurik.com/package/com.ikeyguard.ikg/ iKeyGuard Key Logger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by iKeyGuard. Its description includes "Warning: Logging other people without their permission might be illegal in your country! Make sure you abide by your local law."<br />
<br />
=== iKeyMonitor keylogger ===<br />
<br />
[http://cydia.saurik.com/package/com.aw.mobile.ikm/ iKeyMonitor keylogger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Awosoft Technology. [http://ikeymonitor.com/ Its website] includes "How to monitor your children's cell phone to discover the truth and protect them from potential dangers? Now with iKeyMonitor you can uncover the truth by secretly monitoring mobile phones and tablets such as iPhone/iPad/iPod and Android device."<br />
<br />
=== InnovaSPY ===<br />
<br />
[http://cydia.saurik.com/package/com.innovaspy.innovaspy/ InnovaSPY] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Innovaspy. Its description says "Perfect iPhone spy app" and lists reasons to use it as "Protect your child from cyber predators" and "Find out THE TRUE from cheating spouse?" Related package: [http://cydia.saurik.com/package/com.innovaspy.innovamonitor/ InnovaMonitor], a monitoring app for use with the spy tool. [http://innovaspy.com/ InnovaSPY website].<br />
<br />
=== Mobile Spy ===<br />
<br />
[http://www.mobile-spy.com/iphone-v7.html Mobile Spy] is a spying tool available to the public via their own repository, authored by Retina-X Studios. [http://www.mobile-spy.com/ Their website] says "View your Child or Employee's Smartphone and Tablet Usage. Monitor text messages, GPS locations, call details, photos and social media activity. View the screen and location LIVE!"<br />
<br />
=== MobiStealth ===<br />
<br />
[http://www.mobistealth.com/iphone-spy MobiStealth] is a spying tool available to the public for both [http://www.mobistealth.com/iphone-spy jailbroken iOS] (presumably installed via their own repository) and [http://www.mobistealth.com/ios-non-jailbreak non-jailbroken iOS] ("All that you require is the Apple ID and password of the iPhone or iPad that you want to monitor to get remote access to"). Their website includes "Are your employees misusing company owned phones? Are your kids getting more possessed and do not want to share anything with you? Stop wondering and thinking all day long, Mobistealth iPhone spy app is exactly what you need."<br />
<br />
=== mSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.mtechnology.mspy.trial/ mSpy] is a spying tool available to the public via the BigBoss repository (a default repository), authored by Mtechnology. Its description of itself: "mSpy is the best tracking and spy application that allows users to keep a check on the cell phone activities of their kids other family members or employees in order to avoid any unwanted behavior or for safety purposes."<br />
<br />
The mSpy website [http://www.mspy.com/compatibility.html indicates that they also have a version for non-jailbroken devices].<br />
<br />
In May 2015, [http://krebsonsecurity.com/2015/05/mspy-denies-breach-even-as-customers-confirm-it/ mSpy had a customer data breach].<br />
<br />
=== OwnSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.ownspy.daemon/ OwnSpy] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Antonio Calatrava. It describes itself as "Spy your own iPhone or iPad", with call recording, location tracking, and other features. It has a warning that says "Installing OwnSpy on a device that does not belong to you is a criminal offense and may be prosecuted. Mobile Innovations will help authorities if required." [http://en.ownspy.com/P000001-install-on-ios OwnSpy website].<br />
<br />
=== Spy App ===<br />
<br />
[http://cydia.saurik.com/package/com.spyapp.daemon/ Spy App] is a spying tool available to the public via the ModMyi repository (a default repository), authored by dmarinov. Its description includes "Remotely spy SMS, Emails, Call Logs, GPS Location, Key presses (Keylogger)" and other features. It says it is "absolutely invisible and undetectable."<br />
<br />
=== SpyKey ===<br />
<br />
[http://cydia.saurik.com/package/com.kobisnir.spykey/ SpyKey] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Kobi Snir. Its description includes "a simple app that let you monitor your PC Keyboard activity in real time, Simply connect your iphone to your compute using your Wifi or 3G connection and start monitoring." The [http://www.ioslinks.com/spykey/ SpyKey website] includes "Great use for parental control purposes, protect your kids from chating with strangers!", "Discover usernames & passwords", and "Spy unfaithfull husband or wife."<br />
<br />
=== StealthGenie ===<br />
<br />
StealthGenie was a spying tool available to the public [http://blog.flexispy.com/remove-stealthgenie-iphone-android/ via their own repository]. It also supported other mobile operating systems. In November 2014, the person who advertised and sold this product was [http://www.justice.gov/opa/pr/man-pleads-guilty-selling-stealthgenie-spyware-app-and-ordered-pay-500000-fine charged with a federal crime and fined $500,000]. The charge was "sale of an interception device and advertisement of a known interception device", a wiretapping crime. [http://www.forbes.com/sites/kashmirhill/2014/09/30/stealthgenie-ugly-marketing-of-spyware/ A Forbes article] says "according to the FBI, Akbar and his team developed an internal business plan that revealed that — duh — the primary target audience for the app was people who thought their partners were cheating." The Forbes article points out [[#Mobile Spy]], [[#mSpy]], [[#FlexiSPY]], and [[#MobiStealth]] as similar products.<br />
<br />
=== Trapsms ===<br />
<br />
Trapsms was an early spying tool available to the public, [http://blog.fortinet.com/post/detecting-spyware-for-iphones described in this post by a security researcher in July 2009]. She says: "The spyware installs on any jailbroken iPhone. In Cydia (an iPhone front-end to help installing third-party applications), you first add the URL of the spyware's repository and then install the two spyware packages."<br />
<br />
[[Category:Malware research]]</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=Malware_for_iOS&diff=47643Malware for iOS2015-09-03T00:25:56Z<p>Britta: /* XARA attacks (June 2015) */ better phrasing</p>
<hr />
<div>This is a list of known malware (including spyware, adware, trojans, viruses, worms, and similar tools) that have targeted iOS, including jailbroken iOS. The dates are approximate dates when people discovered, publicized, or started discussing the tool. '''You can help expand this article with more examples and details. To edit it, [[The iPhone Wiki:Account creation|request an account on TheiPhoneWiki]].'''<br />
<br />
The goal of this list is to aid better understanding of the risks of using iOS and jailbroken iOS - it's helpful to have as much accurate information as you can. If you're concerned about avoiding malware on your jailbroken device, check out [https://www.reddit.com/r/jailbreak/wiki/howtoresearch this guide to making informed guesses about whether packages are reasonable to install].<br />
<br />
Some context: <br />
* Some of these tools targeted old iOS versions and do not work on current iOS versions.<br />
* Some of these are harmful and some are merely annoying.<br />
* Many of these require the device to be jailbroken, and some work on non-jailbroken devices (including via [[misuse of enterprise and developer certificates]]).<br />
* Cydia is an open platform - it includes a specific set of default repositories, and it also allows users to type in any third-party repository that they want to use (much like a web browser that allows you to visit any website). Anyone can run a third-party repository and distribute any software they choose to distribute.<br />
* Some of these tools are built to target specific people instead of the general public.<br />
* Especially for malware that targets a specific person and requires the device to be jailbroken (such as commercial spyware tools used by governments and [http://www.forbes.com/sites/sarahjeong/2014/10/28/surveillance-begins-at-home/ people spying on family members]), it's important to consider that ''the vulnerabilities in iOS that allow it to be exploited with a jailbreak'' are part of what allows that malware to exist - the process may include finding a way to secretly jailbreak the target's device if it's not jailbroken already.<br />
<br />
For an earlier list of known malware, see [https://blog.fortinet.com/post/ios-malware-does-exist "iOS Malware Does Exist"] (June 2014).<br />
<br />
== Tools found in the wild that target the public ==<br />
<br />
=== iKee and Duh (November 2009) ===<br />
<br />
The [[Ikee-virus]] (also called Eeki) is a worm transmitted between jailbroken devices that have OpenSSH installed and haven't changed the default root password. It changes the lockscreen background to a photo of Rick Astley.<br />
<br />
Two weeks later, the similar [https://nakedsecurity.sophos.com/2009/11/23/lightning-strikes-iphone-malware-malicious/ Duh worm] spread, which was "much more serious than the original Ikee worm because it is not limited to infecting iPhone users in Australia, and communicates with an internet Control & Command centre, downloading new instructions - effectively turning your iPhone into part of a botnet."<br />
<br />
=== "Find and Call" (July 2012) ===<br />
<br />
Find and Call was an app on the App Store that automatically uploaded users' contact lists to the company's server, then spammed those contacts with a link to the app ("from" that user). This undisclosed, unwanted behavior makes the software fit the definition of a trojan. Articles: [https://securelist.com/blog/incidents/33544/find-and-call-leak-and-spam-57/ Kaspersky SecureList], [http://arstechnica.com/apple/2012/07/find-and-call-app-becomes-first-trojan-to-appear-on-ios-app-store/ Ars Technica], [https://nakedsecurity.sophos.com/2012/07/06/find-call-ios-android-malware/ Sophos NakedSecurity]. It is also called FindCall.<br />
<br />
=== Packages by Nobitazzz (August 2012 and September 2013) ===<br />
<br />
A tweak developer who went by various names (Felix, FelixCat, isoftjsc, Martin Pham, Nitram88, Nobitazzz, Nobita.ZZZ, Sara_Nobita, sara_nobita_zzz, tuyentq2009, vietSARA) included adware in his tweaks. These were many free packages along with some paid packages sold via the Cydia Store, mostly distributed by default repositories (until the problem was discovered). The adware ran ads in the background of iOS, displaying off-screen so that the user wouldn't notice them, with the revenue from those ads going to this tweak developer. This was [http://modmyi.com/forums/cydia-support/810633-new-adware-malware-found-cydia.html reported in August 2012 on the ModMyi forum] and [http://ryanhileman.info/posts/webgl analyzed in September 2013] ([https://www.reddit.com/r/jailbreak/comments/1n5702/anatomy_of_a_jailbreak_trojan/ discussion on Reddit]).<br />
<br />
Packages by this developer included: Animated ICS LockScreen & HomeScreen, BetterChrome, Chrome Download Enabler, ChromeMe, Enable Copy text in Facebook app, Enable WebGL, Facebook Photo Library integration, FacebookThis, Handwriting recognition, Insta9gag, InstaFacebook for NotificationCenter, Instagram Image saver, InstaSocial for Notification Center, InstaTwitter for NotificationCenter, iOS 6 Photos Menu, Make Gmail as default, Notification Lunar Calendar, Olympic 2012 Medal for Notification Center, PhotoFilters, Sara, Sara Dictation Keyboard, VoiceTweet.<br />
<br />
=== AdThief/Spad (March and August 2014) ===<br />
<br />
AdThief (also called Spad) is malware targeting jailbroken iOS devices, which "tweaks a developer ID that’s intended to tell ad developers when their ads are either viewed or clicked and in turn, generate revenue. In the malware’s case, infected devices funnel those small payments away from the developers to the hacker", as [https://threatpost.com/adthief-ios-malware-affecting-75k-jailbroken-devices/107907 explained by Kaspersky Threatpost]. Security researchers estimated it had infected 75,000 devices.<br />
<br />
=== Unflod (April 2014) ===<br />
<br />
[[Unflod]] is a malicious piece of software targeting jailbroken iOS devices, which attempts to capture the user's Apple ID and password by using MobileSubstrate to hook into the SSLWrite function of Security.framework and then listening to data passed to it. Once the Apple ID and password are captured, it is sent to a Chinese IP address. It was inadvertently discovered by a Reddit user on April 17th, 2014. Also called "Unflod Baby Panda" and "SSLCreds".<br />
<br />
=== AppBuyer (September 2014) ===<br />
<br />
AppBuyer, as discussed in [http://researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/ this article by Palo Alto Networks], is "malware will connect to C&C server, download and execute malicious executable files, hook network APIs to steal user’s Apple ID and password and upload to the attacker’s server, and simulate Apple’s proprietary protocols to buy apps from the official App Store by victim’s identity." It targets jailbroken devices.<br />
<br />
=== WireLurker and Masque Attack (November 2014) ===<br />
<br />
As discussed at [[Misuse of enterprise and developer certificates]]: [http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/ according to Palo Alto Networks], WireLurker is "a family of malware targeting both Mac OS and iOS systems for the past six months...It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning."<br />
<br />
Masque Attacks are a related technique, also [https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html discussed by Palo Alto Networks]: "an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier."<br />
<br />
=== Xsser mRAT (December 2014) ===<br />
<br />
Xsser mRAT is a piece of malware that targets jailbroken devices. [https://blogs.akamai.com/2014/12/ios-and-android-os-targeted-by-man-in-the-middle-attacks.html As described by Akamai]: "The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server."<br />
<br />
=== Lock Saver Free (July 2015) ===<br />
<br />
Lock Saver Free is a free tweak, originally distributed on a default repository (removed from the repository after discovery of the problem), that installs an extra tweak that hooks into ad banners to insert its own ad identifier, presumably in order to give ad revenue to the author of the tweak instead of to the author of the website/app where the ad was found. [https://www.reddit.com/r/jailbreak/comments/3eis8g/news_lock_saver_free_contains_a_trojan_that/ Discussion on Reddit].<br />
<br />
=== KeyRaider (August 2015) ===<br />
<br />
KeyRaider, as discussed in [http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/ this article by Palo Alto Networks], is a piece of malware for jailbroken devices that "steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device." These security researchers said it has over 225,000 stolen accounts in its database.<br />
<br />
== Tools used by governments (and similar) to target individuals ==<br />
<br />
=== FinSpy Mobile (August 2012) ===<br />
<br />
FinFisher is a suite of commercial surveillance tools sold to governments, which have been used to target activists and other people. The suite [https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/ includes spyware tools for many mobile operating systems, including iOS].<br />
<br />
=== DROPOUTJEEP (December 2013) ===<br />
<br />
In December 2013, a conference presentation included information about a NSA tool called DROPOUTJEEP: [http://www.forbes.com/sites/erikkain/2013/12/30/the-nsa-reportedly-has-total-access-to-your-iphone/ "a software implant for the Apple iPhone that utilizes modular mission applications to provide specific SIGINT functionality. This functionality includes the ability to remotely push/pull files from the device. SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell tower location, etc. Command, control and data exfiltration can occur over SMS messaging or a GPRS data connection. All communications with the implant will be covert and encrypted.”] The information was from an internal NSA software catalog from 2008. The presenter speculated that Apple had helped build this tool, and [http://techcrunch.com/2013/12/31/apple-says-it-has-never-worked-with-nsa-to-create-iphone-backdoors-is-unaware-of-alleged-dropoutjeep-snooping-program/ Apple said it "has never worked with the NSA to create a backdoor in any of our products"].<br />
<br />
=== Hacking Team tools (June 2014 and July 2015) ===<br />
<br />
[[Hacking Team]] is a company that "sells offensive intrusion and surveillance capabilities to governments and law enforcement agencies", including iOS spyware tools. The iOS spyware tools appear designed for targeting/attacking specific people, not for broad surveillance of the public. Their main tool (Remote Control System) requires a jailbroken device, and they were researching options for non-jailbroken devices.<br />
<br />
=== Inception (December 2014) ===<br />
<br />
Inception is an "attack framework" from an unknown source that targets individuals to steal information, using phishing emails and other techniques along with malware for iOS and other mobile operating systems, described in [https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware this post by security researchers who identified it]. According to [http://images.machspeed.bluecoat.com/Web/BlueCoat/%7B7f2dda62-f240-48dc-b05e-5cc620747b73%7D_bcs_wp_The_Inception_Framework_Cloud-Hosted_APT_EN_1d.pdf the whitepaper from those security researchers], a target may receive a phishing email with a link that says it's a WhatsApp update, and if clicked on jailbroken iOS, it triggers "the download of a Debian installer package, WhatsAppUpdate.deb, also 1.2Mb in size. This application impersonates a Cydia installer, and can only be installed on a jailbroken phone" (page 23). It's unclear what they mean by "impersonates a Cydia installer", but a .deb file is the standard format for software packages installable via Cydia. The iOS malware collects the device's [[ICCID]], address book, phone number, MAC address, and other information.<br />
<br />
Another group of security researchers also identified this attack framework [http://www.cso.com.au/article/562325/sophisticated-malware-targets-execs-pcs-android-blackberry-ios-devices/ and called it Cloud Atlas].<br />
<br />
More articles: [http://appleinsider.com/articles/14/12/11/massive-sophisticated-inception---cloud-atlas-malware-infects-windows-and-android-but-cant-exploit-apples-ios-without-jailbreak Apple Insider], [http://www.forbes.com/sites/thomasbrewster/2014/12/10/iphone-android-attacks-on-diplomats/ Forbes]. There is a sample download [http://contagiominidump.blogspot.de/2014/12/cloud-atlas-inception-ios.html available via this blog].<br />
<br />
=== XAgent (February 2015) ===<br />
<br />
XAgent is a surveillance tool targeting specific people (such as people in governments, the military, and journalists) that can affect both non-jailbroken and jailbroken devices, as described in [http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/ this article by Trend Micro]. Also [http://www.pcworld.com/article/2880152/new-spyware-targets-ios-devices-steals-pictures-and-data.html covered by PCWorld].<br />
<br />
== Tools developed as part of research ==<br />
<br />
=== iSAM (June 2011) ===<br />
<br />
iSAM is a malware tool [http://link.springer.com/chapter/10.1007%2F978-3-642-21424-0_2 developed by security researchers] as a proof of concept. It affects both jailbroken and not-yet-jailbroken devices: it scans for jailbroken devices that have SSH running and the default root password, and it also includes a malicious version of the [[Star]] exploit (JailbreakMe 2.0) so it can jailbreak a device that isn't jailbroken yet.<br />
<br />
=== Instastock (November 2011) ===<br />
<br />
Charlie Miller, a security researcher, [http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/ submitted an app to the App Store called Instastock] to demonstrate "a flaw in Apple’s restrictions on code signing on iOS devices". The app was initially accepted and then pulled from the store.<br />
<br />
=== Mactans (July 2013) ===<br />
<br />
At the Black Hat 2013 conference, security researchers presented a tool called Mactans, a small device that looks like a charger but [http://www.zdnet.com/article/researchers-reveal-how-to-hack-an-iphone-in-60-seconds/ can insert malware if you plug an iOS device into it]. The iOS device does not have to be jailbroken.<br />
<br />
=== Jekyll (August 2013) ===<br />
<br />
At the USENIX Security Symposium in 2013, security researchers described a method for getting a malicious app approved for the App Store, [http://www.theguardian.com/technology/appsblog/2013/aug/19/ios-malware-apple-iphone-ipad-jekyll "created with remotely-exploitable vulnerabilities built in, masked by legitimate features to evade detection during the App Store approval process, but ready to be triggered once the app was installed on an iOS device."] They successfully got an app approved for the App Store with this method (which [http://arstechnica.com/security/2013/08/seemingly-benign-jekyll-app-passes-apple-review-then-becomes-evil/ "was only active for a few minutes following its launch in March, and during that time it wasn't installed by anyone not involved in the experiment"]).<br />
<br />
=== XARA attacks (June 2015) ===<br />
<br />
Security researchers found methods for "cross-app resource access" (XARA) attacks on OS X and iOS, and they submitted malicious proof-of-concept apps to the Mac and iOS App Store. Apple approved the apps, and the researchers immediately removed them from the stores. These XARA attacks were ways of bypassing the sandboxes that are supposed to prevent an app from accessing files that don't belong to that app, [https://drive.google.com/file/d/0BxxXk1d3yyuZOFlsdkNMSGswSGs/view described by the security researchers in a paper]. [http://arstechnica.com/security/2015/06/serious-os-x-and-ios-flaws-let-hackers-steal-keychain-1password-contents/ Ars Technica article].<br />
<br />
== Tools for sale to the public to target individuals ==<br />
<br />
=== 1mole ===<br />
<br />
[http://www.bosspy.com/user/iphoneos.aspx 1mole] is a spying tool available to the public via their own repository, authored by Bosspy. It describes itself [http://www.bosspy.com/user/default.aspx on its website] as "For Parents" ("Have your children going home after school? Consult their GPS position to be sure."), "For individuals" ("You think about your lost or stolen mobile phone."), and "For Employers" ("Install the software on your business phones and locate them in real time"). Its feature list includes "Track GPS locations" and "Capture the lock sreen passcode" for free, and "Record text messages", "Log Calls details", "Website monitoring", and "Keylogger" as paid services.<br />
<br />
=== Copy9 ===<br />
<br />
[http://cydia.saurik.com/package/com.goldenspy.copy9/ Copy9] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Copy9. It describes itself as "will be installed on target iDevice to find out a thief, cheating spouses, monitor chidren/employees or simply backup data from your devices to our cloud server. This is the best spyware on the world in spying field." [http://copy9.com/ Copy9 website].<br />
<br />
=== Copy10 ===<br />
<br />
[http://cydia.saurik.com/package/com.copy10.copy10/ Copy10] is a similar but separate spying tool available to the public via the ModMyi repository (a default repository), authored by IntelMobi/goldenspy. Their description includes "Are you having trust issues in your relationship? Sign that your kid's personality has changed and their behaviors, does your teenager hang out with friends you're concerned about? What if you believe one of your employees is a spy or is stealing company's technology, intellectual property or trade secrets?" [https://www.intelmobi.com/ IntelMobi website].<br />
<br />
=== FlexiSPY ===<br />
<br />
[http://www.flexispy.com/en/iphone-tracker-spy-on-iphone.htm FlexiSPY] is a spying tool available to the public presumably via their own repository (this isn't specified on their website, but it's specified that you need the device to be jailbroken), authored by Flexispy, Ltd. Their website says "If you have a committed relationship with your partner or are responsible for a child or employee YOU HAVE A RIGHT TO KNOW To protect your relationship, spy on their iPhone."<br />
<br />
=== iKeyGuard Key Logger ===<br />
<br />
[http://cydia.saurik.com/package/com.ikeyguard.ikg/ iKeyGuard Key Logger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by iKeyGuard. Its description includes "Warning: Logging other people without their permission might be illegal in your country! Make sure you abide by your local law."<br />
<br />
=== iKeyMonitor keylogger ===<br />
<br />
[http://cydia.saurik.com/package/com.aw.mobile.ikm/ iKeyMonitor keylogger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Awosoft Technology. [http://ikeymonitor.com/ Its website] includes "How to monitor your children's cell phone to discover the truth and protect them from potential dangers? Now with iKeyMonitor you can uncover the truth by secretly monitoring mobile phones and tablets such as iPhone/iPad/iPod and Android device."<br />
<br />
=== InnovaSPY ===<br />
<br />
[http://cydia.saurik.com/package/com.innovaspy.innovaspy/ InnovaSPY] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Innovaspy. Its description says "Perfect iPhone spy app" and lists reasons to use it as "Protect your child from cyber predators" and "Find out THE TRUE from cheating spouse?" Related package: [http://cydia.saurik.com/package/com.innovaspy.innovamonitor/ InnovaMonitor], a monitoring app for use with the spy tool. [http://innovaspy.com/ InnovaSPY website].<br />
<br />
=== Mobile Spy ===<br />
<br />
[http://www.mobile-spy.com/iphone-v7.html Mobile Spy] is a spying tool available to the public via their own repository, authored by Retina-X Studios. [http://www.mobile-spy.com/ Their website] says "View your Child or Employee's Smartphone and Tablet Usage. Monitor text messages, GPS locations, call details, photos and social media activity. View the screen and location LIVE!"<br />
<br />
=== MobiStealth ===<br />
<br />
[http://www.mobistealth.com/iphone-spy MobiStealth] is a spying tool available to the public for both [http://www.mobistealth.com/iphone-spy jailbroken iOS] (presumably installed via their own repository) and [http://www.mobistealth.com/ios-non-jailbreak non-jailbroken iOS] ("All that you require is the Apple ID and password of the iPhone or iPad that you want to monitor to get remote access to"). Their website includes "Are your employees misusing company owned phones? Are your kids getting more possessed and do not want to share anything with you? Stop wondering and thinking all day long, Mobistealth iPhone spy app is exactly what you need."<br />
<br />
=== mSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.mtechnology.mspy.trial/ mSpy] is a spying tool available to the public via the BigBoss repository (a default repository), authored by Mtechnology. Its description of itself: "mSpy is the best tracking and spy application that allows users to keep a check on the cell phone activities of their kids other family members or employees in order to avoid any unwanted behavior or for safety purposes."<br />
<br />
The mSpy website [http://www.mspy.com/compatibility.html indicates that they also have a version for non-jailbroken devices].<br />
<br />
In May 2015, [http://krebsonsecurity.com/2015/05/mspy-denies-breach-even-as-customers-confirm-it/ mSpy had a customer data breach].<br />
<br />
=== OwnSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.ownspy.daemon/ OwnSpy] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Antonio Calatrava. It describes itself as "Spy your own iPhone or iPad", with call recording, location tracking, and other features. It has a warning that says "Installing OwnSpy on a device that does not belong to you is a criminal offense and may be prosecuted. Mobile Innovations will help authorities if required." [http://en.ownspy.com/P000001-install-on-ios OwnSpy website].<br />
<br />
=== Spy App ===<br />
<br />
[http://cydia.saurik.com/package/com.spyapp.daemon/ Spy App] is a spying tool available to the public via the ModMyi repository (a default repository), authored by dmarinov. Its description includes "Remotely spy SMS, Emails, Call Logs, GPS Location, Key presses (Keylogger)" and other features. It says it is "absolutely invisible and undetectable."<br />
<br />
=== SpyKey ===<br />
<br />
[http://cydia.saurik.com/package/com.kobisnir.spykey/ SpyKey] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Kobi Snir. Its description includes "a simple app that let you monitor your PC Keyboard activity in real time, Simply connect your iphone to your compute using your Wifi or 3G connection and start monitoring." The [http://www.ioslinks.com/spykey/ SpyKey website] includes "Great use for parental control purposes, protect your kids from chating with strangers!", "Discover usernames & passwords", and "Spy unfaithfull husband or wife."<br />
<br />
=== StealthGenie ===<br />
<br />
StealthGenie was a spying tool available to the public [http://blog.flexispy.com/remove-stealthgenie-iphone-android/ via their own repository]. It also supported other mobile operating systems. In November 2014, the person who advertised and sold this product was [http://www.justice.gov/opa/pr/man-pleads-guilty-selling-stealthgenie-spyware-app-and-ordered-pay-500000-fine charged with a federal crime and fined $500,000]. The charge was "sale of an interception device and advertisement of a known interception device", a wiretapping crime. [http://www.forbes.com/sites/kashmirhill/2014/09/30/stealthgenie-ugly-marketing-of-spyware/ A Forbes article] says "according to the FBI, Akbar and his team developed an internal business plan that revealed that — duh — the primary target audience for the app was people who thought their partners were cheating." The Forbes article points out [[#Mobile Spy]], [[#mSpy]], [[#FlexiSPY]], and [[#MobiStealth]] as similar products.<br />
<br />
=== Trapsms ===<br />
<br />
Trapsms was an early spying tool available to the public, [http://blog.fortinet.com/post/detecting-spyware-for-iphones described in this post by a security researcher in July 2009]. She says: "The spyware installs on any jailbroken iPhone. In Cydia (an iPhone front-end to help installing third-party applications), you first add the URL of the spyware's repository and then install the two spyware packages."<br />
<br />
[[Category:Malware research]]</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=Malware_for_iOS&diff=47642Malware for iOS2015-09-03T00:24:03Z<p>Britta: /* Tools developed as part of research */ adding another</p>
<hr />
<div>This is a list of known malware (including spyware, adware, trojans, viruses, worms, and similar tools) that have targeted iOS, including jailbroken iOS. The dates are approximate dates when people discovered, publicized, or started discussing the tool. '''You can help expand this article with more examples and details. To edit it, [[The iPhone Wiki:Account creation|request an account on TheiPhoneWiki]].'''<br />
<br />
The goal of this list is to aid better understanding of the risks of using iOS and jailbroken iOS - it's helpful to have as much accurate information as you can. If you're concerned about avoiding malware on your jailbroken device, check out [https://www.reddit.com/r/jailbreak/wiki/howtoresearch this guide to making informed guesses about whether packages are reasonable to install].<br />
<br />
Some context: <br />
* Some of these tools targeted old iOS versions and do not work on current iOS versions.<br />
* Some of these are harmful and some are merely annoying.<br />
* Many of these require the device to be jailbroken, and some work on non-jailbroken devices (including via [[misuse of enterprise and developer certificates]]).<br />
* Cydia is an open platform - it includes a specific set of default repositories, and it also allows users to type in any third-party repository that they want to use (much like a web browser that allows you to visit any website). Anyone can run a third-party repository and distribute any software they choose to distribute.<br />
* Some of these tools are built to target specific people instead of the general public.<br />
* Especially for malware that targets a specific person and requires the device to be jailbroken (such as commercial spyware tools used by governments and [http://www.forbes.com/sites/sarahjeong/2014/10/28/surveillance-begins-at-home/ people spying on family members]), it's important to consider that ''the vulnerabilities in iOS that allow it to be exploited with a jailbreak'' are part of what allows that malware to exist - the process may include finding a way to secretly jailbreak the target's device if it's not jailbroken already.<br />
<br />
For an earlier list of known malware, see [https://blog.fortinet.com/post/ios-malware-does-exist "iOS Malware Does Exist"] (June 2014).<br />
<br />
== Tools found in the wild that target the public ==<br />
<br />
=== iKee and Duh (November 2009) ===<br />
<br />
The [[Ikee-virus]] (also called Eeki) is a worm transmitted between jailbroken devices that have OpenSSH installed and haven't changed the default root password. It changes the lockscreen background to a photo of Rick Astley.<br />
<br />
Two weeks later, the similar [https://nakedsecurity.sophos.com/2009/11/23/lightning-strikes-iphone-malware-malicious/ Duh worm] spread, which was "much more serious than the original Ikee worm because it is not limited to infecting iPhone users in Australia, and communicates with an internet Control & Command centre, downloading new instructions - effectively turning your iPhone into part of a botnet."<br />
<br />
=== "Find and Call" (July 2012) ===<br />
<br />
Find and Call was an app on the App Store that automatically uploaded users' contact lists to the company's server, then spammed those contacts with a link to the app ("from" that user). This undisclosed, unwanted behavior makes the software fit the definition of a trojan. Articles: [https://securelist.com/blog/incidents/33544/find-and-call-leak-and-spam-57/ Kaspersky SecureList], [http://arstechnica.com/apple/2012/07/find-and-call-app-becomes-first-trojan-to-appear-on-ios-app-store/ Ars Technica], [https://nakedsecurity.sophos.com/2012/07/06/find-call-ios-android-malware/ Sophos NakedSecurity]. It is also called FindCall.<br />
<br />
=== Packages by Nobitazzz (August 2012 and September 2013) ===<br />
<br />
A tweak developer who went by various names (Felix, FelixCat, isoftjsc, Martin Pham, Nitram88, Nobitazzz, Nobita.ZZZ, Sara_Nobita, sara_nobita_zzz, tuyentq2009, vietSARA) included adware in his tweaks. These were many free packages along with some paid packages sold via the Cydia Store, mostly distributed by default repositories (until the problem was discovered). The adware ran ads in the background of iOS, displaying off-screen so that the user wouldn't notice them, with the revenue from those ads going to this tweak developer. This was [http://modmyi.com/forums/cydia-support/810633-new-adware-malware-found-cydia.html reported in August 2012 on the ModMyi forum] and [http://ryanhileman.info/posts/webgl analyzed in September 2013] ([https://www.reddit.com/r/jailbreak/comments/1n5702/anatomy_of_a_jailbreak_trojan/ discussion on Reddit]).<br />
<br />
Packages by this developer included: Animated ICS LockScreen & HomeScreen, BetterChrome, Chrome Download Enabler, ChromeMe, Enable Copy text in Facebook app, Enable WebGL, Facebook Photo Library integration, FacebookThis, Handwriting recognition, Insta9gag, InstaFacebook for NotificationCenter, Instagram Image saver, InstaSocial for Notification Center, InstaTwitter for NotificationCenter, iOS 6 Photos Menu, Make Gmail as default, Notification Lunar Calendar, Olympic 2012 Medal for Notification Center, PhotoFilters, Sara, Sara Dictation Keyboard, VoiceTweet.<br />
<br />
=== AdThief/Spad (March and August 2014) ===<br />
<br />
AdThief (also called Spad) is malware targeting jailbroken iOS devices, which "tweaks a developer ID that’s intended to tell ad developers when their ads are either viewed or clicked and in turn, generate revenue. In the malware’s case, infected devices funnel those small payments away from the developers to the hacker", as [https://threatpost.com/adthief-ios-malware-affecting-75k-jailbroken-devices/107907 explained by Kaspersky Threatpost]. Security researchers estimated it had infected 75,000 devices.<br />
<br />
=== Unflod (April 2014) ===<br />
<br />
[[Unflod]] is a malicious piece of software targeting jailbroken iOS devices, which attempts to capture the user's Apple ID and password by using MobileSubstrate to hook into the SSLWrite function of Security.framework and then listening to data passed to it. Once the Apple ID and password are captured, it is sent to a Chinese IP address. It was inadvertently discovered by a Reddit user on April 17th, 2014. Also called "Unflod Baby Panda" and "SSLCreds".<br />
<br />
=== AppBuyer (September 2014) ===<br />
<br />
AppBuyer, as discussed in [http://researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/ this article by Palo Alto Networks], is "malware will connect to C&C server, download and execute malicious executable files, hook network APIs to steal user’s Apple ID and password and upload to the attacker’s server, and simulate Apple’s proprietary protocols to buy apps from the official App Store by victim’s identity." It targets jailbroken devices.<br />
<br />
=== WireLurker and Masque Attack (November 2014) ===<br />
<br />
As discussed at [[Misuse of enterprise and developer certificates]]: [http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/ according to Palo Alto Networks], WireLurker is "a family of malware targeting both Mac OS and iOS systems for the past six months...It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning."<br />
<br />
Masque Attacks are a related technique, also [https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html discussed by Palo Alto Networks]: "an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier."<br />
<br />
=== Xsser mRAT (December 2014) ===<br />
<br />
Xsser mRAT is a piece of malware that targets jailbroken devices. [https://blogs.akamai.com/2014/12/ios-and-android-os-targeted-by-man-in-the-middle-attacks.html As described by Akamai]: "The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server."<br />
<br />
=== Lock Saver Free (July 2015) ===<br />
<br />
Lock Saver Free is a free tweak, originally distributed on a default repository (removed from the repository after discovery of the problem), that installs an extra tweak that hooks into ad banners to insert its own ad identifier, presumably in order to give ad revenue to the author of the tweak instead of to the author of the website/app where the ad was found. [https://www.reddit.com/r/jailbreak/comments/3eis8g/news_lock_saver_free_contains_a_trojan_that/ Discussion on Reddit].<br />
<br />
=== KeyRaider (August 2015) ===<br />
<br />
KeyRaider, as discussed in [http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/ this article by Palo Alto Networks], is a piece of malware for jailbroken devices that "steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device." These security researchers said it has over 225,000 stolen accounts in its database.<br />
<br />
== Tools used by governments (and similar) to target individuals ==<br />
<br />
=== FinSpy Mobile (August 2012) ===<br />
<br />
FinFisher is a suite of commercial surveillance tools sold to governments, which have been used to target activists and other people. The suite [https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/ includes spyware tools for many mobile operating systems, including iOS].<br />
<br />
=== DROPOUTJEEP (December 2013) ===<br />
<br />
In December 2013, a conference presentation included information about a NSA tool called DROPOUTJEEP: [http://www.forbes.com/sites/erikkain/2013/12/30/the-nsa-reportedly-has-total-access-to-your-iphone/ "a software implant for the Apple iPhone that utilizes modular mission applications to provide specific SIGINT functionality. This functionality includes the ability to remotely push/pull files from the device. SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell tower location, etc. Command, control and data exfiltration can occur over SMS messaging or a GPRS data connection. All communications with the implant will be covert and encrypted.”] The information was from an internal NSA software catalog from 2008. The presenter speculated that Apple had helped build this tool, and [http://techcrunch.com/2013/12/31/apple-says-it-has-never-worked-with-nsa-to-create-iphone-backdoors-is-unaware-of-alleged-dropoutjeep-snooping-program/ Apple said it "has never worked with the NSA to create a backdoor in any of our products"].<br />
<br />
=== Hacking Team tools (June 2014 and July 2015) ===<br />
<br />
[[Hacking Team]] is a company that "sells offensive intrusion and surveillance capabilities to governments and law enforcement agencies", including iOS spyware tools. The iOS spyware tools appear designed for targeting/attacking specific people, not for broad surveillance of the public. Their main tool (Remote Control System) requires a jailbroken device, and they were researching options for non-jailbroken devices.<br />
<br />
=== Inception (December 2014) ===<br />
<br />
Inception is an "attack framework" from an unknown source that targets individuals to steal information, using phishing emails and other techniques along with malware for iOS and other mobile operating systems, described in [https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware this post by security researchers who identified it]. According to [http://images.machspeed.bluecoat.com/Web/BlueCoat/%7B7f2dda62-f240-48dc-b05e-5cc620747b73%7D_bcs_wp_The_Inception_Framework_Cloud-Hosted_APT_EN_1d.pdf the whitepaper from those security researchers], a target may receive a phishing email with a link that says it's a WhatsApp update, and if clicked on jailbroken iOS, it triggers "the download of a Debian installer package, WhatsAppUpdate.deb, also 1.2Mb in size. This application impersonates a Cydia installer, and can only be installed on a jailbroken phone" (page 23). It's unclear what they mean by "impersonates a Cydia installer", but a .deb file is the standard format for software packages installable via Cydia. The iOS malware collects the device's [[ICCID]], address book, phone number, MAC address, and other information.<br />
<br />
Another group of security researchers also identified this attack framework [http://www.cso.com.au/article/562325/sophisticated-malware-targets-execs-pcs-android-blackberry-ios-devices/ and called it Cloud Atlas].<br />
<br />
More articles: [http://appleinsider.com/articles/14/12/11/massive-sophisticated-inception---cloud-atlas-malware-infects-windows-and-android-but-cant-exploit-apples-ios-without-jailbreak Apple Insider], [http://www.forbes.com/sites/thomasbrewster/2014/12/10/iphone-android-attacks-on-diplomats/ Forbes]. There is a sample download [http://contagiominidump.blogspot.de/2014/12/cloud-atlas-inception-ios.html available via this blog].<br />
<br />
=== XAgent (February 2015) ===<br />
<br />
XAgent is a surveillance tool targeting specific people (such as people in governments, the military, and journalists) that can affect both non-jailbroken and jailbroken devices, as described in [http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/ this article by Trend Micro]. Also [http://www.pcworld.com/article/2880152/new-spyware-targets-ios-devices-steals-pictures-and-data.html covered by PCWorld].<br />
<br />
== Tools developed as part of research ==<br />
<br />
=== iSAM (June 2011) ===<br />
<br />
iSAM is a malware tool [http://link.springer.com/chapter/10.1007%2F978-3-642-21424-0_2 developed by security researchers] as a proof of concept. It affects both jailbroken and not-yet-jailbroken devices: it scans for jailbroken devices that have SSH running and the default root password, and it also includes a malicious version of the [[Star]] exploit (JailbreakMe 2.0) so it can jailbreak a device that isn't jailbroken yet.<br />
<br />
=== Instastock (November 2011) ===<br />
<br />
Charlie Miller, a security researcher, [http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/ submitted an app to the App Store called Instastock] to demonstrate "a flaw in Apple’s restrictions on code signing on iOS devices". The app was initially accepted and then pulled from the store.<br />
<br />
=== Mactans (July 2013) ===<br />
<br />
At the Black Hat 2013 conference, security researchers presented a tool called Mactans, a small device that looks like a charger but [http://www.zdnet.com/article/researchers-reveal-how-to-hack-an-iphone-in-60-seconds/ can insert malware if you plug an iOS device into it]. The iOS device does not have to be jailbroken.<br />
<br />
=== Jekyll (August 2013) ===<br />
<br />
At the USENIX Security Symposium in 2013, security researchers described a method for getting a malicious app approved for the App Store, [http://www.theguardian.com/technology/appsblog/2013/aug/19/ios-malware-apple-iphone-ipad-jekyll "created with remotely-exploitable vulnerabilities built in, masked by legitimate features to evade detection during the App Store approval process, but ready to be triggered once the app was installed on an iOS device."] They successfully got an app approved for the App Store with this method (which [http://arstechnica.com/security/2013/08/seemingly-benign-jekyll-app-passes-apple-review-then-becomes-evil/ "was only active for a few minutes following its launch in March, and during that time it wasn't installed by anyone not involved in the experiment"]).<br />
<br />
=== XARA attacks (June 2015) ===<br />
<br />
Security researchers found methods for "cross-app resource access" (XARA) attacks on OS X and iOS, and they submitted malicious proof-of-concept apps to the Mac and iOS App Store. Apple approved the apps, and the researchers immediately removed them from the stores. The XARA attacks were ways of bypassing the sandboxes that are supposed to prevent an app from accessing files that don't belong to that app. The security researchers [https://drive.google.com/file/d/0BxxXk1d3yyuZOFlsdkNMSGswSGs/view described their work in a paper]. [http://arstechnica.com/security/2015/06/serious-os-x-and-ios-flaws-let-hackers-steal-keychain-1password-contents/ Ars Technica article].<br />
<br />
== Tools for sale to the public to target individuals ==<br />
<br />
=== 1mole ===<br />
<br />
[http://www.bosspy.com/user/iphoneos.aspx 1mole] is a spying tool available to the public via their own repository, authored by Bosspy. It describes itself [http://www.bosspy.com/user/default.aspx on its website] as "For Parents" ("Have your children going home after school? Consult their GPS position to be sure."), "For individuals" ("You think about your lost or stolen mobile phone."), and "For Employers" ("Install the software on your business phones and locate them in real time"). Its feature list includes "Track GPS locations" and "Capture the lock sreen passcode" for free, and "Record text messages", "Log Calls details", "Website monitoring", and "Keylogger" as paid services.<br />
<br />
=== Copy9 ===<br />
<br />
[http://cydia.saurik.com/package/com.goldenspy.copy9/ Copy9] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Copy9. It describes itself as "will be installed on target iDevice to find out a thief, cheating spouses, monitor chidren/employees or simply backup data from your devices to our cloud server. This is the best spyware on the world in spying field." [http://copy9.com/ Copy9 website].<br />
<br />
=== Copy10 ===<br />
<br />
[http://cydia.saurik.com/package/com.copy10.copy10/ Copy10] is a similar but separate spying tool available to the public via the ModMyi repository (a default repository), authored by IntelMobi/goldenspy. Their description includes "Are you having trust issues in your relationship? Sign that your kid's personality has changed and their behaviors, does your teenager hang out with friends you're concerned about? What if you believe one of your employees is a spy or is stealing company's technology, intellectual property or trade secrets?" [https://www.intelmobi.com/ IntelMobi website].<br />
<br />
=== FlexiSPY ===<br />
<br />
[http://www.flexispy.com/en/iphone-tracker-spy-on-iphone.htm FlexiSPY] is a spying tool available to the public presumably via their own repository (this isn't specified on their website, but it's specified that you need the device to be jailbroken), authored by Flexispy, Ltd. Their website says "If you have a committed relationship with your partner or are responsible for a child or employee YOU HAVE A RIGHT TO KNOW To protect your relationship, spy on their iPhone."<br />
<br />
=== iKeyGuard Key Logger ===<br />
<br />
[http://cydia.saurik.com/package/com.ikeyguard.ikg/ iKeyGuard Key Logger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by iKeyGuard. Its description includes "Warning: Logging other people without their permission might be illegal in your country! Make sure you abide by your local law."<br />
<br />
=== iKeyMonitor keylogger ===<br />
<br />
[http://cydia.saurik.com/package/com.aw.mobile.ikm/ iKeyMonitor keylogger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Awosoft Technology. [http://ikeymonitor.com/ Its website] includes "How to monitor your children's cell phone to discover the truth and protect them from potential dangers? Now with iKeyMonitor you can uncover the truth by secretly monitoring mobile phones and tablets such as iPhone/iPad/iPod and Android device."<br />
<br />
=== InnovaSPY ===<br />
<br />
[http://cydia.saurik.com/package/com.innovaspy.innovaspy/ InnovaSPY] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Innovaspy. Its description says "Perfect iPhone spy app" and lists reasons to use it as "Protect your child from cyber predators" and "Find out THE TRUE from cheating spouse?" Related package: [http://cydia.saurik.com/package/com.innovaspy.innovamonitor/ InnovaMonitor], a monitoring app for use with the spy tool. [http://innovaspy.com/ InnovaSPY website].<br />
<br />
=== Mobile Spy ===<br />
<br />
[http://www.mobile-spy.com/iphone-v7.html Mobile Spy] is a spying tool available to the public via their own repository, authored by Retina-X Studios. [http://www.mobile-spy.com/ Their website] says "View your Child or Employee's Smartphone and Tablet Usage. Monitor text messages, GPS locations, call details, photos and social media activity. View the screen and location LIVE!"<br />
<br />
=== MobiStealth ===<br />
<br />
[http://www.mobistealth.com/iphone-spy MobiStealth] is a spying tool available to the public for both [http://www.mobistealth.com/iphone-spy jailbroken iOS] (presumably installed via their own repository) and [http://www.mobistealth.com/ios-non-jailbreak non-jailbroken iOS] ("All that you require is the Apple ID and password of the iPhone or iPad that you want to monitor to get remote access to"). Their website includes "Are your employees misusing company owned phones? Are your kids getting more possessed and do not want to share anything with you? Stop wondering and thinking all day long, Mobistealth iPhone spy app is exactly what you need."<br />
<br />
=== mSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.mtechnology.mspy.trial/ mSpy] is a spying tool available to the public via the BigBoss repository (a default repository), authored by Mtechnology. Its description of itself: "mSpy is the best tracking and spy application that allows users to keep a check on the cell phone activities of their kids other family members or employees in order to avoid any unwanted behavior or for safety purposes."<br />
<br />
The mSpy website [http://www.mspy.com/compatibility.html indicates that they also have a version for non-jailbroken devices].<br />
<br />
In May 2015, [http://krebsonsecurity.com/2015/05/mspy-denies-breach-even-as-customers-confirm-it/ mSpy had a customer data breach].<br />
<br />
=== OwnSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.ownspy.daemon/ OwnSpy] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Antonio Calatrava. It describes itself as "Spy your own iPhone or iPad", with call recording, location tracking, and other features. It has a warning that says "Installing OwnSpy on a device that does not belong to you is a criminal offense and may be prosecuted. Mobile Innovations will help authorities if required." [http://en.ownspy.com/P000001-install-on-ios OwnSpy website].<br />
<br />
=== Spy App ===<br />
<br />
[http://cydia.saurik.com/package/com.spyapp.daemon/ Spy App] is a spying tool available to the public via the ModMyi repository (a default repository), authored by dmarinov. Its description includes "Remotely spy SMS, Emails, Call Logs, GPS Location, Key presses (Keylogger)" and other features. It says it is "absolutely invisible and undetectable."<br />
<br />
=== SpyKey ===<br />
<br />
[http://cydia.saurik.com/package/com.kobisnir.spykey/ SpyKey] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Kobi Snir. Its description includes "a simple app that let you monitor your PC Keyboard activity in real time, Simply connect your iphone to your compute using your Wifi or 3G connection and start monitoring." The [http://www.ioslinks.com/spykey/ SpyKey website] includes "Great use for parental control purposes, protect your kids from chating with strangers!", "Discover usernames & passwords", and "Spy unfaithfull husband or wife."<br />
<br />
=== StealthGenie ===<br />
<br />
StealthGenie was a spying tool available to the public [http://blog.flexispy.com/remove-stealthgenie-iphone-android/ via their own repository]. It also supported other mobile operating systems. In November 2014, the person who advertised and sold this product was [http://www.justice.gov/opa/pr/man-pleads-guilty-selling-stealthgenie-spyware-app-and-ordered-pay-500000-fine charged with a federal crime and fined $500,000]. The charge was "sale of an interception device and advertisement of a known interception device", a wiretapping crime. [http://www.forbes.com/sites/kashmirhill/2014/09/30/stealthgenie-ugly-marketing-of-spyware/ A Forbes article] says "according to the FBI, Akbar and his team developed an internal business plan that revealed that — duh — the primary target audience for the app was people who thought their partners were cheating." The Forbes article points out [[#Mobile Spy]], [[#mSpy]], [[#FlexiSPY]], and [[#MobiStealth]] as similar products.<br />
<br />
=== Trapsms ===<br />
<br />
Trapsms was an early spying tool available to the public, [http://blog.fortinet.com/post/detecting-spyware-for-iphones described in this post by a security researcher in July 2009]. She says: "The spyware installs on any jailbroken iPhone. In Cydia (an iPhone front-end to help installing third-party applications), you first add the URL of the spyware's repository and then install the two spyware packages."<br />
<br />
[[Category:Malware research]]</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=Malware_for_iOS&diff=47641Malware for iOS2015-09-02T23:42:12Z<p>Britta: /* Tools for sale to the public to target individuals */ adding another</p>
<hr />
<div>This is a list of known malware (including spyware, adware, trojans, viruses, worms, and similar tools) that have targeted iOS, including jailbroken iOS. The dates are approximate dates when people discovered, publicized, or started discussing the tool. '''You can help expand this article with more examples and details. To edit it, [[The iPhone Wiki:Account creation|request an account on TheiPhoneWiki]].'''<br />
<br />
The goal of this list is to aid better understanding of the risks of using iOS and jailbroken iOS - it's helpful to have as much accurate information as you can. If you're concerned about avoiding malware on your jailbroken device, check out [https://www.reddit.com/r/jailbreak/wiki/howtoresearch this guide to making informed guesses about whether packages are reasonable to install].<br />
<br />
Some context: <br />
* Some of these tools targeted old iOS versions and do not work on current iOS versions.<br />
* Some of these are harmful and some are merely annoying.<br />
* Many of these require the device to be jailbroken, and some work on non-jailbroken devices (including via [[misuse of enterprise and developer certificates]]).<br />
* Cydia is an open platform - it includes a specific set of default repositories, and it also allows users to type in any third-party repository that they want to use (much like a web browser that allows you to visit any website). Anyone can run a third-party repository and distribute any software they choose to distribute.<br />
* Some of these tools are built to target specific people instead of the general public.<br />
* Especially for malware that targets a specific person and requires the device to be jailbroken (such as commercial spyware tools used by governments and [http://www.forbes.com/sites/sarahjeong/2014/10/28/surveillance-begins-at-home/ people spying on family members]), it's important to consider that ''the vulnerabilities in iOS that allow it to be exploited with a jailbreak'' are part of what allows that malware to exist - the process may include finding a way to secretly jailbreak the target's device if it's not jailbroken already.<br />
<br />
For an earlier list of known malware, see [https://blog.fortinet.com/post/ios-malware-does-exist "iOS Malware Does Exist"] (June 2014).<br />
<br />
== Tools found in the wild that target the public ==<br />
<br />
=== iKee and Duh (November 2009) ===<br />
<br />
The [[Ikee-virus]] (also called Eeki) is a worm transmitted between jailbroken devices that have OpenSSH installed and haven't changed the default root password. It changes the lockscreen background to a photo of Rick Astley.<br />
<br />
Two weeks later, the similar [https://nakedsecurity.sophos.com/2009/11/23/lightning-strikes-iphone-malware-malicious/ Duh worm] spread, which was "much more serious than the original Ikee worm because it is not limited to infecting iPhone users in Australia, and communicates with an internet Control & Command centre, downloading new instructions - effectively turning your iPhone into part of a botnet."<br />
<br />
=== "Find and Call" (July 2012) ===<br />
<br />
Find and Call was an app on the App Store that automatically uploaded users' contact lists to the company's server, then spammed those contacts with a link to the app ("from" that user). This undisclosed, unwanted behavior makes the software fit the definition of a trojan. Articles: [https://securelist.com/blog/incidents/33544/find-and-call-leak-and-spam-57/ Kaspersky SecureList], [http://arstechnica.com/apple/2012/07/find-and-call-app-becomes-first-trojan-to-appear-on-ios-app-store/ Ars Technica], [https://nakedsecurity.sophos.com/2012/07/06/find-call-ios-android-malware/ Sophos NakedSecurity]. It is also called FindCall.<br />
<br />
=== Packages by Nobitazzz (August 2012 and September 2013) ===<br />
<br />
A tweak developer who went by various names (Felix, FelixCat, isoftjsc, Martin Pham, Nitram88, Nobitazzz, Nobita.ZZZ, Sara_Nobita, sara_nobita_zzz, tuyentq2009, vietSARA) included adware in his tweaks. These were many free packages along with some paid packages sold via the Cydia Store, mostly distributed by default repositories (until the problem was discovered). The adware ran ads in the background of iOS, displaying off-screen so that the user wouldn't notice them, with the revenue from those ads going to this tweak developer. This was [http://modmyi.com/forums/cydia-support/810633-new-adware-malware-found-cydia.html reported in August 2012 on the ModMyi forum] and [http://ryanhileman.info/posts/webgl analyzed in September 2013] ([https://www.reddit.com/r/jailbreak/comments/1n5702/anatomy_of_a_jailbreak_trojan/ discussion on Reddit]).<br />
<br />
Packages by this developer included: Animated ICS LockScreen & HomeScreen, BetterChrome, Chrome Download Enabler, ChromeMe, Enable Copy text in Facebook app, Enable WebGL, Facebook Photo Library integration, FacebookThis, Handwriting recognition, Insta9gag, InstaFacebook for NotificationCenter, Instagram Image saver, InstaSocial for Notification Center, InstaTwitter for NotificationCenter, iOS 6 Photos Menu, Make Gmail as default, Notification Lunar Calendar, Olympic 2012 Medal for Notification Center, PhotoFilters, Sara, Sara Dictation Keyboard, VoiceTweet.<br />
<br />
=== AdThief/Spad (March and August 2014) ===<br />
<br />
AdThief (also called Spad) is malware targeting jailbroken iOS devices, which "tweaks a developer ID that’s intended to tell ad developers when their ads are either viewed or clicked and in turn, generate revenue. In the malware’s case, infected devices funnel those small payments away from the developers to the hacker", as [https://threatpost.com/adthief-ios-malware-affecting-75k-jailbroken-devices/107907 explained by Kaspersky Threatpost]. Security researchers estimated it had infected 75,000 devices.<br />
<br />
=== Unflod (April 2014) ===<br />
<br />
[[Unflod]] is a malicious piece of software targeting jailbroken iOS devices, which attempts to capture the user's Apple ID and password by using MobileSubstrate to hook into the SSLWrite function of Security.framework and then listening to data passed to it. Once the Apple ID and password are captured, it is sent to a Chinese IP address. It was inadvertently discovered by a Reddit user on April 17th, 2014. Also called "Unflod Baby Panda" and "SSLCreds".<br />
<br />
=== AppBuyer (September 2014) ===<br />
<br />
AppBuyer, as discussed in [http://researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/ this article by Palo Alto Networks], is "malware will connect to C&C server, download and execute malicious executable files, hook network APIs to steal user’s Apple ID and password and upload to the attacker’s server, and simulate Apple’s proprietary protocols to buy apps from the official App Store by victim’s identity." It targets jailbroken devices.<br />
<br />
=== WireLurker and Masque Attack (November 2014) ===<br />
<br />
As discussed at [[Misuse of enterprise and developer certificates]]: [http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/ according to Palo Alto Networks], WireLurker is "a family of malware targeting both Mac OS and iOS systems for the past six months...It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning."<br />
<br />
Masque Attacks are a related technique, also [https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html discussed by Palo Alto Networks]: "an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier."<br />
<br />
=== Xsser mRAT (December 2014) ===<br />
<br />
Xsser mRAT is a piece of malware that targets jailbroken devices. [https://blogs.akamai.com/2014/12/ios-and-android-os-targeted-by-man-in-the-middle-attacks.html As described by Akamai]: "The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server."<br />
<br />
=== Lock Saver Free (July 2015) ===<br />
<br />
Lock Saver Free is a free tweak, originally distributed on a default repository (removed from the repository after discovery of the problem), that installs an extra tweak that hooks into ad banners to insert its own ad identifier, presumably in order to give ad revenue to the author of the tweak instead of to the author of the website/app where the ad was found. [https://www.reddit.com/r/jailbreak/comments/3eis8g/news_lock_saver_free_contains_a_trojan_that/ Discussion on Reddit].<br />
<br />
=== KeyRaider (August 2015) ===<br />
<br />
KeyRaider, as discussed in [http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/ this article by Palo Alto Networks], is a piece of malware for jailbroken devices that "steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device." These security researchers said it has over 225,000 stolen accounts in its database.<br />
<br />
== Tools used by governments (and similar) to target individuals ==<br />
<br />
=== FinSpy Mobile (August 2012) ===<br />
<br />
FinFisher is a suite of commercial surveillance tools sold to governments, which have been used to target activists and other people. The suite [https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/ includes spyware tools for many mobile operating systems, including iOS].<br />
<br />
=== DROPOUTJEEP (December 2013) ===<br />
<br />
In December 2013, a conference presentation included information about a NSA tool called DROPOUTJEEP: [http://www.forbes.com/sites/erikkain/2013/12/30/the-nsa-reportedly-has-total-access-to-your-iphone/ "a software implant for the Apple iPhone that utilizes modular mission applications to provide specific SIGINT functionality. This functionality includes the ability to remotely push/pull files from the device. SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell tower location, etc. Command, control and data exfiltration can occur over SMS messaging or a GPRS data connection. All communications with the implant will be covert and encrypted.”] The information was from an internal NSA software catalog from 2008. The presenter speculated that Apple had helped build this tool, and [http://techcrunch.com/2013/12/31/apple-says-it-has-never-worked-with-nsa-to-create-iphone-backdoors-is-unaware-of-alleged-dropoutjeep-snooping-program/ Apple said it "has never worked with the NSA to create a backdoor in any of our products"].<br />
<br />
=== Hacking Team tools (June 2014 and July 2015) ===<br />
<br />
[[Hacking Team]] is a company that "sells offensive intrusion and surveillance capabilities to governments and law enforcement agencies", including iOS spyware tools. The iOS spyware tools appear designed for targeting/attacking specific people, not for broad surveillance of the public. Their main tool (Remote Control System) requires a jailbroken device, and they were researching options for non-jailbroken devices.<br />
<br />
=== Inception (December 2014) ===<br />
<br />
Inception is an "attack framework" from an unknown source that targets individuals to steal information, using phishing emails and other techniques along with malware for iOS and other mobile operating systems, described in [https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware this post by security researchers who identified it]. According to [http://images.machspeed.bluecoat.com/Web/BlueCoat/%7B7f2dda62-f240-48dc-b05e-5cc620747b73%7D_bcs_wp_The_Inception_Framework_Cloud-Hosted_APT_EN_1d.pdf the whitepaper from those security researchers], a target may receive a phishing email with a link that says it's a WhatsApp update, and if clicked on jailbroken iOS, it triggers "the download of a Debian installer package, WhatsAppUpdate.deb, also 1.2Mb in size. This application impersonates a Cydia installer, and can only be installed on a jailbroken phone" (page 23). It's unclear what they mean by "impersonates a Cydia installer", but a .deb file is the standard format for software packages installable via Cydia. The iOS malware collects the device's [[ICCID]], address book, phone number, MAC address, and other information.<br />
<br />
Another group of security researchers also identified this attack framework [http://www.cso.com.au/article/562325/sophisticated-malware-targets-execs-pcs-android-blackberry-ios-devices/ and called it Cloud Atlas].<br />
<br />
More articles: [http://appleinsider.com/articles/14/12/11/massive-sophisticated-inception---cloud-atlas-malware-infects-windows-and-android-but-cant-exploit-apples-ios-without-jailbreak Apple Insider], [http://www.forbes.com/sites/thomasbrewster/2014/12/10/iphone-android-attacks-on-diplomats/ Forbes]. There is a sample download [http://contagiominidump.blogspot.de/2014/12/cloud-atlas-inception-ios.html available via this blog].<br />
<br />
=== XAgent (February 2015) ===<br />
<br />
XAgent is a surveillance tool targeting specific people (such as people in governments, the military, and journalists) that can affect both non-jailbroken and jailbroken devices, as described in [http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/ this article by Trend Micro]. Also [http://www.pcworld.com/article/2880152/new-spyware-targets-ios-devices-steals-pictures-and-data.html covered by PCWorld].<br />
<br />
== Tools developed as part of research ==<br />
<br />
=== iSAM (June 2011) ===<br />
<br />
iSAM is a malware tool [http://link.springer.com/chapter/10.1007%2F978-3-642-21424-0_2 developed by security researchers] as a proof of concept. It affects both jailbroken and not-yet-jailbroken devices: it scans for jailbroken devices that have SSH running and the default root password, and it also includes a malicious version of the [[Star]] exploit (JailbreakMe 2.0) so it can jailbreak a device that isn't jailbroken yet.<br />
<br />
=== Instastock (November 2011) ===<br />
<br />
Charlie Miller, a security researcher, [http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/ submitted an app to the App Store called Instastock] to demonstrate "a flaw in Apple’s restrictions on code signing on iOS devices". The app was initially accepted and then pulled from the store.<br />
<br />
=== Mactans (July 2013) ===<br />
<br />
At the Black Hat 2013 conference, security researchers presented a tool called Mactans, a small device that looks like a charger but [http://www.zdnet.com/article/researchers-reveal-how-to-hack-an-iphone-in-60-seconds/ can insert malware if you plug an iOS device into it]. The iOS device does not have to be jailbroken.<br />
<br />
=== Jekyll (August 2013) ===<br />
<br />
At the USENIX Security Symposium in 2013, security researchers described a method for getting a malicious app approved for the App Store, [http://www.theguardian.com/technology/appsblog/2013/aug/19/ios-malware-apple-iphone-ipad-jekyll "created with remotely-exploitable vulnerabilities built in, masked by legitimate features to evade detection during the App Store approval process, but ready to be triggered once the app was installed on an iOS device."] They successfully got an app approved for the App Store with this method (which [http://arstechnica.com/security/2013/08/seemingly-benign-jekyll-app-passes-apple-review-then-becomes-evil/ "was only active for a few minutes following its launch in March, and during that time it wasn't installed by anyone not involved in the experiment"]).<br />
<br />
== Tools for sale to the public to target individuals ==<br />
<br />
=== 1mole ===<br />
<br />
[http://www.bosspy.com/user/iphoneos.aspx 1mole] is a spying tool available to the public via their own repository, authored by Bosspy. It describes itself [http://www.bosspy.com/user/default.aspx on its website] as "For Parents" ("Have your children going home after school? Consult their GPS position to be sure."), "For individuals" ("You think about your lost or stolen mobile phone."), and "For Employers" ("Install the software on your business phones and locate them in real time"). Its feature list includes "Track GPS locations" and "Capture the lock sreen passcode" for free, and "Record text messages", "Log Calls details", "Website monitoring", and "Keylogger" as paid services.<br />
<br />
=== Copy9 ===<br />
<br />
[http://cydia.saurik.com/package/com.goldenspy.copy9/ Copy9] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Copy9. It describes itself as "will be installed on target iDevice to find out a thief, cheating spouses, monitor chidren/employees or simply backup data from your devices to our cloud server. This is the best spyware on the world in spying field." [http://copy9.com/ Copy9 website].<br />
<br />
=== Copy10 ===<br />
<br />
[http://cydia.saurik.com/package/com.copy10.copy10/ Copy10] is a similar but separate spying tool available to the public via the ModMyi repository (a default repository), authored by IntelMobi/goldenspy. Their description includes "Are you having trust issues in your relationship? Sign that your kid's personality has changed and their behaviors, does your teenager hang out with friends you're concerned about? What if you believe one of your employees is a spy or is stealing company's technology, intellectual property or trade secrets?" [https://www.intelmobi.com/ IntelMobi website].<br />
<br />
=== FlexiSPY ===<br />
<br />
[http://www.flexispy.com/en/iphone-tracker-spy-on-iphone.htm FlexiSPY] is a spying tool available to the public presumably via their own repository (this isn't specified on their website, but it's specified that you need the device to be jailbroken), authored by Flexispy, Ltd. Their website says "If you have a committed relationship with your partner or are responsible for a child or employee YOU HAVE A RIGHT TO KNOW To protect your relationship, spy on their iPhone."<br />
<br />
=== iKeyGuard Key Logger ===<br />
<br />
[http://cydia.saurik.com/package/com.ikeyguard.ikg/ iKeyGuard Key Logger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by iKeyGuard. Its description includes "Warning: Logging other people without their permission might be illegal in your country! Make sure you abide by your local law."<br />
<br />
=== iKeyMonitor keylogger ===<br />
<br />
[http://cydia.saurik.com/package/com.aw.mobile.ikm/ iKeyMonitor keylogger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Awosoft Technology. [http://ikeymonitor.com/ Its website] includes "How to monitor your children's cell phone to discover the truth and protect them from potential dangers? Now with iKeyMonitor you can uncover the truth by secretly monitoring mobile phones and tablets such as iPhone/iPad/iPod and Android device."<br />
<br />
=== InnovaSPY ===<br />
<br />
[http://cydia.saurik.com/package/com.innovaspy.innovaspy/ InnovaSPY] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Innovaspy. Its description says "Perfect iPhone spy app" and lists reasons to use it as "Protect your child from cyber predators" and "Find out THE TRUE from cheating spouse?" Related package: [http://cydia.saurik.com/package/com.innovaspy.innovamonitor/ InnovaMonitor], a monitoring app for use with the spy tool. [http://innovaspy.com/ InnovaSPY website].<br />
<br />
=== Mobile Spy ===<br />
<br />
[http://www.mobile-spy.com/iphone-v7.html Mobile Spy] is a spying tool available to the public via their own repository, authored by Retina-X Studios. [http://www.mobile-spy.com/ Their website] says "View your Child or Employee's Smartphone and Tablet Usage. Monitor text messages, GPS locations, call details, photos and social media activity. View the screen and location LIVE!"<br />
<br />
=== MobiStealth ===<br />
<br />
[http://www.mobistealth.com/iphone-spy MobiStealth] is a spying tool available to the public for both [http://www.mobistealth.com/iphone-spy jailbroken iOS] (presumably installed via their own repository) and [http://www.mobistealth.com/ios-non-jailbreak non-jailbroken iOS] ("All that you require is the Apple ID and password of the iPhone or iPad that you want to monitor to get remote access to"). Their website includes "Are your employees misusing company owned phones? Are your kids getting more possessed and do not want to share anything with you? Stop wondering and thinking all day long, Mobistealth iPhone spy app is exactly what you need."<br />
<br />
=== mSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.mtechnology.mspy.trial/ mSpy] is a spying tool available to the public via the BigBoss repository (a default repository), authored by Mtechnology. Its description of itself: "mSpy is the best tracking and spy application that allows users to keep a check on the cell phone activities of their kids other family members or employees in order to avoid any unwanted behavior or for safety purposes."<br />
<br />
The mSpy website [http://www.mspy.com/compatibility.html indicates that they also have a version for non-jailbroken devices].<br />
<br />
In May 2015, [http://krebsonsecurity.com/2015/05/mspy-denies-breach-even-as-customers-confirm-it/ mSpy had a customer data breach].<br />
<br />
=== OwnSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.ownspy.daemon/ OwnSpy] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Antonio Calatrava. It describes itself as "Spy your own iPhone or iPad", with call recording, location tracking, and other features. It has a warning that says "Installing OwnSpy on a device that does not belong to you is a criminal offense and may be prosecuted. Mobile Innovations will help authorities if required." [http://en.ownspy.com/P000001-install-on-ios OwnSpy website].<br />
<br />
=== Spy App ===<br />
<br />
[http://cydia.saurik.com/package/com.spyapp.daemon/ Spy App] is a spying tool available to the public via the ModMyi repository (a default repository), authored by dmarinov. Its description includes "Remotely spy SMS, Emails, Call Logs, GPS Location, Key presses (Keylogger)" and other features. It says it is "absolutely invisible and undetectable."<br />
<br />
=== SpyKey ===<br />
<br />
[http://cydia.saurik.com/package/com.kobisnir.spykey/ SpyKey] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Kobi Snir. Its description includes "a simple app that let you monitor your PC Keyboard activity in real time, Simply connect your iphone to your compute using your Wifi or 3G connection and start monitoring." The [http://www.ioslinks.com/spykey/ SpyKey website] includes "Great use for parental control purposes, protect your kids from chating with strangers!", "Discover usernames & passwords", and "Spy unfaithfull husband or wife."<br />
<br />
=== StealthGenie ===<br />
<br />
StealthGenie was a spying tool available to the public [http://blog.flexispy.com/remove-stealthgenie-iphone-android/ via their own repository]. It also supported other mobile operating systems. In November 2014, the person who advertised and sold this product was [http://www.justice.gov/opa/pr/man-pleads-guilty-selling-stealthgenie-spyware-app-and-ordered-pay-500000-fine charged with a federal crime and fined $500,000]. The charge was "sale of an interception device and advertisement of a known interception device", a wiretapping crime. [http://www.forbes.com/sites/kashmirhill/2014/09/30/stealthgenie-ugly-marketing-of-spyware/ A Forbes article] says "according to the FBI, Akbar and his team developed an internal business plan that revealed that — duh — the primary target audience for the app was people who thought their partners were cheating." The Forbes article points out [[#Mobile Spy]], [[#mSpy]], [[#FlexiSPY]], and [[#MobiStealth]] as similar products.<br />
<br />
=== Trapsms ===<br />
<br />
Trapsms was an early spying tool available to the public, [http://blog.fortinet.com/post/detecting-spyware-for-iphones described in this post by a security researcher in July 2009]. She says: "The spyware installs on any jailbroken iPhone. In Cydia (an iPhone front-end to help installing third-party applications), you first add the URL of the spyware's repository and then install the two spyware packages."<br />
<br />
[[Category:Malware research]]</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=Malware_for_iOS&diff=47640Malware for iOS2015-09-02T23:27:44Z<p>Britta: /* Inception (December 2014) */ editing</p>
<hr />
<div>This is a list of known malware (including spyware, adware, trojans, viruses, worms, and similar tools) that have targeted iOS, including jailbroken iOS. The dates are approximate dates when people discovered, publicized, or started discussing the tool. '''You can help expand this article with more examples and details. To edit it, [[The iPhone Wiki:Account creation|request an account on TheiPhoneWiki]].'''<br />
<br />
The goal of this list is to aid better understanding of the risks of using iOS and jailbroken iOS - it's helpful to have as much accurate information as you can. If you're concerned about avoiding malware on your jailbroken device, check out [https://www.reddit.com/r/jailbreak/wiki/howtoresearch this guide to making informed guesses about whether packages are reasonable to install].<br />
<br />
Some context: <br />
* Some of these tools targeted old iOS versions and do not work on current iOS versions.<br />
* Some of these are harmful and some are merely annoying.<br />
* Many of these require the device to be jailbroken, and some work on non-jailbroken devices (including via [[misuse of enterprise and developer certificates]]).<br />
* Cydia is an open platform - it includes a specific set of default repositories, and it also allows users to type in any third-party repository that they want to use (much like a web browser that allows you to visit any website). Anyone can run a third-party repository and distribute any software they choose to distribute.<br />
* Some of these tools are built to target specific people instead of the general public.<br />
* Especially for malware that targets a specific person and requires the device to be jailbroken (such as commercial spyware tools used by governments and [http://www.forbes.com/sites/sarahjeong/2014/10/28/surveillance-begins-at-home/ people spying on family members]), it's important to consider that ''the vulnerabilities in iOS that allow it to be exploited with a jailbreak'' are part of what allows that malware to exist - the process may include finding a way to secretly jailbreak the target's device if it's not jailbroken already.<br />
<br />
For an earlier list of known malware, see [https://blog.fortinet.com/post/ios-malware-does-exist "iOS Malware Does Exist"] (June 2014).<br />
<br />
== Tools found in the wild that target the public ==<br />
<br />
=== iKee and Duh (November 2009) ===<br />
<br />
The [[Ikee-virus]] (also called Eeki) is a worm transmitted between jailbroken devices that have OpenSSH installed and haven't changed the default root password. It changes the lockscreen background to a photo of Rick Astley.<br />
<br />
Two weeks later, the similar [https://nakedsecurity.sophos.com/2009/11/23/lightning-strikes-iphone-malware-malicious/ Duh worm] spread, which was "much more serious than the original Ikee worm because it is not limited to infecting iPhone users in Australia, and communicates with an internet Control & Command centre, downloading new instructions - effectively turning your iPhone into part of a botnet."<br />
<br />
=== "Find and Call" (July 2012) ===<br />
<br />
Find and Call was an app on the App Store that automatically uploaded users' contact lists to the company's server, then spammed those contacts with a link to the app ("from" that user). This undisclosed, unwanted behavior makes the software fit the definition of a trojan. Articles: [https://securelist.com/blog/incidents/33544/find-and-call-leak-and-spam-57/ Kaspersky SecureList], [http://arstechnica.com/apple/2012/07/find-and-call-app-becomes-first-trojan-to-appear-on-ios-app-store/ Ars Technica], [https://nakedsecurity.sophos.com/2012/07/06/find-call-ios-android-malware/ Sophos NakedSecurity]. It is also called FindCall.<br />
<br />
=== Packages by Nobitazzz (August 2012 and September 2013) ===<br />
<br />
A tweak developer who went by various names (Felix, FelixCat, isoftjsc, Martin Pham, Nitram88, Nobitazzz, Nobita.ZZZ, Sara_Nobita, sara_nobita_zzz, tuyentq2009, vietSARA) included adware in his tweaks. These were many free packages along with some paid packages sold via the Cydia Store, mostly distributed by default repositories (until the problem was discovered). The adware ran ads in the background of iOS, displaying off-screen so that the user wouldn't notice them, with the revenue from those ads going to this tweak developer. This was [http://modmyi.com/forums/cydia-support/810633-new-adware-malware-found-cydia.html reported in August 2012 on the ModMyi forum] and [http://ryanhileman.info/posts/webgl analyzed in September 2013] ([https://www.reddit.com/r/jailbreak/comments/1n5702/anatomy_of_a_jailbreak_trojan/ discussion on Reddit]).<br />
<br />
Packages by this developer included: Animated ICS LockScreen & HomeScreen, BetterChrome, Chrome Download Enabler, ChromeMe, Enable Copy text in Facebook app, Enable WebGL, Facebook Photo Library integration, FacebookThis, Handwriting recognition, Insta9gag, InstaFacebook for NotificationCenter, Instagram Image saver, InstaSocial for Notification Center, InstaTwitter for NotificationCenter, iOS 6 Photos Menu, Make Gmail as default, Notification Lunar Calendar, Olympic 2012 Medal for Notification Center, PhotoFilters, Sara, Sara Dictation Keyboard, VoiceTweet.<br />
<br />
=== AdThief/Spad (March and August 2014) ===<br />
<br />
AdThief (also called Spad) is malware targeting jailbroken iOS devices, which "tweaks a developer ID that’s intended to tell ad developers when their ads are either viewed or clicked and in turn, generate revenue. In the malware’s case, infected devices funnel those small payments away from the developers to the hacker", as [https://threatpost.com/adthief-ios-malware-affecting-75k-jailbroken-devices/107907 explained by Kaspersky Threatpost]. Security researchers estimated it had infected 75,000 devices.<br />
<br />
=== Unflod (April 2014) ===<br />
<br />
[[Unflod]] is a malicious piece of software targeting jailbroken iOS devices, which attempts to capture the user's Apple ID and password by using MobileSubstrate to hook into the SSLWrite function of Security.framework and then listening to data passed to it. Once the Apple ID and password are captured, it is sent to a Chinese IP address. It was inadvertently discovered by a Reddit user on April 17th, 2014. Also called "Unflod Baby Panda" and "SSLCreds".<br />
<br />
=== AppBuyer (September 2014) ===<br />
<br />
AppBuyer, as discussed in [http://researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/ this article by Palo Alto Networks], is "malware will connect to C&C server, download and execute malicious executable files, hook network APIs to steal user’s Apple ID and password and upload to the attacker’s server, and simulate Apple’s proprietary protocols to buy apps from the official App Store by victim’s identity." It targets jailbroken devices.<br />
<br />
=== WireLurker and Masque Attack (November 2014) ===<br />
<br />
As discussed at [[Misuse of enterprise and developer certificates]]: [http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/ according to Palo Alto Networks], WireLurker is "a family of malware targeting both Mac OS and iOS systems for the past six months...It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning."<br />
<br />
Masque Attacks are a related technique, also [https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html discussed by Palo Alto Networks]: "an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier."<br />
<br />
=== Xsser mRAT (December 2014) ===<br />
<br />
Xsser mRAT is a piece of malware that targets jailbroken devices. [https://blogs.akamai.com/2014/12/ios-and-android-os-targeted-by-man-in-the-middle-attacks.html As described by Akamai]: "The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server."<br />
<br />
=== Lock Saver Free (July 2015) ===<br />
<br />
Lock Saver Free is a free tweak, originally distributed on a default repository (removed from the repository after discovery of the problem), that installs an extra tweak that hooks into ad banners to insert its own ad identifier, presumably in order to give ad revenue to the author of the tweak instead of to the author of the website/app where the ad was found. [https://www.reddit.com/r/jailbreak/comments/3eis8g/news_lock_saver_free_contains_a_trojan_that/ Discussion on Reddit].<br />
<br />
=== KeyRaider (August 2015) ===<br />
<br />
KeyRaider, as discussed in [http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/ this article by Palo Alto Networks], is a piece of malware for jailbroken devices that "steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device." These security researchers said it has over 225,000 stolen accounts in its database.<br />
<br />
== Tools used by governments (and similar) to target individuals ==<br />
<br />
=== FinSpy Mobile (August 2012) ===<br />
<br />
FinFisher is a suite of commercial surveillance tools sold to governments, which have been used to target activists and other people. The suite [https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/ includes spyware tools for many mobile operating systems, including iOS].<br />
<br />
=== DROPOUTJEEP (December 2013) ===<br />
<br />
In December 2013, a conference presentation included information about a NSA tool called DROPOUTJEEP: [http://www.forbes.com/sites/erikkain/2013/12/30/the-nsa-reportedly-has-total-access-to-your-iphone/ "a software implant for the Apple iPhone that utilizes modular mission applications to provide specific SIGINT functionality. This functionality includes the ability to remotely push/pull files from the device. SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell tower location, etc. Command, control and data exfiltration can occur over SMS messaging or a GPRS data connection. All communications with the implant will be covert and encrypted.”] The information was from an internal NSA software catalog from 2008. The presenter speculated that Apple had helped build this tool, and [http://techcrunch.com/2013/12/31/apple-says-it-has-never-worked-with-nsa-to-create-iphone-backdoors-is-unaware-of-alleged-dropoutjeep-snooping-program/ Apple said it "has never worked with the NSA to create a backdoor in any of our products"].<br />
<br />
=== Hacking Team tools (June 2014 and July 2015) ===<br />
<br />
[[Hacking Team]] is a company that "sells offensive intrusion and surveillance capabilities to governments and law enforcement agencies", including iOS spyware tools. The iOS spyware tools appear designed for targeting/attacking specific people, not for broad surveillance of the public. Their main tool (Remote Control System) requires a jailbroken device, and they were researching options for non-jailbroken devices.<br />
<br />
=== Inception (December 2014) ===<br />
<br />
Inception is an "attack framework" from an unknown source that targets individuals to steal information, using phishing emails and other techniques along with malware for iOS and other mobile operating systems, described in [https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware this post by security researchers who identified it]. According to [http://images.machspeed.bluecoat.com/Web/BlueCoat/%7B7f2dda62-f240-48dc-b05e-5cc620747b73%7D_bcs_wp_The_Inception_Framework_Cloud-Hosted_APT_EN_1d.pdf the whitepaper from those security researchers], a target may receive a phishing email with a link that says it's a WhatsApp update, and if clicked on jailbroken iOS, it triggers "the download of a Debian installer package, WhatsAppUpdate.deb, also 1.2Mb in size. This application impersonates a Cydia installer, and can only be installed on a jailbroken phone" (page 23). It's unclear what they mean by "impersonates a Cydia installer", but a .deb file is the standard format for software packages installable via Cydia. The iOS malware collects the device's [[ICCID]], address book, phone number, MAC address, and other information.<br />
<br />
Another group of security researchers also identified this attack framework [http://www.cso.com.au/article/562325/sophisticated-malware-targets-execs-pcs-android-blackberry-ios-devices/ and called it Cloud Atlas].<br />
<br />
More articles: [http://appleinsider.com/articles/14/12/11/massive-sophisticated-inception---cloud-atlas-malware-infects-windows-and-android-but-cant-exploit-apples-ios-without-jailbreak Apple Insider], [http://www.forbes.com/sites/thomasbrewster/2014/12/10/iphone-android-attacks-on-diplomats/ Forbes]. There is a sample download [http://contagiominidump.blogspot.de/2014/12/cloud-atlas-inception-ios.html available via this blog].<br />
<br />
=== XAgent (February 2015) ===<br />
<br />
XAgent is a surveillance tool targeting specific people (such as people in governments, the military, and journalists) that can affect both non-jailbroken and jailbroken devices, as described in [http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/ this article by Trend Micro]. Also [http://www.pcworld.com/article/2880152/new-spyware-targets-ios-devices-steals-pictures-and-data.html covered by PCWorld].<br />
<br />
== Tools developed as part of research ==<br />
<br />
=== iSAM (June 2011) ===<br />
<br />
iSAM is a malware tool [http://link.springer.com/chapter/10.1007%2F978-3-642-21424-0_2 developed by security researchers] as a proof of concept. It affects both jailbroken and not-yet-jailbroken devices: it scans for jailbroken devices that have SSH running and the default root password, and it also includes a malicious version of the [[Star]] exploit (JailbreakMe 2.0) so it can jailbreak a device that isn't jailbroken yet.<br />
<br />
=== Instastock (November 2011) ===<br />
<br />
Charlie Miller, a security researcher, [http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/ submitted an app to the App Store called Instastock] to demonstrate "a flaw in Apple’s restrictions on code signing on iOS devices". The app was initially accepted and then pulled from the store.<br />
<br />
=== Mactans (July 2013) ===<br />
<br />
At the Black Hat 2013 conference, security researchers presented a tool called Mactans, a small device that looks like a charger but [http://www.zdnet.com/article/researchers-reveal-how-to-hack-an-iphone-in-60-seconds/ can insert malware if you plug an iOS device into it]. The iOS device does not have to be jailbroken.<br />
<br />
=== Jekyll (August 2013) ===<br />
<br />
At the USENIX Security Symposium in 2013, security researchers described a method for getting a malicious app approved for the App Store, [http://www.theguardian.com/technology/appsblog/2013/aug/19/ios-malware-apple-iphone-ipad-jekyll "created with remotely-exploitable vulnerabilities built in, masked by legitimate features to evade detection during the App Store approval process, but ready to be triggered once the app was installed on an iOS device."] They successfully got an app approved for the App Store with this method (which [http://arstechnica.com/security/2013/08/seemingly-benign-jekyll-app-passes-apple-review-then-becomes-evil/ "was only active for a few minutes following its launch in March, and during that time it wasn't installed by anyone not involved in the experiment"]).<br />
<br />
== Tools for sale to the public to target individuals ==<br />
<br />
=== Copy9 ===<br />
<br />
[http://cydia.saurik.com/package/com.goldenspy.copy9/ Copy9] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Copy9. It describes itself as "will be installed on target iDevice to find out a thief, cheating spouses, monitor chidren/employees or simply backup data from your devices to our cloud server. This is the best spyware on the world in spying field." [http://copy9.com/ Copy9 website].<br />
<br />
=== Copy10 ===<br />
<br />
[http://cydia.saurik.com/package/com.copy10.copy10/ Copy10] is a similar but separate spying tool available to the public via the ModMyi repository (a default repository), authored by IntelMobi/goldenspy. Their description includes "Are you having trust issues in your relationship? Sign that your kid's personality has changed and their behaviors, does your teenager hang out with friends you're concerned about? What if you believe one of your employees is a spy or is stealing company's technology, intellectual property or trade secrets?" [https://www.intelmobi.com/ IntelMobi website].<br />
<br />
=== FlexiSPY ===<br />
<br />
[http://www.flexispy.com/en/iphone-tracker-spy-on-iphone.htm FlexiSPY] is a spying tool available to the public presumably via their own repository (this isn't specified on their website, but it's specified that you need the device to be jailbroken). Their website says "If you have a committed relationship with your partner or are responsible for a child or employee YOU HAVE A RIGHT TO KNOW To protect your relationship, spy on their iPhone."<br />
<br />
=== iKeyGuard Key Logger ===<br />
<br />
[http://cydia.saurik.com/package/com.ikeyguard.ikg/ iKeyGuard Key Logger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by iKeyGuard. Its description includes "Warning: Logging other people without their permission might be illegal in your country! Make sure you abide by your local law."<br />
<br />
=== iKeyMonitor keylogger ===<br />
<br />
[http://cydia.saurik.com/package/com.aw.mobile.ikm/ iKeyMonitor keylogger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Awosoft Technology. [http://ikeymonitor.com/ Its website] includes "How to monitor your children's cell phone to discover the truth and protect them from potential dangers? Now with iKeyMonitor you can uncover the truth by secretly monitoring mobile phones and tablets such as iPhone/iPad/iPod and Android device."<br />
<br />
=== InnovaSPY ===<br />
<br />
[http://cydia.saurik.com/package/com.innovaspy.innovaspy/ InnovaSPY] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Innovaspy. Its description says "Perfect iPhone spy app" and lists reasons to use it as "Protect your child from cyber predators" and "Find out THE TRUE from cheating spouse?" Related package: [http://cydia.saurik.com/package/com.innovaspy.innovamonitor/ InnovaMonitor], a monitoring app for use with the spy tool. [http://innovaspy.com/ InnovaSPY website].<br />
<br />
=== Mobile Spy ===<br />
<br />
[http://www.mobile-spy.com/iphone-v7.html Mobile Spy] is a spying tool available to the public via their own repository, authored by Retina-X Studios. [http://www.mobile-spy.com/ Their website] says "View your Child or Employee's Smartphone and Tablet Usage. Monitor text messages, GPS locations, call details, photos and social media activity. View the screen and location LIVE!"<br />
<br />
=== MobiStealth ===<br />
<br />
[http://www.mobistealth.com/iphone-spy MobiStealth] is a spying tool available to the public for both [http://www.mobistealth.com/iphone-spy jailbroken iOS] (presumably installed via their own repository) and [http://www.mobistealth.com/ios-non-jailbreak non-jailbroken iOS] ("All that you require is the Apple ID and password of the iPhone or iPad that you want to monitor to get remote access to"). Their website includes "Are your employees misusing company owned phones? Are your kids getting more possessed and do not want to share anything with you? Stop wondering and thinking all day long, Mobistealth iPhone spy app is exactly what you need."<br />
<br />
=== mSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.mtechnology.mspy.trial/ mSpy] is a spying tool available to the public via the BigBoss repository (a default repository), authored by Mtechnology. Its description of itself: "mSpy is the best tracking and spy application that allows users to keep a check on the cell phone activities of their kids other family members or employees in order to avoid any unwanted behavior or for safety purposes."<br />
<br />
The mSpy website [http://www.mspy.com/compatibility.html indicates that they also have a version for non-jailbroken devices].<br />
<br />
=== OwnSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.ownspy.daemon/ OwnSpy] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Antonio Calatrava. It describes itself as "Spy your own iPhone or iPad", with call recording, location tracking, and other features. It has a warning that says "Installing OwnSpy on a device that does not belong to you is a criminal offense and may be prosecuted. Mobile Innovations will help authorities if required." [http://en.ownspy.com/P000001-install-on-ios OwnSpy website].<br />
<br />
=== Spy App ===<br />
<br />
[http://cydia.saurik.com/package/com.spyapp.daemon/ Spy App] is a spying tool available to the public via the ModMyi repository (a default repository), authored by dmarinov. Its description includes "Remotely spy SMS, Emails, Call Logs, GPS Location, Key presses (Keylogger)" and other features. It says it is "absolutely invisible and undetectable."<br />
<br />
=== SpyKey ===<br />
<br />
[http://cydia.saurik.com/package/com.kobisnir.spykey/ SpyKey] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Kobi Snir. Its description includes "a simple app that let you monitor your PC Keyboard activity in real time, Simply connect your iphone to your compute using your Wifi or 3G connection and start monitoring." The [http://www.ioslinks.com/spykey/ SpyKey website] includes "Great use for parental control purposes, protect your kids from chating with strangers!", "Discover usernames & passwords", and "Spy unfaithfull husband or wife."<br />
<br />
=== StealthGenie ===<br />
<br />
StealthGenie was a spying tool available to the public [http://blog.flexispy.com/remove-stealthgenie-iphone-android/ via their own repository]. It also supported other mobile operating systems. In November 2014, the person who advertised and sold this product was [http://www.justice.gov/opa/pr/man-pleads-guilty-selling-stealthgenie-spyware-app-and-ordered-pay-500000-fine charged with a federal crime and fined $500,000]. The charge was "sale of an interception device and advertisement of a known interception device", a wiretapping crime. [http://www.forbes.com/sites/kashmirhill/2014/09/30/stealthgenie-ugly-marketing-of-spyware/ A Forbes article] says "according to the FBI, Akbar and his team developed an internal business plan that revealed that — duh — the primary target audience for the app was people who thought their partners were cheating." The Forbes article points out [[#Mobile Spy]], [[#mSpy]], [[#FlexiSPY]], and [[#MobiStealth]] as similar products.<br />
<br />
=== Trapsms ===<br />
<br />
Trapsms was an early spying tool available to the public, [http://blog.fortinet.com/post/detecting-spyware-for-iphones described in this post by a security researcher in July 2009]. She says: "The spyware installs on any jailbroken iPhone. In Cydia (an iPhone front-end to help installing third-party applications), you first add the URL of the spyware's repository and then install the two spyware packages."<br />
<br />
[[Category:Malware research]]</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=Malware_for_iOS&diff=47639Malware for iOS2015-09-02T23:27:26Z<p>Britta: /* Inception (December 2014) */ clarity</p>
<hr />
<div>This is a list of known malware (including spyware, adware, trojans, viruses, worms, and similar tools) that have targeted iOS, including jailbroken iOS. The dates are approximate dates when people discovered, publicized, or started discussing the tool. '''You can help expand this article with more examples and details. To edit it, [[The iPhone Wiki:Account creation|request an account on TheiPhoneWiki]].'''<br />
<br />
The goal of this list is to aid better understanding of the risks of using iOS and jailbroken iOS - it's helpful to have as much accurate information as you can. If you're concerned about avoiding malware on your jailbroken device, check out [https://www.reddit.com/r/jailbreak/wiki/howtoresearch this guide to making informed guesses about whether packages are reasonable to install].<br />
<br />
Some context: <br />
* Some of these tools targeted old iOS versions and do not work on current iOS versions.<br />
* Some of these are harmful and some are merely annoying.<br />
* Many of these require the device to be jailbroken, and some work on non-jailbroken devices (including via [[misuse of enterprise and developer certificates]]).<br />
* Cydia is an open platform - it includes a specific set of default repositories, and it also allows users to type in any third-party repository that they want to use (much like a web browser that allows you to visit any website). Anyone can run a third-party repository and distribute any software they choose to distribute.<br />
* Some of these tools are built to target specific people instead of the general public.<br />
* Especially for malware that targets a specific person and requires the device to be jailbroken (such as commercial spyware tools used by governments and [http://www.forbes.com/sites/sarahjeong/2014/10/28/surveillance-begins-at-home/ people spying on family members]), it's important to consider that ''the vulnerabilities in iOS that allow it to be exploited with a jailbreak'' are part of what allows that malware to exist - the process may include finding a way to secretly jailbreak the target's device if it's not jailbroken already.<br />
<br />
For an earlier list of known malware, see [https://blog.fortinet.com/post/ios-malware-does-exist "iOS Malware Does Exist"] (June 2014).<br />
<br />
== Tools found in the wild that target the public ==<br />
<br />
=== iKee and Duh (November 2009) ===<br />
<br />
The [[Ikee-virus]] (also called Eeki) is a worm transmitted between jailbroken devices that have OpenSSH installed and haven't changed the default root password. It changes the lockscreen background to a photo of Rick Astley.<br />
<br />
Two weeks later, the similar [https://nakedsecurity.sophos.com/2009/11/23/lightning-strikes-iphone-malware-malicious/ Duh worm] spread, which was "much more serious than the original Ikee worm because it is not limited to infecting iPhone users in Australia, and communicates with an internet Control & Command centre, downloading new instructions - effectively turning your iPhone into part of a botnet."<br />
<br />
=== "Find and Call" (July 2012) ===<br />
<br />
Find and Call was an app on the App Store that automatically uploaded users' contact lists to the company's server, then spammed those contacts with a link to the app ("from" that user). This undisclosed, unwanted behavior makes the software fit the definition of a trojan. Articles: [https://securelist.com/blog/incidents/33544/find-and-call-leak-and-spam-57/ Kaspersky SecureList], [http://arstechnica.com/apple/2012/07/find-and-call-app-becomes-first-trojan-to-appear-on-ios-app-store/ Ars Technica], [https://nakedsecurity.sophos.com/2012/07/06/find-call-ios-android-malware/ Sophos NakedSecurity]. It is also called FindCall.<br />
<br />
=== Packages by Nobitazzz (August 2012 and September 2013) ===<br />
<br />
A tweak developer who went by various names (Felix, FelixCat, isoftjsc, Martin Pham, Nitram88, Nobitazzz, Nobita.ZZZ, Sara_Nobita, sara_nobita_zzz, tuyentq2009, vietSARA) included adware in his tweaks. These were many free packages along with some paid packages sold via the Cydia Store, mostly distributed by default repositories (until the problem was discovered). The adware ran ads in the background of iOS, displaying off-screen so that the user wouldn't notice them, with the revenue from those ads going to this tweak developer. This was [http://modmyi.com/forums/cydia-support/810633-new-adware-malware-found-cydia.html reported in August 2012 on the ModMyi forum] and [http://ryanhileman.info/posts/webgl analyzed in September 2013] ([https://www.reddit.com/r/jailbreak/comments/1n5702/anatomy_of_a_jailbreak_trojan/ discussion on Reddit]).<br />
<br />
Packages by this developer included: Animated ICS LockScreen & HomeScreen, BetterChrome, Chrome Download Enabler, ChromeMe, Enable Copy text in Facebook app, Enable WebGL, Facebook Photo Library integration, FacebookThis, Handwriting recognition, Insta9gag, InstaFacebook for NotificationCenter, Instagram Image saver, InstaSocial for Notification Center, InstaTwitter for NotificationCenter, iOS 6 Photos Menu, Make Gmail as default, Notification Lunar Calendar, Olympic 2012 Medal for Notification Center, PhotoFilters, Sara, Sara Dictation Keyboard, VoiceTweet.<br />
<br />
=== AdThief/Spad (March and August 2014) ===<br />
<br />
AdThief (also called Spad) is malware targeting jailbroken iOS devices, which "tweaks a developer ID that’s intended to tell ad developers when their ads are either viewed or clicked and in turn, generate revenue. In the malware’s case, infected devices funnel those small payments away from the developers to the hacker", as [https://threatpost.com/adthief-ios-malware-affecting-75k-jailbroken-devices/107907 explained by Kaspersky Threatpost]. Security researchers estimated it had infected 75,000 devices.<br />
<br />
=== Unflod (April 2014) ===<br />
<br />
[[Unflod]] is a malicious piece of software targeting jailbroken iOS devices, which attempts to capture the user's Apple ID and password by using MobileSubstrate to hook into the SSLWrite function of Security.framework and then listening to data passed to it. Once the Apple ID and password are captured, it is sent to a Chinese IP address. It was inadvertently discovered by a Reddit user on April 17th, 2014. Also called "Unflod Baby Panda" and "SSLCreds".<br />
<br />
=== AppBuyer (September 2014) ===<br />
<br />
AppBuyer, as discussed in [http://researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/ this article by Palo Alto Networks], is "malware will connect to C&C server, download and execute malicious executable files, hook network APIs to steal user’s Apple ID and password and upload to the attacker’s server, and simulate Apple’s proprietary protocols to buy apps from the official App Store by victim’s identity." It targets jailbroken devices.<br />
<br />
=== WireLurker and Masque Attack (November 2014) ===<br />
<br />
As discussed at [[Misuse of enterprise and developer certificates]]: [http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/ according to Palo Alto Networks], WireLurker is "a family of malware targeting both Mac OS and iOS systems for the past six months...It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning."<br />
<br />
Masque Attacks are a related technique, also [https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html discussed by Palo Alto Networks]: "an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier."<br />
<br />
=== Xsser mRAT (December 2014) ===<br />
<br />
Xsser mRAT is a piece of malware that targets jailbroken devices. [https://blogs.akamai.com/2014/12/ios-and-android-os-targeted-by-man-in-the-middle-attacks.html As described by Akamai]: "The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server."<br />
<br />
=== Lock Saver Free (July 2015) ===<br />
<br />
Lock Saver Free is a free tweak, originally distributed on a default repository (removed from the repository after discovery of the problem), that installs an extra tweak that hooks into ad banners to insert its own ad identifier, presumably in order to give ad revenue to the author of the tweak instead of to the author of the website/app where the ad was found. [https://www.reddit.com/r/jailbreak/comments/3eis8g/news_lock_saver_free_contains_a_trojan_that/ Discussion on Reddit].<br />
<br />
=== KeyRaider (August 2015) ===<br />
<br />
KeyRaider, as discussed in [http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/ this article by Palo Alto Networks], is a piece of malware for jailbroken devices that "steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device." These security researchers said it has over 225,000 stolen accounts in its database.<br />
<br />
== Tools used by governments (and similar) to target individuals ==<br />
<br />
=== FinSpy Mobile (August 2012) ===<br />
<br />
FinFisher is a suite of commercial surveillance tools sold to governments, which have been used to target activists and other people. The suite [https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/ includes spyware tools for many mobile operating systems, including iOS].<br />
<br />
=== DROPOUTJEEP (December 2013) ===<br />
<br />
In December 2013, a conference presentation included information about a NSA tool called DROPOUTJEEP: [http://www.forbes.com/sites/erikkain/2013/12/30/the-nsa-reportedly-has-total-access-to-your-iphone/ "a software implant for the Apple iPhone that utilizes modular mission applications to provide specific SIGINT functionality. This functionality includes the ability to remotely push/pull files from the device. SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell tower location, etc. Command, control and data exfiltration can occur over SMS messaging or a GPRS data connection. All communications with the implant will be covert and encrypted.”] The information was from an internal NSA software catalog from 2008. The presenter speculated that Apple had helped build this tool, and [http://techcrunch.com/2013/12/31/apple-says-it-has-never-worked-with-nsa-to-create-iphone-backdoors-is-unaware-of-alleged-dropoutjeep-snooping-program/ Apple said it "has never worked with the NSA to create a backdoor in any of our products"].<br />
<br />
=== Hacking Team tools (June 2014 and July 2015) ===<br />
<br />
[[Hacking Team]] is a company that "sells offensive intrusion and surveillance capabilities to governments and law enforcement agencies", including iOS spyware tools. The iOS spyware tools appear designed for targeting/attacking specific people, not for broad surveillance of the public. Their main tool (Remote Control System) requires a jailbroken device, and they were researching options for non-jailbroken devices.<br />
<br />
=== Inception (December 2014) ===<br />
<br />
Inception is an "attack framework" from an unknown source that targets individuals to steal information, using phishing emails and other techniques along with malware for iOS and other mobile operating systems, described in [https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware this post by security researchers who identified it]. According to [http://images.machspeed.bluecoat.com/Web/BlueCoat/%7B7f2dda62-f240-48dc-b05e-5cc620747b73%7D_bcs_wp_The_Inception_Framework_Cloud-Hosted_APT_EN_1d.pdf the whitepaper from those security researchers], a target may receive a phishing email with a link saying that it's a WhatsApp update, and if clicked on jailbroken iOS, it triggers "the download of a Debian installer package, WhatsAppUpdate.deb, also 1.2Mb in size. This application impersonates a Cydia installer, and can only be installed on a jailbroken phone" (page 23). It's unclear what they mean by "impersonates a Cydia installer", but a .deb file is the standard format for software packages installable via Cydia. The iOS malware collects the device's [[ICCID]], address book, phone number, MAC address, and other information.<br />
<br />
Another group of security researchers also identified this attack framework [http://www.cso.com.au/article/562325/sophisticated-malware-targets-execs-pcs-android-blackberry-ios-devices/ and called it Cloud Atlas].<br />
<br />
More articles: [http://appleinsider.com/articles/14/12/11/massive-sophisticated-inception---cloud-atlas-malware-infects-windows-and-android-but-cant-exploit-apples-ios-without-jailbreak Apple Insider], [http://www.forbes.com/sites/thomasbrewster/2014/12/10/iphone-android-attacks-on-diplomats/ Forbes]. There is a sample download [http://contagiominidump.blogspot.de/2014/12/cloud-atlas-inception-ios.html available via this blog].<br />
<br />
=== XAgent (February 2015) ===<br />
<br />
XAgent is a surveillance tool targeting specific people (such as people in governments, the military, and journalists) that can affect both non-jailbroken and jailbroken devices, as described in [http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/ this article by Trend Micro]. Also [http://www.pcworld.com/article/2880152/new-spyware-targets-ios-devices-steals-pictures-and-data.html covered by PCWorld].<br />
<br />
== Tools developed as part of research ==<br />
<br />
=== iSAM (June 2011) ===<br />
<br />
iSAM is a malware tool [http://link.springer.com/chapter/10.1007%2F978-3-642-21424-0_2 developed by security researchers] as a proof of concept. It affects both jailbroken and not-yet-jailbroken devices: it scans for jailbroken devices that have SSH running and the default root password, and it also includes a malicious version of the [[Star]] exploit (JailbreakMe 2.0) so it can jailbreak a device that isn't jailbroken yet.<br />
<br />
=== Instastock (November 2011) ===<br />
<br />
Charlie Miller, a security researcher, [http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/ submitted an app to the App Store called Instastock] to demonstrate "a flaw in Apple’s restrictions on code signing on iOS devices". The app was initially accepted and then pulled from the store.<br />
<br />
=== Mactans (July 2013) ===<br />
<br />
At the Black Hat 2013 conference, security researchers presented a tool called Mactans, a small device that looks like a charger but [http://www.zdnet.com/article/researchers-reveal-how-to-hack-an-iphone-in-60-seconds/ can insert malware if you plug an iOS device into it]. The iOS device does not have to be jailbroken.<br />
<br />
=== Jekyll (August 2013) ===<br />
<br />
At the USENIX Security Symposium in 2013, security researchers described a method for getting a malicious app approved for the App Store, [http://www.theguardian.com/technology/appsblog/2013/aug/19/ios-malware-apple-iphone-ipad-jekyll "created with remotely-exploitable vulnerabilities built in, masked by legitimate features to evade detection during the App Store approval process, but ready to be triggered once the app was installed on an iOS device."] They successfully got an app approved for the App Store with this method (which [http://arstechnica.com/security/2013/08/seemingly-benign-jekyll-app-passes-apple-review-then-becomes-evil/ "was only active for a few minutes following its launch in March, and during that time it wasn't installed by anyone not involved in the experiment"]).<br />
<br />
== Tools for sale to the public to target individuals ==<br />
<br />
=== Copy9 ===<br />
<br />
[http://cydia.saurik.com/package/com.goldenspy.copy9/ Copy9] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Copy9. It describes itself as "will be installed on target iDevice to find out a thief, cheating spouses, monitor chidren/employees or simply backup data from your devices to our cloud server. This is the best spyware on the world in spying field." [http://copy9.com/ Copy9 website].<br />
<br />
=== Copy10 ===<br />
<br />
[http://cydia.saurik.com/package/com.copy10.copy10/ Copy10] is a similar but separate spying tool available to the public via the ModMyi repository (a default repository), authored by IntelMobi/goldenspy. Their description includes "Are you having trust issues in your relationship? Sign that your kid's personality has changed and their behaviors, does your teenager hang out with friends you're concerned about? What if you believe one of your employees is a spy or is stealing company's technology, intellectual property or trade secrets?" [https://www.intelmobi.com/ IntelMobi website].<br />
<br />
=== FlexiSPY ===<br />
<br />
[http://www.flexispy.com/en/iphone-tracker-spy-on-iphone.htm FlexiSPY] is a spying tool available to the public presumably via their own repository (this isn't specified on their website, but it's specified that you need the device to be jailbroken). Their website says "If you have a committed relationship with your partner or are responsible for a child or employee YOU HAVE A RIGHT TO KNOW To protect your relationship, spy on their iPhone."<br />
<br />
=== iKeyGuard Key Logger ===<br />
<br />
[http://cydia.saurik.com/package/com.ikeyguard.ikg/ iKeyGuard Key Logger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by iKeyGuard. Its description includes "Warning: Logging other people without their permission might be illegal in your country! Make sure you abide by your local law."<br />
<br />
=== iKeyMonitor keylogger ===<br />
<br />
[http://cydia.saurik.com/package/com.aw.mobile.ikm/ iKeyMonitor keylogger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Awosoft Technology. [http://ikeymonitor.com/ Its website] includes "How to monitor your children's cell phone to discover the truth and protect them from potential dangers? Now with iKeyMonitor you can uncover the truth by secretly monitoring mobile phones and tablets such as iPhone/iPad/iPod and Android device."<br />
<br />
=== InnovaSPY ===<br />
<br />
[http://cydia.saurik.com/package/com.innovaspy.innovaspy/ InnovaSPY] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Innovaspy. Its description says "Perfect iPhone spy app" and lists reasons to use it as "Protect your child from cyber predators" and "Find out THE TRUE from cheating spouse?" Related package: [http://cydia.saurik.com/package/com.innovaspy.innovamonitor/ InnovaMonitor], a monitoring app for use with the spy tool. [http://innovaspy.com/ InnovaSPY website].<br />
<br />
=== Mobile Spy ===<br />
<br />
[http://www.mobile-spy.com/iphone-v7.html Mobile Spy] is a spying tool available to the public via their own repository, authored by Retina-X Studios. [http://www.mobile-spy.com/ Their website] says "View your Child or Employee's Smartphone and Tablet Usage. Monitor text messages, GPS locations, call details, photos and social media activity. View the screen and location LIVE!"<br />
<br />
=== MobiStealth ===<br />
<br />
[http://www.mobistealth.com/iphone-spy MobiStealth] is a spying tool available to the public for both [http://www.mobistealth.com/iphone-spy jailbroken iOS] (presumably installed via their own repository) and [http://www.mobistealth.com/ios-non-jailbreak non-jailbroken iOS] ("All that you require is the Apple ID and password of the iPhone or iPad that you want to monitor to get remote access to"). Their website includes "Are your employees misusing company owned phones? Are your kids getting more possessed and do not want to share anything with you? Stop wondering and thinking all day long, Mobistealth iPhone spy app is exactly what you need."<br />
<br />
=== mSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.mtechnology.mspy.trial/ mSpy] is a spying tool available to the public via the BigBoss repository (a default repository), authored by Mtechnology. Its description of itself: "mSpy is the best tracking and spy application that allows users to keep a check on the cell phone activities of their kids other family members or employees in order to avoid any unwanted behavior or for safety purposes."<br />
<br />
The mSpy website [http://www.mspy.com/compatibility.html indicates that they also have a version for non-jailbroken devices].<br />
<br />
=== OwnSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.ownspy.daemon/ OwnSpy] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Antonio Calatrava. It describes itself as "Spy your own iPhone or iPad", with call recording, location tracking, and other features. It has a warning that says "Installing OwnSpy on a device that does not belong to you is a criminal offense and may be prosecuted. Mobile Innovations will help authorities if required." [http://en.ownspy.com/P000001-install-on-ios OwnSpy website].<br />
<br />
=== Spy App ===<br />
<br />
[http://cydia.saurik.com/package/com.spyapp.daemon/ Spy App] is a spying tool available to the public via the ModMyi repository (a default repository), authored by dmarinov. Its description includes "Remotely spy SMS, Emails, Call Logs, GPS Location, Key presses (Keylogger)" and other features. It says it is "absolutely invisible and undetectable."<br />
<br />
=== SpyKey ===<br />
<br />
[http://cydia.saurik.com/package/com.kobisnir.spykey/ SpyKey] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Kobi Snir. Its description includes "a simple app that let you monitor your PC Keyboard activity in real time, Simply connect your iphone to your compute using your Wifi or 3G connection and start monitoring." The [http://www.ioslinks.com/spykey/ SpyKey website] includes "Great use for parental control purposes, protect your kids from chating with strangers!", "Discover usernames & passwords", and "Spy unfaithfull husband or wife."<br />
<br />
=== StealthGenie ===<br />
<br />
StealthGenie was a spying tool available to the public [http://blog.flexispy.com/remove-stealthgenie-iphone-android/ via their own repository]. It also supported other mobile operating systems. In November 2014, the person who advertised and sold this product was [http://www.justice.gov/opa/pr/man-pleads-guilty-selling-stealthgenie-spyware-app-and-ordered-pay-500000-fine charged with a federal crime and fined $500,000]. The charge was "sale of an interception device and advertisement of a known interception device", a wiretapping crime. [http://www.forbes.com/sites/kashmirhill/2014/09/30/stealthgenie-ugly-marketing-of-spyware/ A Forbes article] says "according to the FBI, Akbar and his team developed an internal business plan that revealed that — duh — the primary target audience for the app was people who thought their partners were cheating." The Forbes article points out [[#Mobile Spy]], [[#mSpy]], [[#FlexiSPY]], and [[#MobiStealth]] as similar products.<br />
<br />
=== Trapsms ===<br />
<br />
Trapsms was an early spying tool available to the public, [http://blog.fortinet.com/post/detecting-spyware-for-iphones described in this post by a security researcher in July 2009]. She says: "The spyware installs on any jailbroken iPhone. In Cydia (an iPhone front-end to help installing third-party applications), you first add the URL of the spyware's repository and then install the two spyware packages."<br />
<br />
[[Category:Malware research]]</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=Malware_for_iOS&diff=47638Malware for iOS2015-09-02T23:25:32Z<p>Britta: adding another</p>
<hr />
<div>This is a list of known malware (including spyware, adware, trojans, viruses, worms, and similar tools) that have targeted iOS, including jailbroken iOS. The dates are approximate dates when people discovered, publicized, or started discussing the tool. '''You can help expand this article with more examples and details. To edit it, [[The iPhone Wiki:Account creation|request an account on TheiPhoneWiki]].'''<br />
<br />
The goal of this list is to aid better understanding of the risks of using iOS and jailbroken iOS - it's helpful to have as much accurate information as you can. If you're concerned about avoiding malware on your jailbroken device, check out [https://www.reddit.com/r/jailbreak/wiki/howtoresearch this guide to making informed guesses about whether packages are reasonable to install].<br />
<br />
Some context: <br />
* Some of these tools targeted old iOS versions and do not work on current iOS versions.<br />
* Some of these are harmful and some are merely annoying.<br />
* Many of these require the device to be jailbroken, and some work on non-jailbroken devices (including via [[misuse of enterprise and developer certificates]]).<br />
* Cydia is an open platform - it includes a specific set of default repositories, and it also allows users to type in any third-party repository that they want to use (much like a web browser that allows you to visit any website). Anyone can run a third-party repository and distribute any software they choose to distribute.<br />
* Some of these tools are built to target specific people instead of the general public.<br />
* Especially for malware that targets a specific person and requires the device to be jailbroken (such as commercial spyware tools used by governments and [http://www.forbes.com/sites/sarahjeong/2014/10/28/surveillance-begins-at-home/ people spying on family members]), it's important to consider that ''the vulnerabilities in iOS that allow it to be exploited with a jailbreak'' are part of what allows that malware to exist - the process may include finding a way to secretly jailbreak the target's device if it's not jailbroken already.<br />
<br />
For an earlier list of known malware, see [https://blog.fortinet.com/post/ios-malware-does-exist "iOS Malware Does Exist"] (June 2014).<br />
<br />
== Tools found in the wild that target the public ==<br />
<br />
=== iKee and Duh (November 2009) ===<br />
<br />
The [[Ikee-virus]] (also called Eeki) is a worm transmitted between jailbroken devices that have OpenSSH installed and haven't changed the default root password. It changes the lockscreen background to a photo of Rick Astley.<br />
<br />
Two weeks later, the similar [https://nakedsecurity.sophos.com/2009/11/23/lightning-strikes-iphone-malware-malicious/ Duh worm] spread, which was "much more serious than the original Ikee worm because it is not limited to infecting iPhone users in Australia, and communicates with an internet Control & Command centre, downloading new instructions - effectively turning your iPhone into part of a botnet."<br />
<br />
=== "Find and Call" (July 2012) ===<br />
<br />
Find and Call was an app on the App Store that automatically uploaded users' contact lists to the company's server, then spammed those contacts with a link to the app ("from" that user). This undisclosed, unwanted behavior makes the software fit the definition of a trojan. Articles: [https://securelist.com/blog/incidents/33544/find-and-call-leak-and-spam-57/ Kaspersky SecureList], [http://arstechnica.com/apple/2012/07/find-and-call-app-becomes-first-trojan-to-appear-on-ios-app-store/ Ars Technica], [https://nakedsecurity.sophos.com/2012/07/06/find-call-ios-android-malware/ Sophos NakedSecurity]. It is also called FindCall.<br />
<br />
=== Packages by Nobitazzz (August 2012 and September 2013) ===<br />
<br />
A tweak developer who went by various names (Felix, FelixCat, isoftjsc, Martin Pham, Nitram88, Nobitazzz, Nobita.ZZZ, Sara_Nobita, sara_nobita_zzz, tuyentq2009, vietSARA) included adware in his tweaks. These were many free packages along with some paid packages sold via the Cydia Store, mostly distributed by default repositories (until the problem was discovered). The adware ran ads in the background of iOS, displaying off-screen so that the user wouldn't notice them, with the revenue from those ads going to this tweak developer. This was [http://modmyi.com/forums/cydia-support/810633-new-adware-malware-found-cydia.html reported in August 2012 on the ModMyi forum] and [http://ryanhileman.info/posts/webgl analyzed in September 2013] ([https://www.reddit.com/r/jailbreak/comments/1n5702/anatomy_of_a_jailbreak_trojan/ discussion on Reddit]).<br />
<br />
Packages by this developer included: Animated ICS LockScreen & HomeScreen, BetterChrome, Chrome Download Enabler, ChromeMe, Enable Copy text in Facebook app, Enable WebGL, Facebook Photo Library integration, FacebookThis, Handwriting recognition, Insta9gag, InstaFacebook for NotificationCenter, Instagram Image saver, InstaSocial for Notification Center, InstaTwitter for NotificationCenter, iOS 6 Photos Menu, Make Gmail as default, Notification Lunar Calendar, Olympic 2012 Medal for Notification Center, PhotoFilters, Sara, Sara Dictation Keyboard, VoiceTweet.<br />
<br />
=== AdThief/Spad (March and August 2014) ===<br />
<br />
AdThief (also called Spad) is malware targeting jailbroken iOS devices, which "tweaks a developer ID that’s intended to tell ad developers when their ads are either viewed or clicked and in turn, generate revenue. In the malware’s case, infected devices funnel those small payments away from the developers to the hacker", as [https://threatpost.com/adthief-ios-malware-affecting-75k-jailbroken-devices/107907 explained by Kaspersky Threatpost]. Security researchers estimated it had infected 75,000 devices.<br />
<br />
=== Unflod (April 2014) ===<br />
<br />
[[Unflod]] is a malicious piece of software targeting jailbroken iOS devices, which attempts to capture the user's Apple ID and password by using MobileSubstrate to hook into the SSLWrite function of Security.framework and then listening to data passed to it. Once the Apple ID and password are captured, it is sent to a Chinese IP address. It was inadvertently discovered by a Reddit user on April 17th, 2014. Also called "Unflod Baby Panda" and "SSLCreds".<br />
<br />
=== AppBuyer (September 2014) ===<br />
<br />
AppBuyer, as discussed in [http://researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/ this article by Palo Alto Networks], is "malware will connect to C&C server, download and execute malicious executable files, hook network APIs to steal user’s Apple ID and password and upload to the attacker’s server, and simulate Apple’s proprietary protocols to buy apps from the official App Store by victim’s identity." It targets jailbroken devices.<br />
<br />
=== WireLurker and Masque Attack (November 2014) ===<br />
<br />
As discussed at [[Misuse of enterprise and developer certificates]]: [http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/ according to Palo Alto Networks], WireLurker is "a family of malware targeting both Mac OS and iOS systems for the past six months...It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning."<br />
<br />
Masque Attacks are a related technique, also [https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html discussed by Palo Alto Networks]: "an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier."<br />
<br />
=== Xsser mRAT (December 2014) ===<br />
<br />
Xsser mRAT is a piece of malware that targets jailbroken devices. [https://blogs.akamai.com/2014/12/ios-and-android-os-targeted-by-man-in-the-middle-attacks.html As described by Akamai]: "The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server."<br />
<br />
=== Lock Saver Free (July 2015) ===<br />
<br />
Lock Saver Free is a free tweak, originally distributed on a default repository (removed from the repository after discovery of the problem), that installs an extra tweak that hooks into ad banners to insert its own ad identifier, presumably in order to give ad revenue to the author of the tweak instead of to the author of the website/app where the ad was found. [https://www.reddit.com/r/jailbreak/comments/3eis8g/news_lock_saver_free_contains_a_trojan_that/ Discussion on Reddit].<br />
<br />
=== KeyRaider (August 2015) ===<br />
<br />
KeyRaider, as discussed in [http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/ this article by Palo Alto Networks], is a piece of malware for jailbroken devices that "steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device." These security researchers said it has over 225,000 stolen accounts in its database.<br />
<br />
== Tools used by governments (and similar) to target individuals ==<br />
<br />
=== FinSpy Mobile (August 2012) ===<br />
<br />
FinFisher is a suite of commercial surveillance tools sold to governments, which have been used to target activists and other people. The suite [https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/ includes spyware tools for many mobile operating systems, including iOS].<br />
<br />
=== DROPOUTJEEP (December 2013) ===<br />
<br />
In December 2013, a conference presentation included information about a NSA tool called DROPOUTJEEP: [http://www.forbes.com/sites/erikkain/2013/12/30/the-nsa-reportedly-has-total-access-to-your-iphone/ "a software implant for the Apple iPhone that utilizes modular mission applications to provide specific SIGINT functionality. This functionality includes the ability to remotely push/pull files from the device. SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell tower location, etc. Command, control and data exfiltration can occur over SMS messaging or a GPRS data connection. All communications with the implant will be covert and encrypted.”] The information was from an internal NSA software catalog from 2008. The presenter speculated that Apple had helped build this tool, and [http://techcrunch.com/2013/12/31/apple-says-it-has-never-worked-with-nsa-to-create-iphone-backdoors-is-unaware-of-alleged-dropoutjeep-snooping-program/ Apple said it "has never worked with the NSA to create a backdoor in any of our products"].<br />
<br />
=== Hacking Team tools (June 2014 and July 2015) ===<br />
<br />
[[Hacking Team]] is a company that "sells offensive intrusion and surveillance capabilities to governments and law enforcement agencies", including iOS spyware tools. The iOS spyware tools appear designed for targeting/attacking specific people, not for broad surveillance of the public. Their main tool (Remote Control System) requires a jailbroken device, and they were researching options for non-jailbroken devices.<br />
<br />
=== Inception (December 2014) ===<br />
<br />
Inception is an "attack framework" from an unknown source that targets individuals to steal information, using phishing emails and other techniques along with malware for iOS and other mobile operating systems, described in [https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware this post by security researchers who identified it]. According to [http://images.machspeed.bluecoat.com/Web/BlueCoat/%7B7f2dda62-f240-48dc-b05e-5cc620747b73%7D_bcs_wp_The_Inception_Framework_Cloud-Hosted_APT_EN_1d.pdf the whitepaper from those security researchers], a target may receive a phishing email with a link to a WhatsApp update, and if clicked on jailbroken iOS, it triggers "the download of a Debian installer package, WhatsAppUpdate.deb, also 1.2Mb in size. This application impersonates a Cydia installer, and can only be installed on a jailbroken phone" (page 23). It's unclear what they mean by "impersonates a Cydia installer", but a .deb file is the standard format for software packages installable via Cydia. The iOS malware collects the device's [[ICCID]], address book, phone number, MAC address, and other information.<br />
<br />
Another group of security researchers also identified this attack framework [http://www.cso.com.au/article/562325/sophisticated-malware-targets-execs-pcs-android-blackberry-ios-devices/ and called it Cloud Atlas].<br />
<br />
More articles: [http://appleinsider.com/articles/14/12/11/massive-sophisticated-inception---cloud-atlas-malware-infects-windows-and-android-but-cant-exploit-apples-ios-without-jailbreak Apple Insider], [http://www.forbes.com/sites/thomasbrewster/2014/12/10/iphone-android-attacks-on-diplomats/ Forbes]. There is a sample download [http://contagiominidump.blogspot.de/2014/12/cloud-atlas-inception-ios.html available via this blog].<br />
<br />
=== XAgent (February 2015) ===<br />
<br />
XAgent is a surveillance tool targeting specific people (such as people in governments, the military, and journalists) that can affect both non-jailbroken and jailbroken devices, as described in [http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/ this article by Trend Micro]. Also [http://www.pcworld.com/article/2880152/new-spyware-targets-ios-devices-steals-pictures-and-data.html covered by PCWorld].<br />
<br />
== Tools developed as part of research ==<br />
<br />
=== iSAM (June 2011) ===<br />
<br />
iSAM is a malware tool [http://link.springer.com/chapter/10.1007%2F978-3-642-21424-0_2 developed by security researchers] as a proof of concept. It affects both jailbroken and not-yet-jailbroken devices: it scans for jailbroken devices that have SSH running and the default root password, and it also includes a malicious version of the [[Star]] exploit (JailbreakMe 2.0) so it can jailbreak a device that isn't jailbroken yet.<br />
<br />
=== Instastock (November 2011) ===<br />
<br />
Charlie Miller, a security researcher, [http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/ submitted an app to the App Store called Instastock] to demonstrate "a flaw in Apple’s restrictions on code signing on iOS devices". The app was initially accepted and then pulled from the store.<br />
<br />
=== Mactans (July 2013) ===<br />
<br />
At the Black Hat 2013 conference, security researchers presented a tool called Mactans, a small device that looks like a charger but [http://www.zdnet.com/article/researchers-reveal-how-to-hack-an-iphone-in-60-seconds/ can insert malware if you plug an iOS device into it]. The iOS device does not have to be jailbroken.<br />
<br />
=== Jekyll (August 2013) ===<br />
<br />
At the USENIX Security Symposium in 2013, security researchers described a method for getting a malicious app approved for the App Store, [http://www.theguardian.com/technology/appsblog/2013/aug/19/ios-malware-apple-iphone-ipad-jekyll "created with remotely-exploitable vulnerabilities built in, masked by legitimate features to evade detection during the App Store approval process, but ready to be triggered once the app was installed on an iOS device."] They successfully got an app approved for the App Store with this method (which [http://arstechnica.com/security/2013/08/seemingly-benign-jekyll-app-passes-apple-review-then-becomes-evil/ "was only active for a few minutes following its launch in March, and during that time it wasn't installed by anyone not involved in the experiment"]).<br />
<br />
== Tools for sale to the public to target individuals ==<br />
<br />
=== Copy9 ===<br />
<br />
[http://cydia.saurik.com/package/com.goldenspy.copy9/ Copy9] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Copy9. It describes itself as "will be installed on target iDevice to find out a thief, cheating spouses, monitor chidren/employees or simply backup data from your devices to our cloud server. This is the best spyware on the world in spying field." [http://copy9.com/ Copy9 website].<br />
<br />
=== Copy10 ===<br />
<br />
[http://cydia.saurik.com/package/com.copy10.copy10/ Copy10] is a similar but separate spying tool available to the public via the ModMyi repository (a default repository), authored by IntelMobi/goldenspy. Their description includes "Are you having trust issues in your relationship? Sign that your kid's personality has changed and their behaviors, does your teenager hang out with friends you're concerned about? What if you believe one of your employees is a spy or is stealing company's technology, intellectual property or trade secrets?" [https://www.intelmobi.com/ IntelMobi website].<br />
<br />
=== FlexiSPY ===<br />
<br />
[http://www.flexispy.com/en/iphone-tracker-spy-on-iphone.htm FlexiSPY] is a spying tool available to the public presumably via their own repository (this isn't specified on their website, but it's specified that you need the device to be jailbroken). Their website says "If you have a committed relationship with your partner or are responsible for a child or employee YOU HAVE A RIGHT TO KNOW To protect your relationship, spy on their iPhone."<br />
<br />
=== iKeyGuard Key Logger ===<br />
<br />
[http://cydia.saurik.com/package/com.ikeyguard.ikg/ iKeyGuard Key Logger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by iKeyGuard. Its description includes "Warning: Logging other people without their permission might be illegal in your country! Make sure you abide by your local law."<br />
<br />
=== iKeyMonitor keylogger ===<br />
<br />
[http://cydia.saurik.com/package/com.aw.mobile.ikm/ iKeyMonitor keylogger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Awosoft Technology. [http://ikeymonitor.com/ Its website] includes "How to monitor your children's cell phone to discover the truth and protect them from potential dangers? Now with iKeyMonitor you can uncover the truth by secretly monitoring mobile phones and tablets such as iPhone/iPad/iPod and Android device."<br />
<br />
=== InnovaSPY ===<br />
<br />
[http://cydia.saurik.com/package/com.innovaspy.innovaspy/ InnovaSPY] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Innovaspy. Its description says "Perfect iPhone spy app" and lists reasons to use it as "Protect your child from cyber predators" and "Find out THE TRUE from cheating spouse?" Related package: [http://cydia.saurik.com/package/com.innovaspy.innovamonitor/ InnovaMonitor], a monitoring app for use with the spy tool. [http://innovaspy.com/ InnovaSPY website].<br />
<br />
=== Mobile Spy ===<br />
<br />
[http://www.mobile-spy.com/iphone-v7.html Mobile Spy] is a spying tool available to the public via their own repository, authored by Retina-X Studios. [http://www.mobile-spy.com/ Their website] says "View your Child or Employee's Smartphone and Tablet Usage. Monitor text messages, GPS locations, call details, photos and social media activity. View the screen and location LIVE!"<br />
<br />
=== MobiStealth ===<br />
<br />
[http://www.mobistealth.com/iphone-spy MobiStealth] is a spying tool available to the public for both [http://www.mobistealth.com/iphone-spy jailbroken iOS] (presumably installed via their own repository) and [http://www.mobistealth.com/ios-non-jailbreak non-jailbroken iOS] ("All that you require is the Apple ID and password of the iPhone or iPad that you want to monitor to get remote access to"). Their website includes "Are your employees misusing company owned phones? Are your kids getting more possessed and do not want to share anything with you? Stop wondering and thinking all day long, Mobistealth iPhone spy app is exactly what you need."<br />
<br />
=== mSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.mtechnology.mspy.trial/ mSpy] is a spying tool available to the public via the BigBoss repository (a default repository), authored by Mtechnology. Its description of itself: "mSpy is the best tracking and spy application that allows users to keep a check on the cell phone activities of their kids other family members or employees in order to avoid any unwanted behavior or for safety purposes."<br />
<br />
The mSpy website [http://www.mspy.com/compatibility.html indicates that they also have a version for non-jailbroken devices].<br />
<br />
=== OwnSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.ownspy.daemon/ OwnSpy] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Antonio Calatrava. It describes itself as "Spy your own iPhone or iPad", with call recording, location tracking, and other features. It has a warning that says "Installing OwnSpy on a device that does not belong to you is a criminal offense and may be prosecuted. Mobile Innovations will help authorities if required." [http://en.ownspy.com/P000001-install-on-ios OwnSpy website].<br />
<br />
=== Spy App ===<br />
<br />
[http://cydia.saurik.com/package/com.spyapp.daemon/ Spy App] is a spying tool available to the public via the ModMyi repository (a default repository), authored by dmarinov. Its description includes "Remotely spy SMS, Emails, Call Logs, GPS Location, Key presses (Keylogger)" and other features. It says it is "absolutely invisible and undetectable."<br />
<br />
=== SpyKey ===<br />
<br />
[http://cydia.saurik.com/package/com.kobisnir.spykey/ SpyKey] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Kobi Snir. Its description includes "a simple app that let you monitor your PC Keyboard activity in real time, Simply connect your iphone to your compute using your Wifi or 3G connection and start monitoring." The [http://www.ioslinks.com/spykey/ SpyKey website] includes "Great use for parental control purposes, protect your kids from chating with strangers!", "Discover usernames & passwords", and "Spy unfaithfull husband or wife."<br />
<br />
=== StealthGenie ===<br />
<br />
StealthGenie was a spying tool available to the public [http://blog.flexispy.com/remove-stealthgenie-iphone-android/ via their own repository]. It also supported other mobile operating systems. In November 2014, the person who advertised and sold this product was [http://www.justice.gov/opa/pr/man-pleads-guilty-selling-stealthgenie-spyware-app-and-ordered-pay-500000-fine charged with a federal crime and fined $500,000]. The charge was "sale of an interception device and advertisement of a known interception device", a wiretapping crime. [http://www.forbes.com/sites/kashmirhill/2014/09/30/stealthgenie-ugly-marketing-of-spyware/ A Forbes article] says "according to the FBI, Akbar and his team developed an internal business plan that revealed that — duh — the primary target audience for the app was people who thought their partners were cheating." The Forbes article points out [[#Mobile Spy]], [[#mSpy]], [[#FlexiSPY]], and [[#MobiStealth]] as similar products.<br />
<br />
=== Trapsms ===<br />
<br />
Trapsms was an early spying tool available to the public, [http://blog.fortinet.com/post/detecting-spyware-for-iphones described in this post by a security researcher in July 2009]. She says: "The spyware installs on any jailbroken iPhone. In Cydia (an iPhone front-end to help installing third-party applications), you first add the URL of the spyware's repository and then install the two spyware packages."<br />
<br />
[[Category:Malware research]]</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=Misuse_of_enterprise_and_developer_certificates&diff=47637Misuse of enterprise and developer certificates2015-09-02T22:21:28Z<p>Britta: links and editing/formatting</p>
<hr />
<div>There is some distribution of apps outside the App Store using enterprise certificates and developer certificates, which allows those apps to be installed on non-jailbroken iOS devices. Using this to distribute apps to the public violates Apple's developer agreements and can get those certificates revoked by Apple.<br />
<br />
[https://developer.apple.com/programs/ios/enterprise/ Getting an enterprise certificate costs $299/year] and requires a phone call with Apple to verify that you have a real company and are using the certificate for a legitimate purpose; after you have one, you can use it to distribute the app to unlimited numbers of devices, since it's intended for companies that want to distribute an internal app to lots of employees. There is speculation that misused enterprise certificates sometimes come from companies that got the certificates from Apple for a seemingly-legitimate purpose, then mysteriously "went out of business" and started up again using the enterprise certificates for shadier purposes.<br />
<br />
Some apps used expired enterprise certificates that required the user to set the device's time back to a certain date (before the profile was revoked) before installing the app, called the "date trick". The ability to use expired profiles like that [http://venturebreak.com/2014/10/18/ios-8-1-kills-movie-box-unapproved-apps-use-date-trick/ was fixed with iOS 8.1] in October 2014. In April 2015, [http://www.wired.com/2015/04/popcorn-times-piracy-app-sneaking-onto-iphones/ people released an app] that can be installed with an expired enterprise certificate if the device is in airplane mode (no internet connection), with the help of a tool on a desktop computer since the device can't access the internet at that point to download the app.<br />
<br />
It's not known how often iOS checks after installation to see whether an enterprise certificate has been revoked (which then means you can't use the app anymore unless you have a trick for reinstalling it) - it seems to be "once in a while".<br />
<br />
Related, there are also people who sell access to normal iOS developer certificates, which allow you to self-sign apps to install them on non-jailbroken iOS devices, meant for developers working on apps. [https://developer.apple.com/programs/ios/ These certificates cost $99/year from Apple] (and anyone can get one), and each certificate can be associated with 100 devices, so people sometimes sell some of those "UDID slots".<br />
<br />
== Uses and risks ==<br />
<br />
People misuse certificates to distribute pirated App Store apps to non-jailbroken iOS devices. There are various piracy sites and tools that distribute cracked App Store apps that have been re-signed using certificates.<br />
<br />
People also misuse certificates to distribute apps that aren't allowed on the App Store (usually apps that Apple considers to have copyright problems, such as game emulators and movie piracy tools) to non-jailbroken devices. Game emulators themselves are [https://en.wikipedia.org/wiki/Video_game_console_emulator#United_States legal software in the US], but Apple considers them associated with copyright infringement probably because people can pirate ROMs for games (although [https://web.archive.org/web/20130831191147/http://www.gamefaqs.com/features/help/entry.html?cat=24 it is legal to dump your own ROMs from games you own]). Websites such as [http://www.iosemulatorspot.com/ iOSEmulatorSpot] use this method to redistribute emulators and other free apps developed by other people that can't be distributed on the App Store (mostly because of copyright problems), mostly without permission from the app authors.<br />
<br />
Misuse of certificates has also been part of jailbreaking tools, and it can be used by malicious people as part of malware (see [[malware for iOS]]).<br />
<br />
Research papers about security risks and threats related to enterprise certificate distribution:<br />
<br />
* [https://www.virusbtn.com/virusbulletin/archive/2014/11/vb201411-Apple-without-shell "Apple without a shell – iOS under targeted attack"], by Tao Wei, Min Zheng, Hui Xue, and Dawn Song - Virus Bulletin Conference, September 2014<br />
* [http://www.cse.cuhk.edu.hk/~cslui/PUBLICATION/ASIACCS15.pdf "Enpublic Apps: Security Threats Using iOS Enterprise and Developer Certificates"], by Min Zheng, Hui Xue, Yulong Zhang, Tao Wei, and John C.S. Lui - ASIA CCS'15, April 2015<br />
<br />
== Examples ==<br />
<br />
=== Zeusmos and KuaiYong (January 2013) ===<br />
<br />
[http://thenextweb.com/apple/2013/01/01/low-down-dirty-iphone-app-pirates/ "New services bypass Apple DRM to allow pirated iOS app installs without jailbreaking on iPhone, iPad"] (TheNextWeb, January 2013): "It’s unclear exactly how Zeusmos achieves its goal, but judging from the pricing and the correlation between UDIDRegistrations, it appears to utilize a developer licensing certificate to install ‘cracked’ apps which have had their DRM (copy protection) stripped."<br />
<br />
=== KuaiYong (April 2013) ===<br />
<br />
[http://www.forbes.com/sites/emmawoollacott/2013/04/19/when-criminals-exploit-apples-own-app-distribution-system-what-hope-is-there-of-stamping-out-piracy/ "When Criminals Exploit Apple's Own App Distribution System, What Hope Is There Of Stamping Out Piracy?"] (Forbes, April 2013): "Remarkably, the site is powered by Apple’s own enterprise app distribution system, designed to allow large organizations to provide internal apps to staff. What KuaiYong has done is buy one license and then distribute apps to its customers on the pretext that they’re the company’s own staff."<br />
<br />
[http://www.examiner.com/article/chinese-website-allows-pirating-of-ios-apps-no-jailbreaking-required "Chinese website allows pirating of iOS apps, no jailbreaking required"] (Examiner, April 2013): "[Kuaiyong] uses Apple's own enterprise app deployment technology."<br />
<br />
=== GBA4iOS and MacBuildServer (July 2013) and GBA4iOS 2.0 (February 2014) ===<br />
<br />
[http://rileytestut.com/blog/2013/08/06/the-biggest-beta-test-in-ios-history/ "The Biggest Beta Test in iOS History"] (Riley Testut, August 2013): "As you can probably guess, MacBuildServer was using the Enterprise Distribution method to allow installation on non-jailbroken devices. Because GBA4iOS was open-sourced on Github, MacBuildServer was able to download a copy of the code to its servers, compile it into an app, and then distribute it under their own Enterprise Certificate...Apple did what it could to stop this: they revoked MacBuildSever’s enterprise certificate. While it initially seemed that this meant no more downloads of GBA4iOS, it has since been discovered that setting an iOS’ device date to before July 16 (the day Apple revoked the certificate) allows users to download the app again, and after the download they are free to set the date back to the current date. Unfortunately, this is far from a permanent solution, as once in a while iOS checks to see whether the certificate is valid, and if it finds it isn’t, GBA4iOS will no longer open, forcing the user to set their device’s date back again."<br />
<br />
[http://readwrite.com/2013/07/17/apple-slams-the-door-on-super-mario "Apple Slams The Door On Super Mario"] (ReadWrite, July 2013): "'Yesterday someone from Apple called to Serge, our founder, and noticed that [the] enterprise certificate registered to our company was[sic] been used violating Apple’s agreements.'"<br />
<br />
[http://rileytestut.com/blog/2014/10/07/gba4ios-is-dead-long-live-gba4ios/ "GBA4iOS Is Dead. Long Live GBA4iOS"] (Riley Testut, October 2014): "Sure enough, less than thirty minutes (!!) after we released GBA4iOS 2.0, Apple revoked our new certificate once again, but all that did was force people to set the date back to install the app; an inconvenience for sure, but far easier than jailbreaking the device. We’ve continued to update the app since, and it’s survived several iOS updates since then – such as 7.1 and 8.0 – none of which have prevented the Date Trick from working. Of course, that ends with iOS 8.1 when it is released later this month."<br />
<br />
=== Pangu (June 2014) and Pangu8 (October 2014) ===<br />
<br />
[[Pangu]] and [[Pangu8]] use an expired enterprise certificate to help inject the jailbreak, which is removed after the jailbreak is complete.<br />
<br />
[http://www.idownloadblog.com/2014/06/24/ios-7-1-1-jailbreak-uses-expired-enterprise-certificate-loophole/ "iOS 7.1.1 jailbreak uses expired enterprise certificate loophole"] (iDownloadBlog, June 2014): "According to his tweets, MuscleNerd says that the most unique part of the Pangu jailbreak is that it uses an expired enterprise certificate as an injection vector. He adds that enterprise certificates are something that have been out of bounds for the iPhone Dev Team, due to legal reasons, but he is glad that this method was used rather than the Pangu team burning through something more native and powerful."<br />
<br />
[http://blog.pangu.io/jailbreak-should-not-tolerate-regional-discrimination/ "Jailbreak Should not Tolerate Regional Discrimination"] (Pangu Team, March 2015): "In Pangu 7 and Pangu 8, we leveraged expired enterprise certificates to initial the jailbreaking process. We are very glad that some of jailbreak fans donated their own expired enterprise certificates to us. On the other hand, an enterprise certificate only costs a few hundreds dollars . We do not see any reason to steal an enterprise certificate."<br />
<br />
=== WireLurker and Masque Attack (November 2014) ===<br />
<br />
Misuse of certificates can also be part of malware.<br />
<br />
[http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/ "WireLurker: A New Era in OS X and iOS Malware"] (Palo Alto Networks, November 2014): "Today we published a new research paper on WireLurker, a family of malware targeting both Mac OS and iOS systems for the past six months...It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning"<br />
<br />
[https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf The Palo Alto Networks research paper about WireLurker] has a lot of detail about its use of enterprise certificates, including:<br />
<br />
<blockquote>"The use of enterprise provisioning explains how these applications can be installed on non-jailbroken iOS devices. Yet, on the first attempt to run a WireLurker application on iOS, users are presented with a dialog requesting confirmation to open a third-party application (Figure 16). If the user chooses to continue, a third-party enterprise provisioning profile will be installed and WireLurker will have successfully compromised that non-jailbroken device. Furthermore, users are typically none the wiser, since the application otherwise operates just like the legitimate version."</blockquote><br />
<br />
<blockquote>"The use of enterprise provisioning to install applications on non-jailbroken devices is not a new concept. This technique has been widely abused by game fans and a number of Chinese application distribution platforms. Since January 2013, there have been at least five Mac/PC tools that have abused enterprise provisioning and the libimobiledevice library to install pirated applications on non-jailbroken devices in China: “PP Helper”(PP助手), “KuaiYong Helper”(快用助手), “91 Mobile Helper”(91手机助手), “KuaiZhuang”(快装) and “SouApple”(搜苹果). It is noteworthy that the “PP Helper” application is also downloaded and installed by WireLurker."</blockquote><br />
<br />
<blockquote>"In September 2014, Tao Wei et al presented at Virus Bulletin on the risk of abusing Apple’s enterprise distribution program. According to their research, any application can bypass Apple review, arbitrarily invoke private iOS APIs, monitor user behavior and exploit vulnerabilities in a non-jailbroken iOS device by leveraging an enterprise provisioning profile. WireLurker is a prime example of how this is no longer a theoretical risk, but an active threat as seen in the wild."</blockquote><br />
<br />
[https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html "Masque Attack: All Your iOS Apps Belong to Us"] (FireEye, November 2014): "In July 2014, FireEye mobile security researchers have discovered that an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier. This in-house app may display an arbitrary title (like “New Flappy Bird”) that lures the user to install it, but the app can replace another genuine app after installation."<br />
<br />
=== Popcorn Time (April 2015) ===<br />
<br />
[http://torrentfreak.com/popcorn-time-releases-jailbreak-free-ios-app-150407/ "Popcorn Time releases iOS app tomorrow, no jailbreak needed"] (TorrentFreak, April 7, 2015): "'All a user will need to do to get Popcorn Time on a non jailbroken iOS device is to download the ‘iOS installer’ to his desktop computer, connect his iOS device to the computer with a USB cable, and then just follow simple instructions that will download the app on the iOS device.'"<br />
<br />
[http://www.wired.com/2015/04/popcorn-times-piracy-app-sneaking-onto-iphones/ "How Popcorn Time’s Piracy App Is Sneaking Onto iPhones"] (Wired, April 8, 2015): "But the iOS Installer developer does hint that its workaround exploits 'the ability Apple gives to enterprises to install apps on their workers devices.' To those familiar with Apple’s security measures, that sounds like Popcorn Time is using Apple’s iOS Developer Enterprise Program...The Popcorn-Time.se developer confirmed in an email that the team is in fact using revoked or expired enterprise certificates for the installation, though it’s not exactly clear how merely putting the phone into airplane mode can trick it into accepting those old and invalid certificates."<br />
<br />
=== 25PP (June 2015) ===<br />
<br />
25PP is an app marketplace similar to KuaiYong, including pirated apps.<br />
<br />
[http://www.forbes.com/sites/thomasbrewster/2015/06/26/china-iphone-jailbreak-industry/ "Of Ma And Malware: Inside China's iPhone Jailbreaking Industrial Complex"] (Forbes, June 26, 2015): "And yet Alibaba’s 25pp marketplace doesn’t need the phone to be unlocked to install on iOS. It flouts Apple security rules in other ways. FORBES has learned the store breaks Apple policy by using an Enterprise Certificate to install itself on users’ phones. These certificates are supposed to be used by businesses to disseminate bespoke apps within the confines of the corporate network and are strictly not for commercial use. Apple could simply revoke the certificate, but it would be easy for Alibaba’s subsidiary to obtain a new one and start breaking the rules all over again. Apple and Alibaba’s inertia is more surprising when one considers what’s on 25pp, namely a lot of pirated software that rip off American creations."<br />
<br />
=== Hacking Team (July 2015) ===<br />
<br />
[[Hacking Team]] is a company that sells surveillance tools and services to governments and law enforcement agencies, and some of their tools use a valid enterprise certificate to aid installing them on a target device.<br />
<br />
[http://www.macworld.com/article/2944712/hacking-team-hack-reveals-why-you-shouldnt-jailbreak-your-iphone.html "Hacking Team hack reveals why you shouldn't jailbreak your iPhone"] (MacWorld, July 6, 2015): "Researchers have also found so far that Hacking Team has a legitimate Apple enterprise signing certificate, which is used to create software that can be installed by employees of a company who also accept or have installed a profile that allows use of apps signed by the certificate. It was shown last November that an enterprise certificate combined with a jailbroken iOS device could be used to bypass iOS protections on installing apps. Further, Hacking Team had developed a malicious Newsstand app that could capture keystrokes and install its monitoring software."<br />
<br />
[https://twitter.com/esizkur/status/618338087035379712 Tweet by @esikur (Ralf (RPW))] (July 7, 2015): "Just did an OCSP check: Apple has revoked HT's enterprise certificate. (Reason: keyCompromise, Revocation Time: Jul 7 03:38:10 2015 GMT)"<br />
<br />
[[Category:Malware research]]</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=Malware_for_iOS&diff=47636Malware for iOS2015-09-02T22:09:39Z<p>Britta: linking Misuse of enterprise and developer certificates</p>
<hr />
<div>This is an '''incomplete''' list of known malware (including spyware, adware, trojans, viruses, worms, and similar tools) that have targeted iOS, including jailbroken iOS. The dates are approximate dates when people discovered, publicized, or started discussing the tool. '''Please help expand this article with more examples and details! To edit it, you can [[The iPhone Wiki:Account creation|request an account on TheiPhoneWiki]] if you don't have one.'''<br />
<br />
The goal of this list is to aid better understanding of the risks of using iOS and jailbroken iOS - it's helpful to have as much accurate information as you can. If you're concerned about avoiding malware on your jailbroken device, check out [https://www.reddit.com/r/jailbreak/wiki/howtoresearch this guide to making informed guesses about whether packages are reasonable to install].<br />
<br />
Some context: <br />
* Some of these tools targeted old iOS versions and do not work on current iOS versions.<br />
* Some of these are harmful and some are merely annoying.<br />
* Many of these require the device to be jailbroken, and some work on non-jailbroken devices (including via [[misuse of enterprise and developer certificates]]).<br />
* Cydia is an open platform - it includes a specific set of default repositories, and it also allows users to type in any third-party repository that they want to use (much like a web browser that allows you to visit any website). Anyone can run a third-party repository and distribute any software they choose to distribute.<br />
* Some of these tools are built to target specific people instead of the general public.<br />
* Especially for malware that targets a specific person and requires the device to be jailbroken (such as commercial spyware tools used by governments and [http://www.forbes.com/sites/sarahjeong/2014/10/28/surveillance-begins-at-home/ people spying on family members]), it's important to consider that ''the vulnerabilities in iOS that allow it to be exploited with a jailbreak'' are part of what allows that malware to exist - the process may include finding a way to secretly jailbreak the target's device if it's not jailbroken already.<br />
<br />
For an earlier list of known malware, see [https://blog.fortinet.com/post/ios-malware-does-exist "iOS Malware Does Exist"] (June 2014).<br />
<br />
== Tools found in the wild that target the public ==<br />
<br />
=== iKee and Duh (November 2009) ===<br />
<br />
The [[Ikee-virus]] (also called Eeki) is a worm transmitted between jailbroken devices that have OpenSSH installed and haven't changed the default root password. It changes the lockscreen background to a photo of Rick Astley.<br />
<br />
Two weeks later, the similar [https://nakedsecurity.sophos.com/2009/11/23/lightning-strikes-iphone-malware-malicious/ Duh worm] spread, which was "much more serious than the original Ikee worm because it is not limited to infecting iPhone users in Australia, and communicates with an internet Control & Command centre, downloading new instructions - effectively turning your iPhone into part of a botnet."<br />
<br />
=== "Find and Call" (July 2012) ===<br />
<br />
Find and Call was an app on the App Store that automatically uploaded users' contact lists to the company's server, then spammed those contacts with a link to the app ("from" that user). This undisclosed, unwanted behavior makes the software fit the definition of a trojan. Articles: [https://securelist.com/blog/incidents/33544/find-and-call-leak-and-spam-57/ Kaspersky SecureList], [http://arstechnica.com/apple/2012/07/find-and-call-app-becomes-first-trojan-to-appear-on-ios-app-store/ Ars Technica], [https://nakedsecurity.sophos.com/2012/07/06/find-call-ios-android-malware/ Sophos NakedSecurity]. It is also called FindCall.<br />
<br />
=== Packages by Nobitazzz (August 2012 and September 2013) ===<br />
<br />
A tweak developer who went by various names (Felix, FelixCat, isoftjsc, Martin Pham, Nitram88, Nobitazzz, Nobita.ZZZ, Sara_Nobita, sara_nobita_zzz, tuyentq2009, vietSARA) included adware in his tweaks. These were many free packages along with some paid packages sold via the Cydia Store, mostly distributed by default repositories (until the problem was discovered). The adware ran ads in the background of iOS, displaying off-screen so that the user wouldn't notice them, with the revenue from those ads going to this tweak developer. This was [http://modmyi.com/forums/cydia-support/810633-new-adware-malware-found-cydia.html reported in August 2012 on the ModMyi forum] and [http://ryanhileman.info/posts/webgl analyzed in September 2013] ([https://www.reddit.com/r/jailbreak/comments/1n5702/anatomy_of_a_jailbreak_trojan/ discussion on Reddit]).<br />
<br />
Packages by this developer included: Animated ICS LockScreen & HomeScreen, BetterChrome, Chrome Download Enabler, ChromeMe, Enable Copy text in Facebook app, Enable WebGL, Facebook Photo Library integration, FacebookThis, Handwriting recognition, Insta9gag, InstaFacebook for NotificationCenter, Instagram Image saver, InstaSocial for Notification Center, InstaTwitter for NotificationCenter, iOS 6 Photos Menu, Make Gmail as default, Notification Lunar Calendar, Olympic 2012 Medal for Notification Center, PhotoFilters, Sara, Sara Dictation Keyboard, VoiceTweet.<br />
<br />
=== AdThief/Spad (March and August 2014) ===<br />
<br />
AdThief (also called Spad) is malware targeting jailbroken iOS devices, which "tweaks a developer ID that’s intended to tell ad developers when their ads are either viewed or clicked and in turn, generate revenue. In the malware’s case, infected devices funnel those small payments away from the developers to the hacker", as [https://threatpost.com/adthief-ios-malware-affecting-75k-jailbroken-devices/107907 explained by Kaspersky Threatpost]. Security researchers estimated it had infected 75,000 devices.<br />
<br />
=== Unflod (April 2014) ===<br />
<br />
[[Unflod]] is a malicious piece of software targeting jailbroken iOS devices, which attempts to capture the user's Apple ID and password by using MobileSubstrate to hook into the SSLWrite function of Security.framework and then listening to data passed to it. Once the Apple ID and password are captured, it is sent to a Chinese IP address. It was inadvertently discovered by a Reddit user on April 17th, 2014. Also called "Unflod Baby Panda" and "SSLCreds".<br />
<br />
=== AppBuyer (September 2014) ===<br />
<br />
AppBuyer, as discussed in [http://researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/ this article by Palo Alto Networks], is "malware will connect to C&C server, download and execute malicious executable files, hook network APIs to steal user’s Apple ID and password and upload to the attacker’s server, and simulate Apple’s proprietary protocols to buy apps from the official App Store by victim’s identity." It targets jailbroken devices.<br />
<br />
=== WireLurker and Masque Attack (November 2014) ===<br />
<br />
As discussed at [[Misuse of enterprise and developer certificates]]: [http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/ according to Palo Alto Networks], WireLurker is "a family of malware targeting both Mac OS and iOS systems for the past six months...It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning."<br />
<br />
Masque Attacks are a related technique, also [https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html discussed by Palo Alto Networks]: "an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier."<br />
<br />
=== Xsser mRAT (December 2014) ===<br />
<br />
Xsser mRAT is a piece of malware that targets jailbroken devices. [https://blogs.akamai.com/2014/12/ios-and-android-os-targeted-by-man-in-the-middle-attacks.html As described by Akamai]: "The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server."<br />
<br />
=== Lock Saver Free (July 2015) ===<br />
<br />
Lock Saver Free is a free tweak, originally distributed on a default repository (removed from the repository after discovery of the problem), that installs an extra tweak that hooks into ad banners to insert its own ad identifier, presumably in order to give ad revenue to the author of the tweak instead of to the author of the website/app where the ad was found. [https://www.reddit.com/r/jailbreak/comments/3eis8g/news_lock_saver_free_contains_a_trojan_that/ Discussion on Reddit].<br />
<br />
=== KeyRaider (August 2015) ===<br />
<br />
KeyRaider, as discussed in [http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/ this article by Palo Alto Networks], is a piece of malware for jailbroken devices that "steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device." These security researchers said it has over 225,000 stolen accounts in its database.<br />
<br />
== Tools used by governments to target individuals ==<br />
<br />
=== FinSpy Mobile (August 2012) ===<br />
<br />
FinFisher is a suite of commercial surveillance tools sold to governments, which have been used to target activists and other people. The suite [https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/ includes spyware tools for many mobile operating systems, including iOS].<br />
<br />
=== DROPOUTJEEP (December 2013) ===<br />
<br />
In December 2013, a conference presentation included information about a NSA tool called DROPOUTJEEP: [http://www.forbes.com/sites/erikkain/2013/12/30/the-nsa-reportedly-has-total-access-to-your-iphone/ "a software implant for the Apple iPhone that utilizes modular mission applications to provide specific SIGINT functionality. This functionality includes the ability to remotely push/pull files from the device. SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell tower location, etc. Command, control and data exfiltration can occur over SMS messaging or a GPRS data connection. All communications with the implant will be covert and encrypted.”] The information was from an internal NSA software catalog from 2008. The presenter speculated that Apple had helped build this tool, and [http://techcrunch.com/2013/12/31/apple-says-it-has-never-worked-with-nsa-to-create-iphone-backdoors-is-unaware-of-alleged-dropoutjeep-snooping-program/ Apple said it "has never worked with the NSA to create a backdoor in any of our products"].<br />
<br />
=== Hacking Team tools (June 2014 and July 2015) ===<br />
<br />
[[Hacking Team]] is a company that "sells offensive intrusion and surveillance capabilities to governments and law enforcement agencies", including iOS spyware tools. The iOS spyware tools appear designed for targeting/attacking specific people, not for broad surveillance of the public. Their main tool (Remote Control System) requires a jailbroken device, and they were researching options for non-jailbroken devices.<br />
<br />
=== XAgent (February 2015) ===<br />
<br />
XAgent is a surveillance tool targeting specific people (such as people in governments, the military, and journalists) that can affect both non-jailbroken and jailbroken devices, as described in [http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/ this article by Trend Micro]. Also [http://www.pcworld.com/article/2880152/new-spyware-targets-ios-devices-steals-pictures-and-data.html covered by PCWorld].<br />
<br />
== Tools developed as part of research ==<br />
<br />
=== iSAM (June 2011) ===<br />
<br />
iSAM is a malware tool [http://link.springer.com/chapter/10.1007%2F978-3-642-21424-0_2 developed by security researchers] as a proof of concept. It affects both jailbroken and not-yet-jailbroken devices: it scans for jailbroken devices that have SSH running and the default root password, and it also includes a malicious version of the [[Star]] exploit (JailbreakMe 2.0) so it can jailbreak a device that isn't jailbroken yet.<br />
<br />
=== Instastock (November 2011) ===<br />
<br />
Charlie Miller, a security researcher, [http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/ submitted an app to the App Store called Instastock] to demonstrate "a flaw in Apple’s restrictions on code signing on iOS devices". The app was initially accepted and then pulled from the store.<br />
<br />
=== Mactans (July 2013) ===<br />
<br />
At the Black Hat 2013 conference, security researchers presented a tool called Mactans, a small device that looks like a charger but [http://www.zdnet.com/article/researchers-reveal-how-to-hack-an-iphone-in-60-seconds/ can insert malware if you plug an iOS device into it]. The iOS device does not have to be jailbroken.<br />
<br />
=== Jekyll (August 2013) ===<br />
<br />
At the USENIX Security Symposium in 2013, security researchers described a method for getting a malicious app approved for the App Store, [http://www.theguardian.com/technology/appsblog/2013/aug/19/ios-malware-apple-iphone-ipad-jekyll "created with remotely-exploitable vulnerabilities built in, masked by legitimate features to evade detection during the App Store approval process, but ready to be triggered once the app was installed on an iOS device."] They successfully got an app approved for the App Store with this method (which [http://arstechnica.com/security/2013/08/seemingly-benign-jekyll-app-passes-apple-review-then-becomes-evil/ "was only active for a few minutes following its launch in March, and during that time it wasn't installed by anyone not involved in the experiment"]).<br />
<br />
== Tools for sale to the public to target individuals ==<br />
<br />
=== Copy9 ===<br />
<br />
[http://cydia.saurik.com/package/com.goldenspy.copy9/ Copy9] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Copy9. It describes itself as "will be installed on target iDevice to find out a thief, cheating spouses, monitor chidren/employees or simply backup data from your devices to our cloud server. This is the best spyware on the world in spying field." [http://copy9.com/ Copy9 website].<br />
<br />
=== Copy10 ===<br />
<br />
[http://cydia.saurik.com/package/com.copy10.copy10/ Copy10] is a similar but separate spying tool available to the public via the ModMyi repository (a default repository), authored by IntelMobi/goldenspy. Their description includes "Are you having trust issues in your relationship? Sign that your kid's personality has changed and their behaviors, does your teenager hang out with friends you're concerned about? What if you believe one of your employees is a spy or is stealing company's technology, intellectual property or trade secrets?" [https://www.intelmobi.com/ IntelMobi website].<br />
<br />
=== FlexiSPY ===<br />
<br />
[http://www.flexispy.com/en/iphone-tracker-spy-on-iphone.htm FlexiSPY] is a spying tool available to the public presumably via their own repository (this isn't specified on their website, but it's specified that you need the device to be jailbroken). Their website says "If you have a committed relationship with your partner or are responsible for a child or employee YOU HAVE A RIGHT TO KNOW To protect your relationship, spy on their iPhone."<br />
<br />
=== iKeyGuard Key Logger ===<br />
<br />
[http://cydia.saurik.com/package/com.ikeyguard.ikg/ iKeyGuard Key Logger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by iKeyGuard. Its description includes "Warning: Logging other people without their permission might be illegal in your country! Make sure you abide by your local law."<br />
<br />
=== iKeyMonitor keylogger ===<br />
<br />
[http://cydia.saurik.com/package/com.aw.mobile.ikm/ iKeyMonitor keylogger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Awosoft Technology. [http://ikeymonitor.com/ Its website] includes "How to monitor your children's cell phone to discover the truth and protect them from potential dangers? Now with iKeyMonitor you can uncover the truth by secretly monitoring mobile phones and tablets such as iPhone/iPad/iPod and Android device."<br />
<br />
=== InnovaSPY ===<br />
<br />
[http://cydia.saurik.com/package/com.innovaspy.innovaspy/ InnovaSPY] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Innovaspy. Its description says "Perfect iPhone spy app" and lists reasons to use it as "Protect your child from cyber predators" and "Find out THE TRUE from cheating spouse?" Related package: [http://cydia.saurik.com/package/com.innovaspy.innovamonitor/ InnovaMonitor], a monitoring app for use with the spy tool. [http://innovaspy.com/ InnovaSPY website].<br />
<br />
=== Mobile Spy ===<br />
<br />
[http://www.mobile-spy.com/iphone-v7.html Mobile Spy] is a spying tool available to the public via their own repository, authored by Retina-X Studios. [http://www.mobile-spy.com/ Their website] says "View your Child or Employee's Smartphone and Tablet Usage. Monitor text messages, GPS locations, call details, photos and social media activity. View the screen and location LIVE!"<br />
<br />
=== MobiStealth ===<br />
<br />
[http://www.mobistealth.com/iphone-spy MobiStealth] is a spying tool available to the public for both [http://www.mobistealth.com/iphone-spy jailbroken iOS] (presumably installed via their own repository) and [http://www.mobistealth.com/ios-non-jailbreak non-jailbroken iOS] ("All that you require is the Apple ID and password of the iPhone or iPad that you want to monitor to get remote access to"). Their website includes "Are your employees misusing company owned phones? Are your kids getting more possessed and do not want to share anything with you? Stop wondering and thinking all day long, Mobistealth iPhone spy app is exactly what you need."<br />
<br />
=== mSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.mtechnology.mspy.trial/ mSpy] is a spying tool available to the public via the BigBoss repository (a default repository), authored by Mtechnology. Its description of itself: "mSpy is the best tracking and spy application that allows users to keep a check on the cell phone activities of their kids other family members or employees in order to avoid any unwanted behavior or for safety purposes."<br />
<br />
The mSpy website [http://www.mspy.com/compatibility.html indicates that they also have a version for non-jailbroken devices].<br />
<br />
=== OwnSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.ownspy.daemon/ OwnSpy] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Antonio Calatrava. It describes itself as "Spy your own iPhone or iPad", with call recording, location tracking, and other features. It has a warning that says "Installing OwnSpy on a device that does not belong to you is a criminal offense and may be prosecuted. Mobile Innovations will help authorities if required." [http://en.ownspy.com/P000001-install-on-ios OwnSpy website].<br />
<br />
=== Spy App ===<br />
<br />
[http://cydia.saurik.com/package/com.spyapp.daemon/ Spy App] is a spying tool available to the public via the ModMyi repository (a default repository), authored by dmarinov. Its description includes "Remotely spy SMS, Emails, Call Logs, GPS Location, Key presses (Keylogger)" and other features. It says it is "absolutely invisible and undetectable."<br />
<br />
=== SpyKey ===<br />
<br />
[http://cydia.saurik.com/package/com.kobisnir.spykey/ SpyKey] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Kobi Snir. Its description includes "a simple app that let you monitor your PC Keyboard activity in real time, Simply connect your iphone to your compute using your Wifi or 3G connection and start monitoring." The [http://www.ioslinks.com/spykey/ SpyKey website] includes "Great use for parental control purposes, protect your kids from chating with strangers!", "Discover usernames & passwords", and "Spy unfaithfull husband or wife."<br />
<br />
=== StealthGenie ===<br />
<br />
StealthGenie was a spying tool available to the public [http://blog.flexispy.com/remove-stealthgenie-iphone-android/ via their own repository]. It also supported other mobile operating systems. In November 2014, the person who advertised and sold this product was [http://www.justice.gov/opa/pr/man-pleads-guilty-selling-stealthgenie-spyware-app-and-ordered-pay-500000-fine charged with a federal crime and fined $500,000]. The charge was "sale of an interception device and advertisement of a known interception device", a wiretapping crime. [http://www.forbes.com/sites/kashmirhill/2014/09/30/stealthgenie-ugly-marketing-of-spyware/ A Forbes article] says "according to the FBI, Akbar and his team developed an internal business plan that revealed that — duh — the primary target audience for the app was people who thought their partners were cheating." The Forbes article points out [[#Mobile Spy]], [[#mSpy]], [[#FlexiSPY]], and [[#MobiStealth]] as similar products.<br />
<br />
=== Trapsms ===<br />
<br />
Trapsms was an early spying tool available to the public, [http://blog.fortinet.com/post/detecting-spyware-for-iphones described in this post by a security researcher in July 2009]. She says: "The spyware installs on any jailbroken iPhone. In Cydia (an iPhone front-end to help installing third-party applications), you first add the URL of the spyware's repository and then install the two spyware packages."<br />
<br />
[[Category:Malware research]]</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=Malware_for_iOS&diff=47618Malware for iOS2015-09-01T21:59:05Z<p>Britta: /* Tools developed as part of academic research */ more precise</p>
<hr />
<div>This is an '''incomplete''' list of known malware (including spyware, adware, trojans, viruses, worms, and similar tools) that have targeted iOS, including jailbroken iOS. The dates are approximate dates when people discovered, publicized, or started discussing the tool. '''Please help expand this article with more examples and details! To edit it, you can [[The iPhone Wiki:Account creation|request an account on TheiPhoneWiki]] if you don't have one.'''<br />
<br />
The goal of this list is to aid better understanding of the risks of using iOS and jailbroken iOS - it's helpful to have as much accurate information as you can. If you're concerned about avoiding malware on your jailbroken device, check out [https://www.reddit.com/r/jailbreak/wiki/howtoresearch this guide to making informed guesses about whether packages are reasonable to install].<br />
<br />
Some context: <br />
* Some of these tools targeted old iOS versions and do not work on current iOS versions.<br />
* Some of these are harmful and some are merely annoying.<br />
* Many of these require the device to be jailbroken, and some work on non-jailbroken devices.<br />
* Cydia is an open platform - it includes a specific set of default repositories, and it also allows users to type in any third-party repository that they want to use (much like a web browser that allows you to visit any website). Anyone can run a third-party repository and distribute any software they choose to distribute.<br />
* Some of these tools are built to target specific people instead of the general public.<br />
* Especially for malware that targets a specific person and requires the device to be jailbroken (such as commercial spyware tools used by governments and [http://www.forbes.com/sites/sarahjeong/2014/10/28/surveillance-begins-at-home/ people spying on family members]), it's important to consider that ''the vulnerabilities in iOS that allow it to be exploited with a jailbreak'' are part of what allows that malware to exist - the process may include finding a way to secretly jailbreak the target's device if it's not jailbroken already.<br />
<br />
For an earlier list of known malware, see [https://blog.fortinet.com/post/ios-malware-does-exist "iOS Malware Does Exist"] (June 2014).<br />
<br />
== Tools found in the wild that target the public ==<br />
<br />
=== iKee and Duh (November 2009) ===<br />
<br />
The [[Ikee-virus]] (also called Eeki) is a worm transmitted between jailbroken devices that have OpenSSH installed and haven't changed the default root password. It changes the lockscreen background to a photo of Rick Astley.<br />
<br />
Two weeks later, the similar [https://nakedsecurity.sophos.com/2009/11/23/lightning-strikes-iphone-malware-malicious/ Duh worm] spread, which was "much more serious than the original Ikee worm because it is not limited to infecting iPhone users in Australia, and communicates with an internet Control & Command centre, downloading new instructions - effectively turning your iPhone into part of a botnet."<br />
<br />
=== "Find and Call" (July 2012) ===<br />
<br />
Find and Call was an app on the App Store that automatically uploaded users' contact lists to the company's server, then spammed those contacts with a link to the app ("from" that user). This undisclosed, unwanted behavior makes the software fit the definition of a trojan. Articles: [https://securelist.com/blog/incidents/33544/find-and-call-leak-and-spam-57/ Kaspersky SecureList], [http://arstechnica.com/apple/2012/07/find-and-call-app-becomes-first-trojan-to-appear-on-ios-app-store/ Ars Technica], [https://nakedsecurity.sophos.com/2012/07/06/find-call-ios-android-malware/ Sophos NakedSecurity]. It is also called FindCall.<br />
<br />
=== Packages by Nobitazzz (August 2012 and September 2013) ===<br />
<br />
A tweak developer who went by various names (Felix, FelixCat, isoftjsc, Martin Pham, Nitram88, Nobitazzz, Nobita.ZZZ, Sara_Nobita, sara_nobita_zzz, tuyentq2009, vietSARA) included adware in his tweaks. These were many free packages along with some paid packages sold via the Cydia Store, mostly distributed by default repositories (until the problem was discovered). The adware ran ads in the background of iOS, displaying off-screen so that the user wouldn't notice them, with the revenue from those ads going to this tweak developer. This was [http://modmyi.com/forums/cydia-support/810633-new-adware-malware-found-cydia.html reported in August 2012 on the ModMyi forum] and [http://ryanhileman.info/posts/webgl analyzed in September 2013] ([https://www.reddit.com/r/jailbreak/comments/1n5702/anatomy_of_a_jailbreak_trojan/ discussion on Reddit]).<br />
<br />
Packages by this developer included: Animated ICS LockScreen & HomeScreen, BetterChrome, Chrome Download Enabler, ChromeMe, Enable Copy text in Facebook app, Enable WebGL, Facebook Photo Library integration, FacebookThis, Handwriting recognition, Insta9gag, InstaFacebook for NotificationCenter, Instagram Image saver, InstaSocial for Notification Center, InstaTwitter for NotificationCenter, iOS 6 Photos Menu, Make Gmail as default, Notification Lunar Calendar, Olympic 2012 Medal for Notification Center, PhotoFilters, Sara, Sara Dictation Keyboard, VoiceTweet.<br />
<br />
=== AdThief/Spad (March and August 2014) ===<br />
<br />
AdThief (also called Spad) is malware targeting jailbroken iOS devices, which "tweaks a developer ID that’s intended to tell ad developers when their ads are either viewed or clicked and in turn, generate revenue. In the malware’s case, infected devices funnel those small payments away from the developers to the hacker", as [https://threatpost.com/adthief-ios-malware-affecting-75k-jailbroken-devices/107907 explained by Kaspersky Threatpost]. Security researchers estimated it had infected 75,000 devices.<br />
<br />
=== Unflod (April 2014) ===<br />
<br />
[[Unflod]] is a malicious piece of software targeting jailbroken iOS devices, which attempts to capture the user's Apple ID and password by using MobileSubstrate to hook into the SSLWrite function of Security.framework and then listening to data passed to it. Once the Apple ID and password are captured, it is sent to a Chinese IP address. It was inadvertently discovered by a Reddit user on April 17th, 2014. Also called "Unflod Baby Panda" and "SSLCreds".<br />
<br />
=== AppBuyer (September 2014) ===<br />
<br />
AppBuyer, as discussed in [http://researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/ this article by Palo Alto Networks], is "malware will connect to C&C server, download and execute malicious executable files, hook network APIs to steal user’s Apple ID and password and upload to the attacker’s server, and simulate Apple’s proprietary protocols to buy apps from the official App Store by victim’s identity." It targets jailbroken devices.<br />
<br />
=== WireLurker and Masque Attack (November 2014) ===<br />
<br />
As discussed at [[Misuse of enterprise and developer certificates]]: [http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/ according to Palo Alto Networks], WireLurker is "a family of malware targeting both Mac OS and iOS systems for the past six months...It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning."<br />
<br />
Masque Attacks are a related technique, also [https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html discussed by Palo Alto Networks]: "an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier."<br />
<br />
=== Xsser mRAT (December 2014) ===<br />
<br />
Xsser mRAT is a piece of malware that targets jailbroken devices. [https://blogs.akamai.com/2014/12/ios-and-android-os-targeted-by-man-in-the-middle-attacks.html As described by Akamai]: "The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server."<br />
<br />
=== Lock Saver Free (July 2015) ===<br />
<br />
Lock Saver Free is a free tweak, originally distributed on a default repository (removed from the repository after discovery of the problem), that installs an extra tweak that hooks into ad banners to insert its own ad identifier, presumably in order to give ad revenue to the author of the tweak instead of to the author of the website/app where the ad was found. [https://www.reddit.com/r/jailbreak/comments/3eis8g/news_lock_saver_free_contains_a_trojan_that/ Discussion on Reddit].<br />
<br />
=== KeyRaider (August 2015) ===<br />
<br />
KeyRaider, as discussed in [http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/ this article by Palo Alto Networks], is a piece of malware for jailbroken devices that "steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device." These security researchers said it has over 225,000 stolen accounts in its database.<br />
<br />
== Tools used by governments to target individuals ==<br />
<br />
=== FinSpy Mobile (August 2012) ===<br />
<br />
FinFisher is a suite of commercial surveillance tools sold to governments, which have been used to target activists and other people. The suite [https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/ includes spyware tools for many mobile operating systems, including iOS].<br />
<br />
=== DROPOUTJEEP (December 2013) ===<br />
<br />
In December 2013, a conference presentation included information about a NSA tool called DROPOUTJEEP: [http://www.forbes.com/sites/erikkain/2013/12/30/the-nsa-reportedly-has-total-access-to-your-iphone/ "a software implant for the Apple iPhone that utilizes modular mission applications to provide specific SIGINT functionality. This functionality includes the ability to remotely push/pull files from the device. SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell tower location, etc. Command, control and data exfiltration can occur over SMS messaging or a GPRS data connection. All communications with the implant will be covert and encrypted.”] The information was from an internal NSA software catalog from 2008. The presenter speculated that Apple had helped build this tool, and [http://techcrunch.com/2013/12/31/apple-says-it-has-never-worked-with-nsa-to-create-iphone-backdoors-is-unaware-of-alleged-dropoutjeep-snooping-program/ Apple said it "has never worked with the NSA to create a backdoor in any of our products"].<br />
<br />
=== Hacking Team tools (June 2014 and July 2015) ===<br />
<br />
[[Hacking Team]] is a company that "sells offensive intrusion and surveillance capabilities to governments and law enforcement agencies", including iOS spyware tools. The iOS spyware tools appear designed for targeting/attacking specific people, not for broad surveillance of the public. Their main tool (Remote Control System) requires a jailbroken device, and they were researching options for non-jailbroken devices.<br />
<br />
=== XAgent (February 2015) ===<br />
<br />
XAgent is a surveillance tool targeting specific people (such as people in governments, the military, and journalists) that can affect both non-jailbroken and jailbroken devices, as described in [http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/ this article by Trend Micro]. Also [http://www.pcworld.com/article/2880152/new-spyware-targets-ios-devices-steals-pictures-and-data.html covered by PCWorld].<br />
<br />
== Tools developed as part of research ==<br />
<br />
=== iSAM (June 2011) ===<br />
<br />
iSAM is a malware tool [http://link.springer.com/chapter/10.1007%2F978-3-642-21424-0_2 developed by security researchers] as a proof of concept. It affects both jailbroken and not-yet-jailbroken devices: it scans for jailbroken devices that have SSH running and the default root password, and it also includes a malicious version of the [[Star]] exploit (JailbreakMe 2.0) so it can jailbreak a device that isn't jailbroken yet.<br />
<br />
=== Instastock (November 2011) ===<br />
<br />
Charlie Miller, a security researcher, [http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/ submitted an app to the App Store called Instastock] to demonstrate "a flaw in Apple’s restrictions on code signing on iOS devices". The app was initially accepted and then pulled from the store.<br />
<br />
=== Mactans (July 2013) ===<br />
<br />
At the Black Hat 2013 conference, security researchers presented a tool called Mactans, a small device that looks like a charger but [http://www.zdnet.com/article/researchers-reveal-how-to-hack-an-iphone-in-60-seconds/ can insert malware if you plug an iOS device into it]. The iOS device does not have to be jailbroken.<br />
<br />
=== Jekyll (August 2013) ===<br />
<br />
At the USENIX Security Symposium in 2013, security researchers described a method for getting a malicious app approved for the App Store, [http://www.theguardian.com/technology/appsblog/2013/aug/19/ios-malware-apple-iphone-ipad-jekyll "created with remotely-exploitable vulnerabilities built in, masked by legitimate features to evade detection during the App Store approval process, but ready to be triggered once the app was installed on an iOS device."] They successfully got an app approved for the App Store with this method (which [http://arstechnica.com/security/2013/08/seemingly-benign-jekyll-app-passes-apple-review-then-becomes-evil/ "was only active for a few minutes following its launch in March, and during that time it wasn't installed by anyone not involved in the experiment"]).<br />
<br />
== Tools for sale to the public to target individuals ==<br />
<br />
=== Copy9 ===<br />
<br />
[http://cydia.saurik.com/package/com.goldenspy.copy9/ Copy9] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Copy9. It describes itself as "will be installed on target iDevice to find out a thief, cheating spouses, monitor chidren/employees or simply backup data from your devices to our cloud server. This is the best spyware on the world in spying field." [http://copy9.com/ Copy9 website].<br />
<br />
=== Copy10 ===<br />
<br />
[http://cydia.saurik.com/package/com.copy10.copy10/ Copy10] is a similar but separate spying tool available to the public via the ModMyi repository (a default repository), authored by IntelMobi/goldenspy. Their description includes "Are you having trust issues in your relationship? Sign that your kid's personality has changed and their behaviors, does your teenager hang out with friends you're concerned about? What if you believe one of your employees is a spy or is stealing company's technology, intellectual property or trade secrets?" [https://www.intelmobi.com/ IntelMobi website].<br />
<br />
=== FlexiSPY ===<br />
<br />
[http://www.flexispy.com/en/iphone-tracker-spy-on-iphone.htm FlexiSPY] is a spying tool available to the public presumably via their own repository (this isn't specified on their website, but it's specified that you need the device to be jailbroken). Their website says "If you have a committed relationship with your partner or are responsible for a child or employee YOU HAVE A RIGHT TO KNOW To protect your relationship, spy on their iPhone."<br />
<br />
=== iKeyGuard Key Logger ===<br />
<br />
[http://cydia.saurik.com/package/com.ikeyguard.ikg/ iKeyGuard Key Logger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by iKeyGuard. Its description includes "Warning: Logging other people without their permission might be illegal in your country! Make sure you abide by your local law."<br />
<br />
=== iKeyMonitor keylogger ===<br />
<br />
[http://cydia.saurik.com/package/com.aw.mobile.ikm/ iKeyMonitor keylogger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Awosoft Technology. [http://ikeymonitor.com/ Its website] includes "How to monitor your children's cell phone to discover the truth and protect them from potential dangers? Now with iKeyMonitor you can uncover the truth by secretly monitoring mobile phones and tablets such as iPhone/iPad/iPod and Android device."<br />
<br />
=== InnovaSPY ===<br />
<br />
[http://cydia.saurik.com/package/com.innovaspy.innovaspy/ InnovaSPY] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Innovaspy. Its description says "Perfect iPhone spy app" and lists reasons to use it as "Protect your child from cyber predators" and "Find out THE TRUE from cheating spouse?" Related package: [http://cydia.saurik.com/package/com.innovaspy.innovamonitor/ InnovaMonitor], a monitoring app for use with the spy tool. [http://innovaspy.com/ InnovaSPY website].<br />
<br />
=== Mobile Spy ===<br />
<br />
[http://www.mobile-spy.com/iphone-v7.html Mobile Spy] is a spying tool available to the public via their own repository, authored by Retina-X Studios. [http://www.mobile-spy.com/ Their website] says "View your Child or Employee's Smartphone and Tablet Usage. Monitor text messages, GPS locations, call details, photos and social media activity. View the screen and location LIVE!"<br />
<br />
=== MobiStealth ===<br />
<br />
[http://www.mobistealth.com/iphone-spy MobiStealth] is a spying tool available to the public for both [http://www.mobistealth.com/iphone-spy jailbroken iOS] (presumably installed via their own repository) and [http://www.mobistealth.com/ios-non-jailbreak non-jailbroken iOS] ("All that you require is the Apple ID and password of the iPhone or iPad that you want to monitor to get remote access to"). Their website includes "Are your employees misusing company owned phones? Are your kids getting more possessed and do not want to share anything with you? Stop wondering and thinking all day long, Mobistealth iPhone spy app is exactly what you need."<br />
<br />
=== mSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.mtechnology.mspy.trial/ mSpy] is a spying tool available to the public via the BigBoss repository (a default repository), authored by Mtechnology. Its description of itself: "mSpy is the best tracking and spy application that allows users to keep a check on the cell phone activities of their kids other family members or employees in order to avoid any unwanted behavior or for safety purposes."<br />
<br />
The mSpy website [http://www.mspy.com/compatibility.html indicates that they also have a version for non-jailbroken devices].<br />
<br />
=== OwnSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.ownspy.daemon/ OwnSpy] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Antonio Calatrava. It describes itself as "Spy your own iPhone or iPad", with call recording, location tracking, and other features. It has a warning that says "Installing OwnSpy on a device that does not belong to you is a criminal offense and may be prosecuted. Mobile Innovations will help authorities if required." [http://en.ownspy.com/P000001-install-on-ios OwnSpy website].<br />
<br />
=== Spy App ===<br />
<br />
[http://cydia.saurik.com/package/com.spyapp.daemon/ Spy App] is a spying tool available to the public via the ModMyi repository (a default repository), authored by dmarinov. Its description includes "Remotely spy SMS, Emails, Call Logs, GPS Location, Key presses (Keylogger)" and other features. It says it is "absolutely invisible and undetectable."<br />
<br />
=== SpyKey ===<br />
<br />
[http://cydia.saurik.com/package/com.kobisnir.spykey/ SpyKey] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Kobi Snir. Its description includes "a simple app that let you monitor your PC Keyboard activity in real time, Simply connect your iphone to your compute using your Wifi or 3G connection and start monitoring." The [http://www.ioslinks.com/spykey/ SpyKey website] includes "Great use for parental control purposes, protect your kids from chating with strangers!", "Discover usernames & passwords", and "Spy unfaithfull husband or wife."<br />
<br />
=== StealthGenie ===<br />
<br />
StealthGenie was a spying tool available to the public [http://blog.flexispy.com/remove-stealthgenie-iphone-android/ via their own repository]. It also supported other mobile operating systems. In November 2014, the person who advertised and sold this product was [http://www.justice.gov/opa/pr/man-pleads-guilty-selling-stealthgenie-spyware-app-and-ordered-pay-500000-fine charged with a federal crime and fined $500,000]. The charge was "sale of an interception device and advertisement of a known interception device", a wiretapping crime. [http://www.forbes.com/sites/kashmirhill/2014/09/30/stealthgenie-ugly-marketing-of-spyware/ A Forbes article] says "according to the FBI, Akbar and his team developed an internal business plan that revealed that — duh — the primary target audience for the app was people who thought their partners were cheating." The Forbes article points out [[#Mobile Spy]], [[#mSpy]], [[#FlexiSPY]], and [[#MobiStealth]] as similar products.<br />
<br />
=== Trapsms ===<br />
<br />
Trapsms was an early spying tool available to the public, [http://blog.fortinet.com/post/detecting-spyware-for-iphones described in this post by a security researcher in July 2009]. She says: "The spyware installs on any jailbroken iPhone. In Cydia (an iPhone front-end to help installing third-party applications), you first add the URL of the spyware's repository and then install the two spyware packages."<br />
<br />
[[Category:Malware research]]</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=Malware_for_iOS&diff=47617Malware for iOS2015-09-01T21:58:11Z<p>Britta: /* Tools for sale to the public */ better title</p>
<hr />
<div>This is an '''incomplete''' list of known malware (including spyware, adware, trojans, viruses, worms, and similar tools) that have targeted iOS, including jailbroken iOS. The dates are approximate dates when people discovered, publicized, or started discussing the tool. '''Please help expand this article with more examples and details! To edit it, you can [[The iPhone Wiki:Account creation|request an account on TheiPhoneWiki]] if you don't have one.'''<br />
<br />
The goal of this list is to aid better understanding of the risks of using iOS and jailbroken iOS - it's helpful to have as much accurate information as you can. If you're concerned about avoiding malware on your jailbroken device, check out [https://www.reddit.com/r/jailbreak/wiki/howtoresearch this guide to making informed guesses about whether packages are reasonable to install].<br />
<br />
Some context: <br />
* Some of these tools targeted old iOS versions and do not work on current iOS versions.<br />
* Some of these are harmful and some are merely annoying.<br />
* Many of these require the device to be jailbroken, and some work on non-jailbroken devices.<br />
* Cydia is an open platform - it includes a specific set of default repositories, and it also allows users to type in any third-party repository that they want to use (much like a web browser that allows you to visit any website). Anyone can run a third-party repository and distribute any software they choose to distribute.<br />
* Some of these tools are built to target specific people instead of the general public.<br />
* Especially for malware that targets a specific person and requires the device to be jailbroken (such as commercial spyware tools used by governments and [http://www.forbes.com/sites/sarahjeong/2014/10/28/surveillance-begins-at-home/ people spying on family members]), it's important to consider that ''the vulnerabilities in iOS that allow it to be exploited with a jailbreak'' are part of what allows that malware to exist - the process may include finding a way to secretly jailbreak the target's device if it's not jailbroken already.<br />
<br />
For an earlier list of known malware, see [https://blog.fortinet.com/post/ios-malware-does-exist "iOS Malware Does Exist"] (June 2014).<br />
<br />
== Tools found in the wild that target the public ==<br />
<br />
=== iKee and Duh (November 2009) ===<br />
<br />
The [[Ikee-virus]] (also called Eeki) is a worm transmitted between jailbroken devices that have OpenSSH installed and haven't changed the default root password. It changes the lockscreen background to a photo of Rick Astley.<br />
<br />
Two weeks later, the similar [https://nakedsecurity.sophos.com/2009/11/23/lightning-strikes-iphone-malware-malicious/ Duh worm] spread, which was "much more serious than the original Ikee worm because it is not limited to infecting iPhone users in Australia, and communicates with an internet Control & Command centre, downloading new instructions - effectively turning your iPhone into part of a botnet."<br />
<br />
=== "Find and Call" (July 2012) ===<br />
<br />
Find and Call was an app on the App Store that automatically uploaded users' contact lists to the company's server, then spammed those contacts with a link to the app ("from" that user). This undisclosed, unwanted behavior makes the software fit the definition of a trojan. Articles: [https://securelist.com/blog/incidents/33544/find-and-call-leak-and-spam-57/ Kaspersky SecureList], [http://arstechnica.com/apple/2012/07/find-and-call-app-becomes-first-trojan-to-appear-on-ios-app-store/ Ars Technica], [https://nakedsecurity.sophos.com/2012/07/06/find-call-ios-android-malware/ Sophos NakedSecurity]. It is also called FindCall.<br />
<br />
=== Packages by Nobitazzz (August 2012 and September 2013) ===<br />
<br />
A tweak developer who went by various names (Felix, FelixCat, isoftjsc, Martin Pham, Nitram88, Nobitazzz, Nobita.ZZZ, Sara_Nobita, sara_nobita_zzz, tuyentq2009, vietSARA) included adware in his tweaks. These were many free packages along with some paid packages sold via the Cydia Store, mostly distributed by default repositories (until the problem was discovered). The adware ran ads in the background of iOS, displaying off-screen so that the user wouldn't notice them, with the revenue from those ads going to this tweak developer. This was [http://modmyi.com/forums/cydia-support/810633-new-adware-malware-found-cydia.html reported in August 2012 on the ModMyi forum] and [http://ryanhileman.info/posts/webgl analyzed in September 2013] ([https://www.reddit.com/r/jailbreak/comments/1n5702/anatomy_of_a_jailbreak_trojan/ discussion on Reddit]).<br />
<br />
Packages by this developer included: Animated ICS LockScreen & HomeScreen, BetterChrome, Chrome Download Enabler, ChromeMe, Enable Copy text in Facebook app, Enable WebGL, Facebook Photo Library integration, FacebookThis, Handwriting recognition, Insta9gag, InstaFacebook for NotificationCenter, Instagram Image saver, InstaSocial for Notification Center, InstaTwitter for NotificationCenter, iOS 6 Photos Menu, Make Gmail as default, Notification Lunar Calendar, Olympic 2012 Medal for Notification Center, PhotoFilters, Sara, Sara Dictation Keyboard, VoiceTweet.<br />
<br />
=== AdThief/Spad (March and August 2014) ===<br />
<br />
AdThief (also called Spad) is malware targeting jailbroken iOS devices, which "tweaks a developer ID that’s intended to tell ad developers when their ads are either viewed or clicked and in turn, generate revenue. In the malware’s case, infected devices funnel those small payments away from the developers to the hacker", as [https://threatpost.com/adthief-ios-malware-affecting-75k-jailbroken-devices/107907 explained by Kaspersky Threatpost]. Security researchers estimated it had infected 75,000 devices.<br />
<br />
=== Unflod (April 2014) ===<br />
<br />
[[Unflod]] is a malicious piece of software targeting jailbroken iOS devices, which attempts to capture the user's Apple ID and password by using MobileSubstrate to hook into the SSLWrite function of Security.framework and then listening to data passed to it. Once the Apple ID and password are captured, it is sent to a Chinese IP address. It was inadvertently discovered by a Reddit user on April 17th, 2014. Also called "Unflod Baby Panda" and "SSLCreds".<br />
<br />
=== AppBuyer (September 2014) ===<br />
<br />
AppBuyer, as discussed in [http://researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/ this article by Palo Alto Networks], is "malware will connect to C&C server, download and execute malicious executable files, hook network APIs to steal user’s Apple ID and password and upload to the attacker’s server, and simulate Apple’s proprietary protocols to buy apps from the official App Store by victim’s identity." It targets jailbroken devices.<br />
<br />
=== WireLurker and Masque Attack (November 2014) ===<br />
<br />
As discussed at [[Misuse of enterprise and developer certificates]]: [http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/ according to Palo Alto Networks], WireLurker is "a family of malware targeting both Mac OS and iOS systems for the past six months...It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning."<br />
<br />
Masque Attacks are a related technique, also [https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html discussed by Palo Alto Networks]: "an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier."<br />
<br />
=== Xsser mRAT (December 2014) ===<br />
<br />
Xsser mRAT is a piece of malware that targets jailbroken devices. [https://blogs.akamai.com/2014/12/ios-and-android-os-targeted-by-man-in-the-middle-attacks.html As described by Akamai]: "The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server."<br />
<br />
=== Lock Saver Free (July 2015) ===<br />
<br />
Lock Saver Free is a free tweak, originally distributed on a default repository (removed from the repository after discovery of the problem), that installs an extra tweak that hooks into ad banners to insert its own ad identifier, presumably in order to give ad revenue to the author of the tweak instead of to the author of the website/app where the ad was found. [https://www.reddit.com/r/jailbreak/comments/3eis8g/news_lock_saver_free_contains_a_trojan_that/ Discussion on Reddit].<br />
<br />
=== KeyRaider (August 2015) ===<br />
<br />
KeyRaider, as discussed in [http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/ this article by Palo Alto Networks], is a piece of malware for jailbroken devices that "steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device." These security researchers said it has over 225,000 stolen accounts in its database.<br />
<br />
== Tools used by governments to target individuals ==<br />
<br />
=== FinSpy Mobile (August 2012) ===<br />
<br />
FinFisher is a suite of commercial surveillance tools sold to governments, which have been used to target activists and other people. The suite [https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/ includes spyware tools for many mobile operating systems, including iOS].<br />
<br />
=== DROPOUTJEEP (December 2013) ===<br />
<br />
In December 2013, a conference presentation included information about a NSA tool called DROPOUTJEEP: [http://www.forbes.com/sites/erikkain/2013/12/30/the-nsa-reportedly-has-total-access-to-your-iphone/ "a software implant for the Apple iPhone that utilizes modular mission applications to provide specific SIGINT functionality. This functionality includes the ability to remotely push/pull files from the device. SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell tower location, etc. Command, control and data exfiltration can occur over SMS messaging or a GPRS data connection. All communications with the implant will be covert and encrypted.”] The information was from an internal NSA software catalog from 2008. The presenter speculated that Apple had helped build this tool, and [http://techcrunch.com/2013/12/31/apple-says-it-has-never-worked-with-nsa-to-create-iphone-backdoors-is-unaware-of-alleged-dropoutjeep-snooping-program/ Apple said it "has never worked with the NSA to create a backdoor in any of our products"].<br />
<br />
=== Hacking Team tools (June 2014 and July 2015) ===<br />
<br />
[[Hacking Team]] is a company that "sells offensive intrusion and surveillance capabilities to governments and law enforcement agencies", including iOS spyware tools. The iOS spyware tools appear designed for targeting/attacking specific people, not for broad surveillance of the public. Their main tool (Remote Control System) requires a jailbroken device, and they were researching options for non-jailbroken devices.<br />
<br />
=== XAgent (February 2015) ===<br />
<br />
XAgent is a surveillance tool targeting specific people (such as people in governments, the military, and journalists) that can affect both non-jailbroken and jailbroken devices, as described in [http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/ this article by Trend Micro]. Also [http://www.pcworld.com/article/2880152/new-spyware-targets-ios-devices-steals-pictures-and-data.html covered by PCWorld].<br />
<br />
== Tools developed as part of academic research ==<br />
<br />
=== iSAM (June 2011) ===<br />
<br />
iSAM is a malware tool [http://link.springer.com/chapter/10.1007%2F978-3-642-21424-0_2 developed by security researchers] as a proof of concept. It affects both jailbroken and not-yet-jailbroken devices: it scans for jailbroken devices that have SSH running and the default root password, and it also includes a malicious version of the [[Star]] exploit (JailbreakMe 2.0) so it can jailbreak a device that isn't jailbroken yet.<br />
<br />
=== Instastock (November 2011) ===<br />
<br />
Charlie Miller, a security researcher, [http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/ submitted an app to the App Store called Instastock] to demonstrate "a flaw in Apple’s restrictions on code signing on iOS devices". The app was initially accepted and then pulled from the store.<br />
<br />
=== Mactans (July 2013) ===<br />
<br />
At the Black Hat 2013 conference, security researchers presented a tool called Mactans, a small device that looks like a charger but [http://www.zdnet.com/article/researchers-reveal-how-to-hack-an-iphone-in-60-seconds/ can insert malware if you plug an iOS device into it]. The iOS device does not have to be jailbroken.<br />
<br />
=== Jekyll (August 2013) ===<br />
<br />
At the USENIX Security Symposium in 2013, security researchers described a method for getting a malicious app approved for the App Store, [http://www.theguardian.com/technology/appsblog/2013/aug/19/ios-malware-apple-iphone-ipad-jekyll "created with remotely-exploitable vulnerabilities built in, masked by legitimate features to evade detection during the App Store approval process, but ready to be triggered once the app was installed on an iOS device."] They successfully got an app approved for the App Store with this method (which [http://arstechnica.com/security/2013/08/seemingly-benign-jekyll-app-passes-apple-review-then-becomes-evil/ "was only active for a few minutes following its launch in March, and during that time it wasn't installed by anyone not involved in the experiment"]).<br />
<br />
== Tools for sale to the public to target individuals ==<br />
<br />
=== Copy9 ===<br />
<br />
[http://cydia.saurik.com/package/com.goldenspy.copy9/ Copy9] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Copy9. It describes itself as "will be installed on target iDevice to find out a thief, cheating spouses, monitor chidren/employees or simply backup data from your devices to our cloud server. This is the best spyware on the world in spying field." [http://copy9.com/ Copy9 website].<br />
<br />
=== Copy10 ===<br />
<br />
[http://cydia.saurik.com/package/com.copy10.copy10/ Copy10] is a similar but separate spying tool available to the public via the ModMyi repository (a default repository), authored by IntelMobi/goldenspy. Their description includes "Are you having trust issues in your relationship? Sign that your kid's personality has changed and their behaviors, does your teenager hang out with friends you're concerned about? What if you believe one of your employees is a spy or is stealing company's technology, intellectual property or trade secrets?" [https://www.intelmobi.com/ IntelMobi website].<br />
<br />
=== FlexiSPY ===<br />
<br />
[http://www.flexispy.com/en/iphone-tracker-spy-on-iphone.htm FlexiSPY] is a spying tool available to the public presumably via their own repository (this isn't specified on their website, but it's specified that you need the device to be jailbroken). Their website says "If you have a committed relationship with your partner or are responsible for a child or employee YOU HAVE A RIGHT TO KNOW To protect your relationship, spy on their iPhone."<br />
<br />
=== iKeyGuard Key Logger ===<br />
<br />
[http://cydia.saurik.com/package/com.ikeyguard.ikg/ iKeyGuard Key Logger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by iKeyGuard. Its description includes "Warning: Logging other people without their permission might be illegal in your country! Make sure you abide by your local law."<br />
<br />
=== iKeyMonitor keylogger ===<br />
<br />
[http://cydia.saurik.com/package/com.aw.mobile.ikm/ iKeyMonitor keylogger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Awosoft Technology. [http://ikeymonitor.com/ Its website] includes "How to monitor your children's cell phone to discover the truth and protect them from potential dangers? Now with iKeyMonitor you can uncover the truth by secretly monitoring mobile phones and tablets such as iPhone/iPad/iPod and Android device."<br />
<br />
=== InnovaSPY ===<br />
<br />
[http://cydia.saurik.com/package/com.innovaspy.innovaspy/ InnovaSPY] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Innovaspy. Its description says "Perfect iPhone spy app" and lists reasons to use it as "Protect your child from cyber predators" and "Find out THE TRUE from cheating spouse?" Related package: [http://cydia.saurik.com/package/com.innovaspy.innovamonitor/ InnovaMonitor], a monitoring app for use with the spy tool. [http://innovaspy.com/ InnovaSPY website].<br />
<br />
=== Mobile Spy ===<br />
<br />
[http://www.mobile-spy.com/iphone-v7.html Mobile Spy] is a spying tool available to the public via their own repository, authored by Retina-X Studios. [http://www.mobile-spy.com/ Their website] says "View your Child or Employee's Smartphone and Tablet Usage. Monitor text messages, GPS locations, call details, photos and social media activity. View the screen and location LIVE!"<br />
<br />
=== MobiStealth ===<br />
<br />
[http://www.mobistealth.com/iphone-spy MobiStealth] is a spying tool available to the public for both [http://www.mobistealth.com/iphone-spy jailbroken iOS] (presumably installed via their own repository) and [http://www.mobistealth.com/ios-non-jailbreak non-jailbroken iOS] ("All that you require is the Apple ID and password of the iPhone or iPad that you want to monitor to get remote access to"). Their website includes "Are your employees misusing company owned phones? Are your kids getting more possessed and do not want to share anything with you? Stop wondering and thinking all day long, Mobistealth iPhone spy app is exactly what you need."<br />
<br />
=== mSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.mtechnology.mspy.trial/ mSpy] is a spying tool available to the public via the BigBoss repository (a default repository), authored by Mtechnology. Its description of itself: "mSpy is the best tracking and spy application that allows users to keep a check on the cell phone activities of their kids other family members or employees in order to avoid any unwanted behavior or for safety purposes."<br />
<br />
The mSpy website [http://www.mspy.com/compatibility.html indicates that they also have a version for non-jailbroken devices].<br />
<br />
=== OwnSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.ownspy.daemon/ OwnSpy] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Antonio Calatrava. It describes itself as "Spy your own iPhone or iPad", with call recording, location tracking, and other features. It has a warning that says "Installing OwnSpy on a device that does not belong to you is a criminal offense and may be prosecuted. Mobile Innovations will help authorities if required." [http://en.ownspy.com/P000001-install-on-ios OwnSpy website].<br />
<br />
=== Spy App ===<br />
<br />
[http://cydia.saurik.com/package/com.spyapp.daemon/ Spy App] is a spying tool available to the public via the ModMyi repository (a default repository), authored by dmarinov. Its description includes "Remotely spy SMS, Emails, Call Logs, GPS Location, Key presses (Keylogger)" and other features. It says it is "absolutely invisible and undetectable."<br />
<br />
=== SpyKey ===<br />
<br />
[http://cydia.saurik.com/package/com.kobisnir.spykey/ SpyKey] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Kobi Snir. Its description includes "a simple app that let you monitor your PC Keyboard activity in real time, Simply connect your iphone to your compute using your Wifi or 3G connection and start monitoring." The [http://www.ioslinks.com/spykey/ SpyKey website] includes "Great use for parental control purposes, protect your kids from chating with strangers!", "Discover usernames & passwords", and "Spy unfaithfull husband or wife."<br />
<br />
=== StealthGenie ===<br />
<br />
StealthGenie was a spying tool available to the public [http://blog.flexispy.com/remove-stealthgenie-iphone-android/ via their own repository]. It also supported other mobile operating systems. In November 2014, the person who advertised and sold this product was [http://www.justice.gov/opa/pr/man-pleads-guilty-selling-stealthgenie-spyware-app-and-ordered-pay-500000-fine charged with a federal crime and fined $500,000]. The charge was "sale of an interception device and advertisement of a known interception device", a wiretapping crime. [http://www.forbes.com/sites/kashmirhill/2014/09/30/stealthgenie-ugly-marketing-of-spyware/ A Forbes article] says "according to the FBI, Akbar and his team developed an internal business plan that revealed that — duh — the primary target audience for the app was people who thought their partners were cheating." The Forbes article points out [[#Mobile Spy]], [[#mSpy]], [[#FlexiSPY]], and [[#MobiStealth]] as similar products.<br />
<br />
=== Trapsms ===<br />
<br />
Trapsms was an early spying tool available to the public, [http://blog.fortinet.com/post/detecting-spyware-for-iphones described in this post by a security researcher in July 2009]. She says: "The spyware installs on any jailbroken iPhone. In Cydia (an iPhone front-end to help installing third-party applications), you first add the URL of the spyware's repository and then install the two spyware packages."<br />
<br />
[[Category:Malware research]]</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=Malware_for_iOS&diff=47616Malware for iOS2015-09-01T21:30:58Z<p>Britta: /* Tools for sale to the public */ another one</p>
<hr />
<div>This is an '''incomplete''' list of known malware (including spyware, adware, trojans, viruses, worms, and similar tools) that have targeted iOS, including jailbroken iOS. The dates are approximate dates when people discovered, publicized, or started discussing the tool. '''Please help expand this article with more examples and details! To edit it, you can [[The iPhone Wiki:Account creation|request an account on TheiPhoneWiki]] if you don't have one.'''<br />
<br />
The goal of this list is to aid better understanding of the risks of using iOS and jailbroken iOS - it's helpful to have as much accurate information as you can. If you're concerned about avoiding malware on your jailbroken device, check out [https://www.reddit.com/r/jailbreak/wiki/howtoresearch this guide to making informed guesses about whether packages are reasonable to install].<br />
<br />
Some context: <br />
* Some of these tools targeted old iOS versions and do not work on current iOS versions.<br />
* Some of these are harmful and some are merely annoying.<br />
* Many of these require the device to be jailbroken, and some work on non-jailbroken devices.<br />
* Cydia is an open platform - it includes a specific set of default repositories, and it also allows users to type in any third-party repository that they want to use (much like a web browser that allows you to visit any website). Anyone can run a third-party repository and distribute any software they choose to distribute.<br />
* Some of these tools are built to target specific people instead of the general public.<br />
* Especially for malware that targets a specific person and requires the device to be jailbroken (such as commercial spyware tools used by governments and [http://www.forbes.com/sites/sarahjeong/2014/10/28/surveillance-begins-at-home/ people spying on family members]), it's important to consider that ''the vulnerabilities in iOS that allow it to be exploited with a jailbreak'' are part of what allows that malware to exist - the process may include finding a way to secretly jailbreak the target's device if it's not jailbroken already.<br />
<br />
For an earlier list of known malware, see [https://blog.fortinet.com/post/ios-malware-does-exist "iOS Malware Does Exist"] (June 2014).<br />
<br />
== Tools found in the wild that target the public ==<br />
<br />
=== iKee and Duh (November 2009) ===<br />
<br />
The [[Ikee-virus]] (also called Eeki) is a worm transmitted between jailbroken devices that have OpenSSH installed and haven't changed the default root password. It changes the lockscreen background to a photo of Rick Astley.<br />
<br />
Two weeks later, the similar [https://nakedsecurity.sophos.com/2009/11/23/lightning-strikes-iphone-malware-malicious/ Duh worm] spread, which was "much more serious than the original Ikee worm because it is not limited to infecting iPhone users in Australia, and communicates with an internet Control & Command centre, downloading new instructions - effectively turning your iPhone into part of a botnet."<br />
<br />
=== "Find and Call" (July 2012) ===<br />
<br />
Find and Call was an app on the App Store that automatically uploaded users' contact lists to the company's server, then spammed those contacts with a link to the app ("from" that user). This undisclosed, unwanted behavior makes the software fit the definition of a trojan. Articles: [https://securelist.com/blog/incidents/33544/find-and-call-leak-and-spam-57/ Kaspersky SecureList], [http://arstechnica.com/apple/2012/07/find-and-call-app-becomes-first-trojan-to-appear-on-ios-app-store/ Ars Technica], [https://nakedsecurity.sophos.com/2012/07/06/find-call-ios-android-malware/ Sophos NakedSecurity]. It is also called FindCall.<br />
<br />
=== Packages by Nobitazzz (August 2012 and September 2013) ===<br />
<br />
A tweak developer who went by various names (Felix, FelixCat, isoftjsc, Martin Pham, Nitram88, Nobitazzz, Nobita.ZZZ, Sara_Nobita, sara_nobita_zzz, tuyentq2009, vietSARA) included adware in his tweaks. These were many free packages along with some paid packages sold via the Cydia Store, mostly distributed by default repositories (until the problem was discovered). The adware ran ads in the background of iOS, displaying off-screen so that the user wouldn't notice them, with the revenue from those ads going to this tweak developer. This was [http://modmyi.com/forums/cydia-support/810633-new-adware-malware-found-cydia.html reported in August 2012 on the ModMyi forum] and [http://ryanhileman.info/posts/webgl analyzed in September 2013] ([https://www.reddit.com/r/jailbreak/comments/1n5702/anatomy_of_a_jailbreak_trojan/ discussion on Reddit]).<br />
<br />
Packages by this developer included: Animated ICS LockScreen & HomeScreen, BetterChrome, Chrome Download Enabler, ChromeMe, Enable Copy text in Facebook app, Enable WebGL, Facebook Photo Library integration, FacebookThis, Handwriting recognition, Insta9gag, InstaFacebook for NotificationCenter, Instagram Image saver, InstaSocial for Notification Center, InstaTwitter for NotificationCenter, iOS 6 Photos Menu, Make Gmail as default, Notification Lunar Calendar, Olympic 2012 Medal for Notification Center, PhotoFilters, Sara, Sara Dictation Keyboard, VoiceTweet.<br />
<br />
=== AdThief/Spad (March and August 2014) ===<br />
<br />
AdThief (also called Spad) is malware targeting jailbroken iOS devices, which "tweaks a developer ID that’s intended to tell ad developers when their ads are either viewed or clicked and in turn, generate revenue. In the malware’s case, infected devices funnel those small payments away from the developers to the hacker", as [https://threatpost.com/adthief-ios-malware-affecting-75k-jailbroken-devices/107907 explained by Kaspersky Threatpost]. Security researchers estimated it had infected 75,000 devices.<br />
<br />
=== Unflod (April 2014) ===<br />
<br />
[[Unflod]] is a malicious piece of software targeting jailbroken iOS devices, which attempts to capture the user's Apple ID and password by using MobileSubstrate to hook into the SSLWrite function of Security.framework and then listening to data passed to it. Once the Apple ID and password are captured, it is sent to a Chinese IP address. It was inadvertently discovered by a Reddit user on April 17th, 2014. Also called "Unflod Baby Panda" and "SSLCreds".<br />
<br />
=== AppBuyer (September 2014) ===<br />
<br />
AppBuyer, as discussed in [http://researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/ this article by Palo Alto Networks], is "malware will connect to C&C server, download and execute malicious executable files, hook network APIs to steal user’s Apple ID and password and upload to the attacker’s server, and simulate Apple’s proprietary protocols to buy apps from the official App Store by victim’s identity." It targets jailbroken devices.<br />
<br />
=== WireLurker and Masque Attack (November 2014) ===<br />
<br />
As discussed at [[Misuse of enterprise and developer certificates]]: [http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/ according to Palo Alto Networks], WireLurker is "a family of malware targeting both Mac OS and iOS systems for the past six months...It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning."<br />
<br />
Masque Attacks are a related technique, also [https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html discussed by Palo Alto Networks]: "an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier."<br />
<br />
=== Xsser mRAT (December 2014) ===<br />
<br />
Xsser mRAT is a piece of malware that targets jailbroken devices. [https://blogs.akamai.com/2014/12/ios-and-android-os-targeted-by-man-in-the-middle-attacks.html As described by Akamai]: "The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server."<br />
<br />
=== Lock Saver Free (July 2015) ===<br />
<br />
Lock Saver Free is a free tweak, originally distributed on a default repository (removed from the repository after discovery of the problem), that installs an extra tweak that hooks into ad banners to insert its own ad identifier, presumably in order to give ad revenue to the author of the tweak instead of to the author of the website/app where the ad was found. [https://www.reddit.com/r/jailbreak/comments/3eis8g/news_lock_saver_free_contains_a_trojan_that/ Discussion on Reddit].<br />
<br />
=== KeyRaider (August 2015) ===<br />
<br />
KeyRaider, as discussed in [http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/ this article by Palo Alto Networks], is a piece of malware for jailbroken devices that "steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device." These security researchers said it has over 225,000 stolen accounts in its database.<br />
<br />
== Tools used by governments to target individuals ==<br />
<br />
=== FinSpy Mobile (August 2012) ===<br />
<br />
FinFisher is a suite of commercial surveillance tools sold to governments, which have been used to target activists and other people. The suite [https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/ includes spyware tools for many mobile operating systems, including iOS].<br />
<br />
=== DROPOUTJEEP (December 2013) ===<br />
<br />
In December 2013, a conference presentation included information about a NSA tool called DROPOUTJEEP: [http://www.forbes.com/sites/erikkain/2013/12/30/the-nsa-reportedly-has-total-access-to-your-iphone/ "a software implant for the Apple iPhone that utilizes modular mission applications to provide specific SIGINT functionality. This functionality includes the ability to remotely push/pull files from the device. SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell tower location, etc. Command, control and data exfiltration can occur over SMS messaging or a GPRS data connection. All communications with the implant will be covert and encrypted.”] The information was from an internal NSA software catalog from 2008. The presenter speculated that Apple had helped build this tool, and [http://techcrunch.com/2013/12/31/apple-says-it-has-never-worked-with-nsa-to-create-iphone-backdoors-is-unaware-of-alleged-dropoutjeep-snooping-program/ Apple said it "has never worked with the NSA to create a backdoor in any of our products"].<br />
<br />
=== Hacking Team tools (June 2014 and July 2015) ===<br />
<br />
[[Hacking Team]] is a company that "sells offensive intrusion and surveillance capabilities to governments and law enforcement agencies", including iOS spyware tools. The iOS spyware tools appear designed for targeting/attacking specific people, not for broad surveillance of the public. Their main tool (Remote Control System) requires a jailbroken device, and they were researching options for non-jailbroken devices.<br />
<br />
=== XAgent (February 2015) ===<br />
<br />
XAgent is a surveillance tool targeting specific people (such as people in governments, the military, and journalists) that can affect both non-jailbroken and jailbroken devices, as described in [http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/ this article by Trend Micro]. Also [http://www.pcworld.com/article/2880152/new-spyware-targets-ios-devices-steals-pictures-and-data.html covered by PCWorld].<br />
<br />
== Tools developed as part of academic research ==<br />
<br />
=== iSAM (June 2011) ===<br />
<br />
iSAM is a malware tool [http://link.springer.com/chapter/10.1007%2F978-3-642-21424-0_2 developed by security researchers] as a proof of concept. It affects both jailbroken and not-yet-jailbroken devices: it scans for jailbroken devices that have SSH running and the default root password, and it also includes a malicious version of the [[Star]] exploit (JailbreakMe 2.0) so it can jailbreak a device that isn't jailbroken yet.<br />
<br />
=== Instastock (November 2011) ===<br />
<br />
Charlie Miller, a security researcher, [http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/ submitted an app to the App Store called Instastock] to demonstrate "a flaw in Apple’s restrictions on code signing on iOS devices". The app was initially accepted and then pulled from the store.<br />
<br />
=== Mactans (July 2013) ===<br />
<br />
At the Black Hat 2013 conference, security researchers presented a tool called Mactans, a small device that looks like a charger but [http://www.zdnet.com/article/researchers-reveal-how-to-hack-an-iphone-in-60-seconds/ can insert malware if you plug an iOS device into it]. The iOS device does not have to be jailbroken.<br />
<br />
=== Jekyll (August 2013) ===<br />
<br />
At the USENIX Security Symposium in 2013, security researchers described a method for getting a malicious app approved for the App Store, [http://www.theguardian.com/technology/appsblog/2013/aug/19/ios-malware-apple-iphone-ipad-jekyll "created with remotely-exploitable vulnerabilities built in, masked by legitimate features to evade detection during the App Store approval process, but ready to be triggered once the app was installed on an iOS device."] They successfully got an app approved for the App Store with this method (which [http://arstechnica.com/security/2013/08/seemingly-benign-jekyll-app-passes-apple-review-then-becomes-evil/ "was only active for a few minutes following its launch in March, and during that time it wasn't installed by anyone not involved in the experiment"]).<br />
<br />
== Tools for sale to the public ==<br />
<br />
=== Copy9 ===<br />
<br />
[http://cydia.saurik.com/package/com.goldenspy.copy9/ Copy9] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Copy9. It describes itself as "will be installed on target iDevice to find out a thief, cheating spouses, monitor chidren/employees or simply backup data from your devices to our cloud server. This is the best spyware on the world in spying field." [http://copy9.com/ Copy9 website].<br />
<br />
=== Copy10 ===<br />
<br />
[http://cydia.saurik.com/package/com.copy10.copy10/ Copy10] is a similar but separate spying tool available to the public via the ModMyi repository (a default repository), authored by IntelMobi/goldenspy. Their description includes "Are you having trust issues in your relationship? Sign that your kid's personality has changed and their behaviors, does your teenager hang out with friends you're concerned about? What if you believe one of your employees is a spy or is stealing company's technology, intellectual property or trade secrets?" [https://www.intelmobi.com/ IntelMobi website].<br />
<br />
=== FlexiSPY ===<br />
<br />
[http://www.flexispy.com/en/iphone-tracker-spy-on-iphone.htm FlexiSPY] is a spying tool available to the public presumably via their own repository (this isn't specified on their website, but it's specified that you need the device to be jailbroken). Their website says "If you have a committed relationship with your partner or are responsible for a child or employee YOU HAVE A RIGHT TO KNOW To protect your relationship, spy on their iPhone."<br />
<br />
=== iKeyGuard Key Logger ===<br />
<br />
[http://cydia.saurik.com/package/com.ikeyguard.ikg/ iKeyGuard Key Logger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by iKeyGuard. Its description includes "Warning: Logging other people without their permission might be illegal in your country! Make sure you abide by your local law."<br />
<br />
=== iKeyMonitor keylogger ===<br />
<br />
[http://cydia.saurik.com/package/com.aw.mobile.ikm/ iKeyMonitor keylogger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Awosoft Technology. [http://ikeymonitor.com/ Its website] includes "How to monitor your children's cell phone to discover the truth and protect them from potential dangers? Now with iKeyMonitor you can uncover the truth by secretly monitoring mobile phones and tablets such as iPhone/iPad/iPod and Android device."<br />
<br />
=== InnovaSPY ===<br />
<br />
[http://cydia.saurik.com/package/com.innovaspy.innovaspy/ InnovaSPY] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Innovaspy. Its description says "Perfect iPhone spy app" and lists reasons to use it as "Protect your child from cyber predators" and "Find out THE TRUE from cheating spouse?" Related package: [http://cydia.saurik.com/package/com.innovaspy.innovamonitor/ InnovaMonitor], a monitoring app for use with the spy tool. [http://innovaspy.com/ InnovaSPY website].<br />
<br />
=== Mobile Spy ===<br />
<br />
[http://www.mobile-spy.com/iphone-v7.html Mobile Spy] is a spying tool available to the public via their own repository, authored by Retina-X Studios. [http://www.mobile-spy.com/ Their website] says "View your Child or Employee's Smartphone and Tablet Usage. Monitor text messages, GPS locations, call details, photos and social media activity. View the screen and location LIVE!"<br />
<br />
=== MobiStealth ===<br />
<br />
[http://www.mobistealth.com/iphone-spy MobiStealth] is a spying tool available to the public for both [http://www.mobistealth.com/iphone-spy jailbroken iOS] (presumably installed via their own repository) and [http://www.mobistealth.com/ios-non-jailbreak non-jailbroken iOS] ("All that you require is the Apple ID and password of the iPhone or iPad that you want to monitor to get remote access to"). Their website includes "Are your employees misusing company owned phones? Are your kids getting more possessed and do not want to share anything with you? Stop wondering and thinking all day long, Mobistealth iPhone spy app is exactly what you need."<br />
<br />
=== mSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.mtechnology.mspy.trial/ mSpy] is a spying tool available to the public via the BigBoss repository (a default repository), authored by Mtechnology. Its description of itself: "mSpy is the best tracking and spy application that allows users to keep a check on the cell phone activities of their kids other family members or employees in order to avoid any unwanted behavior or for safety purposes."<br />
<br />
The mSpy website [http://www.mspy.com/compatibility.html indicates that they also have a version for non-jailbroken devices].<br />
<br />
=== OwnSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.ownspy.daemon/ OwnSpy] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Antonio Calatrava. It describes itself as "Spy your own iPhone or iPad", with call recording, location tracking, and other features. It has a warning that says "Installing OwnSpy on a device that does not belong to you is a criminal offense and may be prosecuted. Mobile Innovations will help authorities if required." [http://en.ownspy.com/P000001-install-on-ios OwnSpy website].<br />
<br />
=== Spy App ===<br />
<br />
[http://cydia.saurik.com/package/com.spyapp.daemon/ Spy App] is a spying tool available to the public via the ModMyi repository (a default repository), authored by dmarinov. Its description includes "Remotely spy SMS, Emails, Call Logs, GPS Location, Key presses (Keylogger)" and other features. It says it is "absolutely invisible and undetectable."<br />
<br />
=== SpyKey ===<br />
<br />
[http://cydia.saurik.com/package/com.kobisnir.spykey/ SpyKey] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Kobi Snir. Its description includes "a simple app that let you monitor your PC Keyboard activity in real time, Simply connect your iphone to your compute using your Wifi or 3G connection and start monitoring." The [http://www.ioslinks.com/spykey/ SpyKey website] includes "Great use for parental control purposes, protect your kids from chating with strangers!", "Discover usernames & passwords", and "Spy unfaithfull husband or wife."<br />
<br />
=== StealthGenie ===<br />
<br />
StealthGenie was a spying tool available to the public [http://blog.flexispy.com/remove-stealthgenie-iphone-android/ via their own repository]. It also supported other mobile operating systems. In November 2014, the person who advertised and sold this product was [http://www.justice.gov/opa/pr/man-pleads-guilty-selling-stealthgenie-spyware-app-and-ordered-pay-500000-fine charged with a federal crime and fined $500,000]. The charge was "sale of an interception device and advertisement of a known interception device", a wiretapping crime. [http://www.forbes.com/sites/kashmirhill/2014/09/30/stealthgenie-ugly-marketing-of-spyware/ A Forbes article] says "according to the FBI, Akbar and his team developed an internal business plan that revealed that — duh — the primary target audience for the app was people who thought their partners were cheating." The Forbes article points out [[#Mobile Spy]], [[#mSpy]], [[#FlexiSPY]], and [[#MobiStealth]] as similar products.<br />
<br />
=== Trapsms ===<br />
<br />
Trapsms was an early spying tool available to the public, [http://blog.fortinet.com/post/detecting-spyware-for-iphones described in this post by a security researcher in July 2009]. She says: "The spyware installs on any jailbroken iPhone. In Cydia (an iPhone front-end to help installing third-party applications), you first add the URL of the spyware's repository and then install the two spyware packages."<br />
<br />
[[Category:Malware research]]</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=Malware_for_iOS&diff=47615Malware for iOS2015-09-01T21:06:54Z<p>Britta: adding nsa tool</p>
<hr />
<div>This is an '''incomplete''' list of known malware (including spyware, adware, trojans, viruses, worms, and similar tools) that have targeted iOS, including jailbroken iOS. The dates are approximate dates when people discovered, publicized, or started discussing the tool. '''Please help expand this article with more examples and details! To edit it, you can [[The iPhone Wiki:Account creation|request an account on TheiPhoneWiki]] if you don't have one.'''<br />
<br />
The goal of this list is to aid better understanding of the risks of using iOS and jailbroken iOS - it's helpful to have as much accurate information as you can. If you're concerned about avoiding malware on your jailbroken device, check out [https://www.reddit.com/r/jailbreak/wiki/howtoresearch this guide to making informed guesses about whether packages are reasonable to install].<br />
<br />
Some context: <br />
* Some of these tools targeted old iOS versions and do not work on current iOS versions.<br />
* Some of these are harmful and some are merely annoying.<br />
* Many of these require the device to be jailbroken, and some work on non-jailbroken devices.<br />
* Cydia is an open platform - it includes a specific set of default repositories, and it also allows users to type in any third-party repository that they want to use (much like a web browser that allows you to visit any website). Anyone can run a third-party repository and distribute any software they choose to distribute.<br />
* Some of these tools are built to target specific people instead of the general public.<br />
* Especially for malware that targets a specific person and requires the device to be jailbroken (such as commercial spyware tools used by governments and [http://www.forbes.com/sites/sarahjeong/2014/10/28/surveillance-begins-at-home/ people spying on family members]), it's important to consider that ''the vulnerabilities in iOS that allow it to be exploited with a jailbreak'' are part of what allows that malware to exist - the process may include finding a way to secretly jailbreak the target's device if it's not jailbroken already.<br />
<br />
For an earlier list of known malware, see [https://blog.fortinet.com/post/ios-malware-does-exist "iOS Malware Does Exist"] (June 2014).<br />
<br />
== Tools found in the wild that target the public ==<br />
<br />
=== iKee and Duh (November 2009) ===<br />
<br />
The [[Ikee-virus]] (also called Eeki) is a worm transmitted between jailbroken devices that have OpenSSH installed and haven't changed the default root password. It changes the lockscreen background to a photo of Rick Astley.<br />
<br />
Two weeks later, the similar [https://nakedsecurity.sophos.com/2009/11/23/lightning-strikes-iphone-malware-malicious/ Duh worm] spread, which was "much more serious than the original Ikee worm because it is not limited to infecting iPhone users in Australia, and communicates with an internet Control & Command centre, downloading new instructions - effectively turning your iPhone into part of a botnet."<br />
<br />
=== "Find and Call" (July 2012) ===<br />
<br />
Find and Call was an app on the App Store that automatically uploaded users' contact lists to the company's server, then spammed those contacts with a link to the app ("from" that user). This undisclosed, unwanted behavior makes the software fit the definition of a trojan. Articles: [https://securelist.com/blog/incidents/33544/find-and-call-leak-and-spam-57/ Kaspersky SecureList], [http://arstechnica.com/apple/2012/07/find-and-call-app-becomes-first-trojan-to-appear-on-ios-app-store/ Ars Technica], [https://nakedsecurity.sophos.com/2012/07/06/find-call-ios-android-malware/ Sophos NakedSecurity]. It is also called FindCall.<br />
<br />
=== Packages by Nobitazzz (August 2012 and September 2013) ===<br />
<br />
A tweak developer who went by various names (Felix, FelixCat, isoftjsc, Martin Pham, Nitram88, Nobitazzz, Nobita.ZZZ, Sara_Nobita, sara_nobita_zzz, tuyentq2009, vietSARA) included adware in his tweaks. These were many free packages along with some paid packages sold via the Cydia Store, mostly distributed by default repositories (until the problem was discovered). The adware ran ads in the background of iOS, displaying off-screen so that the user wouldn't notice them, with the revenue from those ads going to this tweak developer. This was [http://modmyi.com/forums/cydia-support/810633-new-adware-malware-found-cydia.html reported in August 2012 on the ModMyi forum] and [http://ryanhileman.info/posts/webgl analyzed in September 2013] ([https://www.reddit.com/r/jailbreak/comments/1n5702/anatomy_of_a_jailbreak_trojan/ discussion on Reddit]).<br />
<br />
Packages by this developer included: Animated ICS LockScreen & HomeScreen, BetterChrome, Chrome Download Enabler, ChromeMe, Enable Copy text in Facebook app, Enable WebGL, Facebook Photo Library integration, FacebookThis, Handwriting recognition, Insta9gag, InstaFacebook for NotificationCenter, Instagram Image saver, InstaSocial for Notification Center, InstaTwitter for NotificationCenter, iOS 6 Photos Menu, Make Gmail as default, Notification Lunar Calendar, Olympic 2012 Medal for Notification Center, PhotoFilters, Sara, Sara Dictation Keyboard, VoiceTweet.<br />
<br />
=== AdThief/Spad (March and August 2014) ===<br />
<br />
AdThief (also called Spad) is malware targeting jailbroken iOS devices, which "tweaks a developer ID that’s intended to tell ad developers when their ads are either viewed or clicked and in turn, generate revenue. In the malware’s case, infected devices funnel those small payments away from the developers to the hacker", as [https://threatpost.com/adthief-ios-malware-affecting-75k-jailbroken-devices/107907 explained by Kaspersky Threatpost]. Security researchers estimated it had infected 75,000 devices.<br />
<br />
=== Unflod (April 2014) ===<br />
<br />
[[Unflod]] is a malicious piece of software targeting jailbroken iOS devices, which attempts to capture the user's Apple ID and password by using MobileSubstrate to hook into the SSLWrite function of Security.framework and then listening to data passed to it. Once the Apple ID and password are captured, it is sent to a Chinese IP address. It was inadvertently discovered by a Reddit user on April 17th, 2014. Also called "Unflod Baby Panda" and "SSLCreds".<br />
<br />
=== AppBuyer (September 2014) ===<br />
<br />
AppBuyer, as discussed in [http://researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/ this article by Palo Alto Networks], is "malware will connect to C&C server, download and execute malicious executable files, hook network APIs to steal user’s Apple ID and password and upload to the attacker’s server, and simulate Apple’s proprietary protocols to buy apps from the official App Store by victim’s identity." It targets jailbroken devices.<br />
<br />
=== WireLurker and Masque Attack (November 2014) ===<br />
<br />
As discussed at [[Misuse of enterprise and developer certificates]]: [http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/ according to Palo Alto Networks], WireLurker is "a family of malware targeting both Mac OS and iOS systems for the past six months...It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning."<br />
<br />
Masque Attacks are a related technique, also [https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html discussed by Palo Alto Networks]: "an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier."<br />
<br />
=== Xsser mRAT (December 2014) ===<br />
<br />
Xsser mRAT is a piece of malware that targets jailbroken devices. [https://blogs.akamai.com/2014/12/ios-and-android-os-targeted-by-man-in-the-middle-attacks.html As described by Akamai]: "The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server."<br />
<br />
=== Lock Saver Free (July 2015) ===<br />
<br />
Lock Saver Free is a free tweak, originally distributed on a default repository (removed from the repository after discovery of the problem), that installs an extra tweak that hooks into ad banners to insert its own ad identifier, presumably in order to give ad revenue to the author of the tweak instead of to the author of the website/app where the ad was found. [https://www.reddit.com/r/jailbreak/comments/3eis8g/news_lock_saver_free_contains_a_trojan_that/ Discussion on Reddit].<br />
<br />
=== KeyRaider (August 2015) ===<br />
<br />
KeyRaider, as discussed in [http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/ this article by Palo Alto Networks], is a piece of malware for jailbroken devices that "steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device." These security researchers said it has over 225,000 stolen accounts in its database.<br />
<br />
== Tools used by governments to target individuals ==<br />
<br />
=== FinSpy Mobile (August 2012) ===<br />
<br />
FinFisher is a suite of commercial surveillance tools sold to governments, which have been used to target activists and other people. The suite [https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/ includes spyware tools for many mobile operating systems, including iOS].<br />
<br />
=== DROPOUTJEEP (December 2013) ===<br />
<br />
In December 2013, a conference presentation included information about a NSA tool called DROPOUTJEEP: [http://www.forbes.com/sites/erikkain/2013/12/30/the-nsa-reportedly-has-total-access-to-your-iphone/ "a software implant for the Apple iPhone that utilizes modular mission applications to provide specific SIGINT functionality. This functionality includes the ability to remotely push/pull files from the device. SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell tower location, etc. Command, control and data exfiltration can occur over SMS messaging or a GPRS data connection. All communications with the implant will be covert and encrypted.”] The information was from an internal NSA software catalog from 2008. The presenter speculated that Apple had helped build this tool, and [http://techcrunch.com/2013/12/31/apple-says-it-has-never-worked-with-nsa-to-create-iphone-backdoors-is-unaware-of-alleged-dropoutjeep-snooping-program/ Apple said it "has never worked with the NSA to create a backdoor in any of our products"].<br />
<br />
=== Hacking Team tools (June 2014 and July 2015) ===<br />
<br />
[[Hacking Team]] is a company that "sells offensive intrusion and surveillance capabilities to governments and law enforcement agencies", including iOS spyware tools. The iOS spyware tools appear designed for targeting/attacking specific people, not for broad surveillance of the public. Their main tool (Remote Control System) requires a jailbroken device, and they were researching options for non-jailbroken devices.<br />
<br />
=== XAgent (February 2015) ===<br />
<br />
XAgent is a surveillance tool targeting specific people (such as people in governments, the military, and journalists) that can affect both non-jailbroken and jailbroken devices, as described in [http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/ this article by Trend Micro]. Also [http://www.pcworld.com/article/2880152/new-spyware-targets-ios-devices-steals-pictures-and-data.html covered by PCWorld].<br />
<br />
== Tools developed as part of academic research ==<br />
<br />
=== iSAM (June 2011) ===<br />
<br />
iSAM is a malware tool [http://link.springer.com/chapter/10.1007%2F978-3-642-21424-0_2 developed by security researchers] as a proof of concept. It affects both jailbroken and not-yet-jailbroken devices: it scans for jailbroken devices that have SSH running and the default root password, and it also includes a malicious version of the [[Star]] exploit (JailbreakMe 2.0) so it can jailbreak a device that isn't jailbroken yet.<br />
<br />
=== Instastock (November 2011) ===<br />
<br />
Charlie Miller, a security researcher, [http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/ submitted an app to the App Store called Instastock] to demonstrate "a flaw in Apple’s restrictions on code signing on iOS devices". The app was initially accepted and then pulled from the store.<br />
<br />
=== Mactans (July 2013) ===<br />
<br />
At the Black Hat 2013 conference, security researchers presented a tool called Mactans, a small device that looks like a charger but [http://www.zdnet.com/article/researchers-reveal-how-to-hack-an-iphone-in-60-seconds/ can insert malware if you plug an iOS device into it]. The iOS device does not have to be jailbroken.<br />
<br />
=== Jekyll (August 2013) ===<br />
<br />
At the USENIX Security Symposium in 2013, security researchers described a method for getting a malicious app approved for the App Store, [http://www.theguardian.com/technology/appsblog/2013/aug/19/ios-malware-apple-iphone-ipad-jekyll "created with remotely-exploitable vulnerabilities built in, masked by legitimate features to evade detection during the App Store approval process, but ready to be triggered once the app was installed on an iOS device."] They successfully got an app approved for the App Store with this method (which [http://arstechnica.com/security/2013/08/seemingly-benign-jekyll-app-passes-apple-review-then-becomes-evil/ "was only active for a few minutes following its launch in March, and during that time it wasn't installed by anyone not involved in the experiment"]).<br />
<br />
== Tools for sale to the public ==<br />
<br />
=== Copy9 ===<br />
<br />
[http://cydia.saurik.com/package/com.goldenspy.copy9/ Copy9] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Copy9. It describes itself as "will be installed on target iDevice to find out a thief, cheating spouses, monitor chidren/employees or simply backup data from your devices to our cloud server. This is the best spyware on the world in spying field." [http://copy9.com/ Copy9 website].<br />
<br />
=== FlexiSPY ===<br />
<br />
[http://www.flexispy.com/en/iphone-tracker-spy-on-iphone.htm FlexiSPY] is a spying tool available to the public presumably via their own repository (this isn't specified on their website, but it's specified that you need the device to be jailbroken). Their website says "If you have a committed relationship with your partner or are responsible for a child or employee YOU HAVE A RIGHT TO KNOW To protect your relationship, spy on their iPhone."<br />
<br />
=== iKeyGuard Key Logger ===<br />
<br />
[http://cydia.saurik.com/package/com.ikeyguard.ikg/ iKeyGuard Key Logger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by iKeyGuard. Its description includes "Warning: Logging other people without their permission might be illegal in your country! Make sure you abide by your local law."<br />
<br />
=== iKeyMonitor keylogger ===<br />
<br />
[http://cydia.saurik.com/package/com.aw.mobile.ikm/ iKeyMonitor keylogger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Awosoft Technology. [http://ikeymonitor.com/ Its website] includes "How to monitor your children's cell phone to discover the truth and protect them from potential dangers? Now with iKeyMonitor you can uncover the truth by secretly monitoring mobile phones and tablets such as iPhone/iPad/iPod and Android device."<br />
<br />
=== InnovaSPY ===<br />
<br />
[http://cydia.saurik.com/package/com.innovaspy.innovaspy/ InnovaSPY] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Innovaspy. Its description says "Perfect iPhone spy app" and lists reasons to use it as "Protect your child from cyber predators" and "Find out THE TRUE from cheating spouse?" Related package: [http://cydia.saurik.com/package/com.innovaspy.innovamonitor/ InnovaMonitor], a monitoring app for use with the spy tool. [http://innovaspy.com/ InnovaSPY website].<br />
<br />
=== Mobile Spy ===<br />
<br />
[http://www.mobile-spy.com/iphone-v7.html Mobile Spy] is a spying tool available to the public via their own repository, authored by Retina-X Studios. [http://www.mobile-spy.com/ Their website] says "View your Child or Employee's Smartphone and Tablet Usage. Monitor text messages, GPS locations, call details, photos and social media activity. View the screen and location LIVE!"<br />
<br />
=== MobiStealth ===<br />
<br />
[http://www.mobistealth.com/iphone-spy MobiStealth] is a spying tool available to the public for both [http://www.mobistealth.com/iphone-spy jailbroken iOS] (presumably installed via their own repository) and [http://www.mobistealth.com/ios-non-jailbreak non-jailbroken iOS] ("All that you require is the Apple ID and password of the iPhone or iPad that you want to monitor to get remote access to"). Their website includes "Are your employees misusing company owned phones? Are your kids getting more possessed and do not want to share anything with you? Stop wondering and thinking all day long, Mobistealth iPhone spy app is exactly what you need."<br />
<br />
=== mSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.mtechnology.mspy.trial/ mSpy] is a spying tool available to the public via the BigBoss repository (a default repository), authored by Mtechnology. Its description of itself: "mSpy is the best tracking and spy application that allows users to keep a check on the cell phone activities of their kids other family members or employees in order to avoid any unwanted behavior or for safety purposes."<br />
<br />
The mSpy website [http://www.mspy.com/compatibility.html indicates that they also have a version for non-jailbroken devices].<br />
<br />
=== OwnSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.ownspy.daemon/ OwnSpy] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Antonio Calatrava. It describes itself as "Spy your own iPhone or iPad", with call recording, location tracking, and other features. It has a warning that says "Installing OwnSpy on a device that does not belong to you is a criminal offense and may be prosecuted. Mobile Innovations will help authorities if required." [http://en.ownspy.com/P000001-install-on-ios OwnSpy website].<br />
<br />
=== Spy App ===<br />
<br />
[http://cydia.saurik.com/package/com.spyapp.daemon/ Spy App] is a spying tool available to the public via the ModMyi repository (a default repository), authored by dmarinov. Its description includes "Remotely spy SMS, Emails, Call Logs, GPS Location, Key presses (Keylogger)" and other features. It says it is "absolutely invisible and undetectable."<br />
<br />
=== SpyKey ===<br />
<br />
[http://cydia.saurik.com/package/com.kobisnir.spykey/ SpyKey] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Kobi Snir. Its description includes "a simple app that let you monitor your PC Keyboard activity in real time, Simply connect your iphone to your compute using your Wifi or 3G connection and start monitoring." The [http://www.ioslinks.com/spykey/ SpyKey website] includes "Great use for parental control purposes, protect your kids from chating with strangers!", "Discover usernames & passwords", and "Spy unfaithfull husband or wife."<br />
<br />
=== StealthGenie ===<br />
<br />
StealthGenie was a spying tool available to the public [http://blog.flexispy.com/remove-stealthgenie-iphone-android/ via their own repository]. It also supported other mobile operating systems. In November 2014, the person who advertised and sold this product was [http://www.justice.gov/opa/pr/man-pleads-guilty-selling-stealthgenie-spyware-app-and-ordered-pay-500000-fine charged with a federal crime and fined $500,000]. The charge was "sale of an interception device and advertisement of a known interception device", a wiretapping crime. [http://www.forbes.com/sites/kashmirhill/2014/09/30/stealthgenie-ugly-marketing-of-spyware/ A Forbes article] says "according to the FBI, Akbar and his team developed an internal business plan that revealed that — duh — the primary target audience for the app was people who thought their partners were cheating." The Forbes article points out [[#Mobile Spy]], [[#mSpy]], [[#FlexiSPY]], and [[#MobiStealth]] as similar products.<br />
<br />
=== Trapsms ===<br />
<br />
Trapsms was an early spying tool available to the public, [http://blog.fortinet.com/post/detecting-spyware-for-iphones described in this post by a security researcher in July 2009]. She says: "The spyware installs on any jailbroken iPhone. In Cydia (an iPhone front-end to help installing third-party applications), you first add the URL of the spyware's repository and then install the two spyware packages."<br />
<br />
[[Category:Malware research]]</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=Malware_for_iOS&diff=47614Malware for iOS2015-09-01T20:56:21Z<p>Britta: sorting "Tools found in the wild" into "Tools found in the wild that target the public" and "Tools used by governments to target individuals"</p>
<hr />
<div>This is an '''incomplete''' list of known malware (including spyware, adware, trojans, viruses, worms, and similar tools) that have targeted iOS, including jailbroken iOS. The dates are approximate dates when people discovered, publicized, or started discussing the tool. '''Please help expand this article with more examples and details! To edit it, you can [[The iPhone Wiki:Account creation|request an account on TheiPhoneWiki]] if you don't have one.'''<br />
<br />
The goal of this list is to aid better understanding of the risks of using iOS and jailbroken iOS - it's helpful to have as much accurate information as you can. If you're concerned about avoiding malware on your jailbroken device, check out [https://www.reddit.com/r/jailbreak/wiki/howtoresearch this guide to making informed guesses about whether packages are reasonable to install].<br />
<br />
Some context: <br />
* Some of these tools targeted old iOS versions and do not work on current iOS versions.<br />
* Some of these are harmful and some are merely annoying.<br />
* Many of these require the device to be jailbroken, and some work on non-jailbroken devices.<br />
* Cydia is an open platform - it includes a specific set of default repositories, and it also allows users to type in any third-party repository that they want to use (much like a web browser that allows you to visit any website). Anyone can run a third-party repository and distribute any software they choose to distribute.<br />
* Some of these tools are built to target specific people instead of the general public.<br />
* Especially for malware that targets a specific person and requires the device to be jailbroken (such as commercial spyware tools used by governments and [http://www.forbes.com/sites/sarahjeong/2014/10/28/surveillance-begins-at-home/ people spying on family members]), it's important to consider that ''the vulnerabilities in iOS that allow it to be exploited with a jailbreak'' are part of what allows that malware to exist - the process may include finding a way to secretly jailbreak the target's device if it's not jailbroken already.<br />
<br />
For an earlier list of known malware, see [https://blog.fortinet.com/post/ios-malware-does-exist "iOS Malware Does Exist"] (June 2014).<br />
<br />
== Tools found in the wild that target the public ==<br />
<br />
=== iKee and Duh (November 2009) ===<br />
<br />
The [[Ikee-virus]] (also called Eeki) is a worm transmitted between jailbroken devices that have OpenSSH installed and haven't changed the default root password. It changes the lockscreen background to a photo of Rick Astley.<br />
<br />
Two weeks later, the similar [https://nakedsecurity.sophos.com/2009/11/23/lightning-strikes-iphone-malware-malicious/ Duh worm] spread, which was "much more serious than the original Ikee worm because it is not limited to infecting iPhone users in Australia, and communicates with an internet Control & Command centre, downloading new instructions - effectively turning your iPhone into part of a botnet."<br />
<br />
=== "Find and Call" (July 2012) ===<br />
<br />
Find and Call was an app on the App Store that automatically uploaded users' contact lists to the company's server, then spammed those contacts with a link to the app ("from" that user). This undisclosed, unwanted behavior makes the software fit the definition of a trojan. Articles: [https://securelist.com/blog/incidents/33544/find-and-call-leak-and-spam-57/ Kaspersky SecureList], [http://arstechnica.com/apple/2012/07/find-and-call-app-becomes-first-trojan-to-appear-on-ios-app-store/ Ars Technica], [https://nakedsecurity.sophos.com/2012/07/06/find-call-ios-android-malware/ Sophos NakedSecurity]. It is also called FindCall.<br />
<br />
=== Packages by Nobitazzz (August 2012 and September 2013) ===<br />
<br />
A tweak developer who went by various names (Felix, FelixCat, Martin Pham, Nitram88, Nobitazzz, Nobita.ZZZ, Sara_Nobita, isoftjsc, sara_nobita_zzz, tuyentq2009, vietSARA) included adware in his tweaks. These were many free packages along with some paid packages sold via the Cydia Store, mostly distributed by default repositories (until the problem was discovered). The adware ran ads in the background of iOS, displaying off-screen so that the user wouldn't notice them, with the revenue from those ads going to this tweak developer. This was [http://modmyi.com/forums/cydia-support/810633-new-adware-malware-found-cydia.html reported in August 2012 on the ModMyi forum] and [http://ryanhileman.info/posts/webgl analyzed in September 2013] ([https://www.reddit.com/r/jailbreak/comments/1n5702/anatomy_of_a_jailbreak_trojan/ discussion on Reddit]).<br />
<br />
Packages by this developer included: Animated ICS LockScreen & HomeScreen, BetterChrome, Chrome Download Enabler, ChromeMe, Enable Copy text in Facebook app, Enable WebGL, Facebook Photo Library integration, FacebookThis, Handwriting recognition, Insta9gag, InstaFacebook for NotificationCenter, Instagram Image saver, InstaSocial for Notification Center, InstaTwitter for NotificationCenter, iOS 6 Photos Menu, Make Gmail as default, Notification Lunar Calendar, Olympic 2012 Medal for Notification Center, PhotoFilters, Sara, Sara Dictation Keyboard, VoiceTweet.<br />
<br />
=== AdThief/Spad (March and August 2014) ===<br />
<br />
AdThief (also called Spad) is malware targeting jailbroken iOS devices, which "tweaks a developer ID that’s intended to tell ad developers when their ads are either viewed or clicked and in turn, generate revenue. In the malware’s case, infected devices funnel those small payments away from the developers to the hacker", as [https://threatpost.com/adthief-ios-malware-affecting-75k-jailbroken-devices/107907 explained by Kaspersky Threatpost]. Security researchers estimated it had infected 75,000 devices.<br />
<br />
=== Unflod (April 2014) ===<br />
<br />
[[Unflod]] is a malicious piece of software targeting jailbroken iOS devices, which attempts to capture the user's Apple ID and password by using MobileSubstrate to hook into the SSLWrite function of Security.framework and then listening to data passed to it. Once the Apple ID and password are captured, it is sent to a Chinese IP address. It was inadvertently discovered by a Reddit user on April 17th, 2014. Also called "Unflod Baby Panda" and "SSLCreds".<br />
<br />
=== AppBuyer (September 2014) ===<br />
<br />
AppBuyer, as discussed in [http://researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/ this article by Palo Alto Networks], is "malware will connect to C&C server, download and execute malicious executable files, hook network APIs to steal user’s Apple ID and password and upload to the attacker’s server, and simulate Apple’s proprietary protocols to buy apps from the official App Store by victim’s identity." It targets jailbroken devices.<br />
<br />
=== WireLurker and Masque Attack (November 2014) ===<br />
<br />
As discussed at [[Misuse of enterprise and developer certificates]]: [http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/ according to Palo Alto Networks], WireLurker is "a family of malware targeting both Mac OS and iOS systems for the past six months...It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning."<br />
<br />
Masque Attacks are a related technique, also [https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html discussed by Palo Alto Networks]: "an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier."<br />
<br />
=== Xsser mRAT (December 2014) ===<br />
<br />
Xsser mRAT is a piece of malware that targets jailbroken devices. [https://blogs.akamai.com/2014/12/ios-and-android-os-targeted-by-man-in-the-middle-attacks.html As described by Akamai]: "The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server."<br />
<br />
=== Lock Saver Free (July 2015) ===<br />
<br />
Lock Saver Free is a free tweak, originally distributed on a default repository (removed from the repository after discovery of the problem), that installs an extra tweak that hooks into ad banners to insert its own ad identifier, presumably in order to give ad revenue to the author of the tweak instead of to the author of the website/app where the ad was found. [https://www.reddit.com/r/jailbreak/comments/3eis8g/news_lock_saver_free_contains_a_trojan_that/ Discussion on Reddit].<br />
<br />
=== KeyRaider (August 2015) ===<br />
<br />
KeyRaider, as discussed in [http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/ this article by Palo Alto Networks], is a piece of malware for jailbroken devices that "steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device." These security researchers said it has over 225,000 stolen accounts in its database.<br />
<br />
== Tools used by governments to target individuals ==<br />
<br />
=== FinSpy Mobile (August 2012) ===<br />
<br />
FinFisher is a suite of commercial surveillance tools sold to governments, which have been used to target activists and other people. The suite [https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/ includes spyware tools for many mobile operating systems, including iOS].<br />
<br />
=== Hacking Team tools (June 2014 and July 2015) ===<br />
<br />
[[Hacking Team]] is a company that "sells offensive intrusion and surveillance capabilities to governments and law enforcement agencies", including iOS spyware tools. The iOS spyware tools appear designed for targeting/attacking specific people, not for broad surveillance of the public. Their main tool (Remote Control System) requires a jailbroken device, and they were researching options for non-jailbroken devices.<br />
<br />
=== XAgent (February 2015) ===<br />
<br />
XAgent is a surveillance tool targeting specific people (such as people in governments, the military, and journalists) that can affect both non-jailbroken and jailbroken devices, as described in [http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/ this article by Trend Micro]. Also [http://www.pcworld.com/article/2880152/new-spyware-targets-ios-devices-steals-pictures-and-data.html covered by PCWorld].<br />
<br />
== Tools developed as part of research ==<br />
<br />
=== iSAM (June 2011) ===<br />
<br />
iSAM is a malware tool [http://link.springer.com/chapter/10.1007%2F978-3-642-21424-0_2 developed by security researchers] as a proof of concept. It affects both jailbroken and not-yet-jailbroken devices: it scans for jailbroken devices that have SSH running and the default root password, and it also includes a malicious version of the [[Star]] exploit (JailbreakMe 2.0) so it can jailbreak a device that isn't jailbroken yet.<br />
<br />
=== Instastock (November 2011) ===<br />
<br />
Charlie Miller, a security researcher, [http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/ submitted an app to the App Store called Instastock] to demonstrate "a flaw in Apple’s restrictions on code signing on iOS devices". The app was initially accepted and then pulled from the store.<br />
<br />
=== Mactans (July 2013) ===<br />
<br />
At the Black Hat 2013 conference, security researchers presented a tool called Mactans, a small device that looks like a charger but [http://www.zdnet.com/article/researchers-reveal-how-to-hack-an-iphone-in-60-seconds/ can insert malware if you plug an iOS device into it]. The iOS device does not have to be jailbroken.<br />
<br />
=== Jekyll (August 2013) ===<br />
<br />
At the USENIX Security Symposium in 2013, security researchers described a method for getting a malicious app approved for the App Store, [http://www.theguardian.com/technology/appsblog/2013/aug/19/ios-malware-apple-iphone-ipad-jekyll "created with remotely-exploitable vulnerabilities built in, masked by legitimate features to evade detection during the App Store approval process, but ready to be triggered once the app was installed on an iOS device."] They successfully got an app approved for the App Store with this method (which [http://arstechnica.com/security/2013/08/seemingly-benign-jekyll-app-passes-apple-review-then-becomes-evil/ "was only active for a few minutes following its launch in March, and during that time it wasn't installed by anyone not involved in the experiment"]).<br />
<br />
== Tools for sale to the public ==<br />
<br />
=== Copy9 ===<br />
<br />
[http://cydia.saurik.com/package/com.goldenspy.copy9/ Copy9] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Copy9. It describes itself as "will be installed on target iDevice to find out a thief, cheating spouses, monitor chidren/employees or simply backup data from your devices to our cloud server. This is the best spyware on the world in spying field." [http://copy9.com/ Copy9 website].<br />
<br />
=== FlexiSPY ===<br />
<br />
[http://www.flexispy.com/en/iphone-tracker-spy-on-iphone.htm FlexiSPY] is a spying tool available to the public presumably via their own repository (this isn't specified on their website, but it's specified that you need the device to be jailbroken). Their website says "If you have a committed relationship with your partner or are responsible for a child or employee YOU HAVE A RIGHT TO KNOW To protect your relationship, spy on their iPhone."<br />
<br />
=== iKeyGuard Key Logger ===<br />
<br />
[http://cydia.saurik.com/package/com.ikeyguard.ikg/ iKeyGuard Key Logger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by iKeyGuard. Its description includes "Warning: Logging other people without their permission might be illegal in your country! Make sure you abide by your local law."<br />
<br />
=== iKeyMonitor keylogger ===<br />
<br />
[http://cydia.saurik.com/package/com.aw.mobile.ikm/ iKeyMonitor keylogger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Awosoft Technology. [http://ikeymonitor.com/ Its website] includes "How to monitor your children's cell phone to discover the truth and protect them from potential dangers? Now with iKeyMonitor you can uncover the truth by secretly monitoring mobile phones and tablets such as iPhone/iPad/iPod and Android device."<br />
<br />
=== InnovaSPY ===<br />
<br />
[http://cydia.saurik.com/package/com.innovaspy.innovaspy/ InnovaSPY] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Innovaspy. Its description says "Perfect iPhone spy app" and lists reasons to use it as "Protect your child from cyber predators" and "Find out THE TRUE from cheating spouse?" Related package: [http://cydia.saurik.com/package/com.innovaspy.innovamonitor/ InnovaMonitor], a monitoring app for use with the spy tool. [http://innovaspy.com/ InnovaSPY website].<br />
<br />
=== Mobile Spy ===<br />
<br />
[http://www.mobile-spy.com/iphone-v7.html Mobile Spy] is a spying tool available to the public via their own repository, authored by Retina-X Studios. [http://www.mobile-spy.com/ Their website] says "View your Child or Employee's Smartphone and Tablet Usage. Monitor text messages, GPS locations, call details, photos and social media activity. View the screen and location LIVE!"<br />
<br />
=== MobiStealth ===<br />
<br />
[http://www.mobistealth.com/iphone-spy MobiStealth] is a spying tool available to the public for both [http://www.mobistealth.com/iphone-spy jailbroken iOS] (presumably installed via their own repository) and [http://www.mobistealth.com/ios-non-jailbreak non-jailbroken iOS] ("All that you require is the Apple ID and password of the iPhone or iPad that you want to monitor to get remote access to"). Their website includes "Are your employees misusing company owned phones? Are your kids getting more possessed and do not want to share anything with you? Stop wondering and thinking all day long, Mobistealth iPhone spy app is exactly what you need."<br />
<br />
=== mSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.mtechnology.mspy.trial/ mSpy] is a spying tool available to the public via the BigBoss repository (a default repository), authored by Mtechnology. Its description of itself: "mSpy is the best tracking and spy application that allows users to keep a check on the cell phone activities of their kids other family members or employees in order to avoid any unwanted behavior or for safety purposes."<br />
<br />
The mSpy website [http://www.mspy.com/compatibility.html indicates that they also have a version for non-jailbroken devices].<br />
<br />
=== OwnSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.ownspy.daemon/ OwnSpy] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Antonio Calatrava. It describes itself as "Spy your own iPhone or iPad", with call recording, location tracking, and other features. It has a warning that says "Installing OwnSpy on a device that does not belong to you is a criminal offense and may be prosecuted. Mobile Innovations will help authorities if required." [http://en.ownspy.com/P000001-install-on-ios OwnSpy website].<br />
<br />
=== Spy App ===<br />
<br />
[http://cydia.saurik.com/package/com.spyapp.daemon/ Spy App] is a spying tool available to the public via the ModMyi repository (a default repository), authored by dmarinov. Its description includes "Remotely spy SMS, Emails, Call Logs, GPS Location, Key presses (Keylogger)" and other features. It says it is "absolutely invisible and undetectable."<br />
<br />
=== SpyKey ===<br />
<br />
[http://cydia.saurik.com/package/com.kobisnir.spykey/ SpyKey] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Kobi Snir. Its description includes "a simple app that let you monitor your PC Keyboard activity in real time, Simply connect your iphone to your compute using your Wifi or 3G connection and start monitoring." The [http://www.ioslinks.com/spykey/ SpyKey website] includes "Great use for parental control purposes, protect your kids from chating with strangers!", "Discover usernames & passwords", and "Spy unfaithfull husband or wife."<br />
<br />
=== StealthGenie ===<br />
<br />
StealthGenie was a spying tool available to the public [http://blog.flexispy.com/remove-stealthgenie-iphone-android/ via their own repository]. It also supported other mobile operating systems. In November 2014, the person who advertised and sold this product was [http://www.justice.gov/opa/pr/man-pleads-guilty-selling-stealthgenie-spyware-app-and-ordered-pay-500000-fine charged with a federal crime and fined $500,000]. The charge was "sale of an interception device and advertisement of a known interception device", a wiretapping crime. [http://www.forbes.com/sites/kashmirhill/2014/09/30/stealthgenie-ugly-marketing-of-spyware/ A Forbes article] says "according to the FBI, Akbar and his team developed an internal business plan that revealed that — duh — the primary target audience for the app was people who thought their partners were cheating." The Forbes article points out [[#Mobile Spy]], [[#mSpy]], [[#FlexiSPY]], and [[#MobiStealth]] as similar products.<br />
<br />
=== Trapsms ===<br />
<br />
Trapsms was an early spying tool available to the public, [http://blog.fortinet.com/post/detecting-spyware-for-iphones described in this post by a security researcher in July 2009]. She says: "The spyware installs on any jailbroken iPhone. In Cydia (an iPhone front-end to help installing third-party applications), you first add the URL of the spyware's repository and then install the two spyware packages."<br />
<br />
[[Category:Malware research]]</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=Malware_for_iOS&diff=47613Malware for iOS2015-09-01T20:46:54Z<p>Britta: /* Tools for sale to the public */ adding more</p>
<hr />
<div>This is an '''incomplete''' list of known malware (including spyware, adware, trojans, viruses, worms, and similar tools) that have targeted iOS, including jailbroken iOS. The dates are approximate dates when people discovered, publicized, or started discussing the tool. '''Please help expand this article with more examples and details! To edit it, you can [[The iPhone Wiki:Account creation|request an account on TheiPhoneWiki]] if you don't have one.'''<br />
<br />
The goal of this list is to aid better understanding of the risks of using iOS and jailbroken iOS - it's helpful to have as much accurate information as you can. If you're concerned about avoiding malware on your jailbroken device, check out [https://www.reddit.com/r/jailbreak/wiki/howtoresearch this guide to making informed guesses about whether packages are reasonable to install].<br />
<br />
Some context: <br />
* Some of these tools targeted old iOS versions and do not work on current iOS versions.<br />
* Some of these are harmful and some are merely annoying.<br />
* Many of these require the device to be jailbroken, and some work on non-jailbroken devices.<br />
* Cydia is an open platform - it includes a specific set of default repositories, and it also allows users to type in any third-party repository that they want to use (much like a web browser that allows you to visit any website). Anyone can run a third-party repository and distribute any software they choose to distribute.<br />
* Some of these tools are built to target specific people instead of the general public.<br />
* Especially for malware that targets a specific person and requires the device to be jailbroken (such as commercial spyware tools used by governments and [http://www.forbes.com/sites/sarahjeong/2014/10/28/surveillance-begins-at-home/ people spying on family members]), it's important to consider that ''the vulnerabilities in iOS that allow it to be exploited with a jailbreak'' are part of what allows that malware to exist - the process may include finding a way to secretly jailbreak the target's device if it's not jailbroken already.<br />
<br />
For an earlier list of known malware, see [https://blog.fortinet.com/post/ios-malware-does-exist "iOS Malware Does Exist"] (June 2014).<br />
<br />
== Tools found in the wild ==<br />
<br />
=== iKee and Duh (November 2009) ===<br />
<br />
The [[Ikee-virus]] (also called Eeki) is a worm transmitted between jailbroken devices that have OpenSSH installed and haven't changed the default root password. It changes the lockscreen background to a photo of Rick Astley.<br />
<br />
Two weeks later, the similar [https://nakedsecurity.sophos.com/2009/11/23/lightning-strikes-iphone-malware-malicious/ Duh worm] spread, which was "much more serious than the original Ikee worm because it is not limited to infecting iPhone users in Australia, and communicates with an internet Control & Command centre, downloading new instructions - effectively turning your iPhone into part of a botnet."<br />
<br />
=== "Find and Call" (July 2012) ===<br />
<br />
Find and Call was an app on the App Store that automatically uploaded users' contact lists to the company's server, then spammed those contacts with a link to the app ("from" that user). This undisclosed, unwanted behavior makes the software fit the definition of a trojan. Articles: [https://securelist.com/blog/incidents/33544/find-and-call-leak-and-spam-57/ Kaspersky SecureList], [http://arstechnica.com/apple/2012/07/find-and-call-app-becomes-first-trojan-to-appear-on-ios-app-store/ Ars Technica], [https://nakedsecurity.sophos.com/2012/07/06/find-call-ios-android-malware/ Sophos NakedSecurity]. It is also called FindCall.<br />
<br />
=== FinSpy Mobile (August 2012) ===<br />
<br />
FinFisher is a suite of commercial surveillance tools sold to governments, which have been used to target activists and other people. The suite [https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/ includes spyware tools for many mobile operating systems, including iOS].<br />
<br />
=== Packages by Nobitazzz (August 2012 and September 2013) ===<br />
<br />
A tweak developer who went by various names (Felix, FelixCat, Martin Pham, Nitram88, Nobitazzz, Nobita.ZZZ, Sara_Nobita, isoftjsc, sara_nobita_zzz, tuyentq2009, vietSARA) included adware in his tweaks. These were many free packages along with some paid packages sold via the Cydia Store, mostly distributed by default repositories (until the problem was discovered). The adware ran ads in the background of iOS, displaying off-screen so that the user wouldn't notice them, with the revenue from those ads going to this tweak developer. This was [http://modmyi.com/forums/cydia-support/810633-new-adware-malware-found-cydia.html reported in August 2012 on the ModMyi forum] and [http://ryanhileman.info/posts/webgl analyzed in September 2013] ([https://www.reddit.com/r/jailbreak/comments/1n5702/anatomy_of_a_jailbreak_trojan/ discussion on Reddit]).<br />
<br />
Packages by this developer included: Animated ICS LockScreen & HomeScreen, BetterChrome, Chrome Download Enabler, ChromeMe, Enable Copy text in Facebook app, Enable WebGL, Facebook Photo Library integration, FacebookThis, Handwriting recognition, Insta9gag, InstaFacebook for NotificationCenter, Instagram Image saver, InstaSocial for Notification Center, InstaTwitter for NotificationCenter, iOS 6 Photos Menu, Make Gmail as default, Notification Lunar Calendar, Olympic 2012 Medal for Notification Center, PhotoFilters, Sara, Sara Dictation Keyboard, VoiceTweet.<br />
<br />
=== AdThief/Spad (March and August 2014) ===<br />
<br />
AdThief (also called Spad) is malware targeting jailbroken iOS devices, which "tweaks a developer ID that’s intended to tell ad developers when their ads are either viewed or clicked and in turn, generate revenue. In the malware’s case, infected devices funnel those small payments away from the developers to the hacker", as [https://threatpost.com/adthief-ios-malware-affecting-75k-jailbroken-devices/107907 explained by Kaspersky Threatpost]. Security researchers estimated it had infected 75,000 devices.<br />
<br />
=== Unflod (April 2014) ===<br />
<br />
[[Unflod]] is a malicious piece of software targeting jailbroken iOS devices, which attempts to capture the user's Apple ID and password by using MobileSubstrate to hook into the SSLWrite function of Security.framework and then listening to data passed to it. Once the Apple ID and password are captured, it is sent to a Chinese IP address. It was inadvertently discovered by a Reddit user on April 17th, 2014. Also called "Unflod Baby Panda" and "SSLCreds".<br />
<br />
=== Hacking Team tools (June 2014 and July 2015) ===<br />
<br />
[[Hacking Team]] is a company that "sells offensive intrusion and surveillance capabilities to governments and law enforcement agencies", including iOS spyware tools. The iOS spyware tools appear designed for targeting/attacking specific people, not for broad surveillance of the public. Their main tool (Remote Control System) requires a jailbroken device, and they were researching options for non-jailbroken devices.<br />
<br />
=== AppBuyer (September 2014) ===<br />
<br />
AppBuyer, as discussed in [http://researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/ this article by Palo Alto Networks], is "malware will connect to C&C server, download and execute malicious executable files, hook network APIs to steal user’s Apple ID and password and upload to the attacker’s server, and simulate Apple’s proprietary protocols to buy apps from the official App Store by victim’s identity." It targets jailbroken devices.<br />
<br />
=== WireLurker and Masque Attack (November 2014) ===<br />
<br />
As discussed at [[Misuse of enterprise and developer certificates]]: [http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/ according to Palo Alto Networks], WireLurker is "a family of malware targeting both Mac OS and iOS systems for the past six months...It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning."<br />
<br />
Masque Attacks are a related technique, also [https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html discussed by Palo Alto Networks]: "an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier."<br />
<br />
=== Xsser mRAT (December 2014) ===<br />
<br />
Xsser mRAT is a piece of malware that targets jailbroken devices. [https://blogs.akamai.com/2014/12/ios-and-android-os-targeted-by-man-in-the-middle-attacks.html As described by Akamai]: "The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server."<br />
<br />
=== XAgent (February 2015) ===<br />
<br />
XAgent is a surveillance tool targeting specific people (such as people in governments, the military, and journalists) that can affect both non-jailbroken and jailbroken devices, as described in [http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/ this article by Trend Micro]. Also [http://www.pcworld.com/article/2880152/new-spyware-targets-ios-devices-steals-pictures-and-data.html covered by PCWorld].<br />
<br />
=== Lock Saver Free (July 2015) ===<br />
<br />
Lock Saver Free is a free tweak, originally distributed on a default repository (removed from the repository after discovery of the problem), that installs an extra tweak that hooks into ad banners to insert its own ad identifier, presumably in order to give ad revenue to the author of the tweak instead of to the author of the website/app where the ad was found. [https://www.reddit.com/r/jailbreak/comments/3eis8g/news_lock_saver_free_contains_a_trojan_that/ Discussion on Reddit].<br />
<br />
=== KeyRaider (August 2015) ===<br />
<br />
KeyRaider, as discussed in [http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/ this article by Palo Alto Networks], is a piece of malware for jailbroken devices that "steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device." These security researchers said it has over 225,000 stolen accounts in its database.<br />
<br />
== Tools developed as part of research ==<br />
<br />
=== iSAM (June 2011) ===<br />
<br />
iSAM is a malware tool [http://link.springer.com/chapter/10.1007%2F978-3-642-21424-0_2 developed by security researchers] as a proof of concept. It affects both jailbroken and not-yet-jailbroken devices: it scans for jailbroken devices that have SSH running and the default root password, and it also includes a malicious version of the [[Star]] exploit (JailbreakMe 2.0) so it can jailbreak a device that isn't jailbroken yet.<br />
<br />
=== Instastock (November 2011) ===<br />
<br />
Charlie Miller, a security researcher, [http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/ submitted an app to the App Store called Instastock] to demonstrate "a flaw in Apple’s restrictions on code signing on iOS devices". The app was initially accepted and then pulled from the store.<br />
<br />
=== Mactans (July 2013) ===<br />
<br />
At the Black Hat 2013 conference, security researchers presented a tool called Mactans, a small device that looks like a charger but [http://www.zdnet.com/article/researchers-reveal-how-to-hack-an-iphone-in-60-seconds/ can insert malware if you plug an iOS device into it]. The iOS device does not have to be jailbroken.<br />
<br />
=== Jekyll (August 2013) ===<br />
<br />
At the USENIX Security Symposium in 2013, security researchers described a method for getting a malicious app approved for the App Store, [http://www.theguardian.com/technology/appsblog/2013/aug/19/ios-malware-apple-iphone-ipad-jekyll "created with remotely-exploitable vulnerabilities built in, masked by legitimate features to evade detection during the App Store approval process, but ready to be triggered once the app was installed on an iOS device."] They successfully got an app approved for the App Store with this method (which [http://arstechnica.com/security/2013/08/seemingly-benign-jekyll-app-passes-apple-review-then-becomes-evil/ "was only active for a few minutes following its launch in March, and during that time it wasn't installed by anyone not involved in the experiment"]).<br />
<br />
== Tools for sale to the public ==<br />
<br />
=== Copy9 ===<br />
<br />
[http://cydia.saurik.com/package/com.goldenspy.copy9/ Copy9] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Copy9. It describes itself as "will be installed on target iDevice to find out a thief, cheating spouses, monitor chidren/employees or simply backup data from your devices to our cloud server. This is the best spyware on the world in spying field." [http://copy9.com/ Copy9 website].<br />
<br />
=== FlexiSPY ===<br />
<br />
[http://www.flexispy.com/en/iphone-tracker-spy-on-iphone.htm FlexiSPY] is a spying tool available to the public presumably via their own repository (this isn't specified on their website, but it's specified that you need the device to be jailbroken). Their website says "If you have a committed relationship with your partner or are responsible for a child or employee YOU HAVE A RIGHT TO KNOW To protect your relationship, spy on their iPhone."<br />
<br />
=== iKeyGuard Key Logger ===<br />
<br />
[http://cydia.saurik.com/package/com.ikeyguard.ikg/ iKeyGuard Key Logger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by iKeyGuard. Its description includes "Warning: Logging other people without their permission might be illegal in your country! Make sure you abide by your local law."<br />
<br />
=== iKeyMonitor keylogger ===<br />
<br />
[http://cydia.saurik.com/package/com.aw.mobile.ikm/ iKeyMonitor keylogger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Awosoft Technology. [http://ikeymonitor.com/ Its website] includes "How to monitor your children's cell phone to discover the truth and protect them from potential dangers? Now with iKeyMonitor you can uncover the truth by secretly monitoring mobile phones and tablets such as iPhone/iPad/iPod and Android device."<br />
<br />
=== InnovaSPY ===<br />
<br />
[http://cydia.saurik.com/package/com.innovaspy.innovaspy/ InnovaSPY] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Innovaspy. Its description says "Perfect iPhone spy app" and lists reasons to use it as "Protect your child from cyber predators" and "Find out THE TRUE from cheating spouse?" Related package: [http://cydia.saurik.com/package/com.innovaspy.innovamonitor/ InnovaMonitor], a monitoring app for use with the spy tool. [http://innovaspy.com/ InnovaSPY website].<br />
<br />
=== Mobile Spy ===<br />
<br />
[http://www.mobile-spy.com/iphone-v7.html Mobile Spy] is a spying tool available to the public via their own repository, authored by Retina-X Studios. [http://www.mobile-spy.com/ Their website] says "View your Child or Employee's Smartphone and Tablet Usage. Monitor text messages, GPS locations, call details, photos and social media activity. View the screen and location LIVE!"<br />
<br />
=== MobiStealth ===<br />
<br />
[http://www.mobistealth.com/iphone-spy MobiStealth] is a spying tool available to the public for both [http://www.mobistealth.com/iphone-spy jailbroken iOS] (presumably installed via their own repository) and [http://www.mobistealth.com/ios-non-jailbreak non-jailbroken iOS] ("All that you require is the Apple ID and password of the iPhone or iPad that you want to monitor to get remote access to"). Their website includes "Are your employees misusing company owned phones? Are your kids getting more possessed and do not want to share anything with you? Stop wondering and thinking all day long, Mobistealth iPhone spy app is exactly what you need."<br />
<br />
=== mSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.mtechnology.mspy.trial/ mSpy] is a spying tool available to the public via the BigBoss repository (a default repository), authored by Mtechnology. Its description of itself: "mSpy is the best tracking and spy application that allows users to keep a check on the cell phone activities of their kids other family members or employees in order to avoid any unwanted behavior or for safety purposes."<br />
<br />
The mSpy website [http://www.mspy.com/compatibility.html indicates that they also have a version for non-jailbroken devices].<br />
<br />
=== OwnSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.ownspy.daemon/ OwnSpy] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Antonio Calatrava. It describes itself as "Spy your own iPhone or iPad", with call recording, location tracking, and other features. It has a warning that says "Installing OwnSpy on a device that does not belong to you is a criminal offense and may be prosecuted. Mobile Innovations will help authorities if required." [http://en.ownspy.com/P000001-install-on-ios OwnSpy website].<br />
<br />
=== Spy App ===<br />
<br />
[http://cydia.saurik.com/package/com.spyapp.daemon/ Spy App] is a spying tool available to the public via the ModMyi repository (a default repository), authored by dmarinov. Its description includes "Remotely spy SMS, Emails, Call Logs, GPS Location, Key presses (Keylogger)" and other features. It says it is "absolutely invisible and undetectable."<br />
<br />
=== SpyKey ===<br />
<br />
[http://cydia.saurik.com/package/com.kobisnir.spykey/ SpyKey] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Kobi Snir. Its description includes "a simple app that let you monitor your PC Keyboard activity in real time, Simply connect your iphone to your compute using your Wifi or 3G connection and start monitoring." The [http://www.ioslinks.com/spykey/ SpyKey website] includes "Great use for parental control purposes, protect your kids from chating with strangers!", "Discover usernames & passwords", and "Spy unfaithfull husband or wife."<br />
<br />
=== StealthGenie ===<br />
<br />
StealthGenie was a spying tool available to the public [http://blog.flexispy.com/remove-stealthgenie-iphone-android/ via their own repository]. It also supported other mobile operating systems. In November 2014, the person who advertised and sold this product was [http://www.justice.gov/opa/pr/man-pleads-guilty-selling-stealthgenie-spyware-app-and-ordered-pay-500000-fine charged with a federal crime and fined $500,000]. The charge was "sale of an interception device and advertisement of a known interception device", a wiretapping crime. [http://www.forbes.com/sites/kashmirhill/2014/09/30/stealthgenie-ugly-marketing-of-spyware/ A Forbes article] says "according to the FBI, Akbar and his team developed an internal business plan that revealed that — duh — the primary target audience for the app was people who thought their partners were cheating." The Forbes article points out [[#Mobile Spy]], [[#mSpy]], [[#FlexiSPY]], and [[#MobiStealth]] as similar products.<br />
<br />
=== Trapsms ===<br />
<br />
Trapsms was an early spying tool available to the public, [http://blog.fortinet.com/post/detecting-spyware-for-iphones described in this post by a security researcher in July 2009]. She says: "The spyware installs on any jailbroken iPhone. In Cydia (an iPhone front-end to help installing third-party applications), you first add the URL of the spyware's repository and then install the two spyware packages."<br />
<br />
[[Category:Malware research]]</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=Malware_for_iOS&diff=47611Malware for iOS2015-09-01T17:36:08Z<p>Britta: adding link</p>
<hr />
<div>This is an '''incomplete''' list of known malware (including spyware, adware, trojans, viruses, worms, and similar tools) that have targeted iOS, including jailbroken iOS. The dates are approximate dates when people discovered, publicized, or started discussing the tool. '''Please help expand this article with more examples and details! To edit it, you can [[The iPhone Wiki:Account creation|request an account on TheiPhoneWiki]] if you don't have one.'''<br />
<br />
The goal of this list is to aid better understanding of the risks of using iOS and jailbroken iOS - it's helpful to have as much accurate information as you can. If you're concerned about avoiding malware on your jailbroken device, check out [https://www.reddit.com/r/jailbreak/wiki/howtoresearch this guide to making informed guesses about whether packages are reasonable to install].<br />
<br />
Some context: <br />
* Some of these tools targeted old iOS versions and do not work on current iOS versions.<br />
* Some of these are harmful and some are merely annoying.<br />
* Many of these require the device to be jailbroken, and some work on non-jailbroken devices.<br />
* Cydia is an open platform - it includes a specific set of default repositories, and it also allows users to type in any third-party repository that they want to use (much like a web browser that allows you to visit any website). Anyone can run a third-party repository and distribute any software they choose to distribute.<br />
* Some of these tools are built to target specific people instead of the general public.<br />
* Especially for malware that targets a specific person and requires the device to be jailbroken (such as commercial spyware tools used by governments and [http://www.forbes.com/sites/sarahjeong/2014/10/28/surveillance-begins-at-home/ people spying on family members]), it's important to consider that ''the vulnerabilities in iOS that allow it to be exploited with a jailbreak'' are part of what allows that malware to exist - the process may include finding a way to secretly jailbreak the target's device if it's not jailbroken already.<br />
<br />
For an earlier list of known malware, see [https://blog.fortinet.com/post/ios-malware-does-exist "iOS Malware Does Exist"] (June 2014).<br />
<br />
== Tools found in the wild ==<br />
<br />
=== iKee and Duh (November 2009) ===<br />
<br />
The [[Ikee-virus]] (also called Eeki) is a worm transmitted between jailbroken devices that have OpenSSH installed and haven't changed the default root password. It changes the lockscreen background to a photo of Rick Astley.<br />
<br />
Two weeks later, the similar [https://nakedsecurity.sophos.com/2009/11/23/lightning-strikes-iphone-malware-malicious/ Duh worm] spread, which was "much more serious than the original Ikee worm because it is not limited to infecting iPhone users in Australia, and communicates with an internet Control & Command centre, downloading new instructions - effectively turning your iPhone into part of a botnet."<br />
<br />
=== "Find and Call" (July 2012) ===<br />
<br />
Find and Call was an app on the App Store that automatically uploaded users' contact lists to the company's server, then spammed those contacts with a link to the app ("from" that user). This undisclosed, unwanted behavior makes the software fit the definition of a trojan. Articles: [https://securelist.com/blog/incidents/33544/find-and-call-leak-and-spam-57/ Kaspersky SecureList], [http://arstechnica.com/apple/2012/07/find-and-call-app-becomes-first-trojan-to-appear-on-ios-app-store/ Ars Technica], [https://nakedsecurity.sophos.com/2012/07/06/find-call-ios-android-malware/ Sophos NakedSecurity]. It is also called FindCall.<br />
<br />
=== FinSpy Mobile (August 2012) ===<br />
<br />
FinFisher is a suite of commercial surveillance tools sold to governments, which have been used to target activists and other people. The suite [https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/ includes spyware tools for many mobile operating systems, including iOS].<br />
<br />
=== Packages by Nobitazzz (August 2012 and September 2013) ===<br />
<br />
A tweak developer who went by various names (Felix, FelixCat, Martin Pham, Nitram88, Nobitazzz, Nobita.ZZZ, Sara_Nobita, isoftjsc, sara_nobita_zzz, tuyentq2009, vietSARA) included adware in his tweaks. These were many free packages along with some paid packages sold via the Cydia Store, mostly distributed by default repositories (until the problem was discovered). The adware ran ads in the background of iOS, displaying off-screen so that the user wouldn't notice them, with the revenue from those ads going to this tweak developer. This was [http://modmyi.com/forums/cydia-support/810633-new-adware-malware-found-cydia.html reported in August 2012 on the ModMyi forum] and [http://ryanhileman.info/posts/webgl analyzed in September 2013] ([https://www.reddit.com/r/jailbreak/comments/1n5702/anatomy_of_a_jailbreak_trojan/ discussion on Reddit]).<br />
<br />
Packages by this developer included: Animated ICS LockScreen & HomeScreen, BetterChrome, Chrome Download Enabler, ChromeMe, Enable Copy text in Facebook app, Enable WebGL, Facebook Photo Library integration, FacebookThis, Handwriting recognition, Insta9gag, InstaFacebook for NotificationCenter, Instagram Image saver, InstaSocial for Notification Center, InstaTwitter for NotificationCenter, iOS 6 Photos Menu, Make Gmail as default, Notification Lunar Calendar, Olympic 2012 Medal for Notification Center, PhotoFilters, Sara, Sara Dictation Keyboard, VoiceTweet.<br />
<br />
=== AdThief/Spad (March and August 2014) ===<br />
<br />
AdThief (also called Spad) is malware targeting jailbroken iOS devices, which "tweaks a developer ID that’s intended to tell ad developers when their ads are either viewed or clicked and in turn, generate revenue. In the malware’s case, infected devices funnel those small payments away from the developers to the hacker", as [https://threatpost.com/adthief-ios-malware-affecting-75k-jailbroken-devices/107907 explained by Kaspersky Threatpost]. Security researchers estimated it had infected 75,000 devices.<br />
<br />
=== Unflod (April 2014) ===<br />
<br />
[[Unflod]] is a malicious piece of software targeting jailbroken iOS devices, which attempts to capture the user's Apple ID and password by using MobileSubstrate to hook into the SSLWrite function of Security.framework and then listening to data passed to it. Once the Apple ID and password are captured, it is sent to a Chinese IP address. It was inadvertently discovered by a Reddit user on April 17th, 2014. Also called "Unflod Baby Panda" and "SSLCreds".<br />
<br />
=== Hacking Team tools (June 2014 and July 2015) ===<br />
<br />
[[Hacking Team]] is a company that "sells offensive intrusion and surveillance capabilities to governments and law enforcement agencies", including iOS spyware tools. The iOS spyware tools appear designed for targeting/attacking specific people, not for broad surveillance of the public. Their main tool (Remote Control System) requires a jailbroken device, and they were researching options for non-jailbroken devices.<br />
<br />
=== AppBuyer (September 2014) ===<br />
<br />
AppBuyer, as discussed in [http://researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/ this article by Palo Alto Networks], is "malware will connect to C&C server, download and execute malicious executable files, hook network APIs to steal user’s Apple ID and password and upload to the attacker’s server, and simulate Apple’s proprietary protocols to buy apps from the official App Store by victim’s identity." It targets jailbroken devices.<br />
<br />
=== WireLurker and Masque Attack (November 2014) ===<br />
<br />
As discussed at [[Misuse of enterprise and developer certificates]]: [http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/ according to Palo Alto Networks], WireLurker is "a family of malware targeting both Mac OS and iOS systems for the past six months...It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning."<br />
<br />
Masque Attacks are a related technique, also [https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html discussed by Palo Alto Networks]: "an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier."<br />
<br />
=== Xsser mRAT (December 2014) ===<br />
<br />
Xsser mRAT is a piece of malware that targets jailbroken devices. [https://blogs.akamai.com/2014/12/ios-and-android-os-targeted-by-man-in-the-middle-attacks.html As described by Akamai]: "The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server."<br />
<br />
=== XAgent (February 2015) ===<br />
<br />
XAgent is a surveillance tool targeting specific people (such as people in governments, the military, and journalists) that can affect both non-jailbroken and jailbroken devices, as described in [http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/ this article by Trend Micro]. Also [http://www.pcworld.com/article/2880152/new-spyware-targets-ios-devices-steals-pictures-and-data.html covered by PCWorld].<br />
<br />
=== Lock Saver Free (July 2015) ===<br />
<br />
Lock Saver Free is a free tweak, originally distributed on a default repository (removed from the repository after discovery of the problem), that installs an extra tweak that hooks into ad banners to insert its own ad identifier, presumably in order to give ad revenue to the author of the tweak instead of to the author of the website/app where the ad was found. [https://www.reddit.com/r/jailbreak/comments/3eis8g/news_lock_saver_free_contains_a_trojan_that/ Discussion on Reddit].<br />
<br />
=== KeyRaider (August 2015) ===<br />
<br />
KeyRaider, as discussed in [http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/ this article by Palo Alto Networks], is a piece of malware for jailbroken devices that "steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device." These security researchers said it has over 225,000 stolen accounts in its database.<br />
<br />
== Tools developed as part of research ==<br />
<br />
=== iSAM (June 2011) ===<br />
<br />
iSAM is a malware tool [http://link.springer.com/chapter/10.1007%2F978-3-642-21424-0_2 developed by security researchers] as a proof of concept. It affects both jailbroken and not-yet-jailbroken devices: it scans for jailbroken devices that have SSH running and the default root password, and it also includes a malicious version of the [[Star]] exploit (JailbreakMe 2.0) so it can jailbreak a device that isn't jailbroken yet.<br />
<br />
=== Instastock (November 2011) ===<br />
<br />
Charlie Miller, a security researcher, [http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/ submitted an app to the App Store called Instastock] to demonstrate "a flaw in Apple’s restrictions on code signing on iOS devices". The app was initially accepted and then pulled from the store.<br />
<br />
=== Mactans (July 2013) ===<br />
<br />
At the Black Hat 2013 conference, security researchers presented a tool called Mactans, a small device that looks like a charger but [http://www.zdnet.com/article/researchers-reveal-how-to-hack-an-iphone-in-60-seconds/ can insert malware if you plug an iOS device into it]. The iOS device does not have to be jailbroken.<br />
<br />
=== Jekyll (August 2013) ===<br />
<br />
At the USENIX Security Symposium in 2013, security researchers described a method for getting a malicious app approved for the App Store, [http://www.theguardian.com/technology/appsblog/2013/aug/19/ios-malware-apple-iphone-ipad-jekyll "created with remotely-exploitable vulnerabilities built in, masked by legitimate features to evade detection during the App Store approval process, but ready to be triggered once the app was installed on an iOS device."] They successfully got an app approved for the App Store with this method (which [http://arstechnica.com/security/2013/08/seemingly-benign-jekyll-app-passes-apple-review-then-becomes-evil/ "was only active for a few minutes following its launch in March, and during that time it wasn't installed by anyone not involved in the experiment"]).<br />
<br />
== Tools for sale to the public ==<br />
<br />
=== Copy9 ===<br />
<br />
[http://cydia.saurik.com/package/com.goldenspy.copy9/ Copy9] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Copy9. It describes itself as "will be installed on target iDevice to find out a thief, cheating spouses, monitor chidren/employees or simply backup data from your devices to our cloud server. This is the best spyware on the world in spying field." [http://copy9.com/ Copy9 website].<br />
<br />
=== FlexiSPY ===<br />
<br />
[http://www.flexispy.com/en/iphone-tracker-spy-on-iphone.htm FlexiSPY] is a spying tool available to the public presumably via their own repository (this isn't specified on their website, but it's specified that you need the device to be jailbroken). Their website says "If you have a committed relationship with your partner or are responsible for a child or employee YOU HAVE A RIGHT TO KNOW To protect your relationship, spy on their iPhone."<br />
<br />
=== iKeyGuard Key Logger ===<br />
<br />
[http://cydia.saurik.com/package/com.ikeyguard.ikg/ iKeyGuard Key Logger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by iKeyGuard. Its description includes "Warning: Logging other people without their permission might be illegal in your country! Make sure you abide by your local law."<br />
<br />
=== iKeyMonitor keylogger ===<br />
<br />
[http://cydia.saurik.com/package/com.aw.mobile.ikm/ iKeyMonitor keylogger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Awosoft Technology. [http://ikeymonitor.com/ Its website] includes "How to monitor your children's cell phone to discover the truth and protect them from potential dangers? Now with iKeyMonitor you can uncover the truth by secretly monitoring mobile phones and tablets such as iPhone/iPad/iPod and Android device."<br />
<br />
=== InnovaSPY ===<br />
<br />
[http://cydia.saurik.com/package/com.innovaspy.innovaspy/ InnovaSPY] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Innovaspy. Its description says "Perfect iPhone spy app" and lists reasons to use it as "Protect your child from cyber predators" and "Find out THE TRUE from cheating spouse?" Related package: [http://cydia.saurik.com/package/com.innovaspy.innovamonitor/ InnovaMonitor], a monitoring app for use with the spy tool. [http://innovaspy.com/ InnovaSPY website].<br />
<br />
=== Mobile Spy ===<br />
<br />
[http://www.mobile-spy.com/iphone-v7.html Mobile Spy] is a spying tool available to the public via their own repository, authored by Retina-X Studios. [http://www.mobile-spy.com/ Their website] says "View your Child or Employee's Smartphone and Tablet Usage. Monitor text messages, GPS locations, call details, photos and social media activity. View the screen and location LIVE!"<br />
<br />
=== mSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.mtechnology.mspy.trial/ mSpy] is a spying tool available to the public via the BigBoss repository (a default repository), authored by Mtechnology. Its description of itself: "mSpy is the best tracking and spy application that allows users to keep a check on the cell phone activities of their kids other family members or employees in order to avoid any unwanted behavior or for safety purposes."<br />
<br />
The mSpy website [http://www.mspy.com/compatibility.html indicates that they also have a version for non-jailbroken devices].<br />
<br />
=== OwnSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.ownspy.daemon/ OwnSpy] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Antonio Calatrava. It describes itself as "Spy your own iPhone or iPad", with call recording, location tracking, and other features. It has a warning that says "Installing OwnSpy on a device that does not belong to you is a criminal offense and may be prosecuted. Mobile Innovations will help authorities if required." [http://en.ownspy.com/P000001-install-on-ios OwnSpy website].<br />
<br />
=== Spy App ===<br />
<br />
[http://cydia.saurik.com/package/com.spyapp.daemon/ Spy App] is a spying tool available to the public via the ModMyi repository (a default repository), authored by dmarinov. Its description includes "Remotely spy SMS, Emails, Call Logs, GPS Location, Key presses (Keylogger)" and other features. It says it is "absolutely invisible and undetectable."<br />
<br />
=== SpyKey ===<br />
<br />
[http://cydia.saurik.com/package/com.kobisnir.spykey/ SpyKey] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Kobi Snir. Its description includes "a simple app that let you monitor your PC Keyboard activity in real time, Simply connect your iphone to your compute using your Wifi or 3G connection and start monitoring." The [http://www.ioslinks.com/spykey/ SpyKey website] includes "Great use for parental control purposes, protect your kids from chating with strangers!", "Discover usernames & passwords", and "Spy unfaithfull husband or wife."<br />
<br />
=== Trapsms ===<br />
<br />
Trapsms was an early spying tool available to the public, [http://blog.fortinet.com/post/detecting-spyware-for-iphones described in this post by a security researcher in July 2009]. She says: "The spyware installs on any jailbroken iPhone. In Cydia (an iPhone front-end to help installing third-party applications), you first add the URL of the spyware's repository and then install the two spyware packages."<br />
<br />
[[Category:Malware research]]</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=Malware_for_iOS&diff=47610Malware for iOS2015-09-01T16:12:09Z<p>Britta: /* Tools for sale to the public */ adding another</p>
<hr />
<div>This is an '''incomplete''' list of known malware (including spyware, adware, trojans, viruses, worms, and similar tools) that have targeted iOS, including jailbroken iOS. The dates are approximate dates when people discovered, publicized, or started discussing the tool. '''Please help expand this article with more examples and details! To edit it, you can [[The iPhone Wiki:Account creation|request an account on TheiPhoneWiki]] if you don't have one.'''<br />
<br />
The goal of this list is to aid better understanding of the risks of using iOS and jailbroken iOS - it's helpful to have as much accurate information as you can. If you're concerned about avoiding malware on your jailbroken device, check out [https://www.reddit.com/r/jailbreak/wiki/howtoresearch this guide to making informed guesses about whether packages are reasonable to install].<br />
<br />
Some context: <br />
* Some of these tools targeted old iOS versions and do not work on current iOS versions.<br />
* Some of these are harmful and some are merely annoying.<br />
* Many of these require the device to be jailbroken, and some work on non-jailbroken devices.<br />
* Cydia is an open platform - it includes a specific set of default repositories, and it also allows users to type in any third-party repository that they want to use (much like a web browser that allows you to visit any website). Anyone can run a third-party repository and distribute any software they choose to distribute.<br />
* Some of these tools are built to target specific people instead of the general public.<br />
* Especially for malware that targets a specific person and requires the device to be jailbroken (such as commercial spyware tools used by governments and people spying on family members), it's important to consider that ''the vulnerabilities in iOS that allow it to be exploited with a jailbreak'' are part of what allows that malware to exist - the process may include finding a way to secretly jailbreak the target's device if it's not jailbroken already.<br />
<br />
For an earlier list of known malware, see [https://blog.fortinet.com/post/ios-malware-does-exist "iOS Malware Does Exist"] (June 2014).<br />
<br />
== Tools found in the wild ==<br />
<br />
=== iKee and Duh (November 2009) ===<br />
<br />
The [[Ikee-virus]] (also called Eeki) is a worm transmitted between jailbroken devices that have OpenSSH installed and haven't changed the default root password. It changes the lockscreen background to a photo of Rick Astley.<br />
<br />
Two weeks later, the similar [https://nakedsecurity.sophos.com/2009/11/23/lightning-strikes-iphone-malware-malicious/ Duh worm] spread, which was "much more serious than the original Ikee worm because it is not limited to infecting iPhone users in Australia, and communicates with an internet Control & Command centre, downloading new instructions - effectively turning your iPhone into part of a botnet."<br />
<br />
=== "Find and Call" (July 2012) ===<br />
<br />
Find and Call was an app on the App Store that automatically uploaded users' contact lists to the company's server, then spammed those contacts with a link to the app ("from" that user). This undisclosed, unwanted behavior makes the software fit the definition of a trojan. Articles: [https://securelist.com/blog/incidents/33544/find-and-call-leak-and-spam-57/ Kaspersky SecureList], [http://arstechnica.com/apple/2012/07/find-and-call-app-becomes-first-trojan-to-appear-on-ios-app-store/ Ars Technica], [https://nakedsecurity.sophos.com/2012/07/06/find-call-ios-android-malware/ Sophos NakedSecurity]. It is also called FindCall.<br />
<br />
=== FinSpy Mobile (August 2012) ===<br />
<br />
FinFisher is a suite of commercial surveillance tools sold to governments, which have been used to target activists and other people. The suite [https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/ includes spyware tools for many mobile operating systems, including iOS].<br />
<br />
=== Packages by Nobitazzz (August 2012 and September 2013) ===<br />
<br />
A tweak developer who went by various names (Felix, FelixCat, Martin Pham, Nitram88, Nobitazzz, Nobita.ZZZ, Sara_Nobita, isoftjsc, sara_nobita_zzz, tuyentq2009, vietSARA) included adware in his tweaks. These were many free packages along with some paid packages sold via the Cydia Store, mostly distributed by default repositories (until the problem was discovered). The adware ran ads in the background of iOS, displaying off-screen so that the user wouldn't notice them, with the revenue from those ads going to this tweak developer. This was [http://modmyi.com/forums/cydia-support/810633-new-adware-malware-found-cydia.html reported in August 2012 on the ModMyi forum] and [http://ryanhileman.info/posts/webgl analyzed in September 2013] ([https://www.reddit.com/r/jailbreak/comments/1n5702/anatomy_of_a_jailbreak_trojan/ discussion on Reddit]).<br />
<br />
Packages by this developer included: Animated ICS LockScreen & HomeScreen, BetterChrome, Chrome Download Enabler, ChromeMe, Enable Copy text in Facebook app, Enable WebGL, Facebook Photo Library integration, FacebookThis, Handwriting recognition, Insta9gag, InstaFacebook for NotificationCenter, Instagram Image saver, InstaSocial for Notification Center, InstaTwitter for NotificationCenter, iOS 6 Photos Menu, Make Gmail as default, Notification Lunar Calendar, Olympic 2012 Medal for Notification Center, PhotoFilters, Sara, Sara Dictation Keyboard, VoiceTweet.<br />
<br />
=== AdThief/Spad (March and August 2014) ===<br />
<br />
AdThief (also called Spad) is malware targeting jailbroken iOS devices, which "tweaks a developer ID that’s intended to tell ad developers when their ads are either viewed or clicked and in turn, generate revenue. In the malware’s case, infected devices funnel those small payments away from the developers to the hacker", as [https://threatpost.com/adthief-ios-malware-affecting-75k-jailbroken-devices/107907 explained by Kaspersky Threatpost]. Security researchers estimated it had infected 75,000 devices.<br />
<br />
=== Unflod (April 2014) ===<br />
<br />
[[Unflod]] is a malicious piece of software targeting jailbroken iOS devices, which attempts to capture the user's Apple ID and password by using MobileSubstrate to hook into the SSLWrite function of Security.framework and then listening to data passed to it. Once the Apple ID and password are captured, it is sent to a Chinese IP address. It was inadvertently discovered by a Reddit user on April 17th, 2014. Also called "Unflod Baby Panda" and "SSLCreds".<br />
<br />
=== Hacking Team tools (June 2014 and July 2015) ===<br />
<br />
[[Hacking Team]] is a company that "sells offensive intrusion and surveillance capabilities to governments and law enforcement agencies", including iOS spyware tools. The iOS spyware tools appear designed for targeting/attacking specific people, not for broad surveillance of the public. Their main tool (Remote Control System) requires a jailbroken device, and they were researching options for non-jailbroken devices.<br />
<br />
=== AppBuyer (September 2014) ===<br />
<br />
AppBuyer, as discussed in [http://researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/ this article by Palo Alto Networks], is "malware will connect to C&C server, download and execute malicious executable files, hook network APIs to steal user’s Apple ID and password and upload to the attacker’s server, and simulate Apple’s proprietary protocols to buy apps from the official App Store by victim’s identity." It targets jailbroken devices.<br />
<br />
=== WireLurker and Masque Attack (November 2014) ===<br />
<br />
As discussed at [[Misuse of enterprise and developer certificates]]: [http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/ according to Palo Alto Networks], WireLurker is "a family of malware targeting both Mac OS and iOS systems for the past six months...It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning."<br />
<br />
Masque Attacks are a related technique, also [https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html discussed by Palo Alto Networks]: "an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier."<br />
<br />
=== Xsser mRAT (December 2014) ===<br />
<br />
Xsser mRAT is a piece of malware that targets jailbroken devices. [https://blogs.akamai.com/2014/12/ios-and-android-os-targeted-by-man-in-the-middle-attacks.html As described by Akamai]: "The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server."<br />
<br />
=== XAgent (February 2015) ===<br />
<br />
XAgent is a surveillance tool targeting specific people (such as people in governments, the military, and journalists) that can affect both non-jailbroken and jailbroken devices, as described in [http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/ this article by Trend Micro]. Also [http://www.pcworld.com/article/2880152/new-spyware-targets-ios-devices-steals-pictures-and-data.html covered by PCWorld].<br />
<br />
=== Lock Saver Free (July 2015) ===<br />
<br />
Lock Saver Free is a free tweak, originally distributed on a default repository (removed from the repository after discovery of the problem), that installs an extra tweak that hooks into ad banners to insert its own ad identifier, presumably in order to give ad revenue to the author of the tweak instead of to the author of the website/app where the ad was found. [https://www.reddit.com/r/jailbreak/comments/3eis8g/news_lock_saver_free_contains_a_trojan_that/ Discussion on Reddit].<br />
<br />
=== KeyRaider (August 2015) ===<br />
<br />
KeyRaider, as discussed in [http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/ this article by Palo Alto Networks], is a piece of malware for jailbroken devices that "steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device." These security researchers said it has over 225,000 stolen accounts in its database.<br />
<br />
== Tools developed as part of research ==<br />
<br />
=== iSAM (June 2011) ===<br />
<br />
iSAM is a malware tool [http://link.springer.com/chapter/10.1007%2F978-3-642-21424-0_2 developed by security researchers] as a proof of concept. It affects both jailbroken and not-yet-jailbroken devices: it scans for jailbroken devices that have SSH running and the default root password, and it also includes a malicious version of the [[Star]] exploit (JailbreakMe 2.0) so it can jailbreak a device that isn't jailbroken yet.<br />
<br />
=== Instastock (November 2011) ===<br />
<br />
Charlie Miller, a security researcher, [http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/ submitted an app to the App Store called Instastock] to demonstrate "a flaw in Apple’s restrictions on code signing on iOS devices". The app was initially accepted and then pulled from the store.<br />
<br />
=== Mactans (July 2013) ===<br />
<br />
At the Black Hat 2013 conference, security researchers presented a tool called Mactans, a small device that looks like a charger but [http://www.zdnet.com/article/researchers-reveal-how-to-hack-an-iphone-in-60-seconds/ can insert malware if you plug an iOS device into it]. The iOS device does not have to be jailbroken.<br />
<br />
=== Jekyll (August 2013) ===<br />
<br />
At the USENIX Security Symposium in 2013, security researchers described a method for getting a malicious app approved for the App Store, [http://www.theguardian.com/technology/appsblog/2013/aug/19/ios-malware-apple-iphone-ipad-jekyll "created with remotely-exploitable vulnerabilities built in, masked by legitimate features to evade detection during the App Store approval process, but ready to be triggered once the app was installed on an iOS device."] They successfully got an app approved for the App Store with this method (which [http://arstechnica.com/security/2013/08/seemingly-benign-jekyll-app-passes-apple-review-then-becomes-evil/ "was only active for a few minutes following its launch in March, and during that time it wasn't installed by anyone not involved in the experiment"]).<br />
<br />
== Tools for sale to the public ==<br />
<br />
=== Copy9 ===<br />
<br />
[http://cydia.saurik.com/package/com.goldenspy.copy9/ Copy9] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Copy9. It describes itself as "will be installed on target iDevice to find out a thief, cheating spouses, monitor chidren/employees or simply backup data from your devices to our cloud server. This is the best spyware on the world in spying field." [http://copy9.com/ Copy9 website].<br />
<br />
=== FlexiSPY ===<br />
<br />
[http://www.flexispy.com/en/iphone-tracker-spy-on-iphone.htm FlexiSPY] is a spying tool available to the public presumably via their own repository (this isn't specified on their website, but it's specified that you need the device to be jailbroken). Their website says "If you have a committed relationship with your partner or are responsible for a child or employee YOU HAVE A RIGHT TO KNOW To protect your relationship, spy on their iPhone."<br />
<br />
=== iKeyGuard Key Logger ===<br />
<br />
[http://cydia.saurik.com/package/com.ikeyguard.ikg/ iKeyGuard Key Logger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by iKeyGuard. Its description includes "Warning: Logging other people without their permission might be illegal in your country! Make sure you abide by your local law."<br />
<br />
=== iKeyMonitor keylogger ===<br />
<br />
[http://cydia.saurik.com/package/com.aw.mobile.ikm/ iKeyMonitor keylogger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Awosoft Technology. [http://ikeymonitor.com/ Its website] includes "How to monitor your children's cell phone to discover the truth and protect them from potential dangers? Now with iKeyMonitor you can uncover the truth by secretly monitoring mobile phones and tablets such as iPhone/iPad/iPod and Android device."<br />
<br />
=== InnovaSPY ===<br />
<br />
[http://cydia.saurik.com/package/com.innovaspy.innovaspy/ InnovaSPY] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Innovaspy. Its description says "Perfect iPhone spy app" and lists reasons to use it as "Protect your child from cyber predators" and "Find out THE TRUE from cheating spouse?" Related package: [http://cydia.saurik.com/package/com.innovaspy.innovamonitor/ InnovaMonitor], a monitoring app for use with the spy tool. [http://innovaspy.com/ InnovaSPY website].<br />
<br />
=== Mobile Spy ===<br />
<br />
[http://www.mobile-spy.com/iphone-v7.html Mobile Spy] is a spying tool available to the public via their own repository, authored by Retina-X Studios. [http://www.mobile-spy.com/ Their website] says "View your Child or Employee's Smartphone and Tablet Usage. Monitor text messages, GPS locations, call details, photos and social media activity. View the screen and location LIVE!"<br />
<br />
=== mSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.mtechnology.mspy.trial/ mSpy] is a spying tool available to the public via the BigBoss repository (a default repository), authored by Mtechnology. Its description of itself: "mSpy is the best tracking and spy application that allows users to keep a check on the cell phone activities of their kids other family members or employees in order to avoid any unwanted behavior or for safety purposes."<br />
<br />
The mSpy website [http://www.mspy.com/compatibility.html indicates that they also have a version for non-jailbroken devices].<br />
<br />
=== OwnSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.ownspy.daemon/ OwnSpy] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Antonio Calatrava. It describes itself as "Spy your own iPhone or iPad", with call recording, location tracking, and other features. It has a warning that says "Installing OwnSpy on a device that does not belong to you is a criminal offense and may be prosecuted. Mobile Innovations will help authorities if required." [http://en.ownspy.com/P000001-install-on-ios OwnSpy website].<br />
<br />
=== Spy App ===<br />
<br />
[http://cydia.saurik.com/package/com.spyapp.daemon/ Spy App] is a spying tool available to the public via the ModMyi repository (a default repository), authored by dmarinov. Its description includes "Remotely spy SMS, Emails, Call Logs, GPS Location, Key presses (Keylogger)" and other features. It says it is "absolutely invisible and undetectable."<br />
<br />
=== SpyKey ===<br />
<br />
[http://cydia.saurik.com/package/com.kobisnir.spykey/ SpyKey] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Kobi Snir. Its description includes "a simple app that let you monitor your PC Keyboard activity in real time, Simply connect your iphone to your compute using your Wifi or 3G connection and start monitoring." The [http://www.ioslinks.com/spykey/ SpyKey website] includes "Great use for parental control purposes, protect your kids from chating with strangers!", "Discover usernames & passwords", and "Spy unfaithfull husband or wife."<br />
<br />
=== Trapsms ===<br />
<br />
Trapsms was an early spying tool available to the public, [http://blog.fortinet.com/post/detecting-spyware-for-iphones described in this post by a security researcher in July 2009]. She says: "The spyware installs on any jailbroken iPhone. In Cydia (an iPhone front-end to help installing third-party applications), you first add the URL of the spyware's repository and then install the two spyware packages."<br />
<br />
[[Category:Malware research]]</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=Malware_for_iOS&diff=47609Malware for iOS2015-09-01T14:11:03Z<p>Britta: copyedit</p>
<hr />
<div>This is an '''incomplete''' list of known malware (including spyware, adware, trojans, viruses, worms, and similar tools) that have targeted iOS, including jailbroken iOS. The dates are approximate dates when people discovered, publicized, or started discussing the tool. '''Please help expand this article with more examples and details! To edit it, you can [[The iPhone Wiki:Account creation|request an account on TheiPhoneWiki]] if you don't have one.'''<br />
<br />
The goal of this list is to aid better understanding of the risks of using iOS and jailbroken iOS - it's helpful to have as much accurate information as you can. If you're concerned about avoiding malware on your jailbroken device, check out [https://www.reddit.com/r/jailbreak/wiki/howtoresearch this guide to making informed guesses about whether packages are reasonable to install].<br />
<br />
Some context: <br />
* Some of these tools targeted old iOS versions and do not work on current iOS versions.<br />
* Some of these are harmful and some are merely annoying.<br />
* Many of these require the device to be jailbroken, and some work on non-jailbroken devices.<br />
* Cydia is an open platform - it includes a specific set of default repositories, and it also allows users to type in any third-party repository that they want to use (much like a web browser that allows you to visit any website). Anyone can run a third-party repository and distribute any software they choose to distribute.<br />
* Some of these tools are built to target specific people instead of the general public.<br />
* Especially for malware that targets a specific person and requires the device to be jailbroken (such as commercial spyware tools used by governments and people spying on family members), it's important to consider that ''the vulnerabilities in iOS that allow it to be exploited with a jailbreak'' are part of what allows that malware to exist - the process may include finding a way to secretly jailbreak the target's device if it's not jailbroken already.<br />
<br />
For an earlier list of known malware, see [https://blog.fortinet.com/post/ios-malware-does-exist "iOS Malware Does Exist"] (June 2014).<br />
<br />
== Tools found in the wild ==<br />
<br />
=== iKee and Duh (November 2009) ===<br />
<br />
The [[Ikee-virus]] (also called Eeki) is a worm transmitted between jailbroken devices that have OpenSSH installed and haven't changed the default root password. It changes the lockscreen background to a photo of Rick Astley.<br />
<br />
Two weeks later, the similar [https://nakedsecurity.sophos.com/2009/11/23/lightning-strikes-iphone-malware-malicious/ Duh worm] spread, which was "much more serious than the original Ikee worm because it is not limited to infecting iPhone users in Australia, and communicates with an internet Control & Command centre, downloading new instructions - effectively turning your iPhone into part of a botnet."<br />
<br />
=== "Find and Call" (July 2012) ===<br />
<br />
Find and Call was an app on the App Store that automatically uploaded users' contact lists to the company's server, then spammed those contacts with a link to the app ("from" that user). This undisclosed, unwanted behavior makes the software fit the definition of a trojan. Articles: [https://securelist.com/blog/incidents/33544/find-and-call-leak-and-spam-57/ Kaspersky SecureList], [http://arstechnica.com/apple/2012/07/find-and-call-app-becomes-first-trojan-to-appear-on-ios-app-store/ Ars Technica], [https://nakedsecurity.sophos.com/2012/07/06/find-call-ios-android-malware/ Sophos NakedSecurity]. It is also called FindCall.<br />
<br />
=== FinSpy Mobile (August 2012) ===<br />
<br />
FinFisher is a suite of commercial surveillance tools sold to governments, which have been used to target activists and other people. The suite [https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/ includes spyware tools for many mobile operating systems, including iOS].<br />
<br />
=== Packages by Nobitazzz (August 2012 and September 2013) ===<br />
<br />
A tweak developer who went by various names (Felix, FelixCat, Martin Pham, Nitram88, Nobitazzz, Nobita.ZZZ, Sara_Nobita, isoftjsc, sara_nobita_zzz, tuyentq2009, vietSARA) included adware in his tweaks. These were many free packages along with some paid packages sold via the Cydia Store, mostly distributed by default repositories (until the problem was discovered). The adware ran ads in the background of iOS, displaying off-screen so that the user wouldn't notice them, with the revenue from those ads going to this tweak developer. This was [http://modmyi.com/forums/cydia-support/810633-new-adware-malware-found-cydia.html reported in August 2012 on the ModMyi forum] and [http://ryanhileman.info/posts/webgl analyzed in September 2013] ([https://www.reddit.com/r/jailbreak/comments/1n5702/anatomy_of_a_jailbreak_trojan/ discussion on Reddit]).<br />
<br />
Packages by this developer included: Animated ICS LockScreen & HomeScreen, BetterChrome, Chrome Download Enabler, ChromeMe, Enable Copy text in Facebook app, Enable WebGL, Facebook Photo Library integration, FacebookThis, Handwriting recognition, Insta9gag, InstaFacebook for NotificationCenter, Instagram Image saver, InstaSocial for Notification Center, InstaTwitter for NotificationCenter, iOS 6 Photos Menu, Make Gmail as default, Notification Lunar Calendar, Olympic 2012 Medal for Notification Center, PhotoFilters, Sara, Sara Dictation Keyboard, VoiceTweet.<br />
<br />
=== AdThief/Spad (March and August 2014) ===<br />
<br />
AdThief (also called Spad) is malware targeting jailbroken iOS devices, which "tweaks a developer ID that’s intended to tell ad developers when their ads are either viewed or clicked and in turn, generate revenue. In the malware’s case, infected devices funnel those small payments away from the developers to the hacker", as [https://threatpost.com/adthief-ios-malware-affecting-75k-jailbroken-devices/107907 explained by Kaspersky Threatpost]. Security researchers estimated it had infected 75,000 devices.<br />
<br />
=== Unflod (April 2014) ===<br />
<br />
[[Unflod]] is a malicious piece of software targeting jailbroken iOS devices, which attempts to capture the user's Apple ID and password by using MobileSubstrate to hook into the SSLWrite function of Security.framework and then listening to data passed to it. Once the Apple ID and password are captured, it is sent to a Chinese IP address. It was inadvertently discovered by a Reddit user on April 17th, 2014. Also called "Unflod Baby Panda" and "SSLCreds".<br />
<br />
=== Hacking Team tools (June 2014 and July 2015) ===<br />
<br />
[[Hacking Team]] is a company that "sells offensive intrusion and surveillance capabilities to governments and law enforcement agencies", including iOS spyware tools. The iOS spyware tools appear designed for targeting/attacking specific people, not for broad surveillance of the public. Their main tool (Remote Control System) requires a jailbroken device, and they were researching options for non-jailbroken devices.<br />
<br />
=== AppBuyer (September 2014) ===<br />
<br />
AppBuyer, as discussed in [http://researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/ this article by Palo Alto Networks], is "malware will connect to C&C server, download and execute malicious executable files, hook network APIs to steal user’s Apple ID and password and upload to the attacker’s server, and simulate Apple’s proprietary protocols to buy apps from the official App Store by victim’s identity." It targets jailbroken devices.<br />
<br />
=== WireLurker and Masque Attack (November 2014) ===<br />
<br />
As discussed at [[Misuse of enterprise and developer certificates]]: [http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/ according to Palo Alto Networks], WireLurker is "a family of malware targeting both Mac OS and iOS systems for the past six months...It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning."<br />
<br />
Masque Attacks are a related technique, also [https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html discussed by Palo Alto Networks]: "an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier."<br />
<br />
=== Xsser mRAT (December 2014) ===<br />
<br />
Xsser mRAT is a piece of malware that targets jailbroken devices. [https://blogs.akamai.com/2014/12/ios-and-android-os-targeted-by-man-in-the-middle-attacks.html As described by Akamai]: "The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server."<br />
<br />
=== XAgent (February 2015) ===<br />
<br />
XAgent is a surveillance tool targeting specific people (such as people in governments, the military, and journalists) that can affect both non-jailbroken and jailbroken devices, as described in [http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/ this article by Trend Micro]. Also [http://www.pcworld.com/article/2880152/new-spyware-targets-ios-devices-steals-pictures-and-data.html covered by PCWorld].<br />
<br />
=== Lock Saver Free (July 2015) ===<br />
<br />
Lock Saver Free is a free tweak, originally distributed on a default repository (removed from the repository after discovery of the problem), that installs an extra tweak that hooks into ad banners to insert its own ad identifier, presumably in order to give ad revenue to the author of the tweak instead of to the author of the website/app where the ad was found. [https://www.reddit.com/r/jailbreak/comments/3eis8g/news_lock_saver_free_contains_a_trojan_that/ Discussion on Reddit].<br />
<br />
=== KeyRaider (August 2015) ===<br />
<br />
KeyRaider, as discussed in [http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/ this article by Palo Alto Networks], is a piece of malware for jailbroken devices that "steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device." These security researchers said it has over 225,000 stolen accounts in its database.<br />
<br />
== Tools developed as part of research ==<br />
<br />
=== iSAM (June 2011) ===<br />
<br />
iSAM is a malware tool [http://link.springer.com/chapter/10.1007%2F978-3-642-21424-0_2 developed by security researchers] as a proof of concept. It affects both jailbroken and not-yet-jailbroken devices: it scans for jailbroken devices that have SSH running and the default root password, and it also includes a malicious version of the [[Star]] exploit (JailbreakMe 2.0) so it can jailbreak a device that isn't jailbroken yet.<br />
<br />
=== Instastock (November 2011) ===<br />
<br />
Charlie Miller, a security researcher, [http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/ submitted an app to the App Store called Instastock] to demonstrate "a flaw in Apple’s restrictions on code signing on iOS devices". The app was initially accepted and then pulled from the store.<br />
<br />
=== Mactans (July 2013) ===<br />
<br />
At the Black Hat 2013 conference, security researchers presented a tool called Mactans, a small device that looks like a charger but [http://www.zdnet.com/article/researchers-reveal-how-to-hack-an-iphone-in-60-seconds/ can insert malware if you plug an iOS device into it]. The iOS device does not have to be jailbroken.<br />
<br />
=== Jekyll (August 2013) ===<br />
<br />
At the USENIX Security Symposium in 2013, security researchers described a method for getting a malicious app approved for the App Store, [http://www.theguardian.com/technology/appsblog/2013/aug/19/ios-malware-apple-iphone-ipad-jekyll "created with remotely-exploitable vulnerabilities built in, masked by legitimate features to evade detection during the App Store approval process, but ready to be triggered once the app was installed on an iOS device."] They successfully got an app approved for the App Store with this method (which [http://arstechnica.com/security/2013/08/seemingly-benign-jekyll-app-passes-apple-review-then-becomes-evil/ "was only active for a few minutes following its launch in March, and during that time it wasn't installed by anyone not involved in the experiment"]).<br />
<br />
== Tools for sale to the public ==<br />
<br />
=== Copy9 ===<br />
<br />
[http://cydia.saurik.com/package/com.goldenspy.copy9/ Copy9] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Copy9. It describes itself as "will be installed on target iDevice to find out a thief, cheating spouses, monitor chidren/employees or simply backup data from your devices to our cloud server. This is the best spyware on the world in spying field." [http://copy9.com/ Copy9 website].<br />
<br />
=== FlexiSPY ===<br />
<br />
[http://www.flexispy.com/en/iphone-tracker-spy-on-iphone.htm FlexiSPY] is a spying tool available to the public presumably via their own repository (this isn't specified on their website, but it's specified that you need the device to be jailbroken). Their website says "If you have a committed relationship with your partner or are responsible for a child or employee YOU HAVE A RIGHT TO KNOW To protect your relationship, spy on their iPhone."<br />
<br />
=== iKeyGuard Key Logger ===<br />
<br />
[http://cydia.saurik.com/package/com.ikeyguard.ikg/ iKeyGuard Key Logger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by iKeyGuard. Its description includes "Warning: Logging other people without their permission might be illegal in your country! Make sure you abide by your local law."<br />
<br />
=== InnovaSPY ===<br />
<br />
[http://cydia.saurik.com/package/com.innovaspy.innovaspy/ InnovaSPY] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Innovaspy. Its description says "Perfect iPhone spy app" and lists reasons to use it as "Protect your child from cyber predators" and "Find out THE TRUE from cheating spouse?" Related package: [http://cydia.saurik.com/package/com.innovaspy.innovamonitor/ InnovaMonitor], a monitoring app for use with the spy tool. [http://innovaspy.com/ InnovaSPY website].<br />
<br />
=== Mobile Spy ===<br />
<br />
[http://www.mobile-spy.com/iphone-v7.html Mobile Spy] is a spying tool available to the public via their own repository, authored by Retina-X Studios. [http://www.mobile-spy.com/ Their website] says "View your Child or Employee's Smartphone and Tablet Usage. Monitor text messages, GPS locations, call details, photos and social media activity. View the screen and location LIVE!"<br />
<br />
=== mSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.mtechnology.mspy.trial/ mSpy] is a spying tool available to the public via the BigBoss repository (a default repository), authored by Mtechnology. Its description of itself: "mSpy is the best tracking and spy application that allows users to keep a check on the cell phone activities of their kids other family members or employees in order to avoid any unwanted behavior or for safety purposes."<br />
<br />
The mSpy website [http://www.mspy.com/compatibility.html indicates that they also have a version for non-jailbroken devices].<br />
<br />
=== OwnSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.ownspy.daemon/ OwnSpy] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Antonio Calatrava. It describes itself as "Spy your own iPhone or iPad", with call recording, location tracking, and other features. It has a warning that says "Installing OwnSpy on a device that does not belong to you is a criminal offense and may be prosecuted. Mobile Innovations will help authorities if required." [http://en.ownspy.com/P000001-install-on-ios OwnSpy website].<br />
<br />
=== Spy App ===<br />
<br />
[http://cydia.saurik.com/package/com.spyapp.daemon/ Spy App] is a spying tool available to the public via the ModMyi repository (a default repository), authored by dmarinov. Its description includes "Remotely spy SMS, Emails, Call Logs, GPS Location, Key presses (Keylogger)" and other features. It says it is "absolutely invisible and undetectable."<br />
<br />
=== SpyKey ===<br />
<br />
[http://cydia.saurik.com/package/com.kobisnir.spykey/ SpyKey] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Kobi Snir. Its description includes "a simple app that let you monitor your PC Keyboard activity in real time, Simply connect your iphone to your compute using your Wifi or 3G connection and start monitoring." The [http://www.ioslinks.com/spykey/ SpyKey website] includes "Great use for parental control purposes, protect your kids from chating with strangers!", "Discover usernames & passwords", and "Spy unfaithfull husband or wife."<br />
<br />
=== Trapsms ===<br />
<br />
Trapsms was an early spying tool available to the public, [http://blog.fortinet.com/post/detecting-spyware-for-iphones described in this post by a security researcher in July 2009]. She says: "The spyware installs on any jailbroken iPhone. In Cydia (an iPhone front-end to help installing third-party applications), you first add the URL of the spyware's repository and then install the two spyware packages."<br />
<br />
[[Category:Malware research]]</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=Malware_for_iOS&diff=47608Malware for iOS2015-09-01T14:04:34Z<p>Britta: copyedit</p>
<hr />
<div>This is an '''incomplete''' list of known malware (including spyware, adware, trojans, viruses, worms, and similar tools) that have targeted iOS, including jailbroken iOS. The dates are approximate dates when people discovered, publicized, or started discussing the tool. '''Please help expand this article with more examples and details! To edit it, you can [[The iPhone Wiki:Account creation|request an account on TheiPhoneWiki]] if you don't have one.'''<br />
<br />
The goal of this list is to aid better understanding of the risks of using iOS and jailbroken iOS - it's helpful to have as much accurate information as you can. If you're concerned about avoiding malware on your jailbroken device, check out [https://www.reddit.com/r/jailbreak/wiki/howtoresearch this guide to making informed guesses about whether packages are reasonable to install].<br />
<br />
Some context: <br />
* Some of these tools targeted old iOS versions and do not work on current iOS versions.<br />
* Some of these are harmful and some are merely annoying.<br />
* Many of these require the device to be jailbroken, and some work on non-jailbroken devices.<br />
* Cydia is an open platform - it includes a specific set of default repositories, and it also allows users to type in any third-party repository that they want to use (much like a web browser that allows you to visit any website). Anyone can run a third-party repository and distribute any software they choose to distribute.<br />
* Some of these tools are built to target specific people instead of the general public.<br />
* Especially for malware that targets a specific person and requires the device to be jailbroken (such as commercial spyware tools used by governments and people spying on family members), it's important to consider that ''the vulnerabilities in iOS that allow it be exploited with a jailbreak'' are part of what allows that malware to exist - the process may include finding a way to secretly jailbreak the target's device if it's not jailbroken already.<br />
<br />
For an earlier list of known malware, see [https://blog.fortinet.com/post/ios-malware-does-exist "iOS Malware Does Exist"] (June 2014).<br />
<br />
== Tools found in the wild ==<br />
<br />
=== iKee and Duh (November 2009) ===<br />
<br />
The [[Ikee-virus]] (also called Eeki) is a worm transmitted between jailbroken devices that have OpenSSH installed and haven't changed the default root password. It changes the lockscreen background to a photo of Rick Astley.<br />
<br />
Two weeks later, the similar [https://nakedsecurity.sophos.com/2009/11/23/lightning-strikes-iphone-malware-malicious/ Duh worm] spread, which was "much more serious than the original Ikee worm because it is not limited to infecting iPhone users in Australia, and communicates with an internet Control & Command centre, downloading new instructions - effectively turning your iPhone into part of a botnet."<br />
<br />
=== "Find and Call" (July 2012) ===<br />
<br />
Find and Call was an app on the App Store that automatically uploaded users' contact lists to the company's server, then spammed those contacts with a link to the app ("from" that user). This undisclosed, unwanted behavior makes the software fit the definition of a trojan. Articles: [https://securelist.com/blog/incidents/33544/find-and-call-leak-and-spam-57/ Kaspersky SecureList], [http://arstechnica.com/apple/2012/07/find-and-call-app-becomes-first-trojan-to-appear-on-ios-app-store/ Ars Technica], [https://nakedsecurity.sophos.com/2012/07/06/find-call-ios-android-malware/ Sophos NakedSecurity]. It is also called FindCall.<br />
<br />
=== FinSpy Mobile (August 2012) ===<br />
<br />
FinFisher is a suite of commercial surveillance tools sold to governments, which have been used to target activists and other people. The suite [https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/ includes spyware tools for many mobile operating systems, including iOS].<br />
<br />
=== Packages by Nobitazzz (August 2012 and September 2013) ===<br />
<br />
A tweak developer who went by various names (Felix, FelixCat, Martin Pham, Nitram88, Nobitazzz, Nobita.ZZZ, Sara_Nobita, isoftjsc, sara_nobita_zzz, tuyentq2009, vietSARA) included adware in his tweaks. These were many free packages along with some paid packages sold via the Cydia Store, mostly distributed by default repositories (until the problem was discovered). The adware ran ads in the background of iOS, displaying off-screen so that the user wouldn't notice them, with the revenue from those ads going to this tweak developer. This was [http://modmyi.com/forums/cydia-support/810633-new-adware-malware-found-cydia.html reported in August 2012 on the ModMyi forum] and [http://ryanhileman.info/posts/webgl analyzed in September 2013] ([https://www.reddit.com/r/jailbreak/comments/1n5702/anatomy_of_a_jailbreak_trojan/ discussion on Reddit]).<br />
<br />
Packages by this developer included: Animated ICS LockScreen & HomeScreen, BetterChrome, Chrome Download Enabler, ChromeMe, Enable Copy text in Facebook app, Enable WebGL, Facebook Photo Library integration, FacebookThis, Handwriting recognition, Insta9gag, InstaFacebook for NotificationCenter, Instagram Image saver, InstaSocial for Notification Center, InstaTwitter for NotificationCenter, iOS 6 Photos Menu, Make Gmail as default, Notification Lunar Calendar, Olympic 2012 Medal for Notification Center, PhotoFilters, Sara, Sara Dictation Keyboard, VoiceTweet.<br />
<br />
=== AdThief/Spad (March and August 2014) ===<br />
<br />
AdThief (also called Spad) is malware targeting jailbroken iOS devices, which "tweaks a developer ID that’s intended to tell ad developers when their ads are either viewed or clicked and in turn, generate revenue. In the malware’s case, infected devices funnel those small payments away from the developers to the hacker", as [https://threatpost.com/adthief-ios-malware-affecting-75k-jailbroken-devices/107907 explained by Kaspersky Threatpost]. Security researchers estimated it had infected 75,000 devices.<br />
<br />
=== Unflod (April 2014) ===<br />
<br />
[[Unflod]] is a malicious piece of software targeting jailbroken iOS devices, which attempts to capture the user's Apple ID and password by using MobileSubstrate to hook into the SSLWrite function of Security.framework and then listening to data passed to it. Once the Apple ID and password are captured, it is sent to a Chinese IP address. It was inadvertently discovered by a Reddit user on April 17th, 2014. Also called "Unflod Baby Panda" and "SSLCreds".<br />
<br />
=== Hacking Team tools (June 2014 and July 2015) ===<br />
<br />
[[Hacking Team]] is a company that "sells offensive intrusion and surveillance capabilities to governments and law enforcement agencies", including iOS spyware tools. The iOS spyware tools appear designed for targeting/attacking specific people, not for broad surveillance of the public. Their main tool (Remote Control System) requires a jailbroken device, and they were researching options for non-jailbroken devices.<br />
<br />
=== AppBuyer (September 2014) ===<br />
<br />
AppBuyer, as discussed in [http://researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/ this article by Palo Alto Networks], is "malware will connect to C&C server, download and execute malicious executable files, hook network APIs to steal user’s Apple ID and password and upload to the attacker’s server, and simulate Apple’s proprietary protocols to buy apps from the official App Store by victim’s identity." It targets jailbroken devices.<br />
<br />
=== WireLurker and Masque Attack (November 2014) ===<br />
<br />
As discussed at [[Misuse of enterprise and developer certificates]]: [http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/ according to Palo Alto Networks], WireLurker is "a family of malware targeting both Mac OS and iOS systems for the past six months...It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning."<br />
<br />
Masque Attacks are a related technique, also [https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html discussed by Palo Alto Networks]: "an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier."<br />
<br />
=== Xsser mRAT (December 2014) ===<br />
<br />
Xsser mRAT is a piece of malware that targets jailbroken devices. [https://blogs.akamai.com/2014/12/ios-and-android-os-targeted-by-man-in-the-middle-attacks.html As described by Akamai]: "The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server."<br />
<br />
=== XAgent (February 2015) ===<br />
<br />
XAgent is a surveillance tool targeting specific people (such as people in governments, the military, and journalists) that can affect both non-jailbroken and jailbroken devices, as described in [http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/ this article by Trend Micro]. Also [http://www.pcworld.com/article/2880152/new-spyware-targets-ios-devices-steals-pictures-and-data.html covered by PCWorld].<br />
<br />
=== Lock Saver Free (July 2015) ===<br />
<br />
Lock Saver Free is a free tweak, originally distributed on a default repository (removed from the repository after discovery of the problem), that installs an extra tweak that hooks into ad banners to insert its own ad identifier, presumably in order to give ad revenue to the author of the tweak instead of to the author of the website/app where the ad was found. [https://www.reddit.com/r/jailbreak/comments/3eis8g/news_lock_saver_free_contains_a_trojan_that/ Discussion on Reddit].<br />
<br />
=== KeyRaider (August 2015) ===<br />
<br />
KeyRaider, as discussed in [http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/ this article by Palo Alto Networks], is a piece of malware for jailbroken devices that "steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device." These security researchers said it has over 225,000 stolen accounts in its database.<br />
<br />
== Tools developed as part of research ==<br />
<br />
=== iSAM (June 2011) ===<br />
<br />
iSAM is a malware tool [http://link.springer.com/chapter/10.1007%2F978-3-642-21424-0_2 developed by security researchers] as a proof of concept. It affects both jailbroken and not-yet-jailbroken devices: it scans for jailbroken devices that have SSH running and the default root password, and it also includes a malicious version of the [[Star]] exploit (JailbreakMe 2.0) so it can jailbreak a device that isn't jailbroken yet.<br />
<br />
=== Instastock (November 2011) ===<br />
<br />
Charlie Miller, a security researcher, [http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/ submitted an app to the App Store called Instastock] to demonstrate "a flaw in Apple’s restrictions on code signing on iOS devices". The app was initially accepted and then pulled from the store.<br />
<br />
=== Mactans (July 2013) ===<br />
<br />
At the Black Hat 2013 conference, security researchers presented a tool called Mactans, a small device that looks like a charger but [http://www.zdnet.com/article/researchers-reveal-how-to-hack-an-iphone-in-60-seconds/ can insert malware if you plug an iOS device into it]. The iOS device does not have to be jailbroken.<br />
<br />
=== Jekyll (August 2013) ===<br />
<br />
At the USENIX Security Symposium in 2013, security researchers described a method for getting a malicious app approved for the App Store, [http://www.theguardian.com/technology/appsblog/2013/aug/19/ios-malware-apple-iphone-ipad-jekyll "created with remotely-exploitable vulnerabilities built in, masked by legitimate features to evade detection during the App Store approval process, but ready to be triggered once the app was installed on an iOS device."] They successfully got an app approved for the App Store with this method (which [http://arstechnica.com/security/2013/08/seemingly-benign-jekyll-app-passes-apple-review-then-becomes-evil/ "was only active for a few minutes following its launch in March, and during that time it wasn't installed by anyone not involved in the experiment"]).<br />
<br />
== Tools for sale to the public ==<br />
<br />
=== Copy9 ===<br />
<br />
[http://cydia.saurik.com/package/com.goldenspy.copy9/ Copy9] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Copy9. It describes itself as "will be installed on target iDevice to find out a thief, cheating spouses, monitor chidren/employees or simply backup data from your devices to our cloud server. This is the best spyware on the world in spying field." [http://copy9.com/ Copy9 website].<br />
<br />
=== FlexiSPY ===<br />
<br />
[http://www.flexispy.com/en/iphone-tracker-spy-on-iphone.htm FlexiSPY] is a spying tool available to the public presumably via their own repository (this isn't specified on their website, but it's specified that you need the device to be jailbroken). Their website says "If you have a committed relationship with your partner or are responsible for a child or employee YOU HAVE A RIGHT TO KNOW To protect your relationship, spy on their iPhone."<br />
<br />
=== iKeyGuard Key Logger ===<br />
<br />
[http://cydia.saurik.com/package/com.ikeyguard.ikg/ iKeyGuard Key Logger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by iKeyGuard. Its description includes "Warning: Logging other people without their permission might be illegal in your country! Make sure you abide by your local law."<br />
<br />
=== InnovaSPY ===<br />
<br />
[http://cydia.saurik.com/package/com.innovaspy.innovaspy/ InnovaSPY] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Innovaspy. Its description says "Perfect iPhone spy app" and lists reasons to use it as "Protect your child from cyber predators" and "Find out THE TRUE from cheating spouse?" Related package: [http://cydia.saurik.com/package/com.innovaspy.innovamonitor/ InnovaMonitor], a monitoring app for use with the spy tool. [http://innovaspy.com/ InnovaSPY website].<br />
<br />
=== Mobile Spy ===<br />
<br />
[http://www.mobile-spy.com/iphone-v7.html Mobile Spy] is a spying tool available to the public via their own repository, authored by Retina-X Studios. [http://www.mobile-spy.com/ Their website] says "View your Child or Employee's Smartphone and Tablet Usage. Monitor text messages, GPS locations, call details, photos and social media activity. View the screen and location LIVE!"<br />
<br />
=== mSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.mtechnology.mspy.trial/ mSpy] is a spying tool available to the public via the BigBoss repository (a default repository), authored by Mtechnology. Its description of itself: "mSpy is the best tracking and spy application that allows users to keep a check on the cell phone activities of their kids other family members or employees in order to avoid any unwanted behavior or for safety purposes."<br />
<br />
The mSpy website [http://www.mspy.com/compatibility.html indicates that they also have a version for non-jailbroken devices].<br />
<br />
=== OwnSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.ownspy.daemon/ OwnSpy] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Antonio Calatrava. It describes itself as "Spy your own iPhone or iPad", with call recording, location tracking, and other features. It has a warning that says "Installing OwnSpy on a device that does not belong to you is a criminal offense and may be prosecuted. Mobile Innovations will help authorities if required." [http://en.ownspy.com/P000001-install-on-ios OwnSpy website].<br />
<br />
=== Spy App ===<br />
<br />
[http://cydia.saurik.com/package/com.spyapp.daemon/ Spy App] is a spying tool available to the public via the ModMyi repository (a default repository), authored by dmarinov. Its description includes "Remotely spy SMS, Emails, Call Logs, GPS Location, Key presses (Keylogger)" and other features. It says it is "absolutely invisible and undetectable."<br />
<br />
=== SpyKey ===<br />
<br />
[http://cydia.saurik.com/package/com.kobisnir.spykey/ SpyKey] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Kobi Snir. Its description includes "a simple app that let you monitor your PC Keyboard activity in real time, Simply connect your iphone to your compute using your Wifi or 3G connection and start monitoring." The [http://www.ioslinks.com/spykey/ SpyKey website] includes "Great use for parental control purposes, protect your kids from chating with strangers!", "Discover usernames & passwords", and "Spy unfaithfull husband or wife."<br />
<br />
=== Trapsms ===<br />
<br />
Trapsms was an early spying tool available to the public, [http://blog.fortinet.com/post/detecting-spyware-for-iphones described in this post by a security researcher in July 2009]. She says: "The spyware installs on any jailbroken iPhone. In Cydia (an iPhone front-end to help installing third-party applications), you first add the URL of the spyware's repository and then install the two spyware packages."<br />
<br />
[[Category:Malware research]]</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=Malware_for_iOS&diff=47607Malware for iOS2015-09-01T14:03:48Z<p>Britta: more neutral</p>
<hr />
<div>This is an '''incomplete''' list of known malware (including spyware, adware, trojans, viruses, worms, and similar tools) that have targeted iOS, including jailbroken iOS. The dates are approximate dates when people discovered, publicized, or started discussing the tool. '''Please help expand this article with more examples and details! To edit it, you can [[The iPhone Wiki:Account creation|request an account on TheiPhoneWiki]] if you don't have one.'''<br />
<br />
The goal of this list is to aid better understanding of the risks of using iOS and jailbroken iOS - it's helpful to have as much accurate information as you can. If you're concerned about avoiding malware on your jailbroken device, check out [https://www.reddit.com/r/jailbreak/wiki/howtoresearch this guide to making informed guesses about whether packages are reasonable to install].<br />
<br />
Some context: <br />
* Some of these tools targeted old iOS versions and do not work on current iOS versions.<br />
* Some of these are harmful and some are merely annoying.<br />
* Many of these require the device to be jailbroken, and some work on non-jailbroken devices.<br />
* Cydia is an open platform - it includes a specific set of default repositories, and it also allows users to type in any third-party repository that they want to use (much like a web browser that allows you to visit any website). Anyone can run a third-party repository and distribute any software they choose to distribute.<br />
* Some of these tools are built to target specific people instead of the general public.<br />
* Especially for malware that targets a specific person and requires the device to be jailbroken (such as commercial spyware tools used by governments and people spying on their family members), it's important to consider that ''the vulnerabilities in iOS that allow it be exploited with a jailbreak'' are part of what allows that malware to exist - the process may include finding a way to secretly jailbreak the target's device if it's not jailbroken already.<br />
<br />
For an earlier list of known malware, see [https://blog.fortinet.com/post/ios-malware-does-exist "iOS Malware Does Exist"] (June 2014).<br />
<br />
== Tools found in the wild ==<br />
<br />
=== iKee and Duh (November 2009) ===<br />
<br />
The [[Ikee-virus]] (also called Eeki) is a worm transmitted between jailbroken devices that have OpenSSH installed and haven't changed the default root password. It changes the lockscreen background to a photo of Rick Astley.<br />
<br />
Two weeks later, the similar [https://nakedsecurity.sophos.com/2009/11/23/lightning-strikes-iphone-malware-malicious/ Duh worm] spread, which was "much more serious than the original Ikee worm because it is not limited to infecting iPhone users in Australia, and communicates with an internet Control & Command centre, downloading new instructions - effectively turning your iPhone into part of a botnet."<br />
<br />
=== "Find and Call" (July 2012) ===<br />
<br />
Find and Call was an app on the App Store that automatically uploaded users' contact lists to the company's server, then spammed those contacts with a link to the app ("from" that user). This undisclosed, unwanted behavior makes the software fit the definition of a trojan. Articles: [https://securelist.com/blog/incidents/33544/find-and-call-leak-and-spam-57/ Kaspersky SecureList], [http://arstechnica.com/apple/2012/07/find-and-call-app-becomes-first-trojan-to-appear-on-ios-app-store/ Ars Technica], [https://nakedsecurity.sophos.com/2012/07/06/find-call-ios-android-malware/ Sophos NakedSecurity]. It is also called FindCall.<br />
<br />
=== FinSpy Mobile (August 2012) ===<br />
<br />
FinFisher is a suite of commercial surveillance tools sold to governments, which have been used to target activists and other people. The suite [https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/ includes spyware tools for many mobile operating systems, including iOS].<br />
<br />
=== Packages by Nobitazzz (August 2012 and September 2013) ===<br />
<br />
A tweak developer who went by various names (Felix, FelixCat, Martin Pham, Nitram88, Nobitazzz, Nobita.ZZZ, Sara_Nobita, isoftjsc, sara_nobita_zzz, tuyentq2009, vietSARA) included adware in his tweaks. These were many free packages along with some paid packages sold via the Cydia Store, mostly distributed by default repositories (until the problem was discovered). The adware ran ads in the background of iOS, displaying off-screen so that the user wouldn't notice them, with the revenue from those ads going to this tweak developer. This was [http://modmyi.com/forums/cydia-support/810633-new-adware-malware-found-cydia.html reported in August 2012 on the ModMyi forum] and [http://ryanhileman.info/posts/webgl analyzed in September 2013] ([https://www.reddit.com/r/jailbreak/comments/1n5702/anatomy_of_a_jailbreak_trojan/ discussion on Reddit]).<br />
<br />
Packages by this developer included: Animated ICS LockScreen & HomeScreen, BetterChrome, Chrome Download Enabler, ChromeMe, Enable Copy text in Facebook app, Enable WebGL, Facebook Photo Library integration, FacebookThis, Handwriting recognition, Insta9gag, InstaFacebook for NotificationCenter, Instagram Image saver, InstaSocial for Notification Center, InstaTwitter for NotificationCenter, iOS 6 Photos Menu, Make Gmail as default, Notification Lunar Calendar, Olympic 2012 Medal for Notification Center, PhotoFilters, Sara, Sara Dictation Keyboard, VoiceTweet.<br />
<br />
=== AdThief/Spad (March and August 2014) ===<br />
<br />
AdThief (also called Spad) is malware targeting jailbroken iOS devices, which "tweaks a developer ID that’s intended to tell ad developers when their ads are either viewed or clicked and in turn, generate revenue. In the malware’s case, infected devices funnel those small payments away from the developers to the hacker", as [https://threatpost.com/adthief-ios-malware-affecting-75k-jailbroken-devices/107907 explained by Kaspersky Threatpost]. Security researchers estimated it had infected 75,000 devices.<br />
<br />
=== Unflod (April 2014) ===<br />
<br />
[[Unflod]] is a malicious piece of software targeting jailbroken iOS devices, which attempts to capture the user's Apple ID and password by using MobileSubstrate to hook into the SSLWrite function of Security.framework and then listening to data passed to it. Once the Apple ID and password are captured, it is sent to a Chinese IP address. It was inadvertently discovered by a Reddit user on April 17th, 2014. Also called "Unflod Baby Panda" and "SSLCreds".<br />
<br />
=== Hacking Team tools (June 2014 and July 2015) ===<br />
<br />
[[Hacking Team]] is a company that "sells offensive intrusion and surveillance capabilities to governments and law enforcement agencies", including iOS spyware tools. The iOS spyware tools appear designed for targeting/attacking specific people, not for broad surveillance of the public. Their main tool (Remote Control System) requires a jailbroken device, and they were researching options for non-jailbroken devices.<br />
<br />
=== AppBuyer (September 2014) ===<br />
<br />
AppBuyer, as discussed in [http://researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/ this article by Palo Alto Networks], is "malware will connect to C&C server, download and execute malicious executable files, hook network APIs to steal user’s Apple ID and password and upload to the attacker’s server, and simulate Apple’s proprietary protocols to buy apps from the official App Store by victim’s identity." It targets jailbroken devices.<br />
<br />
=== WireLurker and Masque Attack (November 2014) ===<br />
<br />
As discussed at [[Misuse of enterprise and developer certificates]]: [http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/ according to Palo Alto Networks], WireLurker is "a family of malware targeting both Mac OS and iOS systems for the past six months...It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning."<br />
<br />
Masque Attacks are a related technique, also [https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html discussed by Palo Alto Networks]: "an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier."<br />
<br />
=== Xsser mRAT (December 2014) ===<br />
<br />
Xsser mRAT is a piece of malware that targets jailbroken devices. [https://blogs.akamai.com/2014/12/ios-and-android-os-targeted-by-man-in-the-middle-attacks.html As described by Akamai]: "The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server."<br />
<br />
=== XAgent (February 2015) ===<br />
<br />
XAgent is a surveillance tool targeting specific people (such as people in governments, the military, and journalists) that can affect both non-jailbroken and jailbroken devices, as described in [http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/ this article by Trend Micro]. Also [http://www.pcworld.com/article/2880152/new-spyware-targets-ios-devices-steals-pictures-and-data.html covered by PCWorld].<br />
<br />
=== Lock Saver Free (July 2015) ===<br />
<br />
Lock Saver Free is a free tweak, originally distributed on a default repository (removed from the repository after discovery of the problem), that installs an extra tweak that hooks into ad banners to insert its own ad identifier, presumably in order to give ad revenue to the author of the tweak instead of to the author of the website/app where the ad was found. [https://www.reddit.com/r/jailbreak/comments/3eis8g/news_lock_saver_free_contains_a_trojan_that/ Discussion on Reddit].<br />
<br />
=== KeyRaider (August 2015) ===<br />
<br />
KeyRaider, as discussed in [http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/ this article by Palo Alto Networks], is a piece of malware for jailbroken devices that "steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device." These security researchers said it has over 225,000 stolen accounts in its database.<br />
<br />
== Tools developed as part of research ==<br />
<br />
=== iSAM (June 2011) ===<br />
<br />
iSAM is a malware tool [http://link.springer.com/chapter/10.1007%2F978-3-642-21424-0_2 developed by security researchers] as a proof of concept. It affects both jailbroken and not-yet-jailbroken devices: it scans for jailbroken devices that have SSH running and the default root password, and it also includes a malicious version of the [[Star]] exploit (JailbreakMe 2.0) so it can jailbreak a device that isn't jailbroken yet.<br />
<br />
=== Instastock (November 2011) ===<br />
<br />
Charlie Miller, a security researcher, [http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/ submitted an app to the App Store called Instastock] to demonstrate "a flaw in Apple’s restrictions on code signing on iOS devices". The app was initially accepted and then pulled from the store.<br />
<br />
=== Mactans (July 2013) ===<br />
<br />
At the Black Hat 2013 conference, security researchers presented a tool called Mactans, a small device that looks like a charger but [http://www.zdnet.com/article/researchers-reveal-how-to-hack-an-iphone-in-60-seconds/ can insert malware if you plug an iOS device into it]. The iOS device does not have to be jailbroken.<br />
<br />
=== Jekyll (August 2013) ===<br />
<br />
At the USENIX Security Symposium in 2013, security researchers described a method for getting a malicious app approved for the App Store, [http://www.theguardian.com/technology/appsblog/2013/aug/19/ios-malware-apple-iphone-ipad-jekyll "created with remotely-exploitable vulnerabilities built in, masked by legitimate features to evade detection during the App Store approval process, but ready to be triggered once the app was installed on an iOS device."] They successfully got an app approved for the App Store with this method (which [http://arstechnica.com/security/2013/08/seemingly-benign-jekyll-app-passes-apple-review-then-becomes-evil/ "was only active for a few minutes following its launch in March, and during that time it wasn't installed by anyone not involved in the experiment"]).<br />
<br />
== Tools for sale to the public ==<br />
<br />
=== Copy9 ===<br />
<br />
[http://cydia.saurik.com/package/com.goldenspy.copy9/ Copy9] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Copy9. It describes itself as "will be installed on target iDevice to find out a thief, cheating spouses, monitor chidren/employees or simply backup data from your devices to our cloud server. This is the best spyware on the world in spying field." [http://copy9.com/ Copy9 website].<br />
<br />
=== FlexiSPY ===<br />
<br />
[http://www.flexispy.com/en/iphone-tracker-spy-on-iphone.htm FlexiSPY] is a spying tool available to the public presumably via their own repository (this isn't specified on their website, but it's specified that you need the device to be jailbroken). Their website says "If you have a committed relationship with your partner or are responsible for a child or employee YOU HAVE A RIGHT TO KNOW To protect your relationship, spy on their iPhone."<br />
<br />
=== iKeyGuard Key Logger ===<br />
<br />
[http://cydia.saurik.com/package/com.ikeyguard.ikg/ iKeyGuard Key Logger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by iKeyGuard. Its description includes "Warning: Logging other people without their permission might be illegal in your country! Make sure you abide by your local law."<br />
<br />
=== InnovaSPY ===<br />
<br />
[http://cydia.saurik.com/package/com.innovaspy.innovaspy/ InnovaSPY] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Innovaspy. Its description says "Perfect iPhone spy app" and lists reasons to use it as "Protect your child from cyber predators" and "Find out THE TRUE from cheating spouse?" Related package: [http://cydia.saurik.com/package/com.innovaspy.innovamonitor/ InnovaMonitor], a monitoring app for use with the spy tool. [http://innovaspy.com/ InnovaSPY website].<br />
<br />
=== Mobile Spy ===<br />
<br />
[http://www.mobile-spy.com/iphone-v7.html Mobile Spy] is a spying tool available to the public via their own repository, authored by Retina-X Studios. [http://www.mobile-spy.com/ Their website] says "View your Child or Employee's Smartphone and Tablet Usage. Monitor text messages, GPS locations, call details, photos and social media activity. View the screen and location LIVE!"<br />
<br />
=== mSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.mtechnology.mspy.trial/ mSpy] is a spying tool available to the public via the BigBoss repository (a default repository), authored by Mtechnology. Its description of itself: "mSpy is the best tracking and spy application that allows users to keep a check on the cell phone activities of their kids other family members or employees in order to avoid any unwanted behavior or for safety purposes."<br />
<br />
The mSpy website [http://www.mspy.com/compatibility.html indicates that they also have a version for non-jailbroken devices].<br />
<br />
=== OwnSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.ownspy.daemon/ OwnSpy] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Antonio Calatrava. It describes itself as "Spy your own iPhone or iPad", with call recording, location tracking, and other features. It has a warning that says "Installing OwnSpy on a device that does not belong to you is a criminal offense and may be prosecuted. Mobile Innovations will help authorities if required." [http://en.ownspy.com/P000001-install-on-ios OwnSpy website].<br />
<br />
=== Spy App ===<br />
<br />
[http://cydia.saurik.com/package/com.spyapp.daemon/ Spy App] is a spying tool available to the public via the ModMyi repository (a default repository), authored by dmarinov. Its description includes "Remotely spy SMS, Emails, Call Logs, GPS Location, Key presses (Keylogger)" and other features. It says it is "absolutely invisible and undetectable."<br />
<br />
=== SpyKey ===<br />
<br />
[http://cydia.saurik.com/package/com.kobisnir.spykey/ SpyKey] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Kobi Snir. Its description includes "a simple app that let you monitor your PC Keyboard activity in real time, Simply connect your iphone to your compute using your Wifi or 3G connection and start monitoring." The [http://www.ioslinks.com/spykey/ SpyKey website] includes "Great use for parental control purposes, protect your kids from chating with strangers!", "Discover usernames & passwords", and "Spy unfaithfull husband or wife."<br />
<br />
=== Trapsms ===<br />
<br />
Trapsms was an early spying tool available to the public, [http://blog.fortinet.com/post/detecting-spyware-for-iphones described in this post by a security researcher in July 2009]. She says: "The spyware installs on any jailbroken iPhone. In Cydia (an iPhone front-end to help installing third-party applications), you first add the URL of the spyware's repository and then install the two spyware packages."<br />
<br />
[[Category:Malware research]]</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=Malware_for_iOS&diff=47606Malware for iOS2015-09-01T13:30:59Z<p>Britta: adding another</p>
<hr />
<div>This is an '''incomplete''' list of known malware (including spyware, adware, trojans, viruses, worms, and similar tools) that have targeted iOS, including jailbroken iOS. The dates are approximate dates when people discovered, publicized, or started discussing the tool. '''Please help expand this article with more examples and details! To edit it, you can [[The iPhone Wiki:Account creation|request an account on TheiPhoneWiki]] if you don't have one.'''<br />
<br />
The goal of this list is to aid better understanding of the risks of using iOS and jailbroken iOS - it's helpful to have as much accurate information as you can. If you're concerned about avoiding malware on your jailbroken device, check out [https://www.reddit.com/r/jailbreak/wiki/howtoresearch this guide to making informed guesses about whether packages are reasonable to install].<br />
<br />
Some context: <br />
* Some of these tools targeted old iOS versions and do not work on current iOS versions.<br />
* Some of these are harmful and some are merely annoying.<br />
* Many of these require the device to be jailbroken, and some work on non-jailbroken devices.<br />
* Cydia is an open platform - it includes a specific set of default repositories, and it also allows users to type in any third-party repository that they want to use (much like a web browser that allows you to visit any website). Anyone can run a third-party repository and distribute any software they choose to distribute.<br />
* Some of these tools are built to target specific people instead of the general public.<br />
* Especially for malware that targets a specific person and requires the device to be jailbroken (such as commercial spyware tools used by governments and stalkers), it's important to consider that ''the vulnerabilities in iOS that allow it be exploited with a jailbreak'' are part of what allows that malware to exist - the process may include finding a way to secretly jailbreak the target's device if it's not jailbroken already.<br />
<br />
For an earlier list of known malware, see [https://blog.fortinet.com/post/ios-malware-does-exist "iOS Malware Does Exist"] (June 2014).<br />
<br />
== Tools found in the wild ==<br />
<br />
=== iKee and Duh (November 2009) ===<br />
<br />
The [[Ikee-virus]] (also called Eeki) is a worm transmitted between jailbroken devices that have OpenSSH installed and haven't changed the default root password. It changes the lockscreen background to a photo of Rick Astley.<br />
<br />
Two weeks later, the similar [https://nakedsecurity.sophos.com/2009/11/23/lightning-strikes-iphone-malware-malicious/ Duh worm] spread, which was "much more serious than the original Ikee worm because it is not limited to infecting iPhone users in Australia, and communicates with an internet Control & Command centre, downloading new instructions - effectively turning your iPhone into part of a botnet."<br />
<br />
=== "Find and Call" (July 2012) ===<br />
<br />
Find and Call was an app on the App Store that automatically uploaded users' contact lists to the company's server, then spammed those contacts with a link to the app ("from" that user). This undisclosed, unwanted behavior makes the software fit the definition of a trojan. Articles: [https://securelist.com/blog/incidents/33544/find-and-call-leak-and-spam-57/ Kaspersky SecureList], [http://arstechnica.com/apple/2012/07/find-and-call-app-becomes-first-trojan-to-appear-on-ios-app-store/ Ars Technica], [https://nakedsecurity.sophos.com/2012/07/06/find-call-ios-android-malware/ Sophos NakedSecurity]. It is also called FindCall.<br />
<br />
=== FinSpy Mobile (August 2012) ===<br />
<br />
FinFisher is a suite of commercial surveillance tools sold to governments, which have been used to target activists and other people. The suite [https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/ includes spyware tools for many mobile operating systems, including iOS].<br />
<br />
=== Packages by Nobitazzz (August 2012 and September 2013) ===<br />
<br />
A tweak developer who went by various names (Felix, FelixCat, Martin Pham, Nitram88, Nobitazzz, Nobita.ZZZ, Sara_Nobita, isoftjsc, sara_nobita_zzz, tuyentq2009, vietSARA) included adware in his tweaks. These were many free packages along with some paid packages sold via the Cydia Store, mostly distributed by default repositories (until the problem was discovered). The adware ran ads in the background of iOS, displaying off-screen so that the user wouldn't notice them, with the revenue from those ads going to this tweak developer. This was [http://modmyi.com/forums/cydia-support/810633-new-adware-malware-found-cydia.html reported in August 2012 on the ModMyi forum] and [http://ryanhileman.info/posts/webgl analyzed in September 2013] ([https://www.reddit.com/r/jailbreak/comments/1n5702/anatomy_of_a_jailbreak_trojan/ discussion on Reddit]).<br />
<br />
Packages by this developer included: Animated ICS LockScreen & HomeScreen, BetterChrome, Chrome Download Enabler, ChromeMe, Enable Copy text in Facebook app, Enable WebGL, Facebook Photo Library integration, FacebookThis, Handwriting recognition, Insta9gag, InstaFacebook for NotificationCenter, Instagram Image saver, InstaSocial for Notification Center, InstaTwitter for NotificationCenter, iOS 6 Photos Menu, Make Gmail as default, Notification Lunar Calendar, Olympic 2012 Medal for Notification Center, PhotoFilters, Sara, Sara Dictation Keyboard, VoiceTweet.<br />
<br />
=== AdThief/Spad (March and August 2014) ===<br />
<br />
AdThief (also called Spad) is malware targeting jailbroken iOS devices, which "tweaks a developer ID that’s intended to tell ad developers when their ads are either viewed or clicked and in turn, generate revenue. In the malware’s case, infected devices funnel those small payments away from the developers to the hacker", as [https://threatpost.com/adthief-ios-malware-affecting-75k-jailbroken-devices/107907 explained by Kaspersky Threatpost]. Security researchers estimated it had infected 75,000 devices.<br />
<br />
=== Unflod (April 2014) ===<br />
<br />
[[Unflod]] is a malicious piece of software targeting jailbroken iOS devices, which attempts to capture the user's Apple ID and password by using MobileSubstrate to hook into the SSLWrite function of Security.framework and then listening to data passed to it. Once the Apple ID and password are captured, it is sent to a Chinese IP address. It was inadvertently discovered by a Reddit user on April 17th, 2014. Also called "Unflod Baby Panda" and "SSLCreds".<br />
<br />
=== Hacking Team tools (June 2014 and July 2015) ===<br />
<br />
[[Hacking Team]] is a company that "sells offensive intrusion and surveillance capabilities to governments and law enforcement agencies", including iOS spyware tools. The iOS spyware tools appear designed for targeting/attacking specific people, not for broad surveillance of the public. Their main tool (Remote Control System) requires a jailbroken device, and they were researching options for non-jailbroken devices.<br />
<br />
=== AppBuyer (September 2014) ===<br />
<br />
AppBuyer, as discussed in [http://researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/ this article by Palo Alto Networks], is "malware will connect to C&C server, download and execute malicious executable files, hook network APIs to steal user’s Apple ID and password and upload to the attacker’s server, and simulate Apple’s proprietary protocols to buy apps from the official App Store by victim’s identity." It targets jailbroken devices.<br />
<br />
=== WireLurker and Masque Attack (November 2014) ===<br />
<br />
As discussed at [[Misuse of enterprise and developer certificates]]: [http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/ according to Palo Alto Networks], WireLurker is "a family of malware targeting both Mac OS and iOS systems for the past six months...It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning."<br />
<br />
Masque Attacks are a related technique, also [https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html discussed by Palo Alto Networks]: "an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier."<br />
<br />
=== Xsser mRAT (December 2014) ===<br />
<br />
Xsser mRAT is a piece of malware that targets jailbroken devices. [https://blogs.akamai.com/2014/12/ios-and-android-os-targeted-by-man-in-the-middle-attacks.html As described by Akamai]: "The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server."<br />
<br />
=== XAgent (February 2015) ===<br />
<br />
XAgent is a surveillance tool targeting specific people (such as people in governments, the military, and journalists) that can affect both non-jailbroken and jailbroken devices, as described in [http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/ this article by Trend Micro]. Also [http://www.pcworld.com/article/2880152/new-spyware-targets-ios-devices-steals-pictures-and-data.html covered by PCWorld].<br />
<br />
=== Lock Saver Free (July 2015) ===<br />
<br />
Lock Saver Free is a free tweak, originally distributed on a default repository (removed from the repository after discovery of the problem), that installs an extra tweak that hooks into ad banners to insert its own ad identifier, presumably in order to give ad revenue to the author of the tweak instead of to the author of the website/app where the ad was found. [https://www.reddit.com/r/jailbreak/comments/3eis8g/news_lock_saver_free_contains_a_trojan_that/ Discussion on Reddit].<br />
<br />
=== KeyRaider (August 2015) ===<br />
<br />
KeyRaider, as discussed in [http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/ this article by Palo Alto Networks], is a piece of malware for jailbroken devices that "steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device." These security researchers said it has over 225,000 stolen accounts in its database.<br />
<br />
== Tools developed as part of research ==<br />
<br />
=== iSAM (June 2011) ===<br />
<br />
iSAM is a malware tool [http://link.springer.com/chapter/10.1007%2F978-3-642-21424-0_2 developed by security researchers] as a proof of concept. It affects both jailbroken and not-yet-jailbroken devices: it scans for jailbroken devices that have SSH running and the default root password, and it also includes a malicious version of the [[Star]] exploit (JailbreakMe 2.0) so it can jailbreak a device that isn't jailbroken yet.<br />
<br />
=== Instastock (November 2011) ===<br />
<br />
Charlie Miller, a security researcher, [http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/ submitted an app to the App Store called Instastock] to demonstrate "a flaw in Apple’s restrictions on code signing on iOS devices". The app was initially accepted and then pulled from the store.<br />
<br />
=== Mactans (July 2013) ===<br />
<br />
At the Black Hat 2013 conference, security researchers presented a tool called Mactans, a small device that looks like a charger but [http://www.zdnet.com/article/researchers-reveal-how-to-hack-an-iphone-in-60-seconds/ can insert malware if you plug an iOS device into it]. The iOS device does not have to be jailbroken.<br />
<br />
=== Jekyll (August 2013) ===<br />
<br />
At the USENIX Security Symposium in 2013, security researchers described a method for getting a malicious app approved for the App Store, [http://www.theguardian.com/technology/appsblog/2013/aug/19/ios-malware-apple-iphone-ipad-jekyll "created with remotely-exploitable vulnerabilities built in, masked by legitimate features to evade detection during the App Store approval process, but ready to be triggered once the app was installed on an iOS device."] They successfully got an app approved for the App Store with this method (which [http://arstechnica.com/security/2013/08/seemingly-benign-jekyll-app-passes-apple-review-then-becomes-evil/ "was only active for a few minutes following its launch in March, and during that time it wasn't installed by anyone not involved in the experiment"]).<br />
<br />
== Tools for sale to the public ==<br />
<br />
=== Copy9 ===<br />
<br />
[http://cydia.saurik.com/package/com.goldenspy.copy9/ Copy9] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Copy9. It describes itself as "will be installed on target iDevice to find out a thief, cheating spouses, monitor chidren/employees or simply backup data from your devices to our cloud server. This is the best spyware on the world in spying field." [http://copy9.com/ Copy9 website].<br />
<br />
=== FlexiSPY ===<br />
<br />
[http://www.flexispy.com/en/iphone-tracker-spy-on-iphone.htm FlexiSPY] is a spying tool available to the public presumably via their own repository (this isn't specified on their website, but it's specified that you need the device to be jailbroken). Their website says "If you have a committed relationship with your partner or are responsible for a child or employee YOU HAVE A RIGHT TO KNOW To protect your relationship, spy on their iPhone."<br />
<br />
=== iKeyGuard Key Logger ===<br />
<br />
[http://cydia.saurik.com/package/com.ikeyguard.ikg/ iKeyGuard Key Logger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by iKeyGuard. Its description includes "Warning: Logging other people without their permission might be illegal in your country! Make sure you abide by your local law."<br />
<br />
=== InnovaSPY ===<br />
<br />
[http://cydia.saurik.com/package/com.innovaspy.innovaspy/ InnovaSPY] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Innovaspy. Its description says "Perfect iPhone spy app" and lists reasons to use it as "Protect your child from cyber predators" and "Find out THE TRUE from cheating spouse?" Related package: [http://cydia.saurik.com/package/com.innovaspy.innovamonitor/ InnovaMonitor], a monitoring app for use with the spy tool. [http://innovaspy.com/ InnovaSPY website].<br />
<br />
=== Mobile Spy ===<br />
<br />
[http://www.mobile-spy.com/iphone-v7.html Mobile Spy] is a spying tool available to the public via their own repository, authored by Retina-X Studios. [http://www.mobile-spy.com/ Their website] says "View your Child or Employee's Smartphone and Tablet Usage. Monitor text messages, GPS locations, call details, photos and social media activity. View the screen and location LIVE!"<br />
<br />
=== mSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.mtechnology.mspy.trial/ mSpy] is a spying tool available to the public via the BigBoss repository (a default repository), authored by Mtechnology. Its description of itself: "mSpy is the best tracking and spy application that allows users to keep a check on the cell phone activities of their kids other family members or employees in order to avoid any unwanted behavior or for safety purposes."<br />
<br />
The mSpy website [http://www.mspy.com/compatibility.html indicates that they also have a version for non-jailbroken devices].<br />
<br />
=== OwnSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.ownspy.daemon/ OwnSpy] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Antonio Calatrava. It describes itself as "Spy your own iPhone or iPad", with call recording, location tracking, and other features. It has a warning that says "Installing OwnSpy on a device that does not belong to you is a criminal offense and may be prosecuted. Mobile Innovations will help authorities if required." [http://en.ownspy.com/P000001-install-on-ios OwnSpy website].<br />
<br />
=== Spy App ===<br />
<br />
[http://cydia.saurik.com/package/com.spyapp.daemon/ Spy App] is a spying tool available to the public via the ModMyi repository (a default repository), authored by dmarinov. Its description includes "Remotely spy SMS, Emails, Call Logs, GPS Location, Key presses (Keylogger)" and other features. It says it is "absolutely invisible and undetectable."<br />
<br />
=== SpyKey ===<br />
<br />
[http://cydia.saurik.com/package/com.kobisnir.spykey/ SpyKey] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Kobi Snir. Its description includes "a simple app that let you monitor your PC Keyboard activity in real time, Simply connect your iphone to your compute using your Wifi or 3G connection and start monitoring." The [http://www.ioslinks.com/spykey/ SpyKey website] includes "Great use for parental control purposes, protect your kids from chating with strangers!", "Discover usernames & passwords", and "Spy unfaithfull husband or wife."<br />
<br />
=== Trapsms ===<br />
<br />
Trapsms was an early spying tool available to the public, [http://blog.fortinet.com/post/detecting-spyware-for-iphones described in this post by a security researcher in July 2009]. She says: "The spyware installs on any jailbroken iPhone. In Cydia (an iPhone front-end to help installing third-party applications), you first add the URL of the spyware's repository and then install the two spyware packages."<br />
<br />
[[Category:Malware research]]</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=Malware_for_iOS&diff=47605Malware for iOS2015-09-01T13:16:14Z<p>Britta: /* Tools for sale to the public */ more info</p>
<hr />
<div>This is an '''incomplete''' list of known malware (including spyware, adware, trojans, viruses, worms, and similar tools) that have targeted iOS, including jailbroken iOS. The dates are approximate dates when people discovered, publicized, or started discussing the tool. '''Please help expand this article with more examples and details! To edit it, you can [[The iPhone Wiki:Account creation|request an account on TheiPhoneWiki]] if you don't have one.'''<br />
<br />
The goal of this list is to aid better understanding of the risks of using iOS and jailbroken iOS - it's helpful to have as much accurate information as you can. If you're concerned about avoiding malware on your jailbroken device, check out [https://www.reddit.com/r/jailbreak/wiki/howtoresearch this guide to making informed guesses about whether packages are reasonable to install].<br />
<br />
Some context: <br />
* Some of these tools targeted old iOS versions and do not work on current iOS versions.<br />
* Some of these are harmful and some are merely annoying.<br />
* Many of these require the device to be jailbroken, and some work on non-jailbroken devices.<br />
* Cydia is an open platform - it includes a specific set of default repositories, and it also allows users to type in any third-party repository that they want to use (much like a web browser that allows you to visit any website). Anyone can run a third-party repository and distribute any software they choose to distribute.<br />
* Some of these tools are built to target specific people instead of the general public.<br />
* Especially for malware that targets a specific person and requires the device to be jailbroken (such as commercial spyware tools used by governments and suspicious spouses), it's important to consider that ''the vulnerabilities in iOS that allow it be exploited with a jailbreak'' are part of what allows that malware to exist - the process may include finding a way to secretly jailbreak the target's device if it's not jailbroken already.<br />
<br />
For an earlier list of known malware, see [https://blog.fortinet.com/post/ios-malware-does-exist "iOS Malware Does Exist"] (June 2014).<br />
<br />
== Tools found in the wild ==<br />
<br />
=== iKee and Duh (November 2009) ===<br />
<br />
The [[Ikee-virus]] (also called Eeki) is a worm transmitted between jailbroken devices that have OpenSSH installed and haven't changed the default root password. It changes the lockscreen background to a photo of Rick Astley.<br />
<br />
Two weeks later, the similar [https://nakedsecurity.sophos.com/2009/11/23/lightning-strikes-iphone-malware-malicious/ Duh worm] spread, which was "much more serious than the original Ikee worm because it is not limited to infecting iPhone users in Australia, and communicates with an internet Control & Command centre, downloading new instructions - effectively turning your iPhone into part of a botnet."<br />
<br />
=== "Find and Call" (July 2012) ===<br />
<br />
Find and Call was an app on the App Store that automatically uploaded users' contact lists to the company's server, then spammed those contacts with a link to the app ("from" that user). This undisclosed, unwanted behavior makes the software fit the definition of a trojan. Articles: [https://securelist.com/blog/incidents/33544/find-and-call-leak-and-spam-57/ Kaspersky SecureList], [http://arstechnica.com/apple/2012/07/find-and-call-app-becomes-first-trojan-to-appear-on-ios-app-store/ Ars Technica], [https://nakedsecurity.sophos.com/2012/07/06/find-call-ios-android-malware/ Sophos NakedSecurity]. It is also called FindCall.<br />
<br />
=== FinSpy Mobile (August 2012) ===<br />
<br />
FinFisher is a suite of commercial surveillance tools sold to governments, which have been used to target activists and other people. The suite [https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/ includes spyware tools for many mobile operating systems, including iOS].<br />
<br />
=== Packages by Nobitazzz (August 2012 and September 2013) ===<br />
<br />
A tweak developer who went by various names (Felix, FelixCat, Martin Pham, Nitram88, Nobitazzz, Nobita.ZZZ, Sara_Nobita, isoftjsc, sara_nobita_zzz, tuyentq2009, vietSARA) included adware in his tweaks. These were many free packages along with some paid packages sold via the Cydia Store, mostly distributed by default repositories (until the problem was discovered). The adware ran ads in the background of iOS, displaying off-screen so that the user wouldn't notice them, with the revenue from those ads going to this tweak developer. This was [http://modmyi.com/forums/cydia-support/810633-new-adware-malware-found-cydia.html reported in August 2012 on the ModMyi forum] and [http://ryanhileman.info/posts/webgl analyzed in September 2013] ([https://www.reddit.com/r/jailbreak/comments/1n5702/anatomy_of_a_jailbreak_trojan/ discussion on Reddit]).<br />
<br />
Packages by this developer included: Animated ICS LockScreen & HomeScreen, BetterChrome, Chrome Download Enabler, ChromeMe, Enable Copy text in Facebook app, Enable WebGL, Facebook Photo Library integration, FacebookThis, Handwriting recognition, Insta9gag, InstaFacebook for NotificationCenter, Instagram Image saver, InstaSocial for Notification Center, InstaTwitter for NotificationCenter, iOS 6 Photos Menu, Make Gmail as default, Notification Lunar Calendar, Olympic 2012 Medal for Notification Center, PhotoFilters, Sara, Sara Dictation Keyboard, VoiceTweet.<br />
<br />
=== AdThief/Spad (March and August 2014) ===<br />
<br />
AdThief (also called Spad) is malware targeting jailbroken iOS devices, which "tweaks a developer ID that’s intended to tell ad developers when their ads are either viewed or clicked and in turn, generate revenue. In the malware’s case, infected devices funnel those small payments away from the developers to the hacker", as [https://threatpost.com/adthief-ios-malware-affecting-75k-jailbroken-devices/107907 explained by Kaspersky Threatpost]. Security researchers estimated it had infected 75,000 devices.<br />
<br />
=== Unflod (April 2014) ===<br />
<br />
[[Unflod]] is a malicious piece of software targeting jailbroken iOS devices, which attempts to capture the user's Apple ID and password by using MobileSubstrate to hook into the SSLWrite function of Security.framework and then listening to data passed to it. Once the Apple ID and password are captured, it is sent to a Chinese IP address. It was inadvertently discovered by a Reddit user on April 17th, 2014. Also called "Unflod Baby Panda" and "SSLCreds".<br />
<br />
=== Hacking Team tools (June 2014 and July 2015) ===<br />
<br />
[[Hacking Team]] is a company that "sells offensive intrusion and surveillance capabilities to governments and law enforcement agencies", including iOS spyware tools. The iOS spyware tools appear designed for targeting/attacking specific people, not for broad surveillance of the public. Their main tool (Remote Control System) requires a jailbroken device, and they were researching options for non-jailbroken devices.<br />
<br />
=== AppBuyer (September 2014) ===<br />
<br />
AppBuyer, as discussed in [http://researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/ this article by Palo Alto Networks], is "malware will connect to C&C server, download and execute malicious executable files, hook network APIs to steal user’s Apple ID and password and upload to the attacker’s server, and simulate Apple’s proprietary protocols to buy apps from the official App Store by victim’s identity." It targets jailbroken devices.<br />
<br />
=== WireLurker and Masque Attack (November 2014) ===<br />
<br />
As discussed at [[Misuse of enterprise and developer certificates]]: [http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/ according to Palo Alto Networks], WireLurker is "a family of malware targeting both Mac OS and iOS systems for the past six months...It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning."<br />
<br />
Masque Attacks are a related technique, also [https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html discussed by Palo Alto Networks]: "an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier."<br />
<br />
=== Xsser mRAT (December 2014) ===<br />
<br />
Xsser mRAT is a piece of malware that targets jailbroken devices. [https://blogs.akamai.com/2014/12/ios-and-android-os-targeted-by-man-in-the-middle-attacks.html As described by Akamai]: "The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server."<br />
<br />
=== XAgent (February 2015) ===<br />
<br />
XAgent is a surveillance tool targeting specific people (such as people in governments, the military, and journalists) that can affect both non-jailbroken and jailbroken devices, as described in [http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/ this article by Trend Micro]. Also [http://www.pcworld.com/article/2880152/new-spyware-targets-ios-devices-steals-pictures-and-data.html covered by PCWorld].<br />
<br />
=== Lock Saver Free (July 2015) ===<br />
<br />
Lock Saver Free is a free tweak, originally distributed on a default repository (removed from the repository after discovery of the problem), that installs an extra tweak that hooks into ad banners to insert its own ad identifier, presumably in order to give ad revenue to the author of the tweak instead of to the author of the website/app where the ad was found. [https://www.reddit.com/r/jailbreak/comments/3eis8g/news_lock_saver_free_contains_a_trojan_that/ Discussion on Reddit].<br />
<br />
=== KeyRaider (August 2015) ===<br />
<br />
KeyRaider, as discussed in [http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/ this article by Palo Alto Networks], is a piece of malware for jailbroken devices that "steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device." These security researchers said it has over 225,000 stolen accounts in its database.<br />
<br />
== Tools developed as part of research ==<br />
<br />
=== iSAM (June 2011) ===<br />
<br />
iSAM is a malware tool [http://link.springer.com/chapter/10.1007%2F978-3-642-21424-0_2 developed by security researchers] as a proof of concept. It affects both jailbroken and not-yet-jailbroken devices: it scans for jailbroken devices that have SSH running and the default root password, and it also includes a malicious version of the [[Star]] exploit (JailbreakMe 2.0) so it can jailbreak a device that isn't jailbroken yet.<br />
<br />
=== Instastock (November 2011) ===<br />
<br />
Charlie Miller, a security researcher, [http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/ submitted an app to the App Store called Instastock] to demonstrate "a flaw in Apple’s restrictions on code signing on iOS devices". The app was initially accepted and then pulled from the store.<br />
<br />
=== Mactans (July 2013) ===<br />
<br />
At the Black Hat 2013 conference, security researchers presented a tool called Mactans, a small device that looks like a charger but [http://www.zdnet.com/article/researchers-reveal-how-to-hack-an-iphone-in-60-seconds/ can insert malware if you plug an iOS device into it]. The iOS device does not have to be jailbroken.<br />
<br />
== Tools for sale to the public ==<br />
<br />
=== Copy9 ===<br />
<br />
[http://cydia.saurik.com/package/com.goldenspy.copy9/ Copy9] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Copy9. It describes itself as "will be installed on target iDevice to find out a thief, cheating spouses, monitor chidren/employees or simply backup data from your devices to our cloud server. This is the best spyware on the world in spying field." [http://copy9.com/ Copy9 website].<br />
<br />
=== FlexiSPY ===<br />
<br />
[http://www.flexispy.com/en/iphone-tracker-spy-on-iphone.htm FlexiSPY] is a spying tool available to the public presumably via their own repository (this isn't specified on their website, but it's specified that you need the device to be jailbroken). Their website says "If you have a committed relationship with your partner or are responsible for a child or employee YOU HAVE A RIGHT TO KNOW To protect your relationship, spy on their iPhone."<br />
<br />
=== iKeyGuard Key Logger ===<br />
<br />
[http://cydia.saurik.com/package/com.ikeyguard.ikg/ iKeyGuard Key Logger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by iKeyGuard. Its description includes "Warning: Logging other people without their permission might be illegal in your country! Make sure you abide by your local law."<br />
<br />
=== InnovaSPY ===<br />
<br />
[http://cydia.saurik.com/package/com.innovaspy.innovaspy/ InnovaSPY] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Innovaspy. Its description says "Perfect iPhone spy app" and lists reasons to use it as "Protect your child from cyber predators" and "Find out THE TRUE from cheating spouse?" Related package: [http://cydia.saurik.com/package/com.innovaspy.innovamonitor/ InnovaMonitor], a monitoring app for use with the spy tool. [http://innovaspy.com/ InnovaSPY website].<br />
<br />
=== Mobile Spy ===<br />
<br />
[http://www.mobile-spy.com/iphone-v7.html Mobile Spy] is a spying tool available to the public via their own repository, authored by Retina-X Studios. [http://www.mobile-spy.com/ Their website] says "View your Child or Employee's Smartphone and Tablet Usage. Monitor text messages, GPS locations, call details, photos and social media activity. View the screen and location LIVE!"<br />
<br />
=== mSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.mtechnology.mspy.trial/ mSpy] is a spying tool available to the public via the BigBoss repository (a default repository), authored by Mtechnology. Its description of itself: "mSpy is the best tracking and spy application that allows users to keep a check on the cell phone activities of their kids other family members or employees in order to avoid any unwanted behavior or for safety purposes."<br />
<br />
The mSpy website [http://www.mspy.com/compatibility.html indicates that they also have a version for non-jailbroken devices].<br />
<br />
=== OwnSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.ownspy.daemon/ OwnSpy] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Antonio Calatrava. It describes itself as "Spy your own iPhone or iPad", with call recording, location tracking, and other features. It has a warning that says "Installing OwnSpy on a device that does not belong to you is a criminal offense and may be prosecuted. Mobile Innovations will help authorities if required." [http://en.ownspy.com/P000001-install-on-ios OwnSpy website].<br />
<br />
=== Spy App ===<br />
<br />
[http://cydia.saurik.com/package/com.spyapp.daemon/ Spy App] is a spying tool available to the public via the ModMyi repository (a default repository), authored by dmarinov. Its description includes "Remotely spy SMS, Emails, Call Logs, GPS Location, Key presses (Keylogger)" and other features. It says it is "absolutely invisible and undetectable."<br />
<br />
=== SpyKey ===<br />
<br />
[http://cydia.saurik.com/package/com.kobisnir.spykey/ SpyKey] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Kobi Snir. Its description includes "a simple app that let you monitor your PC Keyboard activity in real time, Simply connect your iphone to your compute using your Wifi or 3G connection and start monitoring." The [http://www.ioslinks.com/spykey/ SpyKey website] includes "Great use for parental control purposes, protect your kids from chating with strangers!", "Discover usernames & passwords", and "Spy unfaithfull husband or wife."<br />
<br />
=== Trapsms ===<br />
<br />
Trapsms was an early spying tool available to the public, [http://blog.fortinet.com/post/detecting-spyware-for-iphones described in this post by a security researcher in July 2009]. She says: "The spyware installs on any jailbroken iPhone. In Cydia (an iPhone front-end to help installing third-party applications), you first add the URL of the spyware's repository and then install the two spyware packages."<br />
<br />
[[Category:Malware research]]</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=Malware_for_iOS&diff=47604Malware for iOS2015-09-01T12:58:26Z<p>Britta: fixing intro</p>
<hr />
<div>This is an '''incomplete''' list of known malware (including spyware, adware, trojans, viruses, worms, and similar tools) that have targeted iOS, including jailbroken iOS. The dates are approximate dates when people discovered, publicized, or started discussing the tool. '''Please help expand this article with more examples and details! To edit it, you can [[The iPhone Wiki:Account creation|request an account on TheiPhoneWiki]] if you don't have one.'''<br />
<br />
The goal of this list is to aid better understanding of the risks of using iOS and jailbroken iOS - it's helpful to have as much accurate information as you can. If you're concerned about avoiding malware on your jailbroken device, check out [https://www.reddit.com/r/jailbreak/wiki/howtoresearch this guide to making informed guesses about whether packages are reasonable to install].<br />
<br />
Some context: <br />
* Some of these tools targeted old iOS versions and do not work on current iOS versions.<br />
* Some of these are harmful and some are merely annoying.<br />
* Many of these require the device to be jailbroken, and some work on non-jailbroken devices.<br />
* Cydia is an open platform - it includes a specific set of default repositories, and it also allows users to type in any third-party repository that they want to use (much like a web browser that allows you to visit any website). Anyone can run a third-party repository and distribute any software they choose to distribute.<br />
* Some of these tools are built to target specific people instead of the general public.<br />
* Especially for malware that targets a specific person and requires the device to be jailbroken (such as commercial spyware tools used by governments and suspicious spouses), it's important to consider that ''the vulnerabilities in iOS that allow it be exploited with a jailbreak'' are part of what allows that malware to exist - the process may include finding a way to secretly jailbreak the target's device if it's not jailbroken already.<br />
<br />
For an earlier list of known malware, see [https://blog.fortinet.com/post/ios-malware-does-exist "iOS Malware Does Exist"] (June 2014).<br />
<br />
== Tools found in the wild ==<br />
<br />
=== iKee and Duh (November 2009) ===<br />
<br />
The [[Ikee-virus]] (also called Eeki) is a worm transmitted between jailbroken devices that have OpenSSH installed and haven't changed the default root password. It changes the lockscreen background to a photo of Rick Astley.<br />
<br />
Two weeks later, the similar [https://nakedsecurity.sophos.com/2009/11/23/lightning-strikes-iphone-malware-malicious/ Duh worm] spread, which was "much more serious than the original Ikee worm because it is not limited to infecting iPhone users in Australia, and communicates with an internet Control & Command centre, downloading new instructions - effectively turning your iPhone into part of a botnet."<br />
<br />
=== "Find and Call" (July 2012) ===<br />
<br />
Find and Call was an app on the App Store that automatically uploaded users' contact lists to the company's server, then spammed those contacts with a link to the app ("from" that user). This undisclosed, unwanted behavior makes the software fit the definition of a trojan. Articles: [https://securelist.com/blog/incidents/33544/find-and-call-leak-and-spam-57/ Kaspersky SecureList], [http://arstechnica.com/apple/2012/07/find-and-call-app-becomes-first-trojan-to-appear-on-ios-app-store/ Ars Technica], [https://nakedsecurity.sophos.com/2012/07/06/find-call-ios-android-malware/ Sophos NakedSecurity]. It is also called FindCall.<br />
<br />
=== FinSpy Mobile (August 2012) ===<br />
<br />
FinFisher is a suite of commercial surveillance tools sold to governments, which have been used to target activists and other people. The suite [https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/ includes spyware tools for many mobile operating systems, including iOS].<br />
<br />
=== Packages by Nobitazzz (August 2012 and September 2013) ===<br />
<br />
A tweak developer who went by various names (Felix, FelixCat, Martin Pham, Nitram88, Nobitazzz, Nobita.ZZZ, Sara_Nobita, isoftjsc, sara_nobita_zzz, tuyentq2009, vietSARA) included adware in his tweaks. These were many free packages along with some paid packages sold via the Cydia Store, mostly distributed by default repositories (until the problem was discovered). The adware ran ads in the background of iOS, displaying off-screen so that the user wouldn't notice them, with the revenue from those ads going to this tweak developer. This was [http://modmyi.com/forums/cydia-support/810633-new-adware-malware-found-cydia.html reported in August 2012 on the ModMyi forum] and [http://ryanhileman.info/posts/webgl analyzed in September 2013] ([https://www.reddit.com/r/jailbreak/comments/1n5702/anatomy_of_a_jailbreak_trojan/ discussion on Reddit]).<br />
<br />
Packages by this developer included: Animated ICS LockScreen & HomeScreen, BetterChrome, Chrome Download Enabler, ChromeMe, Enable Copy text in Facebook app, Enable WebGL, Facebook Photo Library integration, FacebookThis, Handwriting recognition, Insta9gag, InstaFacebook for NotificationCenter, Instagram Image saver, InstaSocial for Notification Center, InstaTwitter for NotificationCenter, iOS 6 Photos Menu, Make Gmail as default, Notification Lunar Calendar, Olympic 2012 Medal for Notification Center, PhotoFilters, Sara, Sara Dictation Keyboard, VoiceTweet.<br />
<br />
=== AdThief/Spad (March and August 2014) ===<br />
<br />
AdThief (also called Spad) is malware targeting jailbroken iOS devices, which "tweaks a developer ID that’s intended to tell ad developers when their ads are either viewed or clicked and in turn, generate revenue. In the malware’s case, infected devices funnel those small payments away from the developers to the hacker", as [https://threatpost.com/adthief-ios-malware-affecting-75k-jailbroken-devices/107907 explained by Kaspersky Threatpost]. Security researchers estimated it had infected 75,000 devices.<br />
<br />
=== Unflod (April 2014) ===<br />
<br />
[[Unflod]] is a malicious piece of software targeting jailbroken iOS devices, which attempts to capture the user's Apple ID and password by using MobileSubstrate to hook into the SSLWrite function of Security.framework and then listening to data passed to it. Once the Apple ID and password are captured, it is sent to a Chinese IP address. It was inadvertently discovered by a Reddit user on April 17th, 2014. Also called "Unflod Baby Panda" and "SSLCreds".<br />
<br />
=== Hacking Team tools (June 2014 and July 2015) ===<br />
<br />
[[Hacking Team]] is a company that "sells offensive intrusion and surveillance capabilities to governments and law enforcement agencies", including iOS spyware tools. The iOS spyware tools appear designed for targeting/attacking specific people, not for broad surveillance of the public. Their main tool (Remote Control System) requires a jailbroken device, and they were researching options for non-jailbroken devices.<br />
<br />
=== AppBuyer (September 2014) ===<br />
<br />
AppBuyer, as discussed in [http://researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/ this article by Palo Alto Networks], is "malware will connect to C&C server, download and execute malicious executable files, hook network APIs to steal user’s Apple ID and password and upload to the attacker’s server, and simulate Apple’s proprietary protocols to buy apps from the official App Store by victim’s identity." It targets jailbroken devices.<br />
<br />
=== WireLurker and Masque Attack (November 2014) ===<br />
<br />
As discussed at [[Misuse of enterprise and developer certificates]]: [http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/ according to Palo Alto Networks], WireLurker is "a family of malware targeting both Mac OS and iOS systems for the past six months...It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning."<br />
<br />
Masque Attacks are a related technique, also [https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html discussed by Palo Alto Networks]: "an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier."<br />
<br />
=== Xsser mRAT (December 2014) ===<br />
<br />
Xsser mRAT is a piece of malware that targets jailbroken devices. [https://blogs.akamai.com/2014/12/ios-and-android-os-targeted-by-man-in-the-middle-attacks.html As described by Akamai]: "The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server."<br />
<br />
=== XAgent (February 2015) ===<br />
<br />
XAgent is a surveillance tool targeting specific people (such as people in governments, the military, and journalists) that can affect both non-jailbroken and jailbroken devices, as described in [http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/ this article by Trend Micro]. Also [http://www.pcworld.com/article/2880152/new-spyware-targets-ios-devices-steals-pictures-and-data.html covered by PCWorld].<br />
<br />
=== Lock Saver Free (July 2015) ===<br />
<br />
Lock Saver Free is a free tweak, originally distributed on a default repository (removed from the repository after discovery of the problem), that installs an extra tweak that hooks into ad banners to insert its own ad identifier, presumably in order to give ad revenue to the author of the tweak instead of to the author of the website/app where the ad was found. [https://www.reddit.com/r/jailbreak/comments/3eis8g/news_lock_saver_free_contains_a_trojan_that/ Discussion on Reddit].<br />
<br />
=== KeyRaider (August 2015) ===<br />
<br />
KeyRaider, as discussed in [http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/ this article by Palo Alto Networks], is a piece of malware for jailbroken devices that "steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device." These security researchers said it has over 225,000 stolen accounts in its database.<br />
<br />
== Tools developed as part of research ==<br />
<br />
=== iSAM (June 2011) ===<br />
<br />
iSAM is a malware tool [http://link.springer.com/chapter/10.1007%2F978-3-642-21424-0_2 developed by security researchers] as a proof of concept. It affects both jailbroken and not-yet-jailbroken devices: it scans for jailbroken devices that have SSH running and the default root password, and it also includes a malicious version of the [[Star]] exploit (JailbreakMe 2.0) so it can jailbreak a device that isn't jailbroken yet.<br />
<br />
=== Instastock (November 2011) ===<br />
<br />
Charlie Miller, a security researcher, [http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/ submitted an app to the App Store called Instastock] to demonstrate "a flaw in Apple’s restrictions on code signing on iOS devices". The app was initially accepted and then pulled from the store.<br />
<br />
=== Mactans (July 2013) ===<br />
<br />
At the Black Hat 2013 conference, security researchers presented a tool called Mactans, a small device that looks like a charger but [http://www.zdnet.com/article/researchers-reveal-how-to-hack-an-iphone-in-60-seconds/ can insert malware if you plug an iOS device into it]. The iOS device does not have to be jailbroken.<br />
<br />
== Tools for sale to the public ==<br />
<br />
=== Copy9 ===<br />
<br />
[http://cydia.saurik.com/package/com.goldenspy.copy9/ Copy9] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Copy9. It describes itself as "will be installed on target iDevice to find out a thief, cheating spouses, monitor chidren/employees or simply backup data from your devices to our cloud server. This is the best spyware on the world in spying field."<br />
<br />
=== iKeyGuard Key Logger ===<br />
<br />
[http://cydia.saurik.com/package/com.ikeyguard.ikg/ iKeyGuard Key Logger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by iKeyGuard. Its description includes "Warning: Logging other people without their permission might be illegal in your country! Make sure you abide by your local law."<br />
<br />
=== InnovaSPY ===<br />
<br />
[http://cydia.saurik.com/package/com.innovaspy.innovaspy/ InnovaSPY] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Innovaspy. Its description says "Perfect iPhone spy app" and lists reasons to use it as "Protect your child from cyber predators" and "Find out THE TRUE from cheating spouse?" Related package: [http://cydia.saurik.com/package/com.innovaspy.innovamonitor/ InnovaMonitor], a monitoring app for use with the spy tool.<br />
<br />
=== mSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.mtechnology.mspy.trial/ mSpy] is a spying tool available to the public via the BigBoss repository (a default repository), authored by Mtechnology. Its description of itself: "mSpy is the best tracking and spy application that allows users to keep a check on the cell phone activities of their kids other family members or employees in order to avoid any unwanted behavior or for safety purposes."<br />
<br />
=== OwnSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.ownspy.daemon/ OwnSpy] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Antonio Calatrava. It describes itself as "Spy your own iPhone or iPad", with call recording, location tracking, and other features. It has a warning that says "Installing OwnSpy on a device that does not belong to you is a criminal offense and may be prosecuted. Mobile Innovations will help authorities if required."<br />
<br />
=== Spy App ===<br />
<br />
[http://cydia.saurik.com/package/com.spyapp.daemon/ Spy App] is a spying tool available to the public via the ModMyi repository (a default repository), authored by dmarinov. Its description includes "Remotely spy SMS, Emails, Call Logs, GPS Location, Key presses (Keylogger)" and other features. It says it is "absolutely invisible and undetectable."<br />
<br />
=== SpyKey ===<br />
<br />
[http://cydia.saurik.com/package/com.kobisnir.spykey/ SpyKey] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Kobi Snir. Its description includes "a simple app that let you monitor your PC Keyboard activity in real time, Simply connect your iphone to your compute using your Wifi or 3G connection and start monitoring."<br />
<br />
=== Trapsms ===<br />
<br />
Trapsms was an early spying tool available to the public, [http://blog.fortinet.com/post/detecting-spyware-for-iphones described in this post by a security researcher in July 2009]. She says: "The spyware installs on any jailbroken iPhone. In Cydia (an iPhone front-end to help installing third-party applications), you first add the URL of the spyware's repository and then install the two spyware packages."<br />
<br />
[[Category:Malware research]]</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=Malware_for_iOS&diff=47603Malware for iOS2015-09-01T12:52:24Z<p>Britta: detail</p>
<hr />
<div>This is an '''incomplete draft''' list of known malware (including spyware, adware, trojans, viruses, worms, and similar tools) that have targeted iOS, including jailbroken iOS. The dates are approximate dates when people discovered, publicized, or started discussing the tool. '''Please help expand this article with more examples and details! To edit it, you can [[The iPhone Wiki:Account creation|request an account on TheiPhoneWiki]] if you don't have one.'''<br />
<br />
The goal of this list is to aid better understanding of the risks of using iOS and jailbroken iOS - it's helpful to have as much accurate information as you can. If you're concerned about avoiding malware on your jailbroken device, check out [https://www.reddit.com/r/jailbreak/wiki/howtoresearch this guide to making informed guesses about whether packages are reasonable to install].<br />
<br />
Some context: <br />
* Some of these tools targeted old iOS versions and do not work on current iOS versions.<br />
* Some of these are harmful and some are merely annoying.<br />
* Many of these require the device to be jailbroken, and some work on non-jailbroken devices.<br />
* Cydia is an open platform - it includes a specific set of default repositories, and it also allows users to type in any third-party repository that they want to use (much like a web browser that allows you to visit any website). Anyone can run a third-party repository and distribute any software they choose to distribute.<br />
* Some of these tools are built to target specific people instead of the general public.<br />
* Especially for malware that targets a specific person and requires the device to be jailbroken (such as commercial spyware tools used by governments and suspicious spouses), it's important to consider that ''the vulnerabilities in iOS that allow it be exploited with a jailbreak'' are part of what allows that malware to exist - the process may include finding a way to secretly jailbreak the target's device if it's not jailbroken already.<br />
<br />
For an earlier list of known malware, see [https://blog.fortinet.com/post/ios-malware-does-exist "iOS Malware Does Exist"] (June 2014).<br />
<br />
== Tools found in the wild ==<br />
<br />
=== iKee and Duh (November 2009) ===<br />
<br />
The [[Ikee-virus]] (also called Eeki) is a worm transmitted between jailbroken devices that have OpenSSH installed and haven't changed the default root password. It changes the lockscreen background to a photo of Rick Astley.<br />
<br />
Two weeks later, the similar [https://nakedsecurity.sophos.com/2009/11/23/lightning-strikes-iphone-malware-malicious/ Duh worm] spread, which was "much more serious than the original Ikee worm because it is not limited to infecting iPhone users in Australia, and communicates with an internet Control & Command centre, downloading new instructions - effectively turning your iPhone into part of a botnet."<br />
<br />
=== "Find and Call" (July 2012) ===<br />
<br />
Find and Call was an app on the App Store that automatically uploaded users' contact lists to the company's server, then spammed those contacts with a link to the app ("from" that user). This undisclosed, unwanted behavior makes the software fit the definition of a trojan. Articles: [https://securelist.com/blog/incidents/33544/find-and-call-leak-and-spam-57/ Kaspersky SecureList], [http://arstechnica.com/apple/2012/07/find-and-call-app-becomes-first-trojan-to-appear-on-ios-app-store/ Ars Technica], [https://nakedsecurity.sophos.com/2012/07/06/find-call-ios-android-malware/ Sophos NakedSecurity]. It is also called FindCall.<br />
<br />
=== FinSpy Mobile (August 2012) ===<br />
<br />
FinFisher is a suite of commercial surveillance tools sold to governments, which have been used to target activists and other people. The suite [https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/ includes spyware tools for many mobile operating systems, including iOS].<br />
<br />
=== Packages by Nobitazzz (August 2012 and September 2013) ===<br />
<br />
A tweak developer who went by various names (Felix, FelixCat, Martin Pham, Nitram88, Nobitazzz, Nobita.ZZZ, Sara_Nobita, isoftjsc, sara_nobita_zzz, tuyentq2009, vietSARA) included adware in his tweaks. These were many free packages along with some paid packages sold via the Cydia Store, mostly distributed by default repositories (until the problem was discovered). The adware ran ads in the background of iOS, displaying off-screen so that the user wouldn't notice them, with the revenue from those ads going to this tweak developer. This was [http://modmyi.com/forums/cydia-support/810633-new-adware-malware-found-cydia.html reported in August 2012 on the ModMyi forum] and [http://ryanhileman.info/posts/webgl analyzed in September 2013] ([https://www.reddit.com/r/jailbreak/comments/1n5702/anatomy_of_a_jailbreak_trojan/ discussion on Reddit]).<br />
<br />
Packages by this developer included: Animated ICS LockScreen & HomeScreen, BetterChrome, Chrome Download Enabler, ChromeMe, Enable Copy text in Facebook app, Enable WebGL, Facebook Photo Library integration, FacebookThis, Handwriting recognition, Insta9gag, InstaFacebook for NotificationCenter, Instagram Image saver, InstaSocial for Notification Center, InstaTwitter for NotificationCenter, iOS 6 Photos Menu, Make Gmail as default, Notification Lunar Calendar, Olympic 2012 Medal for Notification Center, PhotoFilters, Sara, Sara Dictation Keyboard, VoiceTweet.<br />
<br />
=== AdThief/Spad (March and August 2014) ===<br />
<br />
AdThief (also called Spad) is malware targeting jailbroken iOS devices, which "tweaks a developer ID that’s intended to tell ad developers when their ads are either viewed or clicked and in turn, generate revenue. In the malware’s case, infected devices funnel those small payments away from the developers to the hacker", as [https://threatpost.com/adthief-ios-malware-affecting-75k-jailbroken-devices/107907 explained by Kaspersky Threatpost]. Security researchers estimated it had infected 75,000 devices.<br />
<br />
=== Unflod (April 2014) ===<br />
<br />
[[Unflod]] is a malicious piece of software targeting jailbroken iOS devices, which attempts to capture the user's Apple ID and password by using MobileSubstrate to hook into the SSLWrite function of Security.framework and then listening to data passed to it. Once the Apple ID and password are captured, it is sent to a Chinese IP address. It was inadvertently discovered by a Reddit user on April 17th, 2014. Also called "Unflod Baby Panda" and "SSLCreds".<br />
<br />
=== Hacking Team tools (June 2014 and July 2015) ===<br />
<br />
[[Hacking Team]] is a company that "sells offensive intrusion and surveillance capabilities to governments and law enforcement agencies", including iOS spyware tools. The iOS spyware tools appear designed for targeting/attacking specific people, not for broad surveillance of the public. Their main tool (Remote Control System) requires a jailbroken device, and they were researching options for non-jailbroken devices.<br />
<br />
=== AppBuyer (September 2014) ===<br />
<br />
AppBuyer, as discussed in [http://researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/ this article by Palo Alto Networks], is "malware will connect to C&C server, download and execute malicious executable files, hook network APIs to steal user’s Apple ID and password and upload to the attacker’s server, and simulate Apple’s proprietary protocols to buy apps from the official App Store by victim’s identity." It targets jailbroken devices.<br />
<br />
=== WireLurker and Masque Attack (November 2014) ===<br />
<br />
As discussed at [[Misuse of enterprise and developer certificates]]: [http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/ according to Palo Alto Networks], WireLurker is "a family of malware targeting both Mac OS and iOS systems for the past six months...It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning."<br />
<br />
Masque Attacks are a related technique, also [https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html discussed by Palo Alto Networks]: "an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier."<br />
<br />
=== Xsser mRAT (December 2014) ===<br />
<br />
Xsser mRAT is a piece of malware that targets jailbroken devices. [https://blogs.akamai.com/2014/12/ios-and-android-os-targeted-by-man-in-the-middle-attacks.html As described by Akamai]: "The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server."<br />
<br />
=== XAgent (February 2015) ===<br />
<br />
XAgent is a surveillance tool targeting specific people (such as people in governments, the military, and journalists) that can affect both non-jailbroken and jailbroken devices, as described in [http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/ this article by Trend Micro]. Also [http://www.pcworld.com/article/2880152/new-spyware-targets-ios-devices-steals-pictures-and-data.html covered by PCWorld].<br />
<br />
=== Lock Saver Free (July 2015) ===<br />
<br />
Lock Saver Free is a free tweak, originally distributed on a default repository (removed from the repository after discovery of the problem), that installs an extra tweak that hooks into ad banners to insert its own ad identifier, presumably in order to give ad revenue to the author of the tweak instead of to the author of the website/app where the ad was found. [https://www.reddit.com/r/jailbreak/comments/3eis8g/news_lock_saver_free_contains_a_trojan_that/ Discussion on Reddit].<br />
<br />
=== KeyRaider (August 2015) ===<br />
<br />
KeyRaider, as discussed in [http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/ this article by Palo Alto Networks], is a piece of malware for jailbroken devices that "steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device." These security researchers said it has over 225,000 stolen accounts in its database.<br />
<br />
== Tools developed as part of research ==<br />
<br />
=== iSAM (June 2011) ===<br />
<br />
iSAM is a malware tool [http://link.springer.com/chapter/10.1007%2F978-3-642-21424-0_2 developed by security researchers] as a proof of concept. It affects both jailbroken and not-yet-jailbroken devices: it scans for jailbroken devices that have SSH running and the default root password, and it also includes a malicious version of the [[Star]] exploit (JailbreakMe 2.0) so it can jailbreak a device that isn't jailbroken yet.<br />
<br />
=== Instastock (November 2011) ===<br />
<br />
Charlie Miller, a security researcher, [http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/ submitted an app to the App Store called Instastock] to demonstrate "a flaw in Apple’s restrictions on code signing on iOS devices". The app was initially accepted and then pulled from the store.<br />
<br />
=== Mactans (July 2013) ===<br />
<br />
At the Black Hat 2013 conference, security researchers presented a tool called Mactans, a small device that looks like a charger but [http://www.zdnet.com/article/researchers-reveal-how-to-hack-an-iphone-in-60-seconds/ can insert malware if you plug an iOS device into it]. The iOS device does not have to be jailbroken.<br />
<br />
== Tools for sale to the public ==<br />
<br />
=== Copy9 ===<br />
<br />
[http://cydia.saurik.com/package/com.goldenspy.copy9/ Copy9] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Copy9. It describes itself as "will be installed on target iDevice to find out a thief, cheating spouses, monitor chidren/employees or simply backup data from your devices to our cloud server. This is the best spyware on the world in spying field."<br />
<br />
=== iKeyGuard Key Logger ===<br />
<br />
[http://cydia.saurik.com/package/com.ikeyguard.ikg/ iKeyGuard Key Logger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by iKeyGuard. Its description includes "Warning: Logging other people without their permission might be illegal in your country! Make sure you abide by your local law."<br />
<br />
=== InnovaSPY ===<br />
<br />
[http://cydia.saurik.com/package/com.innovaspy.innovaspy/ InnovaSPY] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Innovaspy. Its description says "Perfect iPhone spy app" and lists reasons to use it as "Protect your child from cyber predators" and "Find out THE TRUE from cheating spouse?" Related package: [http://cydia.saurik.com/package/com.innovaspy.innovamonitor/ InnovaMonitor], a monitoring app for use with the spy tool.<br />
<br />
=== mSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.mtechnology.mspy.trial/ mSpy] is a spying tool available to the public via the BigBoss repository (a default repository), authored by Mtechnology. Its description of itself: "mSpy is the best tracking and spy application that allows users to keep a check on the cell phone activities of their kids other family members or employees in order to avoid any unwanted behavior or for safety purposes."<br />
<br />
=== OwnSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.ownspy.daemon/ OwnSpy] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Antonio Calatrava. It describes itself as "Spy your own iPhone or iPad", with call recording, location tracking, and other features. It has a warning that says "Installing OwnSpy on a device that does not belong to you is a criminal offense and may be prosecuted. Mobile Innovations will help authorities if required."<br />
<br />
=== Spy App ===<br />
<br />
[http://cydia.saurik.com/package/com.spyapp.daemon/ Spy App] is a spying tool available to the public via the ModMyi repository (a default repository), authored by dmarinov. Its description includes "Remotely spy SMS, Emails, Call Logs, GPS Location, Key presses (Keylogger)" and other features. It says it is "absolutely invisible and undetectable."<br />
<br />
=== SpyKey ===<br />
<br />
[http://cydia.saurik.com/package/com.kobisnir.spykey/ SpyKey] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Kobi Snir. Its description includes "a simple app that let you monitor your PC Keyboard activity in real time, Simply connect your iphone to your compute using your Wifi or 3G connection and start monitoring."<br />
<br />
=== Trapsms ===<br />
<br />
Trapsms was an early spying tool available to the public, [http://blog.fortinet.com/post/detecting-spyware-for-iphones described in this post by a security researcher in July 2009]. She says: "The spyware installs on any jailbroken iPhone. In Cydia (an iPhone front-end to help installing third-party applications), you first add the URL of the spyware's repository and then install the two spyware packages."<br />
<br />
[[Category:Malware research]]</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=Malware_for_iOS&diff=47602Malware for iOS2015-09-01T12:50:27Z<p>Britta: clarification</p>
<hr />
<div>This is an '''incomplete draft''' list of known malware (including spyware, adware, trojans, viruses, worms, and similar tools) that have targeted iOS, including jailbroken iOS. The dates are approximate dates when people discovered, publicized, or started discussing the tool. '''Please help expand this article with more examples and details! To edit it, you can [[The iPhone Wiki:Account creation|request an account on TheiPhoneWiki]] if you don't have one.'''<br />
<br />
The goal of this list is to aid better understanding of the risks of using iOS and jailbroken iOS - it's helpful to have as much accurate information as you can. If you're concerned about avoiding malware on your jailbroken device, check out [https://www.reddit.com/r/jailbreak/wiki/howtoresearch this guide to making informed guesses about whether packages are reasonable to install].<br />
<br />
Some context: <br />
* Some of these tools targeted old iOS versions and do not work on current iOS versions.<br />
* Some of these are harmful and some are merely annoying.<br />
* Many of these require the device to be jailbroken, and some work on non-jailbroken devices.<br />
* Cydia is an open platform - it includes a specific set of default repositories, and it also allows users to type in any third-party repository that they want to use (much like a web browser that allows you to visit any website). Anyone can run a third-party repository and distribute any software they choose to distribute.<br />
* Some of these tools are built to target specific people instead of the general public.<br />
* Especially for malware that targets a specific person and requires the device to be jailbroken (such as commercial spyware tools used by governments and suspicious spouses), it's important to consider that ''the vulnerabilities in iOS that allow it be exploited with a jailbreak'' are part of what allows that malware to exist - the process may include finding a way to secretly jailbreak the target's device if it's not jailbroken already.<br />
<br />
For an earlier list of known malware, see [https://blog.fortinet.com/post/ios-malware-does-exist "iOS Malware Does Exist"] (June 2014).<br />
<br />
== Tools found in the wild ==<br />
<br />
=== iKee and Duh (November 2009) ===<br />
<br />
The [[Ikee-virus]] (also called Eeki) is a worm transmitted between jailbroken devices that have OpenSSH installed and haven't changed the default root password. It changes the lockscreen background to a photo of Rick Astley.<br />
<br />
Two weeks later, the similar [https://nakedsecurity.sophos.com/2009/11/23/lightning-strikes-iphone-malware-malicious/ Duh worm] spread, which was "much more serious than the original Ikee worm because it is not limited to infecting iPhone users in Australia, and communicates with an internet Control & Command centre, downloading new instructions - effectively turning your iPhone into part of a botnet."<br />
<br />
=== "Find and Call" (July 2012) ===<br />
<br />
Find and Call was an app on the App Store that automatically uploaded users' contact lists to the company's server, then spammed those contacts with a link to the app ("from" that user). This undisclosed, unwanted behavior makes the software fit the definition of a trojan. Articles: [https://securelist.com/blog/incidents/33544/find-and-call-leak-and-spam-57/ Kaspersky SecureList], [http://arstechnica.com/apple/2012/07/find-and-call-app-becomes-first-trojan-to-appear-on-ios-app-store/ Ars Technica], [https://nakedsecurity.sophos.com/2012/07/06/find-call-ios-android-malware/ Sophos NakedSecurity]. It is also called FindCall.<br />
<br />
=== FinSpy Mobile (August 2012) ===<br />
<br />
FinFisher is a suite of commercial surveillance tools sold to governments, which have been used to target activists and other people. The suite [https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/ includes spyware tools for many mobile operating systems, including iOS].<br />
<br />
=== Packages by Nobitazzz (August 2012 and September 2013) ===<br />
<br />
A tweak developer who went by various names (Felix, FelixCat, Martin Pham, Nitram88, Nobitazzz, Nobita.ZZZ, Sara_Nobita, isoftjsc, sara_nobita_zzz, tuyentq2009, vietSARA) included adware in his tweaks. These were many free packages along with some paid packages sold via the Cydia Store, mostly distributed by default repositories (until the problem was discovered). The adware ran ads in the background of iOS, displaying off-screen so that the user wouldn't notice them, with the revenue from those ads going to this tweak developer. This was [http://modmyi.com/forums/cydia-support/810633-new-adware-malware-found-cydia.html reported in August 2012 on the ModMyi forum] and [http://ryanhileman.info/posts/webgl analyzed in September 2013] ([https://www.reddit.com/r/jailbreak/comments/1n5702/anatomy_of_a_jailbreak_trojan/ discussion on Reddit]).<br />
<br />
Packages by this developer included: Animated ICS LockScreen & HomeScreen, BetterChrome, Chrome Download Enabler, ChromeMe, Enable Copy text in Facebook app, Enable WebGL, Facebook Photo Library integration, FacebookThis, Handwriting recognition, Insta9gag, InstaFacebook for NotificationCenter, Instagram Image saver, InstaSocial for Notification Center, InstaTwitter for NotificationCenter, iOS 6 Photos Menu, Make Gmail as default, Notification Lunar Calendar, Olympic 2012 Medal for Notification Center, PhotoFilters, Sara, Sara Dictation Keyboard, VoiceTweet.<br />
<br />
=== AdThief/Spad (March and August 2014) ===<br />
<br />
AdThief (also called Spad) is malware targeting jailbroken iOS devices, which "tweaks a developer ID that’s intended to tell ad developers when their ads are either viewed or clicked and in turn, generate revenue. In the malware’s case, infected devices funnel those small payments away from the developers to the hacker", as [https://threatpost.com/adthief-ios-malware-affecting-75k-jailbroken-devices/107907 explained by Kaspersky Threatpost]. Security researchers estimated it had infected 75,000 devices.<br />
<br />
=== Unflod (April 2014) ===<br />
<br />
[[Unflod]] is a malicious piece of software targeting jailbroken iOS devices, which attempts to capture the user's Apple ID and password by using MobileSubstrate to hook into the SSLWrite function of Security.framework and then listening to data passed to it. Once the Apple ID and password are captured, it is sent to a Chinese IP address. It was inadvertently discovered by a Reddit user on April 17th, 2014. Also called "Unflod Baby Panda" and "SSLCreds".<br />
<br />
=== Hacking Team tools (June 2014 and July 2015) ===<br />
<br />
[[Hacking Team]] is a company that "sells offensive intrusion and surveillance capabilities to governments and law enforcement agencies", including iOS spyware tools. The iOS spyware tools appear designed for targeting/attacking specific people, not for broad surveillance of the public. Their main tool (Remote Control System) requires a jailbroken device, and they were researching options for non-jailbroken devices.<br />
<br />
=== AppBuyer (September 2014) ===<br />
<br />
AppBuyer, as discussed in [http://researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/ this article by Palo Alto Networks], is "malware will connect to C&C server, download and execute malicious executable files, hook network APIs to steal user’s Apple ID and password and upload to the attacker’s server, and simulate Apple’s proprietary protocols to buy apps from the official App Store by victim’s identity." It targets jailbroken devices.<br />
<br />
=== WireLurker and Masque Attack (November 2014) ===<br />
<br />
As discussed at [[Misuse of enterprise and developer certificates]]: [http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/ according to Palo Alto Networks], WireLurker is "a family of malware targeting both Mac OS and iOS systems for the past six months...It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning."<br />
<br />
Masque Attacks are a related technique, also [https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html discussed by Palo Alto Networks]: "an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier."<br />
<br />
=== Xsser mRAT (December 2014) ===<br />
<br />
Xsser mRAT is a piece of malware that targets jailbroken devices. [https://blogs.akamai.com/2014/12/ios-and-android-os-targeted-by-man-in-the-middle-attacks.html As described by Akamai]: "The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server."<br />
<br />
=== XAgent (February 2015) ===<br />
<br />
XAgent is a surveillance tool targeting specific people (such as people in governments, the military, and journalists) that can affect both non-jailbroken and jailbroken devices, as described in [http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/ this article by Trend Micro]. Also [http://www.pcworld.com/article/2880152/new-spyware-targets-ios-devices-steals-pictures-and-data.html covered by PCWorld].<br />
<br />
=== Lock Saver Free (July 2015) ===<br />
<br />
Lock Saver Free is a free tweak, originally distributed on a default repository (removed from the repository after discovery of the problem), that installs an extra tweak that hooks into ad banners to insert its own ad identifier, presumably in order to give ad revenue to the author of the tweak instead of to the author of the website/app where the ad was found. [https://www.reddit.com/r/jailbreak/comments/3eis8g/news_lock_saver_free_contains_a_trojan_that/ Discussion on Reddit].<br />
<br />
=== KeyRaider (August 2015) ===<br />
<br />
KeyRaider, as discussed in [http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/ this article by Palo Alto Networks], is a piece of malware for jailbroken devices that "steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device."<br />
<br />
== Tools developed as part of research ==<br />
<br />
=== iSAM (June 2011) ===<br />
<br />
iSAM is a malware tool [http://link.springer.com/chapter/10.1007%2F978-3-642-21424-0_2 developed by security researchers] as a proof of concept. It affects both jailbroken and not-yet-jailbroken devices: it scans for jailbroken devices that have SSH running and the default root password, and it also includes a malicious version of the [[Star]] exploit (JailbreakMe 2.0) so it can jailbreak a device that isn't jailbroken yet.<br />
<br />
=== Instastock (November 2011) ===<br />
<br />
Charlie Miller, a security researcher, [http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/ submitted an app to the App Store called Instastock] to demonstrate "a flaw in Apple’s restrictions on code signing on iOS devices". The app was initially accepted and then pulled from the store.<br />
<br />
=== Mactans (July 2013) ===<br />
<br />
At the Black Hat 2013 conference, security researchers presented a tool called Mactans, a small device that looks like a charger but [http://www.zdnet.com/article/researchers-reveal-how-to-hack-an-iphone-in-60-seconds/ can insert malware if you plug an iOS device into it]. The iOS device does not have to be jailbroken.<br />
<br />
== Tools for sale to the public ==<br />
<br />
=== Copy9 ===<br />
<br />
[http://cydia.saurik.com/package/com.goldenspy.copy9/ Copy9] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Copy9. It describes itself as "will be installed on target iDevice to find out a thief, cheating spouses, monitor chidren/employees or simply backup data from your devices to our cloud server. This is the best spyware on the world in spying field."<br />
<br />
=== iKeyGuard Key Logger ===<br />
<br />
[http://cydia.saurik.com/package/com.ikeyguard.ikg/ iKeyGuard Key Logger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by iKeyGuard. Its description includes "Warning: Logging other people without their permission might be illegal in your country! Make sure you abide by your local law."<br />
<br />
=== InnovaSPY ===<br />
<br />
[http://cydia.saurik.com/package/com.innovaspy.innovaspy/ InnovaSPY] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Innovaspy. Its description says "Perfect iPhone spy app" and lists reasons to use it as "Protect your child from cyber predators" and "Find out THE TRUE from cheating spouse?" Related package: [http://cydia.saurik.com/package/com.innovaspy.innovamonitor/ InnovaMonitor], a monitoring app for use with the spy tool.<br />
<br />
=== mSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.mtechnology.mspy.trial/ mSpy] is a spying tool available to the public via the BigBoss repository (a default repository), authored by Mtechnology. Its description of itself: "mSpy is the best tracking and spy application that allows users to keep a check on the cell phone activities of their kids other family members or employees in order to avoid any unwanted behavior or for safety purposes."<br />
<br />
=== OwnSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.ownspy.daemon/ OwnSpy] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Antonio Calatrava. It describes itself as "Spy your own iPhone or iPad", with call recording, location tracking, and other features. It has a warning that says "Installing OwnSpy on a device that does not belong to you is a criminal offense and may be prosecuted. Mobile Innovations will help authorities if required."<br />
<br />
=== Spy App ===<br />
<br />
[http://cydia.saurik.com/package/com.spyapp.daemon/ Spy App] is a spying tool available to the public via the ModMyi repository (a default repository), authored by dmarinov. Its description includes "Remotely spy SMS, Emails, Call Logs, GPS Location, Key presses (Keylogger)" and other features. It says it is "absolutely invisible and undetectable."<br />
<br />
=== SpyKey ===<br />
<br />
[http://cydia.saurik.com/package/com.kobisnir.spykey/ SpyKey] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Kobi Snir. Its description includes "a simple app that let you monitor your PC Keyboard activity in real time, Simply connect your iphone to your compute using your Wifi or 3G connection and start monitoring."<br />
<br />
=== Trapsms ===<br />
<br />
Trapsms was an early spying tool available to the public, [http://blog.fortinet.com/post/detecting-spyware-for-iphones described in this post by a security researcher in July 2009]. She says: "The spyware installs on any jailbroken iPhone. In Cydia (an iPhone front-end to help installing third-party applications), you first add the URL of the spyware's repository and then install the two spyware packages."<br />
<br />
[[Category:Malware research]]</div>Brittahttps://www.theiphonewiki.com/w/index.php?title=Malware_for_iOS&diff=47601Malware for iOS2015-09-01T12:48:40Z<p>Britta: more context</p>
<hr />
<div>This is an '''incomplete draft''' list of known malware (including spyware, adware, trojans, viruses, worms, and similar tools) that have targeted iOS, including jailbroken iOS. The dates are approximate dates when people discovered, publicized, or started discussing the tool. '''Please help expand this article with more examples and details! To edit it, you can [[The iPhone Wiki:Account creation|request an account on TheiPhoneWiki]] if you don't have one.'''<br />
<br />
The goal of this list is to aid better understanding of the risks of using iOS and jailbroken iOS - it's helpful to have as much accurate information as you can. If you're concerned about avoiding malware on your jailbroken device, check out [https://www.reddit.com/r/jailbreak/wiki/howtoresearch this guide to making informed guesses about whether packages are reasonable to install].<br />
<br />
Some context: <br />
* Some of these tools targeted old iOS versions and do not work on current iOS versions.<br />
* Some of these are harmful and some are merely annoying.<br />
* Many of these require the device to be jailbroken, and some work on non-jailbroken devices.<br />
* Cydia is an open platform - it includes a specific set of default repositories, and it also allows users to type in any third-party repository that they want to use (much like a web browser that allows you to visit any website). Anyone can run a third-party repository and distribute any software they choose to distribute.<br />
* Some of these are built to target specific people instead of the general public.<br />
* Especially for malware that targets a specific person and requires the device to be jailbroken (such as commercial spyware tools used by governments and suspicious spouses), it's important to consider that ''the vulnerabilities in iOS that allow it be exploited with a jailbreak'' are part of what allows that malware to exist - the process may include finding a way to secretly jailbreak the target's device if it's not jailbroken already.<br />
<br />
For an earlier list of known malware, see [https://blog.fortinet.com/post/ios-malware-does-exist "iOS Malware Does Exist"] (June 2014).<br />
<br />
== Tools found in the wild ==<br />
<br />
=== iKee and Duh (November 2009) ===<br />
<br />
The [[Ikee-virus]] (also called Eeki) is a worm transmitted between jailbroken devices that have OpenSSH installed and haven't changed the default root password. It changes the lockscreen background to a photo of Rick Astley.<br />
<br />
Two weeks later, the similar [https://nakedsecurity.sophos.com/2009/11/23/lightning-strikes-iphone-malware-malicious/ Duh worm] spread, which was "much more serious than the original Ikee worm because it is not limited to infecting iPhone users in Australia, and communicates with an internet Control & Command centre, downloading new instructions - effectively turning your iPhone into part of a botnet."<br />
<br />
=== "Find and Call" (July 2012) ===<br />
<br />
Find and Call was an app on the App Store that automatically uploaded users' contact lists to the company's server, then spammed those contacts with a link to the app ("from" that user). This undisclosed, unwanted behavior makes the software fit the definition of a trojan. Articles: [https://securelist.com/blog/incidents/33544/find-and-call-leak-and-spam-57/ Kaspersky SecureList], [http://arstechnica.com/apple/2012/07/find-and-call-app-becomes-first-trojan-to-appear-on-ios-app-store/ Ars Technica], [https://nakedsecurity.sophos.com/2012/07/06/find-call-ios-android-malware/ Sophos NakedSecurity]. It is also called FindCall.<br />
<br />
=== FinSpy Mobile (August 2012) ===<br />
<br />
FinFisher is a suite of commercial surveillance tools sold to governments, which have been used to target activists and other people. The suite [https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/ includes spyware tools for many mobile operating systems, including iOS].<br />
<br />
=== Packages by Nobitazzz (August 2012 and September 2013) ===<br />
<br />
A tweak developer who went by various names (Felix, FelixCat, Martin Pham, Nitram88, Nobitazzz, Nobita.ZZZ, Sara_Nobita, isoftjsc, sara_nobita_zzz, tuyentq2009, vietSARA) included adware in his tweaks. These were many free packages along with some paid packages sold via the Cydia Store, mostly distributed by default repositories (until the problem was discovered). The adware ran ads in the background of iOS, displaying off-screen so that the user wouldn't notice them, with the revenue from those ads going to this tweak developer. This was [http://modmyi.com/forums/cydia-support/810633-new-adware-malware-found-cydia.html reported in August 2012 on the ModMyi forum] and [http://ryanhileman.info/posts/webgl analyzed in September 2013] ([https://www.reddit.com/r/jailbreak/comments/1n5702/anatomy_of_a_jailbreak_trojan/ discussion on Reddit]).<br />
<br />
Packages by this developer included: Animated ICS LockScreen & HomeScreen, BetterChrome, Chrome Download Enabler, ChromeMe, Enable Copy text in Facebook app, Enable WebGL, Facebook Photo Library integration, FacebookThis, Handwriting recognition, Insta9gag, InstaFacebook for NotificationCenter, Instagram Image saver, InstaSocial for Notification Center, InstaTwitter for NotificationCenter, iOS 6 Photos Menu, Make Gmail as default, Notification Lunar Calendar, Olympic 2012 Medal for Notification Center, PhotoFilters, Sara, Sara Dictation Keyboard, VoiceTweet.<br />
<br />
=== AdThief/Spad (March and August 2014) ===<br />
<br />
AdThief (also called Spad) is malware targeting jailbroken iOS devices, which "tweaks a developer ID that’s intended to tell ad developers when their ads are either viewed or clicked and in turn, generate revenue. In the malware’s case, infected devices funnel those small payments away from the developers to the hacker", as [https://threatpost.com/adthief-ios-malware-affecting-75k-jailbroken-devices/107907 explained by Kaspersky Threatpost]. Security researchers estimated it had infected 75,000 devices.<br />
<br />
=== Unflod (April 2014) ===<br />
<br />
[[Unflod]] is a malicious piece of software targeting jailbroken iOS devices, which attempts to capture the user's Apple ID and password by using MobileSubstrate to hook into the SSLWrite function of Security.framework and then listening to data passed to it. Once the Apple ID and password are captured, it is sent to a Chinese IP address. It was inadvertently discovered by a Reddit user on April 17th, 2014. Also called "Unflod Baby Panda" and "SSLCreds".<br />
<br />
=== Hacking Team tools (June 2014 and July 2015) ===<br />
<br />
[[Hacking Team]] is a company that "sells offensive intrusion and surveillance capabilities to governments and law enforcement agencies", including iOS spyware tools. The iOS spyware tools appear designed for targeting/attacking specific people, not for broad surveillance of the public. Their main tool (Remote Control System) requires a jailbroken device, and they were researching options for non-jailbroken devices.<br />
<br />
=== AppBuyer (September 2014) ===<br />
<br />
AppBuyer, as discussed in [http://researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/ this article by Palo Alto Networks], is "malware will connect to C&C server, download and execute malicious executable files, hook network APIs to steal user’s Apple ID and password and upload to the attacker’s server, and simulate Apple’s proprietary protocols to buy apps from the official App Store by victim’s identity." It targets jailbroken devices.<br />
<br />
=== WireLurker and Masque Attack (November 2014) ===<br />
<br />
As discussed at [[Misuse of enterprise and developer certificates]]: [http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/ according to Palo Alto Networks], WireLurker is "a family of malware targeting both Mac OS and iOS systems for the past six months...It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning."<br />
<br />
Masque Attacks are a related technique, also [https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html discussed by Palo Alto Networks]: "an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier."<br />
<br />
=== Xsser mRAT (December 2014) ===<br />
<br />
Xsser mRAT is a piece of malware that targets jailbroken devices. [https://blogs.akamai.com/2014/12/ios-and-android-os-targeted-by-man-in-the-middle-attacks.html As described by Akamai]: "The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server."<br />
<br />
=== XAgent (February 2015) ===<br />
<br />
XAgent is a surveillance tool targeting specific people (such as people in governments, the military, and journalists) that can affect both non-jailbroken and jailbroken devices, as described in [http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/ this article by Trend Micro]. Also [http://www.pcworld.com/article/2880152/new-spyware-targets-ios-devices-steals-pictures-and-data.html covered by PCWorld].<br />
<br />
=== Lock Saver Free (July 2015) ===<br />
<br />
Lock Saver Free is a free tweak, originally distributed on a default repository (removed from the repository after discovery of the problem), that installs an extra tweak that hooks into ad banners to insert its own ad identifier, presumably in order to give ad revenue to the author of the tweak instead of to the author of the website/app where the ad was found. [https://www.reddit.com/r/jailbreak/comments/3eis8g/news_lock_saver_free_contains_a_trojan_that/ Discussion on Reddit].<br />
<br />
=== KeyRaider (August 2015) ===<br />
<br />
KeyRaider, as discussed in [http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/ this article by Palo Alto Networks], is a piece of malware for jailbroken devices that "steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device."<br />
<br />
== Tools developed as part of research ==<br />
<br />
=== iSAM (June 2011) ===<br />
<br />
iSAM is a malware tool [http://link.springer.com/chapter/10.1007%2F978-3-642-21424-0_2 developed by security researchers] as a proof of concept. It affects both jailbroken and not-yet-jailbroken devices: it scans for jailbroken devices that have SSH running and the default root password, and it also includes a malicious version of the [[Star]] exploit (JailbreakMe 2.0) so it can jailbreak a device that isn't jailbroken yet.<br />
<br />
=== Instastock (November 2011) ===<br />
<br />
Charlie Miller, a security researcher, [http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/ submitted an app to the App Store called Instastock] to demonstrate "a flaw in Apple’s restrictions on code signing on iOS devices". The app was initially accepted and then pulled from the store.<br />
<br />
=== Mactans (July 2013) ===<br />
<br />
At the Black Hat 2013 conference, security researchers presented a tool called Mactans, a small device that looks like a charger but [http://www.zdnet.com/article/researchers-reveal-how-to-hack-an-iphone-in-60-seconds/ can insert malware if you plug an iOS device into it]. The iOS device does not have to be jailbroken.<br />
<br />
== Tools for sale to the public ==<br />
<br />
=== Copy9 ===<br />
<br />
[http://cydia.saurik.com/package/com.goldenspy.copy9/ Copy9] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Copy9. It describes itself as "will be installed on target iDevice to find out a thief, cheating spouses, monitor chidren/employees or simply backup data from your devices to our cloud server. This is the best spyware on the world in spying field."<br />
<br />
=== iKeyGuard Key Logger ===<br />
<br />
[http://cydia.saurik.com/package/com.ikeyguard.ikg/ iKeyGuard Key Logger] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by iKeyGuard. Its description includes "Warning: Logging other people without their permission might be illegal in your country! Make sure you abide by your local law."<br />
<br />
=== InnovaSPY ===<br />
<br />
[http://cydia.saurik.com/package/com.innovaspy.innovaspy/ InnovaSPY] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Innovaspy. Its description says "Perfect iPhone spy app" and lists reasons to use it as "Protect your child from cyber predators" and "Find out THE TRUE from cheating spouse?" Related package: [http://cydia.saurik.com/package/com.innovaspy.innovamonitor/ InnovaMonitor], a monitoring app for use with the spy tool.<br />
<br />
=== mSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.mtechnology.mspy.trial/ mSpy] is a spying tool available to the public via the BigBoss repository (a default repository), authored by Mtechnology. Its description of itself: "mSpy is the best tracking and spy application that allows users to keep a check on the cell phone activities of their kids other family members or employees in order to avoid any unwanted behavior or for safety purposes."<br />
<br />
=== OwnSpy ===<br />
<br />
[http://cydia.saurik.com/package/com.ownspy.daemon/ OwnSpy] is a spying tool available to the public via the ModMyi repository (a default repository), authored by Antonio Calatrava. It describes itself as "Spy your own iPhone or iPad", with call recording, location tracking, and other features. It has a warning that says "Installing OwnSpy on a device that does not belong to you is a criminal offense and may be prosecuted. Mobile Innovations will help authorities if required."<br />
<br />
=== Spy App ===<br />
<br />
[http://cydia.saurik.com/package/com.spyapp.daemon/ Spy App] is a spying tool available to the public via the ModMyi repository (a default repository), authored by dmarinov. Its description includes "Remotely spy SMS, Emails, Call Logs, GPS Location, Key presses (Keylogger)" and other features. It says it is "absolutely invisible and undetectable."<br />
<br />
=== SpyKey ===<br />
<br />
[http://cydia.saurik.com/package/com.kobisnir.spykey/ SpyKey] is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Kobi Snir. Its description includes "a simple app that let you monitor your PC Keyboard activity in real time, Simply connect your iphone to your compute using your Wifi or 3G connection and start monitoring."<br />
<br />
=== Trapsms ===<br />
<br />
Trapsms was an early spying tool available to the public, [http://blog.fortinet.com/post/detecting-spyware-for-iphones described in this post by a security researcher in July 2009]. She says: "The spyware installs on any jailbroken iPhone. In Cydia (an iPhone front-end to help installing third-party applications), you first add the URL of the spyware's repository and then install the two spyware packages."<br />
<br />
[[Category:Malware research]]</div>Britta