Malware for iOS

From The iPhone Wiki
Revision as of 12:48, 1 September 2015 by Britta (talk | contribs) (more context)

This is an incomplete draft list of known malware (including spyware, adware, trojans, viruses, worms, and similar tools) that have targeted iOS, including jailbroken iOS. The dates are approximate dates when people discovered, publicized, or started discussing the tool. Please help expand this article with more examples and details! To edit it, you can request an account on TheiPhoneWiki if you don't have one.

The goal of this list is to aid better understanding of the risks of using iOS and jailbroken iOS - it's helpful to have as much accurate information as you can. If you're concerned about avoiding malware on your jailbroken device, check out this guide to making informed guesses about whether packages are reasonable to install.

Some context:

  • Some of these tools targeted old iOS versions and do not work on current iOS versions.
  • Some of these are harmful and some are merely annoying.
  • Many of these require the device to be jailbroken, and some work on non-jailbroken devices.
  • Cydia is an open platform - it includes a specific set of default repositories, and it also allows users to type in any third-party repository that they want to use (much like a web browser that allows you to visit any website). Anyone can run a third-party repository and distribute any software they choose to distribute.
  • Some of these are built to target specific people instead of the general public.
  • Especially for malware that targets a specific person and requires the device to be jailbroken (such as commercial spyware tools used by governments and suspicious spouses), it's important to consider that the vulnerabilities in iOS that allow it to be exploited with a jailbreak are part of what allows that malware to exist - the process may include finding a way to secretly jailbreak the target's device if it's not jailbroken already.

For an earlier list of known malware, see "iOS Malware Does Exist" (June 2014).

Tools found in the wild

iKee and Duh (November 2009)

The Ikee-virus (also called Eeki) is a worm transmitted between jailbroken devices that have OpenSSH installed and haven't changed the default root password. It changes the lockscreen background to a photo of Rick Astley.

Two weeks later, the similar Duh worm spread, which was "much more serious than the original Ikee worm because it is not limited to infecting iPhone users in Australia, and communicates with an internet Control & Command centre, downloading new instructions - effectively turning your iPhone into part of a botnet."

"Find and Call" (July 2012)

Find and Call was an app on the App Store that automatically uploaded users' contact lists to the company's server, then spammed those contacts with a link to the app ("from" that user). This undisclosed, unwanted behavior makes the software fit the definition of a trojan. Articles: Kaspersky SecureList, Ars Technica, Sophos NakedSecurity. It is also called FindCall.

FinSpy Mobile (August 2012)

FinFisher is a suite of commercial surveillance tools sold to governments, which have been used to target activists and other people. The suite includes spyware tools for many mobile operating systems, including iOS.

Packages by Nobitazzz (August 2012 and September 2013)

A tweak developer who went by various names (Felix, FelixCat, Martin Pham, Nitram88, Nobitazzz, Nobita.ZZZ, Sara_Nobita, isoftjsc, sara_nobita_zzz, tuyentq2009, vietSARA) included adware in his tweaks. These were many free packages along with some paid packages sold via the Cydia Store, mostly distributed by default repositories (until the problem was discovered). The adware ran ads in the background of iOS, displaying off-screen so that the user wouldn't notice them, with the revenue from those ads going to this tweak developer. This was reported in August 2012 on the ModMyi forum and analyzed in September 2013 (discussion on Reddit).

Packages by this developer included: Animated ICS LockScreen & HomeScreen, BetterChrome, Chrome Download Enabler, ChromeMe, Enable Copy text in Facebook app, Enable WebGL, Facebook Photo Library integration, FacebookThis, Handwriting recognition, Insta9gag, InstaFacebook for NotificationCenter, Instagram Image saver, InstaSocial for Notification Center, InstaTwitter for NotificationCenter, iOS 6 Photos Menu, Make Gmail as default, Notification Lunar Calendar, Olympic 2012 Medal for Notification Center, PhotoFilters, Sara, Sara Dictation Keyboard, VoiceTweet.

AdThief/Spad (March and August 2014)

AdThief (also called Spad) is malware targeting jailbroken iOS devices, which "tweaks a developer ID that’s intended to tell ad developers when their ads are either viewed or clicked and in turn, generate revenue. In the malware’s case, infected devices funnel those small payments away from the developers to the hacker", as explained by Kaspersky Threatpost. Security researchers estimated it had infected 75,000 devices.

Unflod (April 2014)

Unflod is a malicious piece of software targeting jailbroken iOS devices, which attempts to capture the user's Apple ID and password by using MobileSubstrate to hook into the SSLWrite function of Security.framework and then listening to data passed to it. Once the Apple ID and password are captured, they are sent to a Chinese IP address. It was inadvertently discovered by a Reddit user on April 17th, 2014. Also called "Unflod Baby Panda" and "SSLCreds".

Hacking Team tools (June 2014 and July 2015)

Hacking Team is a company that "sells offensive intrusion and surveillance capabilities to governments and law enforcement agencies", including iOS spyware tools. The iOS spyware tools appear designed for targeting/attacking specific people, not for broad surveillance of the public. Their main tool (Remote Control System) requires a jailbroken device, and they were researching options for non-jailbroken devices.

AppBuyer (September 2014)

AppBuyer, as discussed in this article by Palo Alto Networks, is malware that "will connect to C&C server, download and execute malicious executable files, hook network APIs to steal user's Apple ID and password and upload to the attacker's server, and simulate Apple's proprietary protocols to buy apps from the official App Store by victim's identity." It targets jailbroken devices.

WireLurker and Masque Attack (November 2014)

As discussed at Misuse of enterprise and developer certificates: according to Palo Alto Networks, WireLurker is "a family of malware targeting both Mac OS and iOS systems for the past six months...It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning."

Masque Attacks are a related technique, also discussed by Palo Alto Networks: "an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier."

Xsser mRAT (December 2014)

Xsser mRAT is a piece of malware that targets jailbroken devices. As described by Akamai: "The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server."

XAgent (February 2015)

XAgent is a surveillance tool targeting specific people (such as people in governments, the military, and journalists) that can affect both non-jailbroken and jailbroken devices, as described in this article by Trend Micro. Also covered by PCWorld.

Lock Saver Free (July 2015)

Lock Saver Free is a free tweak, originally distributed on a default repository (removed from the repository after discovery of the problem), that installs an extra tweak that hooks into ad banners to insert its own ad identifier, presumably in order to give ad revenue to the author of the tweak instead of to the author of the website/app where the ad was found. Discussion on Reddit.

KeyRaider (August 2015)

KeyRaider, as discussed in this article by Palo Alto Networks, is a piece of malware for jailbroken devices that "steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device."

Tools developed as part of research

iSAM (June 2011)

iSAM is a malware tool developed by security researchers as a proof of concept. It affects both jailbroken and not-yet-jailbroken devices: it scans for jailbroken devices that have SSH running and the default root password, and it also includes a malicious version of the Star exploit (JailbreakMe 2.0) so it can jailbreak a device that isn't jailbroken yet.

Instastock (November 2011)

Charlie Miller, a security researcher, submitted an app to the App Store called Instastock to demonstrate "a flaw in Apple’s restrictions on code signing on iOS devices". The app was initially accepted and then pulled from the store.

Mactans (July 2013)

At the Black Hat 2013 conference, security researchers presented a tool called Mactans, a small device that looks like a charger but can insert malware if you plug an iOS device into it. The iOS device does not have to be jailbroken.

Tools for sale to the public

Copy9

Copy9 is a spying tool available to the public via the ModMyi repository (a default repository), authored by Copy9. It describes itself as "will be installed on target iDevice to find out a thief, cheating spouses, monitor children/employees or simply backup data from your devices to our cloud server. This is the best spyware on the world in spying field."

iKeyGuard Key Logger

iKeyGuard Key Logger is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by iKeyGuard. Its description includes "Warning: Logging other people without their permission might be illegal in your country! Make sure you abide by your local law."

InnovaSPY

InnovaSPY is a spying tool available to the public via the ModMyi repository (a default repository), authored by Innovaspy. Its description says "Perfect iPhone spy app" and lists reasons to use it as "Protect your child from cyber predators" and "Find out THE TRUE from cheating spouse?" Related package: InnovaMonitor, a monitoring app for use with the spy tool.

mSpy

mSpy is a spying tool available to the public via the BigBoss repository (a default repository), authored by Mtechnology. Its description of itself: "mSpy is the best tracking and spy application that allows users to keep a check on the cell phone activities of their kids other family members or employees in order to avoid any unwanted behavior or for safety purposes."

OwnSpy

OwnSpy is a spying tool available to the public via the ModMyi repository (a default repository), authored by Antonio Calatrava. It describes itself as "Spy your own iPhone or iPad", with call recording, location tracking, and other features. It has a warning that says "Installing OwnSpy on a device that does not belong to you is a criminal offense and may be prosecuted. Mobile Innovations will help authorities if required."

Spy App

Spy App is a spying tool available to the public via the ModMyi repository (a default repository), authored by dmarinov. Its description includes "Remotely spy SMS, Emails, Call Logs, GPS Location, Key presses (Keylogger)" and other features. It says it is "absolutely invisible and undetectable."

SpyKey

SpyKey is a keylogging tool available to the public via the BigBoss repository (a default repository), authored by Kobi Snir. Its description includes "a simple app that let you monitor your PC Keyboard activity in real time, Simply connect your iphone to your computer using your Wifi or 3G connection and start monitoring."

Trapsms

Trapsms was an early spying tool available to the public, described in this post by a security researcher in July 2009. She says: "The spyware installs on any jailbroken iPhone. In Cydia (an iPhone front-end to help installing third-party applications), you first add the URL of the spyware's repository and then install the two spyware packages."