iBackDoor: the suspected back door, the impact of the iOS app a high risk of code-bug warning-the black bar safety net

ID MYHACK58:62201568936
Type myhack58
Reporter 佚名
Modified 2015-11-13T00:00:00


! Recently, FireEye Mobile Security researchers discovered embedded into the iOS app in the suspected“back door”behavior mobiSage advertising in the library, and these applications are from the App Store. The researchers will be the potential of the back door called iBackDoor, allowing hackers access to sensitive user data and device functionality. iBackDoor can be a remote server the JavaScript code to control, on an iOS device, perform the following operations: 1, recordings, and screenshots 2, The monitoring and upload location information 3, Read/delete/create/modify the app data file 4, the Read/reset app key chain 5, and transmits the encrypted data to the server 6, The use of URL schemes to open another app or web page 7, install enterprise application The study found that 1 in 7 mobiSage SDK Version 5.3. 3 version to 6. 4. 4 versions of the existence of the back door, and the latest release of the mobiSage SDK 7.0.5 version is not affected by the back-door influence. It is unclear iBackDoor is present in the mobiSage SDK itself, or by a third party created. Up to now, it has been found that 2,8 4 6, the iOS app is affected, detected 9 0 0 using JavaScript code to control the back door to try. Fortunately, the current also did not find the ad server to send any malicious command, such as recording or stealing sensitive data. Technical details mobiSage library contains two key components msageCore and msageJS, respectively, in the Objective-C and JavaScript implementation. msageCore used to implement the back door of the basic functions and pass the WebView to the malicious JavaScript exposed interface; msageJS used to provide advanced execution logic, and by calling msageCore exposure of the interface to trigger the potential of the back door. ! Figure a mobiSage Library of the key components msageCore and msageJS msageCore msageCore through the commands and parameters are sent to the Objective-C class to perform these commands. In which the MSageCoreUIManagerPlugin class, indeed the existence of various control functions. Including the very high risk of acquiring the recording, a screenshot function as well as the Read-modify string of the function. ! Figure II msageCore use of classes and interfaces iBackDoor the back door through the above interface exposes a plurality of key functions, including recording and screen capture, identify, and launch other apps on your device, obtain location information and read and write files, etc. In addition, these interfaces collect the data will be encrypted and uploaded to a remote server. The AD library potential back door can also be the target device to install the enpublic application, it by using private API to increase the iOS device to the security risk of malicious operations there background monitoring text messages and calls, destruction sandbox protection mechanism, steal e-mail and destroy any applications installed. msageJS msageJS contains communicate with a remote server of the JavaScript code and to msageCore submit command. sdkjs. the js file contained in the package class adsage, and is responsible for storing a command for execution of the JavaScript interface. ! Figure III msageJS in the file structure Under normal circumstances, a simple list of the affected applications of the IPA is not found to contain msageJS file. Such files are compressed and encoded, when the affected application is launched, msageCore will first decode and extract msageJS, and then perform a series of malicious actions. And msageJS will continue to hxxp://entry. adsage. com/d/sends a POST request to check for updates to keep the latest version. Summary Although iBackDoor also not caused by bad influence, but still it should be caused by Apple iOS users note that the user can use security software to detect your own device is installed on the affected application, try not to jailbreak or from third party sources to download the application from the official website of the Apple Store to download the app, and timely according to the prompt for device application updates. Reference https://www.fireeye.com/blog/threat-research/2015/08/ios_masque_attackwe.html https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html