3. intro | immediate reaction
“Maybe it’s more interesting to analyse than Unflod.dylib!”
But: the original download link for the IPA was no longer working :(
Solution: start from the beginning, aka find the original blog post linked with the case
5. osx | initial infection
start.sh
unzip FontMap1.cfg
deploy machook in /usr/local/machook
create a LaunchDaemon to persist
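An added detection-side example (not code from the original talk): a Python check for the persistence mechanism described on this slide, flagging LaunchDaemon plists whose program lives under /usr/local/machook; it assumes the constructed sample plists below, whose com.example.* labels and file name under the machook directory are placeholders, not values from the analysis.

```python
import plistlib
import tempfile
from pathlib import Path

# Install path the analysis describes for the OS X component.
MACHOOK_DIR = "/usr/local/machook"
# Constructed sample LaunchDaemon plists; the labels and the file name under
# the machook directory are placeholders, not values from the analysis.
SUSPICIOUS_PLIST = {
    "Label": "com.example.updater",
    "ProgramArguments": ["/usr/local/machook/machook"],
    "RunAtLoad": True,
    "KeepAlive": True,
}
BENIGN_PLIST = {
    "Label": "com.example.backup",
    "ProgramArguments": ["/usr/local/bin/backup", "--daily"],
    "RunAtLoad": True,
}

def plist_references_machook(plist, marker=MACHOOK_DIR):
    """True if Program or any ProgramArguments entry points into the machook dir."""
    candidates = list(plist.get("ProgramArguments", []))
    if "Program" in plist:
        candidates.append(plist["Program"])
    return any(isinstance(c, str) and (c == marker or c.startswith(marker + "/"))
               for c in candidates)

def scan_launch_daemons(directory):
    """Return names of .plist files in `directory` that launch something from MACHOOK_DIR."""
    hits = []
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            with open(path, "rb") as fh:
                data = plistlib.load(fh)
        except Exception:
            continue  # malformed plist: skip it rather than abort the whole scan
        if isinstance(data, dict) and plist_references_machook(data):
            hits.append(path.name)
    return hits

def demo():
    """Write the samples to a temp dir (stand-in for /Library/LaunchDaemons) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in (("com.example.updater.plist", SUSPICIOUS_PLIST),
                              ("com.example.backup.plist", BENIGN_PLIST)):
            with open(Path(tmp) / name, "wb") as fh:
                plistlib.dump(content, fh)
        return scan_launch_daemons(tmp)
```

On a real host, call scan_launch_daemons("/Library/LaunchDaemons") instead of demo(); a hit only shows a LaunchDaemon pointing at that directory, so confirm it with the files on disk.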
6. osx | machook
64-bit binary only
uses libimobiledevice to detect when an iOS device is plugged in
com.apple.afc
ProductVersion
SerialNumber
list of installed apps
8. osx | machook
starts com.apple.afc2
if that worked (jailbroken device), copy
[OSX]/usr/local/machook/sfbase.dylib
[iOS]Library/MobileSubstrate/DynamicLibraries/sfbase.dylib
downloads a signed IPA and pushes it as well, using com.apple.mobile.installation_proxy
URL stored in SQLite DB: foundation
enterprise cert means that the first execution triggers a validation pop-up
code not encrypted since it is not from the App Store
globalupdate: loop to check for updates
12. iOS | sfbase.dylib
not signed
uses MobileSubstrate to hook [UIWindow sendEvent] in:
MobileStorageMounter
MobileSafari
MobilePhone
MobileSMS
Preferences
also checks for updates
13. iOS | sfbase.dylib
if the event is applicationWillResignActive, kill applications
What??? Maybe I don’t have the latest version
also, dead code to query a URL and hide it
retrieves some files:
SMS.db
AddressBook.sqlitedb
UDID
posts them to saveinfo.php
16. conclusion | maybe not that “new era”
have not looked at the signed binary for the moment
possibilities too limited
except if privilege escalation is possible…
hooks methods but does not use them
targeted at the Chinese market but logs in English
still some nice functionality
update functionality
OSX -> iOS, but already seen in the wild