Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Installing rogue apps on iOS devices via SandJacking Attack

The security expert Chilik Tamir from Mi3 Security has devised a new attack dubbed SandJacking to install rogue apps on iOS devices. The security expert Chilik Tamir from Mi3 Security has devised some new attack methods that can be exploited by threat actors to install malicious apps on non-jailbroken iOS devices. Tamir presented his attack methods at […]

Installing rogue apps on iOS devices via SandJacking Attack

The security expert Chilik Tamir from Mi3 Security has devised a new attack dubbed SandJacking to install rogue apps on iOS devices.

The security expert Chilik Tamir from Mi3 Security has devised some new attack methods that can be exploited by threat actors to install malicious apps on non-jailbroken iOS devices.

Tamir presented his attack methods at the recent Black Hat Asia conference, he explained how to exploit a developer feature, the Xcode 7, recently introduced by Apple to install malware on devices.

Among the novelties introduced with the Xcode 7, there is the possibility for developers to create iOS apps using certificates that can be issued by providing an Apple ID, this means that coders just need to provide their name and an email address.

This process allows developers to create applications that do not need to be uploaded to the App Store and don’t need to pass the Apple’s application review. This kind of apps has limited abilities compared to apps that pass the Apple’s application review, for example they are not allowed to access Apple Pay, application domains, iCloud, in-app purchase features, the passbook/wallet, and they cannot use push notifications.

Unfortunately, it is important to highlight that the operations allowed to mobile apps developed with the above process are the same conducted by mobile malware. For example, these apps can access users’ data, access the address book, access the calendar and track users through their GPS positions.

The researcher Tamir released a proof-of-concept (PoC) tool called “Su-A-Cyder” that can be exploited by attackers to replace a legitimate app installed on an iOS device with a malicious version that the tool creates.

Tamir described the Su-A-Cyder as a new threat vector that can create a malicious version of legitimate apps just by connecting the victim’s device to a computer.

“Su-A-Cyder can be described as a recipe that takes one part malicious code (choose your flavor), one part legitimate app (choose your victim), one part Apple ID (anonymous), and mix together to create a new evil client app that easily installs on a non-jailbroken device.” explained Tamir. “Su-A-Cyder is not malware and it is not a vulnerability; it’s a threat vector! It is a compilation of open source technologies (e.g. Theos and Fastlane) scripted together to take advantage of Apple’s home brewed certification application program to demonstrate that anonymous evil app creation is not a myth anymore. And any legitimate application can be resigned with an anonymous Apple ID account and side loaded to a device.”

Before the release of iOS 8.3, it was easy for attackers to replace a legitimate application with a malicious version by simply assigning the malicious app a similar bundle ID and overwriting the original application.

Things changed with security measures implemented with iOS 8.3.

Tamir devised the SandJacking attack method that allowed it to bypass security countermeasures implemented starting with the iOS 8.3 and allowed him to rely on the Su-A-Cyder threat vector.

Sandjacking attack

Tamir explained that the effectiveness of the SandJacking methods relies on the lack of control on the restore process. An attacker creates a backup, remove the legitimate app, install the rogue version, and then restore the backup, in this scenario the malicious app will not be removed and attacker can obtain the access only to the sandbox of the app it replaces.

Tamir presented the SandJacking attack at the Hack In The Box (HITB), during his presentation he targeted the Skype app.  Tamir announced that will release a SandJacker tool that automates the SandJacking attack after Apple will fix the issue.

The only way to spot the attack is to check the app’s certificate and the device’s provisioning settings to verify the developer’s identity.

Despite the flaw was reported to Apple in January, the company still hasn’t issued a patch.

If you appreciate my effort in spreading cyber security awareness, please vote for Security Affairs as best European Security Blog. Vote SecurityAffairs in every section it is reported. I’m one of the finalists and I want to demonstrate that the Security Affairs community a great reality.

https://www.surveymonkey.com/r/secbloggerwards2016

Thank you

Pierluigi

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – SandJacking , hacking)