Thursday, April 8, 2021

Joe Sandbox I – Deep Malware Analysis on iOS 13





Today, we have the pleasure to present a major upgrade of our Joe Sandbox I product. The first version of our automated malware analysis system for iOS was introduced nearly five years ago. Back then, Joe Sandbox was, and still is, the only commercial malware analysis sandbox solution that can analyze threats on all major desktop and mobile platforms, namely Windows, macOS, Linux, Android, and iOS.


Recent years have shown that malware is getting more and more sophisticated. The current two market leaders for mobile platforms are Android and iOS. While Android malware gets more attention and is studied more often, maliciously acting software found on iOS is much less publicly reported. A potential reason is that analyzing apps on iOS is a difficult and cumbersome task due to the heavily locked-down operating system. Thus, it is generally not trivial for security solutions or analysts to assess whether an app behaves as it should. Hence, the actual malware threat landscape on iOS remains diffuse.


Despite Apple’s efforts to strictly code review apps before they get into the App Store, there have been multiple examples in the past where malware or maliciously behaving software was able to sneak into the store. A recent example was published here that affected hundreds of apps that were prone to data leakage and remote code execution.


With Joe Sandbox I, a malware analyst gets a powerful fully automated solution to analyze apps on a bare-metal iPhone without the hassle of setting up such a device and all the quirks that iOS brings. Currently, we support iOS 13 on an iPhone 7.


Joe Sandbox I features at a glance:


  • Analyze apps from the App Store or IPA files
  • Live interaction with the app during execution
  • Automated screenshotting during the analysis
  • Network capturing including HTTPS inspection
  • Selected API hooking for dynamic analysis
  • App archive and file static analysis
  • Deeper static analysis of disassembly code
  • Behavior signatures for rating dynamic and static analysis


App Store Analyzing with Live Interaction


An analyst can directly submit an App Store URL. The app then gets installed onto the iPhone in the background. It is then subsequently started and uninstalled after the analysis time:




The user has the choice to enable Live Interaction (formerly called Remote Assistance) before submission. Interacting with an app generally exhibits more behavior which leads to better dynamic analysis results. This recording demonstrates the Live Interaction feature nicely:



As one can see, the user gets a smooth interface to interact with. Clicking through permission prompts, for example, or entering text works as on a real device. Furthermore, using the keyboard facilitates faster typing.



Analyzing an IPA Archive


An analyst can also submit IPA archives for analysis. However, only IPAs with decrypted Mach-O files can be executed, due to Apple’s FairPlay DRM. Nevertheless, this feature remains useful for analysts who, for example, are able to extract a decrypted IPA from a suspicious device.


For the sake of this blog post, we have created a small demonstration app that behaves maliciously. It is called MyContacts and is meant to act as a simple contact viewer and caller.





The IPA file was submitted with Live Interaction enabled.



Screenshot Slideshow



Joe Sandbox I takes screenshots periodically throughout the app execution, saving only the images that changed. The resulting report shows the screenshotting feature prominently. The most interesting screenshot is shown at the beginning:





In the “Screenshots” section, all taken shots can be viewed interactively in a slideshow or as thumbnails. Here we see how the app requested permission to access the contacts database and the microphone, and then tried to call a different number than the one selected:





Behavior Signatures and Classification


Joe Sandbox I has a growing set of roughly 230 behavior signatures which rate and classify the behavior. With the signature overview, a malware analyst can swiftly assess whether the app’s behavior is bad or not. Here we see that MyContacts does behave maliciously and has capabilities that are considered malicious, for example, its capability to install and launch apps:




This excerpt shows all triggered behavior signatures:




Finally, the classification spider graph consolidates the behavior signature ratings in order to show what type of potential malware we are likely looking at:






Network Capturing and HTTPS inspection


An important feature of app analysis is network analysis. Joe Sandbox I can analyze common protocols like HTTP or DNS, but also seldom-used ones like FTP, SMTP, etc. Intercepting encrypted traffic is also possible. Here we see how MyContacts leaks email addresses and phone numbers over HTTPS:





This behavior was rated by our signatures as malicious:






Dynamic Analysis


A core part of any malware sandbox is its ability to trace behavior. Joe Sandbox I intercepts interesting APIs, like accessed files or sysctl requests. Here we see how the app opens the previously requested URL:




We also see that email and contact information is being encrypted:






Static Analysis – IPA Archive


In addition to dynamic analysis, the app is also analyzed statically. This is done on two levels: the app's IPA archive as well as the app's executable. For App Store apps, the installation directory itself is analyzed.


Here we see the content of the IPA archive:






Certain interesting file types are extracted and further analyzed, like Plist and Mach-O files. This excerpt shows the app's Mach-O:





The extracted property list (Plist) in the "embedded.mobileprovision" file reveals that the app has the capability of being provisioned to any device:




This is an indication that the app could bypass Apple's code review procedure by abusing an enterprise certificate, which is intended for in-house app distribution rather than the App Store.
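As an added example (not Joe Sandbox's own code), the provisioning check described above can be reproduced with a short static inspector: embedded.mobileprovision is a CMS (PKCS#7) signed blob wrapping an XML plist, and an enterprise (in-house) profile carries ProvisionsAllDevices set to true instead of a ProvisionedDevices list. The IPA and profile below are constructed in memory; PLACEHOLDERTEAM and the bundle identifier are placeholders, and the CMS signature is not verified.

```python
import io
import plistlib
import zipfile

# Constructed sample profile: a real embedded.mobileprovision is a CMS (PKCS#7)
# signed blob wrapping an XML plist; the DER bytes around the XML are filler here.
PROFILE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Name</key><string>Constructed enterprise profile</string>
<key>TeamIdentifier</key><array><string>PLACEHOLDERTEAM</string></array>
<key>ProvisionsAllDevices</key><true/>
<key>Entitlements</key><dict>
<key>application-identifier</key><string>PLACEHOLDERTEAM.com.example.mycontacts</string>
<key>get-task-allow</key><false/>
</dict></dict></plist>"""
SAMPLE_PROFILE = b"\x30\x82\x00\x00\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02" + PROFILE_XML + b"\x00" * 8

def build_sample_ipa() -> bytes:
    """Build a minimal in-memory IPA (a zip with a Payload/<app>.app/ folder)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/MyContacts.app/embedded.mobileprovision", SAMPLE_PROFILE)
    return buf.getvalue()

def extract_profile_plist(blob: bytes) -> dict:
    """Locate the XML plist inside the CMS wrapper (signature is NOT verified here)."""
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no XML plist found in provisioning profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def inspect_ipa(ipa: bytes) -> dict:
    """Return the provisioning facts a static check of an IPA should surface."""
    with zipfile.ZipFile(io.BytesIO(ipa)) as z:
        prov = [n for n in z.namelist()
                if n.startswith("Payload/") and n.endswith(".app/embedded.mobileprovision")]
        if not prov:
            return {"kind": "no-profile", "provisions_all_devices": False}
        p = extract_profile_plist(z.read(prov[0]))
    all_devices = bool(p.get("ProvisionsAllDevices", False))
    devices = p.get("ProvisionedDevices", [])
    if all_devices:
        kind = "enterprise"  # in-house distribution profile: installs on any device
    elif devices:
        kind = "development-or-adhoc"  # pinned to the listed device UDIDs
    else:
        kind = "app-store"  # distribution profile with no device list
    return {"kind": kind, "provisions_all_devices": all_devices,
            "device_count": len(devices), "team_ids": list(p.get("TeamIdentifier", [])),
            "get_task_allow": bool(p.get("Entitlements", {}).get("get-task-allow", False))}
```

A "kind" of "enterprise" on an archive that did not come from a known in-house deployment is the finding the report above flags; the get-task-allow entitlement is surfaced because it marks a debuggable development build.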




Static Analysis – Disassembly


Joe Sandbox I extracts all interesting functions from the app's Mach-O if it is not encrypted. For App Store submissions, the binary is decrypted from memory and then statically analyzed. The report then presents the ARM disassembly code as well as meta information, where available.


Here we see an excerpt of a function that does a jailbreak check:









It is worth mentioning that Joe Sandbox's integrated search functionality gives the analyst the possibility to easily search through the report. Each search hit provides additional information:








Summary


We have demonstrated the power of Joe Sandbox I, which enables an analyst to swiftly understand and detect threats that target iOS systems. We have shown that apps from the App Store as well as IPA files can be analyzed. With the help of the Live Interaction feature, the analyst can seamlessly interact with the app. Standard features like screenshotting and network capturing were illustrated, including interception of encrypted traffic. We then demonstrated the API dynamic analysis capabilities. Finally, static analysis features for Plists and Mach-O as well as for disassembly were showcased.



The full analysis report of MyContacts is available here.


Interested in Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!



Remarks


Joe Sandbox I is intended for malware analysis only and does not provide decrypted IPA files from the App Store. The iPhone analysis device does not have any SIM installed, nor does it provide physical camera or microphone access. With Joe Sandbox I, analysts can only analyze apps and do not get any access to iPhone services such as phone calls, SMS, photography, etc.