Explore Joe Security Cloud Basic Accounts Contact Us
top title background image

Joe Security's Blog

Introducing Joe Sandbox I – Deep iOS Malware Analysis

Published on: 01.11.2016

We are proud to present today Joe Sandbox I – the first automated malware analysis system for iOS that combines dynamic and static analysis for deep malware forensics. Joe Sandbox is now able to analyze malware on all major desktop and mobile platforms, namely Windows, OS X, Android, and now iOS.

The number of malware targeting Mac iOS devices is constantly growing, and their complexity is challenging security experts worldwide. The impact of these attacks is considerably high due to the exfiltration of sensitive information like private contacts and confidential emails. We have seen how XcodeGhost malware managed to sneak malicious code into tens of apps without their developers knowing. For these reasons, we at Joe Security think that it is very important to provide malware analysts with the right solution, capable of analyzing iOS apps deeply and swiftly.

In order to have a clearer vision of the technology and the product, let’s take a deeper dive into Joe Sandbox I capabilities by analyzing a malicious iOS app. It’s worth mentioning that as with all our products, the analyzed application will be executed in a controlled environment.

In Joe Sandbox I, the analyst has the possibility to submit apps either as a file (bundle IPA) or by bundle ID. When submitting a file, the app is directly installed on the bare-metal device, in our case an iPhone. In case of a bundle ID submission, Joe Sandbox I will automatically download the app from the AppStore and install it on the phone by itself. Then, a two steps analysis is initialized, first the apps Mach-O is statically analyzed and secondly it is being executed and dynamically analyzed.

After monitoring its behavior for suspicious activities, the collected information is then compiled into a comprehensive and extensive analysis report. The big advantage of analyzing an app on a bare-metal phone in contrast to emulation or virtualization is avoiding the app to check if it’s being scanned and therefore, applying anti-sandbox tricks.

To give you more insight of the interesting features of Joe Sandbox I, we have analyzed a recent malware sample dubbed as „YiSpecter" (NoIcon IPA, MD5: fbf92317ca8a7d5c243ab62624701050). The sample was executed on an iPhone 4 running iOS 7.1.2:

Dynamic Analysis 

As mentioned before, Joe Sandbox I can install apps directly from the AppStore without any user interaction. Since the YiSpecter sample was submitted by uploading a file, we have recorded a movie from another analysis that shows the way an app from the AppStore is installed and executed:

As can be seen, a daemon will try to click itself in a smart way through the apps buttons and dialogs. By simulating user behavior, the app is exhibiting more behavior, leading to better results of the dynamic analysis than just merely opening and closing the app.

Besides automated clicking, Joe Sandbox I also takes periodically screenshots during the apps analysis. However, since the currently presented sample just shows a black screen, we have added below a screenshot from another sample of the YiSpecter family (AdPage IPA, MD5: 62c6f0e3615b0771c0d189d3a7c50477):

Behavioral artifacts, i.e. interesting function calls of the apps execution are presented within the report as done similarly in the Joe Sandbox Desktop or X reports. In our case, the sample has opened some files, but as well requested sysctls and URLs:

And as for all sandboxing solutions, network capturing is a must have. Here we can see that the IMEI number is being leaked:

Static Analysis

In addition to dynamic analysis, the sample is statically analyzed too. This has the benefit that if the sample may not execute for some reason, certain functionalities can be inferred from the code in order rate them by signatures. Joe Sandbox I extracts all functions of the apps Mach-O and presents the ARM code as well as the meta data (if available) within the report:

This code excerpt for instance shows that the app can query for installed apps:

This functionality is as well rated by a signature:

Or look at this code part:

This code excerpt shows that the app can check if the phone is jailbreaked. 

But not only the ARM code is of interest, also the Mach-O segments and commands, or other files within the bundle IPA file (ZIP) or embedded within the Mach-O itself:

One known embedded file is the entitlements.plist. In this sample it reveals that the app has the permission to install and remove other apps: 

Another embedded file that may exist is the apps enterprise certificate:

This is an indication that the app can install additional apps that were signed with this certificate and were therefore not code reviewed by Apple.

Behavior Signatures

Joe Sandbox I has an increasing set of around 100 behavior signatures which rate and classify the behavior. The signature summary of this sample for instance shows a nice overview of the key behavior and functionalities of YiSpecter:

Behavior signatures gives the malware analyst the possibility to classify behavior into good or bad, and in the end allowing to efficiently get a good overview of the app without deep understanding of the analyzed app itself.

To summarize:

  • Joe Sandbox I is the first publicly presented automated iOS malware analysis system. With this product, malware analysts using Joe Sandbox can now analyze potential malware on all major desktop and mobile operating systems.
  • The dynamic analysis of apps are performed on bare-metal phones. This is in contrast to emulation or virtualization a big advantage, since malicious apps will have a harder time in detecting the presence of a sandbox solution. Furthermore, by simulating user clicks the app under analysis will exhibit more behavior leading to better results of the overall dynamic analysis.
  • In addition to dynamic analysis, static analysis of the app can be used to infer functionalities from the code. This is very beneficial if the sample is not executed, because we can still rate the app by the signatures.
As this blog post has outlined, Joe Sandbox I enables to quickly understand and detect threats which target iOS systems. We continuously work to increase the number of signatures and improve the overall dynamic and static analysis of Joe Sandbox I, now part of Joe Sandbox Cloud. 

For more information about the product or a demo request, feel free to contact us through our website at www.joesecurity.org.

Full analysis report for YiSpecter: