Mi3 Security’s cloud-based service is built on three forms of globally sourced, multi-variant app intelligence: Machine, Meta, and Mobile. By applying a powerful, parallel analysis engine to this vast pool of app data, Mi3 can deliver deep, predictive analyses of Android and iOS apps in just minutes. Below are two MAJOR attack techniques Mi3 Security revealed to the world recently.
Su-A-Cyder (revealed at BlackHat Asia 2016)
Su-A-Cyder is not malware and it is not a vulnerability; it is a threat vector. It is a set of open source tools (e.g. Theos and Fastlane) scripted together to take advantage of Apple’s free developer signing program, under which any Apple ID can sign apps and sideload them onto a device. It demonstrates that anonymous creation of malicious apps is no longer a myth: any legitimate application can be re-signed with an anonymous Apple ID account and sideloaded onto a device.
This means any app on the device can be replaced with a modified version that, to the user and to security controls such as EMM or a firewall, appears to be the original app. As demonstrated by Mi3 Security Chief Scientist Chilik Tamir at Black Hat Asia 2016, the Su-A-Cyder examples included taking control of a Good MDM agent, injecting a backdoored Skype app, and gaining full control of a corporate Jabber video-chat app. In each example a backdoor was installed for the proof of concept. The backdoor had complete access to all data within the app, including PII: if the app had access to healthcare records, corporate credentials, credit card numbers or other PII, the backdoor had the same access. Moreover, if the app had been granted LAN, DMZ or VPN access, the backdoored app could abuse those credentials and that network access.
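A re-signed app keeps its bundle ID, name and icon, so controls that identify apps by those attributes see the original. What does change is the signing material: an App Store build ships without an embedded.mobileprovision, while a sideloaded build re-signed with a personal Apple ID carries one that names the signing team, lists the devices it is bound to, and has a short validity window (free Apple ID profiles are valid for seven days). The script below is an added example, not Mi3 Security’s or Su-A-Cyder’s code; it triages a provisioning profile for those indicators. The profile it parses is constructed, and the team ID, team name, bundle ID and device UDID in it are placeholders.

```python
"""Triage an iOS app's embedded.mobileprovision for re-signing indicators.

Added example, not Mi3 Security's tooling. It relies only on the public
layout of a provisioning profile: a CMS (PKCS#7) blob whose signed content
is an XML plist. The signature is not verified here; the point is to read
the indicators, not to trust the profile.
"""
import plistlib
import re
from typing import Optional

# Constructed sample: the plist carried inside a CMS-signed profile. The
# values model what Xcode's automatic signing issues to a free (personal
# team) Apple ID: 7-day validity, device-bound, debuggable, and an
# auto-generated "XC ..." App ID name. All identifiers are placeholders.
SAMPLE_PROFILE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>AppIDName</key><string>XC com example videochat</string>
  <key>CreationDate</key><date>2016-05-20T10:00:00Z</date>
  <key>ExpirationDate</key><date>2016-05-27T10:00:00Z</date>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>ABCDE12345.com.example.videochat</string>
    <key>com.apple.developer.team-identifier</key><string>ABCDE12345</string>
    <key>get-task-allow</key><true/>
  </dict>
  <key>ProvisionedDevices</key>
  <array><string>00000000-000000000000001E</string></array>
  <key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
  <key>TeamName</key><string>Jane Doe</string>
</dict>
</plist>
"""

# Opaque bytes on both sides stand in for the DER/CMS envelope (constructed).
SAMPLE_PROFILE = b"\x30\x82\x0a\x00" + b"\x00" * 24 + SAMPLE_PROFILE_PLIST + b"\xff" * 16


def extract_plist(profile: bytes) -> Optional[dict]:
    """Locate the XML plist inside the CMS envelope and parse it."""
    m = re.search(rb"<\?xml.*?</plist>", profile, re.DOTALL)
    if not m:
        return None
    return plistlib.loads(m.group(0))


def profile_indicators(profile: bytes) -> dict:
    """Collect the fields that distinguish App Store, enterprise, ad hoc and
    development (sideloaded) signing."""
    plist = extract_plist(profile)
    if plist is None:
        # App Store builds carry no embedded.mobileprovision at all.
        return {"has_profile": False}
    ents = plist.get("Entitlements", {})
    created, expires = plist.get("CreationDate"), plist.get("ExpirationDate")
    validity_days = (expires - created).days if created and expires else None
    return {
        "has_profile": True,
        "team_id": ents.get("com.apple.developer.team-identifier"),
        "team_name": plist.get("TeamName"),
        "app_id": ents.get("application-identifier"),
        "debuggable": bool(ents.get("get-task-allow", False)),   # development signing
        "device_bound": "ProvisionedDevices" in plist,           # ad hoc or development
        "device_count": len(plist.get("ProvisionedDevices", [])),
        "enterprise": bool(plist.get("ProvisionsAllDevices", False)),
        "validity_days": validity_days,
        # Xcode's automatic signing names App IDs "XC <bundle id with spaces>".
        "xcode_auto_app_id": str(plist.get("AppIDName", "")).startswith("XC "),
    }


def classify(ind: dict) -> str:
    """Turn the indicators into a one-line verdict for an analyst."""
    if not ind["has_profile"]:
        return "no embedded profile (consistent with App Store distribution)"
    if ind["enterprise"]:
        return "enterprise in-house distribution"
    if ind["debuggable"] or ind["device_bound"]:
        if ind["validity_days"] is not None and ind["validity_days"] <= 7:
            return "development build, short-lived profile (free Apple ID sideload pattern)"
        return "development or ad hoc build (sideloaded, not App Store)"
    return "distribution profile present; verify signer against expected vendor"


if __name__ == "__main__":
    ind = profile_indicators(SAMPLE_PROFILE)
    for key, value in ind.items():
        print(f"{key:18} {value}")
    print("verdict:", classify(ind))
```

To run this against a real package, pull the profile out of the IPA with `unzip -p app.ipa 'Payload/*.app/embedded.mobileprovision'` and pass the bytes to `profile_indicators`. A match on the free Apple ID pattern for an app that is supposed to come from the App Store is the kind of signal an EMM inventory check on bundle ID alone will never produce.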
SandJacking (revealed at Hack in the Box 2016)
Mi3 Security Chief Scientist Chilik Tamir discovered a new method, which he dubbed “SandJacking,” that still allows attackers to use the Su-A-Cyder technique even against the latest iOS version.
The problem, according to the expert, is that while Apple patched the installation process to ensure that legitimate apps cannot be replaced, it neglected the restore process. This allows an attacker with access to the device to create a backup, remove the legitimate app, install the malicious version, and then restore the device from the backup. The restore does not remove the malicious app; it leaves it in place and returns the original app’s backed-up data to it, giving the attacker access to the user data associated with that application.
It is worth noting that the malicious application only gains access to the sandbox of the app it replaces, so an attacker must build a malicious version of each targeted application. Tamir does not consider this an obstacle, since the entire process can be automated.