by Lilang Wu, Ju Zhu, and Moony Li
We covered iXintpwn/YJSNPI in a previous blog post and looked into how it renders an iOS device unresponsive by overflowing it with icons. This threat comes in the form of an unsigned profile that crashes the standard application that manages the iOS home screen when installed. The malicious profile also exploits certain features to make iXintpwn/YJSNPI more difficult to uninstall.
We recently discovered a new variant of iXintpwn/YJSNPI (detected by Trend Micro as IOS_YJSNPI.A) that uses a signed profile to conduct different attacks compared to its predecessor. IOS_YJSNPI.A is extracted from either of the two app stores—hxxp://m[.]3454[.]com and hxxp://m[.]973[.]com. Based on our analysis, this new variant’s main purpose is not to damage users’ operating systems, but to lure users into downloading repackaged apps.
Figure 1. Screenshot of an unsigned profile (left) and a signed profile (right). In English translation, the right photo describes 51 Apple Helper, an iOS app store that provides games, software, and wallpaper.
If users access the app stores, the signed .mobileconfig file, which is an iOS configuration profile, will be downloaded to the device. An iOS configuration profile enables administrators and developers to streamline the settings of a huge number of devices, including email and Exchange accounts, network settings, and certificates. The .mobileconfig file contains four irremovable icons that appear on the home screen, which is about the only other similarity this threat has with iXintpwn/YJSNPI aside from the use of a configuration profile. The four icons are Web Clips that appear as app icons on the home screen. The difference is that, instead of launching an app when tapped, a Web Clip takes the user directly to a website.
Figure 2. The four icons contained in a .mobileconfig file.
One of the Web Clips seen in the picture above redirects users to 51 Apple Helper, a third-party app store where repackaged apps can be downloaded.
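The following is an added example for inspecting a profile like the one described above; it is not code from the original post or from Trend Micro. It parses a constructed .mobileconfig (not the real IOS_YJSNPI.A file) with Python's standard plistlib and reports the managed Web Clip payloads whose `IsRemovable` key is false or whose target is a plain-http site, plus whether the profile sets `PayloadRemovalDisallowed`. The payload keys (`PayloadContent`, `PayloadType`, `com.apple.webClip.managed`, `Label`, `URL`, `IsRemovable`, `PayloadRemovalDisallowed`) are Apple's documented configuration-profile keys; the URLs and identifiers in the sample are made up.

```python
import plistlib

# Constructed sample .mobileconfig (not the real IOS_YJSNPI.A profile): two
# managed Web Clips, one of which is pinned to the home screen (IsRemovable
# false) and points at a plain-http store, plus a profile-level flag that
# keeps the profile itself from being removed in Settings.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.profile.constructed</string>
  <key>PayloadDisplayName</key><string>Example Helper</string>
  <key>PayloadRemovalDisallowed</key><true/>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.webClip.managed</string>
      <key>PayloadIdentifier</key><string>example.webclip.games</string>
      <key>Label</key><string>Games</string>
      <key>URL</key><string>http://store.example.invalid/</string>
      <key>IsRemovable</key><false/>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.webClip.managed</string>
      <key>PayloadIdentifier</key><string>example.webclip.docs</string>
      <key>Label</key><string>Docs</string>
      <key>URL</key><string>https://docs.example.invalid/</string>
      <key>IsRemovable</key><true/>
    </dict>
  </array>
</dict>
</plist>
"""


def extract_plist_bytes(raw: bytes) -> bytes:
    """Return the XML property list carried by a .mobileconfig.

    An unsigned profile is the plain XML. A signed profile wraps that same XML
    in a CMS (PKCS#7) SignedData blob with the XML embedded verbatim, so
    slicing from '<?xml' to '</plist>' recovers it for inspection. This does
    not verify the signature; it only lets you read the payloads.
    """
    start = raw.find(b"<?xml")
    end = raw.find(b"</plist>")
    if start == -1 or end == -1 or end < start:
        raise ValueError("no XML property list found in profile")
    return raw[start:end + len(b"</plist>")]


def load_profile(raw: bytes) -> dict:
    return plistlib.loads(extract_plist_bytes(raw))


def find_webclips(raw: bytes) -> list:
    """List every managed Web Clip payload with the fields that matter here."""
    clips = []
    for payload in load_profile(raw).get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.webClip.managed":
            continue
        clips.append({
            "label": payload.get("Label", ""),
            "url": payload.get("URL", ""),
            # Apple's default for a missing IsRemovable is true.
            "removable": bool(payload.get("IsRemovable", True)),
        })
    return clips


def suspicious_webclips(raw: bytes) -> list:
    """Web Clips that cannot be removed from the home screen, or that send the
    user to a plain-http site: the combination described for this variant."""
    return [c for c in find_webclips(raw)
            if not c["removable"] or c["url"].startswith("http://")]


def profile_removal_disallowed(raw: bytes) -> bool:
    """True when the profile asks iOS to block its own removal in Settings."""
    return bool(load_profile(raw).get("PayloadRemovalDisallowed", False))


if __name__ == "__main__":
    print("profile locked:", profile_removal_disallowed(SAMPLE_PROFILE))
    for clip in suspicious_webclips(SAMPLE_PROFILE):
        print("suspicious web clip:", clip)
```

On a real sample, read the downloaded file in binary mode and pass its bytes to `suspicious_webclips`; because the helper only slices the embedded XML, it works on both the unsigned and the signed form, but a valid signature says nothing about intent, so the removability and destination of each Web Clip are still the things to look at.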
A Closer Look at the App Stores
Further analysis reveals that the two app stores can also be accessed from a PC or an Android device. When users download apps from either of the two, the server's response differs depending on the user agent.
Figure 3. Code snippet of the signed profile being downloaded from the malicious website.
For Android users, another third-party app store will be installed on their devices when they download apps from either of the two app stores. Unlike 51 Apple Helper, this app is a legitimate and popular distribution platform in China. Meanwhile, Mac and Windows users will be safe, since all apps downloaded from the two app stores will fail to install on the computer.
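The per-user-agent behaviour described above leaves a recognisable trace in web proxy logs: the same download URL hands an iOS configuration profile to iPhone clients and an Android package to Android clients. The following is an added example, not code from the original post or from Trend Micro, that runs that check over a few constructed proxy log lines (the log format, hostnames and addresses are made up; the two MIME types, `application/x-apple-aspen-config` for .mobileconfig and `application/vnd.android.package-archive` for .apk, are the real ones).

```python
import re
from collections import defaultdict

# Constructed proxy log lines for illustration: the first three requests hit
# one download URL from an iPhone, an Android phone and a Windows PC; the
# fourth is an unrelated page fetched from the same iPhone.
SAMPLE_LOG = [
    '2017-10-02T08:00:01Z 10.0.0.21 GET http://m.example.invalid/down '
    'UA="Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8" '
    'CT=application/x-apple-aspen-config',
    '2017-10-02T08:00:07Z 10.0.0.22 GET http://m.example.invalid/down '
    'UA="Mozilla/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit/537.36" '
    'CT=application/vnd.android.package-archive',
    '2017-10-02T08:00:12Z 10.0.0.23 GET http://m.example.invalid/down '
    'UA="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" '
    'CT=text/html',
    '2017-10-02T08:01:00Z 10.0.0.21 GET https://news.example.invalid/ '
    'UA="Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X)" '
    'CT=text/html',
]

# Format of the constructed log: timestamp, client, method, URL, quoted UA,
# and the Content-Type the server answered with.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) GET (?P<url>\S+) UA="(?P<ua>[^"]*)" CT=(?P<ct>\S+)$'
)

# Content types that install something on the client.
INSTALLABLE = {
    "application/x-apple-aspen-config": "ios-profile",
    "application/vnd.android.package-archive": "android-apk",
}


def platform_of(ua: str) -> str:
    """Coarse platform classification from the User-Agent string."""
    if "iPhone" in ua or "iPad" in ua:
        return "ios"
    if "Android" in ua:
        return "android"
    if "Windows NT" in ua:
        return "windows"
    if "Macintosh" in ua:
        return "mac"
    return "other"


def parse_line(line: str):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def per_platform_payloads(lines) -> dict:
    """Map each URL to {platform: payload-kind} as observed in the log."""
    seen = defaultdict(dict)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the expected format
        seen[rec["url"]][platform_of(rec["ua"])] = INSTALLABLE.get(rec["ct"], "other")
    return seen


def flag_targeted_urls(lines) -> dict:
    """URLs that served two different installable payload kinds to two
    different platforms, which is the pattern described for these stores."""
    flagged = {}
    for url, by_platform in per_platform_payloads(lines).items():
        kinds = {k for k in by_platform.values() if k != "other"}
        if len(kinds) >= 2:
            flagged[url] = dict(by_platform)
    return flagged


if __name__ == "__main__":
    for url, by_platform in flag_targeted_urls(SAMPLE_LOG).items():
        print(url, by_platform)
```

The rule deliberately keys on the Content-Type the server returned rather than on the URL path, because a single endpoint is doing the branching; adapt `LOG_RE` to your proxy's format and feed it the day's download requests.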
Interestingly, we also discovered that the two third-party app stores were distributors of the rootkit malware used by ZNIU.
Figure 4. Code snippet of Android users downloading the app from the third-party app store.
Figure 5. The response we get when requesting for the apk file.
Mitigations and Solutions
Users should only install apps from official and trusted app stores. They should also be wary of the potential risks of downloading repackaged apps:
- Users’ sensitive information may be leaked when the app updates to a later version.
- Repackaged apps installed on the newest iOS version prevent the installation of the legitimate apps—and their official updates—from which they were based.
- Installing repackaged apps to older iOS versions (10.1 and below) may expose devices to vulnerabilities.
Users should take advantage of mobile security solutions such as Trend Micro™ Mobile Security for iOS and Trend Micro™ Mobile Security for Android devices to block threats from app stores before they can be installed.
Trend Micro’s Mobile App Reputation Service (MARS) already covers Android and iOS threats using leading sandbox and machine learning technology. It can protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerability.
In addition, enterprise users should consider installing a solution like Trend Micro™ Mobile Security for Enterprise. This features device management, data protection, application management, compliance management, configuration provisioning, and other features so employers can balance privacy and security with the flexibility and added productivity of BYOD programs.
Indicators of Compromise (IoCs)
| SHA256 | Package Name | App Label |
|---|---|---|
| 7c840433020c33e16e942a39d53c593ce58db680a41955a8a29139cf022be8dd | com[.]okosdfsdfhsh[.]www | 触摸女神 (Touch the goddess) |