
iPad Air spyware: help needed from the security community

After the Telefacts show 'Big Brother in your pocket' we were contacted by a company with a strange request.
One of their employees uses an iPad Air for business. Whenever the iPad was connected to his home network, somebody would take over the screen, open the Dropbox app and start scrolling through its contents, reading confidential information right under the nose of the user.
Once a PIN code was enabled on the Dropbox app, the cyberthief could no longer open it, so he/she started playing loud music on the iPad instead.

When we examined the iPad we found nothing malware-related on the device: it was one of the latest hardware revisions, it had almost no apps installed, the device was not jailbroken, ... A mystery.

Intercepting the network traffic from the device to the Internet did show something nasty: strange DNS requests for strange DNS names!
Below is the list of names queried, of which only three resolved. The iPad was connected to power, but not in use, during these DNS lookups.

13:33:00 gvabmhcreh.www.10000uc.com
13:34:46 tmppjzclrxomrrx.www.douyu.tv
14:10:01 evcdwfefkbqrcbwb.www.0769cg.com
14:17:39 dcfja.a69kf.qsxcmy.com
14:21:41 cxyjsxyfafid.a69kf.qsxcmy.com
14:31:39 yqnscsk.a69kf.qsxcmy.com
14:36:07 mgufrtcmfofefzw.a69kf.qsxcmy.com
14:42:06 azxcynrkx.a69kf.qsxcmy.com
14:54:55 odgzcdgxkbylmx.a69kf.qsxcmy.com
15:06:22 qcvet.a69kf.qsxcmy.com
15:25:24 cir.a69kf.qsxcmy.com
15:31:52 phapbfcfrxngplq.a69kf.qsxcmy.com
15:49:33 cvn.ljfczx.com
15:56:51 cnmtap.czcbl.com
15:59:56 kjgvshmrqlczcxap.ljfczx.com
16:07:41 cvmd.560gg.com
16:19:23 zakarpattya.net.ua
16:21:13 yrqryfcxojmvcxsf.czcbl.com
16:24:41 udhcyizel.hiyuxi.com
16:27:14 ulszcxshqtehsj.ljfczx.com
16:41:26 cbfhdqwxtvd.czcbl.com
17:12:34 cxx.hiyuxi.com
17:16:30 lxxscwx.ljfczx.com
17:24:54 cverqfmnapyt.czcbl.com
17:28:11 zakarpattya.net.ua
17:28:34 zakarpattya.net.ua
17:37:15 zakarpattya.net.ua
18:08:02 iyfcjqxih.ljfczx.com
18:09:27 zjwcwgsgs.ljfczx.com
20:19:31 zakarpattya.net.ua
20:39:39 zakarpattya.net.ua
22:48:01 c.www.0769cg.com
23:35:23 cjp.www.0769cg.com
06:07:29 cl.xin.szlhr.com
08:14:03 dmfxcpq.www.xcs520.com
08:21:46 vtdcsxyrm.www.xcs520.com
08:53:28 ylohchqbahqjov.www.xcs520.com
09:06:56 jocmqecaxnqbrxn.www.klmir2.com
09:14:38 cnqx.www.ltcq185.com
09:34:24 ivkxwpelipqhcncv.www.xcs520.com
09:49:57 wroxmhyhcvoncbsr.www.ltcq185.com
10:32:07 kgljwhcithakcgb.www.0769cg.com
10:48:51 upmjubcdkj.www.ltcq185.com
10:54:09 clixah.www.ltcq185.com
10:58:42 kcwtb.www.klmir2.com
11:18:42 ozajcfcjsz.www.ltcq185.com
11:28:25 tasckzakb.www.klmir2.com
11:50:53 idkpctyjqfivmf.www.0769cg.com
11:53:48 rpxczssao.www.xcs520.com
13:18:43 cbydercpgp.180.86min.com
13:20:51 ctkskwuvrte.180.86min.com
13:23:38 czmjmhehwpgv.180.86min.com
13:37:14 sknckkgok.www.klmir2.com
13:45:28 cajyrqwrrwa.www.xcs520.com
13:53:37 c.www.klmir2.com
14:00:38 cfr.www.klmir2.com
14:28:40 abcbcxetktonev.zhaosf.cz
14:35:24 kctgcez.www.xg6888.com
14:39:59 jceue.www.klmir2.com
15:02:04 cfcr.ww.hiyuxi.com
15:09:17 iafcebtaq.www.klmir2.com
15:25:44 col.www.klmir2.com
15:30:39 cn.www.dzfz.com.cn
15:40:43 crefof.www.80078.com
16:31:39 c.www.5478pk.com
17:10:14 fcszi.www.5478pk.com
17:18:10 rcokr.www.5478pk.com
17:39:41 ocqbv.www.5478pk.com
17:46:07 ynwbcpszorunmb.www.5478pk.com
17:59:37 uvwvcbqbgzujgx.www.5478pk.com
18:20:44 nbcqeftuvjklz.www.5478pk.com
18:28:09 abcqrsthvwxlz.www.5478pk.com
18:42:40 rcaur.www.5478pk.com
18:52:01 crb.www.0769cg.com
19:00:37 qstrcbcqywmnsxm.www.0769cg.com
01:21:34 ianvcja.www.0769cg.com
02:25:24 wxefczepkjefcf.www.0769cg.com
10:25:12 wjiypucdunynnup.gg88.551gg.com
11:03:09 crgfcdibmbqped.gg88.551gg.com
11:03:10 crgfcdibmbqped.gg88.551gg.com
11:23:51 bcjga.gg88.551gg.com
11:24:19 wqppcdx.gg88.551gg.com
12:04:35 koqcvfptk.gg88.551gg.com
12:11:51 erglcvqtsxgnoh.gg88.551gg.com
12:13:31 docicku.gg88.551gg.com

So is this spyware embedded in iOS, in a malicious app from the App Store, or in firmware on the iPad itself?
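The names in the log above share a pattern that is worth checking for mechanically: many distinct, vowel-poor leftmost labels under a handful of registered domains, with the same label almost never queried twice. The script below is an added example for triaging such a DNS log (it is not code from the original post). It parses the "HH:MM:SS name" lines, groups them by a heuristic registered domain, counts how many distinct random-looking leftmost labels each domain receives, and flags domains that cross a threshold. The sample input is a subset of the log lines from the post; the multi-label suffix list, the length and consonant-ratio thresholds, and the flagging threshold are assumptions chosen for illustration, not values from the post.

```python
import re
from collections import defaultdict

# Subset of the DNS log lines from the post above, used as sample input.
SAMPLE_LOG = """\
14:17:39 dcfja.a69kf.qsxcmy.com
14:21:41 cxyjsxyfafid.a69kf.qsxcmy.com
14:31:39 yqnscsk.a69kf.qsxcmy.com
14:36:07 mgufrtcmfofefzw.a69kf.qsxcmy.com
15:49:33 cvn.ljfczx.com
15:59:56 kjgvshmrqlczcxap.ljfczx.com
16:19:23 zakarpattya.net.ua
16:27:14 ulszcxshqtehsj.ljfczx.com
17:28:11 zakarpattya.net.ua
17:28:34 zakarpattya.net.ua
18:08:02 iyfcjqxih.ljfczx.com
15:30:39 cn.www.dzfz.com.cn
17:46:07 ynwbcpszorunmb.www.5478pk.com
17:59:37 uvwvcbqbgzujgx.www.5478pk.com
18:20:44 nbcqeftuvjklz.www.5478pk.com
18:28:09 abcqrsthvwxlz.www.5478pk.com
"""

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2})\s+([A-Za-z0-9.-]+)$")

# Assumption: a tiny hand-picked set of multi-label public suffixes.
# A real deployment would consult the Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"com.cn", "net.ua", "co.uk"}

VOWELS = set("aeiou")


def parse_line(line):
    """Return (time, fqdn) for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), m.group(2).lower()


def registered_domain(fqdn):
    """Heuristic registrable domain: the last two labels, or the last three
    when the last two form a known multi-label suffix such as com.cn."""
    labels = fqdn.strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def consonant_ratio(label):
    """Fraction of alphabetic characters that are not a, e, i, o or u."""
    letters = [c for c in label if c.isalpha()]
    if not letters:
        return 0.0
    return sum(1 for c in letters if c not in VOWELS) / len(letters)


def looks_random(label, min_len=5, min_ratio=0.7):
    """Crude DGA-style test: a longish label with very few vowels.
    Thresholds are assumptions for illustration."""
    return len(label) >= min_len and consonant_ratio(label) >= min_ratio


def summarize(log_text):
    """Map registered domain -> {'lookups': n, 'random_labels': set(...)}."""
    stats = defaultdict(lambda: {"lookups": 0, "random_labels": set()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that are not in HH:MM:SS name form
        _, fqdn = parsed
        base = registered_domain(fqdn)
        entry = stats[base]
        entry["lookups"] += 1
        if fqdn != base:  # a bare registered domain has no leftmost label
            leftmost = fqdn.split(".")[0]
            if looks_random(leftmost):
                entry["random_labels"].add(leftmost)
    return dict(stats)


def flag_domains(log_text, min_labels=3):
    """Registered domains queried with at least min_labels distinct
    random-looking leftmost labels, sorted by name."""
    return sorted(d for d, e in summarize(log_text).items()
                  if len(e["random_labels"]) >= min_labels)


if __name__ == "__main__":
    for d, e in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{d:24} lookups={e['lookups']:2} "
              f"random_labels={len(e['random_labels'])}")
    print("flagged:", flag_domains(SAMPLE_LOG))
```

On the sample, qsxcmy.com, ljfczx.com and 5478pk.com are flagged, while zakarpattya.net.ua (the same full name repeated, no random label) and dzfz.com.cn (a short, ordinary leftmost label) are not. A check like this is only a triage filter: a flagged domain deserves a look at which process on the device issued the queries and what, if anything, it did with the answers, which is exactly the part the post could not establish.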

There are 3 Comments


There was no passcode in place. And we were unable to verify Jailbreak status.

There were some typical third-party apps installed like Dropbox.

We think that the malware was installed from an infected iTunes PC using one of the lately discovered Apple backdoors, see http://www.zdziarski.com/blog/wp-content/uploads/2014/07/iOS_Backdoors_Attack_Points_Surveillance_Mechanisms.pdf


Any updates on this?

Was a passcode in place?
How was the Jailbreak status verified?
Were there any third-party apps installed (enterprise or app store)?


Symptoms appear at home but not at work? I would say he has some kind of persistent malware on his home network which becomes active when the iOS device is connected.
