
iPad Air spyware: help needed from the security community

After the Telefacts show 'Big Brother in your pocket' we got contacted by a company with a strange request.

One of their employees uses an iPad Air for business, but whenever the iPad was connected to the home network, somebody would take over the screen, open the Dropbox app and start scrolling through its contents, reading confidential information right under the nose of the user.

When the PIN code was activated on the Dropbox app, the cyberthief could no longer access the app, so he/she started to play loud music on the iPad instead.

When we investigated the iPad we didn't find anything malware-related on the device: it was one of the latest hardware versions, almost no apps were installed, the device was not jailbroken, ... A mystery.

Intercepting network traffic from the device to the Internet did show something nasty: strange DNS requests for strange DNS names!

Below is the list of DNS names that were looked up, of which only three resolved. The iPad was connected to power, but not in use during these DNS lookups.

13:33:00 gvabmhcreh.www.10000uc.com
13:34:46 tmppjzclrxomrrx.www.douyu.tv
14:10:01 evcdwfefkbqrcbwb.www.0769cg.com
14:17:39 dcfja.a69kf.qsxcmy.com
14:21:41 cxyjsxyfafid.a69kf.qsxcmy.com
14:31:39 yqnscsk.a69kf.qsxcmy.com
14:36:07 mgufrtcmfofefzw.a69kf.qsxcmy.com
14:42:06 azxcynrkx.a69kf.qsxcmy.com
14:54:55 odgzcdgxkbylmx.a69kf.qsxcmy.com
15:06:22 qcvet.a69kf.qsxcmy.com
15:25:24 cir.a69kf.qsxcmy.com
15:31:52 phapbfcfrxngplq.a69kf.qsxcmy.com
15:49:33 cvn.ljfczx.com
15:56:51 cnmtap.czcbl.com
15:59:56 kjgvshmrqlczcxap.ljfczx.com
16:07:41 cvmd.560gg.com
16:19:23 zakarpattya.net.ua
16:21:13 yrqryfcxojmvcxsf.czcbl.com
16:24:41 udhcyizel.hiyuxi.com
16:27:14 ulszcxshqtehsj.ljfczx.com
16:41:26 cbfhdqwxtvd.czcbl.com
17:12:34 cxx.hiyuxi.com
17:16:30 lxxscwx.ljfczx.com
17:24:54 cverqfmnapyt.czcbl.com
17:28:11 zakarpattya.net.ua
17:28:34 zakarpattya.net.ua
17:37:15 zakarpattya.net.ua
18:08:02 iyfcjqxih.ljfczx.com
18:09:27 zjwcwgsgs.ljfczx.com
20:19:31 zakarpattya.net.ua
20:39:39 zakarpattya.net.ua
22:48:01 c.www.0769cg.com
23:35:23 cjp.www.0769cg.com
06:07:29 cl.xin.szlhr.com
08:14:03 dmfxcpq.www.xcs520.com
08:21:46 vtdcsxyrm.www.xcs520.com
08:53:28 ylohchqbahqjov.www.xcs520.com
09:06:56 jocmqecaxnqbrxn.www.klmir2.com
09:14:38 cnqx.www.ltcq185.com
09:34:24 ivkxwpelipqhcncv.www.xcs520.com
09:49:57 wroxmhyhcvoncbsr.www.ltcq185.com
10:32:07 kgljwhcithakcgb.www.0769cg.com
10:48:51 upmjubcdkj.www.ltcq185.com
10:54:09 clixah.www.ltcq185.com
10:58:42 kcwtb.www.klmir2.com
11:18:42 ozajcfcjsz.www.ltcq185.com
11:28:25 tasckzakb.www.klmir2.com
11:50:53 idkpctyjqfivmf.www.0769cg.com
11:53:48 rpxczssao.www.xcs520.com
13:18:43 cbydercpgp.180.86min.com
13:20:51 ctkskwuvrte.180.86min.com
13:23:38 czmjmhehwpgv.180.86min.com
13:37:14 sknckkgok.www.klmir2.com
13:45:28 cajyrqwrrwa.www.xcs520.com
13:53:37 c.www.klmir2.com
14:00:38 cfr.www.klmir2.com
14:28:40 abcbcxetktonev.zhaosf.cz
14:35:24 kctgcez.www.xg6888.com
14:39:59 jceue.www.klmir2.com
15:02:04 cfcr.ww.hiyuxi.com
15:09:17 iafcebtaq.www.klmir2.com
15:25:44 col.www.klmir2.com
15:30:39 cn.www.dzfz.com.cn
15:40:43 crefof.www.80078.com
16:31:39 c.www.5478pk.com
17:10:14 fcszi.www.5478pk.com
17:18:10 rcokr.www.5478pk.com
17:39:41 ocqbv.www.5478pk.com
17:46:07 ynwbcpszorunmb.www.5478pk.com
17:59:37 uvwvcbqbgzujgx.www.5478pk.com
18:20:44 nbcqeftuvjklz.www.5478pk.com
18:28:09 abcqrsthvwxlz.www.5478pk.com
18:42:40 rcaur.www.5478pk.com
18:52:01 crb.www.0769cg.com
19:00:37 qstrcbcqywmnsxm.www.0769cg.com
01:21:34 ianvcja.www.0769cg.com
02:25:24 wxefczepkjefcf.www.0769cg.com
10:25:12 wjiypucdunynnup.gg88.551gg.com
11:03:09 crgfcdibmbqped.gg88.551gg.com
11:03:10 crgfcdibmbqped.gg88.551gg.com
11:23:51 bcjga.gg88.551gg.com
11:24:19 wqppcdx.gg88.551gg.com
12:04:35 koqcvfptk.gg88.551gg.com
12:11:51 erglcvqtsxgnoh.gg88.551gg.com
12:13:31 docicku.gg88.551gg.com

So is this spyware embedded in iOS, in a malicious app from the App Store, or in firmware on the iPad?
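The striking thing in the list above is the shape of the names: a handful of parent domains, each queried with a stream of short-lived, random-looking leftmost labels. That is the pattern a defender would triage as possible DNS tunnelling or machine-generated beacon names. The script below is an added example, not code from the original post: it parses a subset of the lookups quoted above and flags parent domains that accumulate several distinct random-looking labels. The consonant-run heuristic, the threshold of three labels and the tiny two-part-suffix table are this example's own assumptions (a real deployment would consult the public suffix list and a proper DGA classifier).

```python
"""Added triage example (not code from the original post): parse the DNS
lookups listed in the post and flag parent domains that receive many
distinct, random-looking leftmost labels.

Assumptions: the consonant-run heuristic, the three-label threshold and the
tiny two-part-suffix table are this example's own choices, not something the
post describes; a real deployment would use the public suffix list.
"""
import re
from collections import defaultdict

# Sample input: a subset of the lookups quoted in the post, one "HH:MM:SS name" per line.
SAMPLE_LOG = """\
13:33:00 gvabmhcreh.www.10000uc.com
13:34:46 tmppjzclrxomrrx.www.douyu.tv
14:17:39 dcfja.a69kf.qsxcmy.com
14:21:41 cxyjsxyfafid.a69kf.qsxcmy.com
14:31:39 yqnscsk.a69kf.qsxcmy.com
14:36:07 mgufrtcmfofefzw.a69kf.qsxcmy.com
14:42:06 azxcynrkx.a69kf.qsxcmy.com
16:19:23 zakarpattya.net.ua
17:28:11 zakarpattya.net.ua
17:28:34 zakarpattya.net.ua
17:37:15 zakarpattya.net.ua
16:31:39 c.www.5478pk.com
17:10:14 fcszi.www.5478pk.com
17:18:10 rcokr.www.5478pk.com
17:39:41 ocqbv.www.5478pk.com
17:46:07 ynwbcpszorunmb.www.5478pk.com
17:59:37 uvwvcbqbgzujgx.www.5478pk.com
"""

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2})\s+(\S+)$")
# A run of four or more non-vowels (y counted as a consonant) in a label of at
# least five characters is treated as "random-looking". Heuristic, not proof.
RANDOM_RE = re.compile(r"[^aeiou]{4}")
# Assumption: a stand-in for the public suffix list, enough for the sample.
TWO_PART_SUFFIXES = {"com.cn", "net.ua", "co.uk"}


def parse_log(text):
    """Return [(time, fqdn)], lower-cased, skipping lines that do not match."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).lower().rstrip(".")))
    return entries


def registered_domain(fqdn):
    """Crude eTLD+1: three labels for suffixes in TWO_PART_SUFFIXES, else two."""
    labels = fqdn.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def looks_random(label):
    """True for labels with a long consonant run; short labels never qualify."""
    return len(label) >= 5 and RANDOM_RE.search(label) is not None


def suspicious_domains(entries, min_random_labels=3):
    """Group lookups by registered domain and flag domains whose distinct
    leftmost labels include at least min_random_labels random-looking ones."""
    lookups = defaultdict(int)
    labels = defaultdict(set)
    for _, fqdn in entries:
        rd = registered_domain(fqdn)
        lookups[rd] += 1
        prefix = fqdn[: -len(rd)].rstrip(".")  # everything left of the eTLD+1
        if prefix:
            labels[rd].add(prefix.split(".")[0])
    flagged = {}
    for rd, seen in labels.items():
        random_labels = sorted(l for l in seen if looks_random(l))
        if len(random_labels) >= min_random_labels:
            flagged[rd] = {
                "lookups": lookups[rd],
                "distinct_labels": len(seen),
                "random_labels": len(random_labels),
                "examples": random_labels[:3],
            }
    return flagged


if __name__ == "__main__":
    for domain, info in sorted(suspicious_domains(parse_log(SAMPLE_LOG)).items()):
        print(f"{domain}: {info}")
```

On the sample, qsxcmy.com and 5478pk.com are flagged while zakarpattya.net.ua, which is queried repeatedly but always by its bare name, is not; that split is the point of grouping by registered domain rather than counting raw lookups. The same pass over a full resolver or firewall DNS log is a cheap first filter before pulling packet captures for the flagged domains.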

There are 3 Comments


There was no passcode in place. And we were unable to verify Jailbreak status.

There were some typical third-party apps installed like Dropbox.

We think that the malware was installed from an infected iTunes PC using one of the lately discovered Apple backdoors, see http://www.zdziarski.com/blog/wp-content/uploads/2014/07/iOS_Backdoors_Attack_Points_Surveillance_Mechanisms.pdf


Any updates on this?

Was a passcode in place?
How was the Jailbreak status verified?
Were there any third-party apps installed (enterprise or app store)?


Symptoms appear at home but not at work? I would say he has some kind of persistent malware on his home network which becomes active when the IOS device is connected.
