Tencent security team just posted a write-up on this issue on its blog. http://security.tencent.com/index.php/blog/msg/96

Here's the English translation:

---

Sep 12 - When we were tracking down a bug, we discovered that there was suspicious encrypted traffic sent from one/some app(s) to one/some particular domain(s) when the app(s) was/were launched or closed. The front-end security team immediately followed up on the issue.

Sep 13 - Tencent product team released an updated version of the app(s). We notified CNCERT of the issue.

Sep 14 - CNCERT issued a pre-warning on its website. [1]

Sep 16 - We discovered that 76 of the top 5000 apps on App Store were infected. We notified Apple and most of the app vendors of the infected apps of the issue.

Sep 17 - Palo Alto Networks also discovered the issue and published a report of their preliminary findings [2], and so did the Ali mobile security team [3].

Analysis

1. Infected apps send the following information to attackers' servers: app name, app version, iOS version, locale, device type, country code, IDFV. The domain used is icloud-analysis.com. We also discovered three other domains that are not used.

2. Attackers can identify every infected iOS device and issue commands to be executed via the openURL API.

3. Attackers can invoke a customized alert box on infected iOS devices, showing whatever they want.

4. The malicious remote control module is itself vulnerable to MITM attacks.

It should be noted that multiple versions of the remote control module were discovered, some of which do not have the capabilities described in (2) and (3).

[1] http://www.cert.org.cn/publish/main/12/2015/2015091415282115...

[2] http://researchcenter.paloaltonetworks.com/2015/09/novel-mal...

[3] http://drops.wooyun.org/news/8864 (Chinese)
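Since the write-up names the C2 domain (icloud-analysis.com) that infected apps beacon to on launch and close, the quickest defensive check for an organisation is to look for that domain in outbound DNS or proxy logs. The following is an added example, not part of the HN comment or Tencent's write-up: it parses a few constructed proxy-log lines (the log format is an assumption) and reports which client addresses contacted the domain or any of its subdomains, which is what an incident responder would use to enumerate affected devices.

```python
"""Flag outbound connections to the XcodeGhost C2 domain in proxy logs.

Added example; the log line format and the sample lines are constructed.
Only the domain name comes from the Tencent write-up.
"""
import re
from typing import Dict, Iterable, List

# Domain reported in the write-up as the endpoint actually used by infected apps.
C2_DOMAINS = {"icloud-analysis.com"}

# Constructed sample log lines in a hypothetical "timestamp client host path" format.
SAMPLE_LOG = """\
2015-09-16T10:00:01Z 10.0.0.12 api.icloud-analysis.com /
2015-09-16T10:00:02Z 10.0.0.12 www.apple.com /itunes
2015-09-16T10:00:05Z 10.0.0.44 icloud-analysis.com /
2015-09-16T10:00:09Z 10.0.0.13 cdn.example.com /asset.js
2015-09-16T10:00:11Z 10.0.0.13 icloud-analysis.com.example.net /
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<host>\S+)\s+(?P<path>\S*)$")


def host_matches(host: str, domains: Iterable[str] = C2_DOMAINS) -> bool:
    """True if host equals a watched domain or is a subdomain of it.

    Suffix matching is anchored on a dot so that look-alike hosts such as
    "xicloud-analysis.com" or "icloud-analysis.com.example.net" do not match.
    """
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in domains)


def find_c2_hits(lines: Iterable[str], domains: Iterable[str] = C2_DOMAINS) -> List[Dict[str, str]]:
    """Return one record per log line whose destination host is a watched domain."""
    domains = set(domains)
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than failing the scan
        if host_matches(m.group("host"), domains):
            hits.append({"ts": m.group("ts"), "src": m.group("src"), "host": m.group("host")})
    return hits


def affected_clients(hits: List[Dict[str, str]]) -> List[str]:
    """Distinct client addresses that contacted the C2 domain, sorted for reporting."""
    return sorted({h["src"] for h in hits})


if __name__ == "__main__":
    found = find_c2_hits(SAMPLE_LOG.splitlines())
    for rec in found:
        print(f"{rec['ts']} {rec['src']} -> {rec['host']}")
    print("clients to triage:", ", ".join(affected_clients(found)))
```

Each client address returned corresponds to a device that may carry one of the infected apps; pairing the hit timestamps with app launch/close times on the device is the natural next step in triage. The three additional, unused domains mentioned in the write-up are not listed on the page, so they are deliberately not included in the watch set.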
