[Malware Studies] Phenakite
Since my last malware analysis post was about an Android malware, I’ve decided to start to analyze malwares that target iOS devices. This time, I’ll not analyze a malware available in theZoo, like the previous ones.
SHA1 sample: 05527dddb79329d844f1954e3d36601926410bca
The malware is a trojanized chat application called Magic Chat and was spread using the URL hxxps://www.magic4smile[.]com, which is now down. This URL had a download button, which checks if a token generated on the access is on the database. If not, it downloads the file udid.mobileconfig, but it positive, downloads the file app.plist.
The file udid.mobileconfig is a XML certificate to be used to install the application
For MacOS and iOS, a plist file is filetype with the app’s default settings. The file app.plist contains the URL that contains the ipa file, which is the path /app.ipa
An IPA file is the file extension for an iOS application meant to be installed on an Apple iOS device, similar to the APK for Android. Like the APK, an IPA file can be opened like a ZIP file.
Analyzing the application, it has the following permissions:
- NSCameraUsageDescription
- NSContactsUsageDescription
- NSLocationWhenInUseUsageDescription
- NSMicrophoneUsageDescription
- NSPhotoLibraryUsageDescription
Inside the file there’s an embedded URL of a exposed Firebase database, which has logs of chat conversations.
Looking at the Info.plist file, we can find the information that the Application entrypoint is a file named app, which we can check that it’s a Mach-O 64-bit arm64 executable.
The file is recoginized as malicious by some vendors, with just Kaspersky naming it ‘Phenakite’.
I’m still starting the studying about reversing iOS applications codes, so I’ll update this post later with the code analysis.
