App Stores that Formerly Coddled ZNIU Found Distributing a New iXintpwn/YJSNPI Variant

by Lilang Wu, Ju Zhu, and Moony Li

We covered iXintpwn/YJSNPI in a previous blog post and looked into how it renders an iOS device unresponsive by overflowing it with icons. This threat comes in the form of an unsigned profile that crashes the standard application that manages the iOS home screen when installed. The malicious profile also exploits certain features to make iXintpwn/YJSNPI more difficult to uninstall.

We recently discovered a new variant of iXintpwn/YJSNPI (detected by Trend Micro as IOS_YJSNPI.A) that uses a signed profile to conduct different attacks compared to its predecessor. IOS_YJSNPI.A is extracted from either of the two app stores—hxxp://m[.]3454[.]com and hxxp://m[.]973[.]com. Based on our analysis, this new variant’s main purpose is not to damage users’ operating systems, but to lure users into downloading repackaged apps.

Figure 1 config profiles

Figure 1. Screenshot of an unsigned profile (left) and a signed profile (right). In English translation, the right photo describes 51 Apple Helper, an iOS app store that provides games, software, and wallpaper.

If users access the app stores, the signed .mobileconfig file, which is an iOS configuration profile, will be downloaded to the device. An iOS configuration profile enables developers to streamline the settings of a huge number of devices, including email and exchange, network, and certificates. The .mobileconfig file contains four irremovable icons that will appear on the home screen, which is about the only other similarity this threat has with iXintpwn/YJSNPI aside from the usage of a configuration profile. The four icons are Web Clips that appear as app icons on the home screen. The difference is that instead of launching the app when clicked, it will take the user directly to a website.

Figure 2 mobileconfig

Figure 2. The four icons contained in a .mobileconfig file.

One of the Web Clips seen in the picture above redirects users to 51 Apple Helper, a third-party app store where repackaged apps can be downloaded.
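The behaviour described above is visible in the profile itself: a .mobileconfig is a property list whose PayloadContent array holds one dictionary per payload, and a Web Clip is a payload of type com.apple.webClip.managed carrying a URL, a Label and an IsRemovable flag, while a top-level PayloadRemovalDisallowed key stops the user deleting the whole profile in Settings. The following triage script is an added example and not code from the original post or from Trend Micro; it parses a constructed sample profile (not the IOS_YJSNPI.A file, whose contents are only shown in the screenshots) and reports the Web Clips, their destination hosts, and whether the profile pins them in place. A signed profile is a CMS (PKCS#7) DER blob wrapping the plist, so it must be unwrapped first, for example with `openssl smime -verify -inform DER -noverify -in profile.mobileconfig`, before it is fed to this function.

```python
"""Triage an iOS configuration profile (.mobileconfig) for Web Clip payloads."""
import plistlib
from urllib.parse import urlparse

WEBCLIP_TYPE = "com.apple.webClip.managed"

# Constructed sample profile (not the real IOS_YJSNPI.A file): an unsigned
# XML plist that plants two Web Clips, one of which the user cannot delete.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>example.profile.webclips</string>
  <key>PayloadUUID</key><string>11111111-2222-3333-4444-555555555555</string>
  <key>PayloadDisplayName</key><string>Example Helper</string>
  <key>PayloadRemovalDisallowed</key><true/>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.webClip.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>example.profile.webclips.clip1</string>
      <key>PayloadUUID</key><string>aaaaaaaa-0000-0000-0000-000000000001</string>
      <key>Label</key><string>Games</string>
      <key>URL</key><string>http://store.example.invalid/games</string>
      <key>IsRemovable</key><false/>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.webClip.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>example.profile.webclips.clip2</string>
      <key>PayloadUUID</key><string>aaaaaaaa-0000-0000-0000-000000000002</string>
      <key>Label</key><string>Wallpaper</string>
      <key>URL</key><string>http://store.example.invalid/wallpaper</string>
      <key>IsRemovable</key><true/>
    </dict>
  </array>
</dict>
</plist>
"""


def analyze_profile(data: bytes) -> dict:
    """Summarise the Web Clip payloads and removal restrictions of a plist profile."""
    profile = plistlib.loads(data)
    clips = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != WEBCLIP_TYPE:
            continue
        url = payload.get("URL", "")
        clips.append({
            "label": payload.get("Label", ""),
            "url": url,
            "host": urlparse(url).hostname or "",
            # IsRemovable=false: the icon cannot be deleted from the home screen.
            "removable": bool(payload.get("IsRemovable", True)),
        })
    return {
        "display_name": profile.get("PayloadDisplayName", ""),
        # Top-level flag: the whole profile cannot be removed in Settings.
        "removal_disallowed": bool(profile.get("PayloadRemovalDisallowed", False)),
        "webclip_count": len(clips),
        "irremovable_clips": [c for c in clips if not c["removable"]],
        "hosts": sorted({c["host"] for c in clips}),
        "webclips": clips,
    }


def is_suspicious(report: dict) -> bool:
    """Heuristic: a locked profile that plants at least one irremovable Web Clip."""
    return report["removal_disallowed"] and len(report["irremovable_clips"]) > 0


if __name__ == "__main__":
    report = analyze_profile(SAMPLE_PROFILE)
    print(f"profile: {report['display_name']} (removal disallowed: {report['removal_disallowed']})")
    for clip in report["webclips"]:
        flag = "" if clip["removable"] else "  [irremovable]"
        print(f"  {clip['label']:<12} -> {clip['url']}{flag}")
    print("suspicious:", is_suspicious(report))
```

The hosts list is the useful output for a responder: it gives the destinations the planted icons open, which can be compared against the app-store domains named in this post and fed to web filtering, while the irremovable flag separates an ordinary enterprise profile from one designed to keep its icons on the device.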

A Closer Look at the App Stores

Further analysis reveals that the two app stores can also be accessed from a PC and an Android device. When users download apps from either of the two, the server's response differs depending on the user agent.

Figure 3 signed config

Figure 3. Code snippet of the signed profile being downloaded from the malicious website.

For Android users, another third-party app store will be installed on their devices when downloading apps from either of the two app stores. Unlike 51 Apple Helper, this app is a legitimate and popular distribution platform in China. Meanwhile, Mac and Windows users will be safe since all apps downloaded from the two app stores will fail to install on the computer.

Interestingly, we also discovered that the two third-party app stores were distributors of the rootkit malware used by ZNIU.

Figure 4 ZNIU link

Figure 4. Code snippet of Android users downloading the app from the third-party app store.

Based on its JavaScript code, https://ap[.]405153[.]com/w/9048409[.]apk is not working anymore and was replaced by the link to a third-party app store. Nevertheless, our researchers were still able to identify it as one that the ZNIU malware used before. It is speculated that the authors revised the code when the discovery of ZNIU was made public. Upon further investigation, we discovered that this apk file is still being hosted by a popular cloud server censored in the image below.

Figure 5 apk file request

Figure 5. The response we get when requesting the apk file.

Mitigations and Solutions

Users should only install apps from official and trusted app stores. They should also be wary of the potential risks of downloading repackaged apps:

  • Users’ sensitive information may be leaked when the app updates to a later version.
  • Repackaged apps installed on the newest iOS version prevent the installation of the legitimate apps—and their official updates—from which they were based.
  • Installing repackaged apps to older iOS versions (10.1 and below) may expose devices to vulnerabilities.

Users should take advantage of mobile security solutions such as Trend Micro™ Mobile Security for iOS and Trend Micro™ Mobile Security for Android devices to block threats from app stores before they can be installed.

Trend Micro’s Mobile App Reputation Service (MARS) already covers Android and iOS threats using leading sandbox and machine learning technology. It can protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerability.

In addition, enterprise users should consider installing a solution like Trend Micro™ Mobile Security for Enterprise. This features device management, data protection, application management, compliance management, configuration provisioning, and other features so employers can balance privacy and security with the flexibility and added productivity of BYOD programs.

Indicators of Compromise (IoCs)

iOS:

SHA256: 4a2b4f0b2c5980a2bba4213d931da5ad2768309032a7cd697000e054225f62eb

Android:

SHA256: 7c840433020c33e16e942a39d53c593ce58db680a41955a8a29139cf022be8dd
Package Name: com[.]okosdfsdfhsh[.]www
App Label: 触摸女神 (Touch the goddess)


Post from: Trendlabs Security Intelligence Blog – by Trend Micro
Story added 2 November 2017.