From a4a187b2bb7100524e84aa5bf337dcadbb2fb066 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Mon, 20 Apr 2026 13:36:44 +0000 Subject: [PATCH] Add content from: FakeWallet crypto stealer spreading through iOS apps in the ... --- .../ios-pentesting-without-jailbreak.md | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md b/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md index 79cecd83d20..4ac88efe388 100644 --- a/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md +++ b/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md 
@@ -95,6 +95,39 @@ Notes: - The tool can re-sign cross-platform by authenticating with Apple via **SRP** and generating a free dev certificate + provisioning profile. Apple’s **anisette** headers are handled per platform (macOS via `AOSKit.framework`, Linux via Anisette.py, Windows via an external anisette server). - This **does not** bypass the sandbox. The injected code runs inside the app process and can only access the app’s sandbox and keychain access groups. +### Inspect trojanized sideloaded IPAs + +When reviewing an IPA obtained from a **phishing page**, **enterprise/developer provisioning profile**, or an **App Store stub app** that redirects users into Safari, assume the package may be a **trojanized rebuild** of a legitimate app rather than a clean sideload. + +Common triage steps: + +```bash +# List embedded dynamic libraries / frameworks +unzip -l suspicious.ipa | egrep '(\.dylib$|Frameworks/|embedded.mobileprovision)' + +# Inspect load commands looking for injected libraries +otool -l Payload/.app/ | egrep 'LC_LOAD_DYLIB|LC_LOAD_WEAK_DYLIB|name ' + +# Inspect sections for unusual executable content or constructor arrays +otool -l Payload/.app/ | egrep 'sectname|segname|__mod_init_func|__TEXT|__DATA' + +# Dump Objective-C metadata and search for hook targets +otool -oV Payload/.app/ | egrep 'viewDidLoad|load]|Recovery|Phrase|Wallet|Seed|Mnemonic' +strings -a Payload/.app/ | egrep 'BIP-39|verify.html|WKWebView|UIWebView|dlsym|postByTokenPocket|Rsakey' +``` + +Useful heuristics: + +- **Provisioning-profile delivery chains**: a benign-looking **stub** app can open a browser URL that imitates the App Store and then pushes installation through **enterprise/developer provisioning profiles**. During triage, inspect the delivered IPA and `embedded.mobileprovision`, and on-device check `/Library/MobileDevice/ProvisioningProfiles` for unexpected profiles associated with the test. 
+- **Mach-O load-command injection**: attackers can modify the main executable to add new `LC_LOAD_*` commands that force-load a malicious `.dylib` at startup without changing the visible app flow. Compare the load-command list and `Frameworks/` contents against a known-good release when possible. +- **dyld initializer abuse**: once the library is loaded, look for **Objective-C `+load`** methods or constructor entries in **`__mod_init_func` / `__mod_init_functions`** that run before the user reaches the target screen. These initializers often load config, resolve C2 values, and then install hooks. +- **Objective-C method hijacking**: inspect sensitive view-controller methods such as `-viewDidLoad`, `viewWillAppear:`, validation routines, or wallet restore/import flows. Swizzled/replaced methods commonly traverse subviews, extract mnemonic words, and exfiltrate them while still calling the original implementation to preserve UX. +- **Custom executable sections**: not all implants rely on normal constructors. A modified app may contain a non-standard executable section such as **`__hook`** with trampoline code that calls `dlsym`, resolves symbols from a malicious library, executes attacker logic, and then jumps back to the original method. +- **Local WebView phishing**: cold-wallet companion apps may not expose private keys directly, so malicious builds often render a native-looking `WKWebView` / `UIWebView` over a local HTML resource such as `verify.html`. Search bundled resources for **BIP-39** word lists, autocomplete logic, fake "security check" prompts, and JavaScript-to-native bridges that hand the seed phrase back to Objective-C/Swift. +- **React Native implants**: for RN apps, review navigator definitions and added screens for phishing-only flows triggered after a realistic state change (for example, after device pairing). 
Interesting markers include screen names such as `MnemonicVerifyScreen`, persisted retry state like `verify-wallet-pending.json`, and background jobs that resume exfiltration on restart. + +If the goal is to confirm exfiltration logic, focus on the repeated pattern: **collect mnemonic words from UI elements or a phishing form, concatenate them, encrypt them, Base64-encode the result, and send it over HTTP together with wallet/app metadata**. + ### USB-only access to the injected implant If the injected DYLIB exposes a local TCP control channel, you can keep traffic **off Wi-Fi/cellular** and forward it over USB: @@ -211,5 +244,8 @@ MobSF will automatically deploy the binary, enable a Frida server inside the app - Mobile Security Framework (MobSF): - [https://github.com/test1ng-guy/iOS-sandbox-explorer](https://github.com/test1ng-guy/iOS-sandbox-explorer) - [https://github.com/Saurabh221662/GadgetInjector](https://github.com/Saurabh221662/GadgetInjector) +- [https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/](https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/) +- [https://securelist.com/sparkkitty-ios-android-malware/116793/](https://securelist.com/sparkkitty-ios-android-malware/116793/) +- [https://www.eset.com/in/about/newsroom/press-releases/research/eset-research-discovers-scheme-to-steal-cryptocurrency-from-android-and-iphone-users/](https://www.eset.com/in/about/newsroom/press-releases/research/eset-research-discovers-scheme-to-steal-cryptocurrency-from-android-and-iphone-users/) {{#include ../../banners/hacktricks-training.md}}
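Review bot: the triage commands in the first hunk's `bash` block cannot run as written, because every `otool` and `strings` invocation targets `Payload/.app/`, a path with the bundle name and the executable name missing, so `otool -l Payload/.app/` points at a directory rather than a Mach-O file, and the IPA is only listed (`unzip -l suspicious.ipa`) but never extracted before those commands run. Suggest an explicit extraction step and a real binary path, for example `unzip -q suspicious.ipa -d out && cd out` and then `otool -l Payload/<App>.app/<App> | grep -E 'LC_LOAD_DYLIB|LC_LOAD_WEAK_DYLIB|name '`, and the same `Payload/<App>.app/<App>` form for the `otool -l`, `otool -oV` and `strings -a` lines; `grep -E` is preferable to `egrep`, which current GNU grep flags as obsolescent. The `egrep 'name '` filter will also match the `name` field of other load commands such as `LC_ID_DYLIB` and `LC_LOAD_DYLINKER`, so a sentence telling the reader to compare the list against a known-good build (as the "Mach-O load-command injection" bullet already says) belongs next to the command, not only in the heuristics list.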
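Review bot: the three new reference links at the end of the list (Securelist FakeWallet, Securelist SparkKitty, ESET press release) are not cited anywhere in the new `Inspect trojanized sideloaded IPAs` section, so campaign-specific markers that section presents as general heuristics (`postByTokenPocket`, `Rsakey`, `verify.html`, `MnemonicVerifyScreen`, `verify-wallet-pending.json`) lose their provenance and a reader cannot tell which indicator comes from which report. Suggest citing the FakeWallet write-up inline where those strings are introduced, or grouping the three links under a short label in the list, and while touching this list the unchanged `- Mobile Security Framework (MobSF):` context line still has no URL after it and could be completed in the same commit.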