Expand Up @@ -95,6 +95,39 @@ Notes:
- The tool can re-sign cross-platform by authenticating with Apple via **SRP** and generating a free dev certificate + provisioning profile. Apple’s **anisette** headers are handled per platform (macOS via `AOSKit.framework`, Linux via Anisette.py, Windows via an external anisette server).
- This **does not** bypass the sandbox. The injected code runs inside the app process and can only access the app’s sandbox and keychain access groups.

### Inspect trojanized sideloaded IPAs

When reviewing an IPA obtained from a **phishing page**, **enterprise/developer provisioning profile**, or an **App Store stub app** that redirects users into Safari, assume the package may be a **trojanized rebuild** of a legitimate app rather than a clean sideload.

Common triage steps:

```bash
# List embedded dynamic libraries / frameworks
unzip -l suspicious.ipa | egrep '(\.dylib$|Frameworks/|embedded.mobileprovision)'

# Inspect load commands looking for injected libraries
otool -l Payload/<App>.app/<App> | egrep 'LC_LOAD_DYLIB|LC_LOAD_WEAK_DYLIB|name '

# Inspect sections for unusual executable content or constructor arrays
otool -l Payload/<App>.app/<App> | egrep 'sectname|segname|__mod_init_func|__TEXT|__DATA'

# Dump Objective-C metadata and search for hook targets
otool -oV Payload/<App>.app/<App> | egrep 'viewDidLoad|load]|Recovery|Phrase|Wallet|Seed|Mnemonic'
strings -a Payload/<App>.app/<App> | egrep 'BIP-39|verify.html|WKWebView|UIWebView|dlsym|postByTokenPocket|Rsakey'
```

Useful heuristics:

- **Provisioning-profile delivery chains**: a benign-looking **stub** app can open a browser URL that imitates the App Store and then pushes installation through **enterprise/developer provisioning profiles**. During triage, inspect the delivered IPA and `embedded.mobileprovision`, and on-device check `/Library/MobileDevice/ProvisioningProfiles` for unexpected profiles associated with the test.
- **Mach-O load-command injection**: attackers can modify the main executable to add new `LC_LOAD_*` commands that force-load a malicious `.dylib` at startup without changing the visible app flow. Compare the load-command list and `Frameworks/` contents against a known-good release when possible.
- **dyld initializer abuse**: once the library is loaded, look for **Objective-C `+load`** methods or constructor entries in **`__mod_init_func` / `__mod_init_functions`** that run before the user reaches the target screen. These initializers often load config, resolve C2 values, and then install hooks.
- **Objective-C method hijacking**: inspect sensitive view-controller methods such as `-viewDidLoad`, `viewWillAppear:`, validation routines, or wallet restore/import flows. Swizzled/replaced methods commonly traverse subviews, extract mnemonic words, and exfiltrate them while still calling the original implementation to preserve UX.
- **Custom executable sections**: not all implants rely on normal constructors. A modified app may contain a non-standard executable section such as **`__hook`** with trampoline code that calls `dlsym`, resolves symbols from a malicious library, executes attacker logic, and then jumps back to the original method.
- **Local WebView phishing**: cold-wallet companion apps may not expose private keys directly, so malicious builds often render a native-looking `WKWebView` / `UIWebView` over a local HTML resource such as `verify.html`. Search bundled resources for **BIP-39** word lists, autocomplete logic, fake "security check" prompts, and JavaScript-to-native bridges that hand the seed phrase back to Objective-C/Swift.
- **React Native implants**: for RN apps, review navigator definitions and added screens for phishing-only flows triggered after a realistic state change (for example, after device pairing). Interesting markers include screen names such as `MnemonicVerifyScreen`, persisted retry state like `verify-wallet-pending.json`, and background jobs that resume exfiltration on restart.

If the goal is to confirm exfiltration logic, focus on the repeated pattern: **collect mnemonic words from UI elements or a phishing form, concatenate them, encrypt them, Base64-encode the result, and send it over HTTP together with wallet/app metadata**.

### USB-only access to the injected implant

If the injected DYLIB exposes a local TCP control channel, you can keep traffic **off Wi-Fi/cellular** and forward it over USB:
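Review bot: the triage block is missing the extraction step that the `otool` and `strings` commands depend on: the first command only lists the archive, but the later ones reference `Payload/<App>.app/<App>` on disk, so add something like `unzip -q suspicious.ipa -d ipa/ && cd ipa/` before them (or note that the IPA must be unpacked first). While touching that block, prefer `grep -E` over `egrep`, which newer GNU grep builds flag as obsolescent. In the heuristics list, `__mod_init_functions` does not match the section name used elsewhere in the hunk (`__mod_init_func`); if the second name is meant to cover a different toolchain output, say which, otherwise drop it to avoid sending readers after a section that does not exist. Finally, the on-device path `/Library/MobileDevice/ProvisioningProfiles` should state which host it refers to; on a jailbroken iOS device installed profiles are normally found under `/private/var/MobileDevice/ProvisioningProfiles`, and the macOS path is `~/Library/MobileDevice/Provisioning Profiles` (with a space), so the current form is ambiguous.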
Expand Down Expand Up @@ -211,5 +244,8 @@ MobSF will automatically deploy the binary, enable a Frida server inside the app
- Mobile Security Framework (MobSF): <https://mobsf.github.io/Mobile-Security-Framework-MobSF/>
- [https://github.com/test1ng-guy/iOS-sandbox-explorer](https://github.com/test1ng-guy/iOS-sandbox-explorer)
- [https://github.com/Saurabh221662/GadgetInjector](https://github.com/Saurabh221662/GadgetInjector)
- [https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/](https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/)
- [https://securelist.com/sparkkitty-ios-android-malware/116793/](https://securelist.com/sparkkitty-ios-android-malware/116793/)
- [https://www.eset.com/in/about/newsroom/press-releases/research/eset-research-discovers-scheme-to-steal-cryptocurrency-from-android-and-iphone-users/](https://www.eset.com/in/about/newsroom/press-releases/research/eset-research-discovers-scheme-to-steal-cryptocurrency-from-android-and-iphone-users/)

{{#include ../../banners/hacktricks-training.md}}
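Review bot: the three new reference entries are bare URL-as-text links, while the existing MobSF entry in the same list gives a descriptive title before the `<URL>`; for consistency and so readers can tell the FakeWallet, SparkKitty and ESET write-ups apart without clicking, give each new entry a short title in the same style (for example `- Securelist, FakeWallet cryptostealer in the iOS App Store: <https://securelist.com/...>`). The section above (`Inspect trojanized sideloaded IPAs`) also cites none of these sources inline; a brief pointer there to which report each heuristic comes from would make the triage advice traceable.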