Spyware detection methodologies on iOS  

giuseppem
(@giuseppem)
New Member

Good evening!

As per the subject, I would like to know the best/right way to detect spyware on an iOS system.
I'm analyzing an iPhone on behalf of the Public Prosecutor. The goal is to determine if spyware has been installed, because the victim has reported being controlled by her former boyfriend. She reported that he was aware of her SMS and chats and always knew where she was.
I already performed a file system acquisition of the device and I also performed a virus scan on this image with the antimalware embedded in UFED Physical Analyzer (nothing detected). I also looked one by one at the list of installed applications. Obviously, this is not enough. I emphasize that the cell phone is the victim's and not the suspect's.

Which way can I proceed further?

Posted : 29/06/2017 3:43 am
(@igor_michailov)
Senior Member

Is the iPhone jailbroken?

Posted : 29/06/2017 4:03 am
giuseppem
(@giuseppem)
New Member

Is the iPhone jailbroken?

No, from what I have seen it is not jailbroken.

Posted : 29/06/2017 1:48 pm
RolfGutmann
(@rolfgutmann)
Community Legend

As iOS itself is heavily safeguarded (e.g. every app is sandboxed), I would focus on finding a removed spy app. As an app can be installed with a second Apple ID and then logged out, it is difficult to find this app.

Do you have the timeline out of the iCloud app backup?

Posted : 29/06/2017 3:10 pm
giuseppem
(@giuseppem)
New Member

I would focus on finding a removed spy app.

Ok. But if the spy app is removed, how can it spy on the phone??

Do you have the timeline out of the iCloud app backup?

I have performed the advanced logical extraction method with UFED. Where can I find the timeline of the iCloud backup?

Posted : 30/06/2017 2:12 pm
(@sambrown)
Member

I get these cases from time to time and am never really sure what to do with them.
On Android I can at least create a physical dump of (most) phones and run a malware search with PA. But I never actually found anything this way except some false positives.

On a jailbroken iPhone everything is possible, but I think less than 1% of iOS devices I get are jailbroken.

On a non-jailbroken iPhone I would argue that it is almost not possible that there is any spyware installed, as software can only come from the Apple App Store. The only exception is if there is some additional software installed via a developer certificate, but then the sandbox concept is still active, so an app can't access another app's data.
If you look at the Flexispy or mSpy homepage, they state that the iPhone must be jailbroken and be on iOS 9.
So I would argue that if you have an iOS device which is running the (a) current iOS version, which cannot currently be jailbroken, then it is almost impossible that you could install spyware on it.

As far as I know, it is also not possible to remove a jailbreak without restoring the iPhone, so it is not possible to jailbreak, install the spyware and then quietly un-jailbreak and leave the spyware running on the phone.

Maybe the attacker knows the iCloud credentials and is able to download the backups. So I would always advise the client to use the latest software version, change their passwords and enable 2-factor authentication.

Of course, the above is only valid for "normal" cases like an ex-partner being suspected of spying. If it is a very, very, very high profile case, I guess everything is possible, see https://en.wikipedia.org/wiki/Pegasus_(spyware). I guess only a handful of devices were infected with Pegasus since it is very expensive if zero-day exploits are burned.

Posted : 30/06/2017 2:38 pm
droopy
(@droopy)
Active Member

Check if the iCloud password is compromised.

Posted : 30/06/2017 8:00 pm
giuseppem
(@giuseppem)
New Member

Maybe the attacker knows the iCloud credentials and is able to download the backups. So I would always advise the client to use the latest software version, change their passwords and enable 2-factor authentication.

I know for sure that the suspect knew the victim's iCloud credentials. When the suspect downloads the backup, will he be able to open it with any iTunes installation? Generally, when you connect the iPhone to the PC, you have to authorize that PC..

Check if the iCloud password is compromised.

Yes, it is.

So at this point, for future cases, can you tell me what you do to know if an iPhone is currently jailbroken?

Posted : 01/07/2017 12:33 pm
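A triage check for the jailbreak question raised in the last post, as an added example that is not part of the thread or of any poster's tooling: it walks a file system acquisition (assumed to be extracted into a directory) for well-known jailbreak artifacts. The indicator paths are an assumption covering classic Cydia/Substrate-era jailbreaks and are not exhaustive; the sample directory tree is constructed.

```python
"""Triage an extracted iOS file system acquisition for jailbreak artifacts."""
import os
import tempfile

# Well-known jailbreak artifacts, relative to the iOS root. This list is an
# assumption for illustration (classic Cydia/Substrate-era jailbreaks) and is not exhaustive.
JAILBREAK_INDICATORS = {
    "Applications/Cydia.app": "Cydia package manager",
    "Library/MobileSubstrate/MobileSubstrate.dylib": "Cydia Substrate hooking framework",
    "bin/bash": "bash shell (absent on stock iOS)",
    "usr/sbin/sshd": "OpenSSH server",
    "etc/apt": "APT package manager configuration",
    "private/var/lib/apt": "APT package state",
    "private/var/lib/cydia": "Cydia package state",
}
TWEAK_DIR = "Library/MobileSubstrate/DynamicLibraries"


def scan_jailbreak_indicators(root):
    """Return sorted (relative_path, description) pairs for artifacts found under root."""
    hits = []
    for rel, desc in JAILBREAK_INDICATORS.items():
        # lexists also catches dangling symlinks, which jailbreaks often leave behind
        if os.path.lexists(os.path.join(root, rel)):
            hits.append((rel, desc))
    # Any .dylib in the Substrate tweak directory is a code-injecting tweak.
    tweak_dir = os.path.join(root, TWEAK_DIR)
    if os.path.isdir(tweak_dir):
        for name in sorted(os.listdir(tweak_dir)):
            if name.endswith(".dylib"):
                hits.append((f"{TWEAK_DIR}/{name}", "MobileSubstrate tweak"))
    return sorted(hits)


def build_sample_image():
    """Constructed sample: a tiny directory tree mimicking an extracted iOS file system."""
    root = tempfile.mkdtemp(prefix="ios_fs_")
    for rel in ("Applications/MobileSafari.app/MobileSafari",  # stock app, must not trigger
                "Applications/Cydia.app/Cydia",
                "Library/MobileSubstrate/DynamicLibraries/ExampleTweak.dylib",
                "usr/sbin/sshd"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root


if __name__ == "__main__":
    for rel, desc in scan_jailbreak_indicators(build_sample_image()):
        print(f"{rel}: {desc}")
```

Point it at the root of a real extraction to get a first-pass answer; a clean result does not prove the absence of a jailbreak, since newer tools leave different traces.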