Spyware detection methodologies on iOS

(@giuseppem)
Posts: 24
Eminent Member
Topic starter
 

Good evening!

As per the subject, I would like to know which is the best/right way to detect spyware on an iOS system.
I'm analyzing an iPhone on behalf of the Public Prosecutor. The goal is to determine if spyware has been installed, because the victim has reported being controlled by her former boyfriend. She reported that he was aware of her SMS and chats and always knew where she was.
I already performed a file system acquisition of the device and I also performed a virus scan on this image with the antimalware embedded in UFED Physical Analyzer (nothing detected). I also looked one by one at the list of installed applications. Obviously, this is not enough. I emphasize that the cell phone is that of the victim and not of the suspect.

Which way can I proceed further?

 
Posted : 29/06/2017 2:43 am
Igor_Michailov
(@igor_michailov)
Posts: 529
Honorable Member
 

Is the iPhone jailbroken?

 
Posted : 29/06/2017 3:03 am
(@giuseppem)
Posts: 24
Eminent Member
Topic starter
 

Is the iPhone jailbroken?

No, from what I have seen it is not jailbroken.

 
Posted : 29/06/2017 12:48 pm
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
 

As iOS itself is heavily safeguarded (e.g. every app is sandboxed), I would focus on finding a removed spy app. As an app can be installed with a second Apple ID and, after logging out, it's difficult to find this app.

Do you have the timeline out of the iCloud app backup?

 
Posted : 29/06/2017 2:10 pm
(@giuseppem)
Posts: 24
Eminent Member
Topic starter
 

I would focus on finding a removed spy app.

Ok. But if the spy app is removed, how can it spy on the phone?

Do you have the timeline out of the iCloud app backup?

I have performed the advanced logical extraction method with UFED. Where can I find the timeline of the iCloud backup?

 
Posted : 30/06/2017 1:12 pm
SamBrown
(@sambrown)
Posts: 97
Trusted Member
 

I get these cases from time to time and am never really sure what to do with it.
On Android I can at least create a physical dump of (most) phones and run a malware search with PA. But I never actually found anything this way except some false positives.

On a jailbroken iPhone everything is possible, but I think less than 1% of iOS devices I get are jailbroken.

On a non-jailbroken iPhone I would argue that it is almost not possible that there is any spyware installed, as software can only come from the Apple App Store. The only exception is if there is some additional software installed via a developer certificate, but then the sandbox concept is still active, so an app can't access another app's data.
If you look at the Flexispy or mSpy homepages, they state that the iPhone must be jailbroken and be on iOS 9.
So I would argue that if you have an iOS device which is running the (a) current iOS version which cannot currently be jailbroken, then it is almost impossible that you could install spyware on it.

As far as I know, it is also not possible to remove a jailbreak without restoring the iPhone, so it is not possible to jailbreak, install the spyware and then quietly un-jailbreak and leave the spyware running on the phone.

Maybe the attacker knows the iCloud credentials and is able to download the backups. So I would always advise the client to use the latest software version, change their passwords and enable 2-factor authentication.

Of course, the above is only valid for "normal" cases like an ex-partner being suspected of spying. If it is a very, very, very high profile case, I guess everything is possible, see https://en.wikipedia.org/wiki/Pegasus_(spyware). I guess only a handful of devices were infected with Pegasus, since it is very expensive if zero-day exploits are burned.

 
Posted : 30/06/2017 1:38 pm
(@droopy)
Posts: 136
Estimable Member
 

Check if the iCloud password is compromised.

 
Posted : 30/06/2017 7:00 pm
(@giuseppem)
Posts: 24
Eminent Member
Topic starter
 

Maybe the attacker knows the iCloud credentials and is able to download the backups. So I would always advise the client to use the latest software version, change their passwords and enable 2-factor authentication.

I know for sure that the suspect knew the victim's iCloud credentials. When the suspect downloads the backup, will he be able to open it with any iTunes installation? Generally, when you connect the iPhone to the PC, you have to authorize that PC.

Check if the iCloud password is compromised.

Yes, it is.

So at this point, for future cases, can you tell me what you do to check whether an iPhone is currently jailbroken?

 
Posted : 01/07/2017 11:33 am
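One way to approach the last question offline, as an added example that is not part of this thread or of any Cellebrite tool: scan an extracted iOS file-system image for well-known jailbreak artifacts (Cydia, MobileSubstrate, apt, OpenSSH) and list any MobileSubstrate tweaks present. The indicator paths are standard ones, not taken from the thread, and the sample "image" is a constructed temporary directory.

```python
"""Scan an extracted iOS file-system image for well-known jailbreak artifacts."""
import tempfile
from pathlib import Path

# Well-known jailbreak artifacts (Cydia, MobileSubstrate, apt, OpenSSH). These
# are standard indicator paths, not values taken from the forum thread.
JAILBREAK_INDICATORS = {
    "Applications/Cydia.app": "Cydia package manager",
    "Library/MobileSubstrate/MobileSubstrate.dylib": "MobileSubstrate hooking framework",
    "Library/MobileSubstrate/DynamicLibraries": "MobileSubstrate tweak directory",
    "private/var/lib/apt": "apt package database",
    "private/var/lib/cydia": "Cydia state directory",
    "private/var/stash": "stash directory used by older jailbreaks",
    "bin/bash": "bash shell (absent on stock iOS)",
    "usr/sbin/sshd": "OpenSSH daemon",
}

def _candidates(root, rel):
    # Extracted images often lose the /var -> /private/var symlink, so check both.
    yield root / rel
    if rel.startswith("private/var/"):
        yield root / rel[len("private/"):]

def scan_for_jailbreak(root):
    """Return sorted (indicator, description) pairs for artifacts present under root.
    An empty result is not proof of a clean device: a jailbreak can be hidden or
    removed, and the account may have been compromised via iCloud credentials."""
    root = Path(root)
    hits = [(rel, desc) for rel, desc in JAILBREAK_INDICATORS.items()
            if any(p.exists() for p in _candidates(root, rel))]
    return sorted(hits)

def list_tweaks(root):
    """Names of MobileSubstrate tweaks (.dylib) found in the extracted image."""
    tweak_dir = Path(root) / "Library/MobileSubstrate/DynamicLibraries"
    return sorted(p.stem for p in tweak_dir.glob("*.dylib")) if tweak_dir.is_dir() else []

def build_demo_image(jailbroken):
    """Constructed sample extraction (not a real acquisition) for demonstration."""
    root = Path(tempfile.mkdtemp(prefix="ios_fs_"))
    for rel in ("Applications/MobileSMS.app", "var/mobile/Library/SMS"):
        (root / rel).mkdir(parents=True)
    if jailbroken:
        for rel in ("Applications/Cydia.app", "var/lib/apt",
                    "Library/MobileSubstrate/DynamicLibraries", "usr/sbin"):
            (root / rel).mkdir(parents=True)
        (root / "Library/MobileSubstrate/DynamicLibraries/ExampleTweak.dylib").touch()
        (root / "usr/sbin/sshd").touch()
    return root

if __name__ == "__main__":
    for flag in (False, True):
        img = build_demo_image(flag)
        print(f"jailbroken={flag}: {scan_for_jailbreak(img)} tweaks={list_tweaks(img)}")
```

Point `scan_for_jailbreak` at the root of a real file-system extraction to triage it; a hit is a lead to examine, and the tweak list is where a spy tweak on a jailbroken device would show up by name.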