360 nirvanteam · 2015/10/29 10:10
0x00 Preface
The Youmi advertising platform is owned by Youmi™, a leading mobile messaging service provider headquartered in Guangzhou, where its R&D center is also located, with a branch office in Beijing. Youmi advertising holds its own core technologies and complete intellectual property rights, and has been granted a number of national patents. It is far ahead in key areas such as user feature recognition, accurate delivery, client cheating prevention and intelligent advertising delivery. Targeting 700 million mobile phone users, Youmi Advertising is committed to providing accurate product marketing and brand promotion services to tens of thousands of corporate advertisers, and to creating fair and high-quality advertising revenue for application developers.
Website: https://www.youmi.net/
Recently, SourceDNA researchers found that some iOS apps bundling the Youmi SDK collect users' private data, in the following four categories:
- the list of apps installed on the user's phone;
- the device's platform serial number, on older iOS versions;
- the device's hardware components and their serial numbers, on newer iOS versions;
- the user's Apple ID email address.
Later, SourceDNA updated the explanation on its Weibo account, clarifying whether the Apple ID had actually been obtained:
https://sourcedna.com/blog/20151018/ios-apps-using-private-apis.html
Our Nirvanteam also carried out a detailed technical analysis of this, which follows.
0x01 Obtaining the iOS SDK through social engineering
At present the SDK is not easy to find online, and Youmi is also in the process of updating it.
In the end we obtained the SDK through social engineering.
0x02 SDK analysis details
After obtaining the SDK, the URLs could not be found by running strings on it directly, because they are stored encoded; they were found by intercepting the SDK's network traffic and then located in the binary. The URLs are:
- http://ios.wall.youmi.net (the endpoint the collected data is sent to)
- http://stat.gw.youmi.net
- http://au.youmi.net/offer/ios/offers.manifest
- http://t.youmi.net
Analyzing the SDK, we found that it makes a large number of private API calls.
Private APIs are the APIs found in the PrivateFrameworks. Apple generally does not allow apps to use them, and it is not uncommon for an app to be rejected in review for calling a private API. However, Apple's review process is not transparent, and many apps that use private APIs are approved; the Google Voice app, for example, uses private APIs and was approved. Even iBooks, Apple's pre-installed app, was revealed to use a number of private APIs to do things that third-party apps are prevented from doing, such as controlling screen brightness and calling up the dictionary.
Reverse analysis of the SDK:
Tracing back from the URLs to the data being sent, the function sub_2DE18 gathers the various pieces of information, as follows:
1) Code that obtains the serial number:
```objc
// Decompiled (sub_2DE18): look up the platform expert device in the IORegistry and read its serial number
io_service_t platformExpert = IOServiceGetMatchingService(kIOMasterPortDefault,
                                                          IOServiceMatching("IOPlatformExpertDevice"));
CFStringRef strref = CFStringCreateWithCString(kCFAllocatorDefault, IOPlatformSerialNumber_v64, 0x600); // creates an immutable string from a C string
CFTypeRef SerialNumberAsCFString = IORegistryEntryCreateCFProperty(platformExpert, CFSTR("IOPlatformSerialNumber"), kCFAllocatorDefault, 0);
if (SerialNumberAsCFString) {
    CFTypeID typeid = CFGetTypeID(SerialNumberAsCFString);
    if (typeid == CFStringGetTypeID()) {
        [NSString stringWithString:(NSString *)SerialNumberAsCFString]; // yields the serial number (5K152FX7A4S on the test device)
    }
}
```
2) Information about the various devices is obtained mainly through the following function:
```objc
getinfo_from_devicename_and_togetdict_infosub_1EC88(DeviceName, dict_v8);
```
It is passed the device name and a dictionary: the device name selects which IORegistry entry to read, and that entry's properties are stored into the dictionary. The function's code is as follows:
```objc
// Decompiled (sub_1EC88): walk the IOService plane, compare each entry's name with DeviceName
// and copy the matching entry's property dictionary
io_iterator_t iterator, iterator2;
IORegistryEntryGetChildIterator(result2, "IOService", &iterator);
io_iterator_t t = IOIteratorNext(iterator);
char name[20];
IORegistryEntryGetNameInPlane(result2, "IOService", name);
if ([DeviceName isEqualToString:name])   // decompiler output; name is a C string at this point
{
    CFTypeRef data;
    IORegistryEntryCreateCFProperties(result2, &data, kCFAllocatorDefault, 0);
    if (CFGetTypeID(data) == CFDictionaryGetTypeID())
    {
        // …………
```
For example, the following device names are looked up:
- Battery: battery-id
- Camera: AppleH4CamIn
- iOS accelerometer
- Wi-Fi information: wlan
- Bluetooth information
- Device characteristics (TLC or MLC memory): ASPStorage disk
- Number of charges: AppleARMPMUCharger
The collected device information is stored as a dictionary in the file APP/Library/.XABCD/nidayue, and whatever information is needed later is read from there.
The file is written from handlers registered for app lifecycle notifications, which are set up in the following function:
```c
void __cdecl -[ChargerClinkeredConcertedly catalogueChoraleAlamo](struct ChargerClinkeredConcertedly *self, SEL a2)
{
    struct ChargerClinkeredConcertedly *v2;
    void *v3;
    void *v4;

    v2 = self;
    // when the app terminates, -approvementAviateBefitted: is invoked (writes the collected info file)
    v3 = objc_msgSend(&OBJC_CLASS___NSNotificationCenter, "defaultCenter");
    objc_msgSend(v3, "addObserver:selector:name:object:",
                 v2, "approvementAviateBefitted:", UIApplicationWillTerminateNotification, 0);
    // when the app resigns active (goes to the background), -consummatingCreators: is invoked
    v4 = objc_msgSend(&OBJC_CLASS___NSNotificationCenter, "defaultCenter");
    objc_msgSend(v4, "addObserver:selector:name:object:",
                 v2, "consummatingCreators:", UIApplicationWillResignActiveNotification, 0);
}
```
So after the app is installed, the file is written when the app is closed or sent to the background with the home button.
3) Obtaining the UUID
4) Advertising identifier (IDFA, Identifier for Advertisers)
```objc
[ASIdentifierManager sharedManager]
```
The ASIdentifierManager singleton provides the advertisingIdentifier method, which returns an instance of the NSUUID mentioned above:
```objc
NSString *adId = [[[ASIdentifierManager sharedManager] advertisingIdentifier] UUIDString];
```
5) Screen size (960*640), obtained through:
```objc
[[UIScreen mainScreen] bounds]
[[UIScreen mainScreen] scale]
CGRectGetHeight
CGRectGetWidth
```
6) Obtaining the phone model, as shown below:
In the function above, when *servicename_A1 is hw.machine, the hardware information returned is the device model, e.g. iPhone3,1.
0x03 Hazard Analysis
Through analysis, the SDK was found to obtain the following information (tested on an iPhone 4 running iOS 7.1.2):
- Wi-Fi information of the device (SSID is the name of the wireless AP):
```
BSSID = "d0:fa:1d:20:a:f8"; SSID = "360WIFI-200AF8"; SSIDDATA = <33363057 6946692d 32303041 4638>;
```
- Serial number: IOPlatformSerialNumber 5K152FX7A4S
- Battery information: Battery-id
- Camera information
- iOS acceleration sensor: Low-temp-Accel-offset
- Bluetooth information: Wifi-module-sn
- Device characteristics: TLC or MLC memory
- UUID: a2ab842508133b62b680b5f9efa1cd51
- Number of charges: CycleCount
- Advertising identifier (IDFA): 112fb7fe79fb4b7abf7a8e2ecaf57147
- UDID: 7a32771c3adf2ad0564c3cb2d6920bc6ef9818b7
- Screen size: 960 x 640
- Mobile device model: iPhone3,1
- Jailbreak status, determined by checking process names, the installed app bundle ID table and loaded modules for iGrimace, org.ioshack.iGrimace and the like
- Device name information:
```
Device:iPhone3,1 Jailbreak:1 OS:iPhone OS Version:7.1.2 Name:"Panda" iPhone Model:iPhone
```
These fields are collected, compressed with Deflate, and then sent after a hybrid encryption. The encryption flow is shown in the figure.
After encryption, the data is embedded in the URL and sent out via POST.
The captured request is as follows:
```
NSURLConnection_start {
    cookie = "";
    data = "";
    host = "ios.wall.youmi.net";
    method = GET;
    mime = "";
    url = "Http://ios.wall.youmi.net/v3/reqf?s=1, 5, 8 aa2a777452acf72, lyOU, 1, bfDG9lgEuEfsVbWHLjyNZ - ESDTPXoRHqPZvukpsNiA9esOWBJTHnmel JwR4Mzd-tYlsbO1ROsjJAYN35ngXjNvMqdtMKUu2czR4hRqws3pU2UGYPMY6Z2Z-XGzxqhb9o1gJmB2cNMfczHb4Lu8ji7e5gOu-VQjLZiXCHEnMdls-OOyb 5e2wtU-wsQtK.Q0v6S692Tr-Qp8k-YcYMJ47vqcsnCJJdzehyw4W-uee7pHmmJJU1.jxMeHEKT4BpL8flP338p3HPN5Zx5DoAzEmNRdlvPui7LZiHyOxL0r8 adyZyJDkfAn8qE6PDBWmK1MUQ1jWa6ghwR4bPVQmrCMZcq6a1RUZzTJVKMQOokMswhs.JdRBIZMyyUrBuRf1IcHECc.Rj1jL1IdiwTdZaDLAzcLiKDMK3Pn2 22 k160lvqg6xhnazmw6gs. 9.0 yc. KZmbsUKZ7MZ5dCliJY8Izkk9A2SGpLI4zQ5MML5XPnobSVHlVQQ4tN4khqvAXVAJwLK91YdxrhFae1fNoi5BaCpj7fSn zRjF1j46Lygnv4DgT890oljclyzBgxbxBFrwuqV8tc1VpGqMvnX6sDlGVonzGOQnd9Yjwm3d3CE3PYwCSC1jafsTlw8AhwsyZ6E5gKqio4B-JlLavdFZF4xP fP4YeQngzZRAijN3QUXYT7ZVB5f5C9NdrDdrnmZTLx5B7jChaUbdI5sTs4zNXgaGUzFYOxmgxlxdxZGN6TSUMUS7k9SEygV0tAI-uARcuF1MSE.o76aoRR1J mtSPDSI7yPL1ooo2-CeLEOhQCzcgNrrkdx.ZL6LRyWkyOXcGISiaWKWFh0BAtzv2mFhBvArj7d1MsKMY57suR58v8rugnnEeFBtfNDKK7lQrZAKKfm7iGv-x mJ4f3DFtqo4OYOE0.Q8uSQblgnK24F3-x&p=1&n=100&nshw=1";
}
```
The decrypted content is as follows:
```
{
    3gst = "";
    acc = "0.000000, 0.000000, 0.000000";
    accos = 1000010000000000c4bc1300612003004e260900;
    aicid = 47a903bcec614984acd1d0f88039d34a;
    apn = None;
    av = "1.0";
    batsn = ae15041460753d1420;
    bcsn = "";
    bsi = "";
    bssid = ec26cad6e5a;
    btsn = "";
    cc = CN;
    chn = 0;
    chrcy = "";
    cid = "eIyoH-ZvBqO_f";
    cn = 2;
    dd = "Device:iPhone3,1 Jailbreak:1 OS:iPhone OS Version:7.1.2 Name:\U201cpanda\U201d\U7684 iPhone Model:iPhone";
    ddn = "\U201cpanda\U201d\U7684 iPhone";
    ext = {
        attr = 195;
        it = 1;
        nshw = 1;
        reqt = 0;
        rtype = 1;
        sat = 3;
        wat = 3;
    };
    fcsn = "";
    gyo = "0.000000, 0.000000, 0.000000";
    hv = 2;
    ifa = 112fb7fe79fb4b7abf7a8e2ecaf57147;
    ifat = 1;
    ifst = 3155986;
    ise = 0;
    jb = 1;
    kernid = a2ab842508133b62b680b5f9efa1cd51;
    lat = "0.00";
    lc = "zh-Hans";
    lon = "0.00";
    mac = "";
    mcc = "";
    mmcid = "";
    mnc = "";
    mod = iPhone;
    odfa = "";
    oifa = 112fb7fe79fb4b7abf7a8e2ecaf57147;
    osv = "7.1.2";
    pd = 3;
    pn = "feng.YouMiWallSample";
    po = "iPhone OS";
    rb = "1.000000";
    rt = 1445444547;
    sh = 960;
    smv = 1;
    sn = 5K152FX7A4S;
    spc = "";
    ssid = "TP-LINK_2510";
    sv = "5.3.0";
    sw = 640;
    tid = 005ecs1rcn0k1dltd0o8dngsruf;
    ts = 0;
    udid = 7a32771c3adf2ad0564c3cb2d6920bc6ef9818b7;
    usb = 2;
    user = "this is user";
    vpn = 0;
    wifisn = "";
}
```
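To triage a decrypted payload like the one above, or the Wi-Fi fragment listed in 0x03, it helps to parse the NSDictionary description format the SDK logs in (`{ key = value; }`, quoted strings with `\Uxxxx` escapes, `<hex>` NSData dumps, nested dictionaries) and list the identifier fields it carries. The following Python is an added example, not code from the original analysis or from the Youmi SDK; the field meanings in SENSITIVE_KEYS are our reading of the captures above, and the two sample strings are constructed from values on this page.

```python
import re
from typing import Any, Dict, List, Tuple

# Payload fields that carry device or user identifiers (names taken from the captures above).
SENSITIVE_KEYS = {
    "sn": "hardware serial number (IOPlatformSerialNumber)",
    "udid": "device UDID",
    "ifa": "advertising identifier (IDFA)",
    "kernid": "UUID",
    "bssid": "Wi-Fi access point BSSID", "BSSID": "Wi-Fi access point BSSID",
    "ssid": "Wi-Fi SSID", "SSID": "Wi-Fi SSID", "SSIDDATA": "Wi-Fi SSID (raw bytes)",
    "batsn": "battery serial number",
    "ddn": "user-chosen device name",
    "jb": "jailbreak flag",
}

# Tokens of the NSDictionary description format: quoted strings (with \Uxxxx escapes), <hex> NSData dumps,
# punctuation and bare words.
_TOKEN_RE = re.compile(r'''
      \s+                        # whitespace, skipped
    | "((?:[^"\\]|\\.)*)"        # 1: quoted string
    | <([0-9a-fA-F\s]*)>         # 2: NSData hex dump
    | ([{}()=;,])                # 3: punctuation
    | ([^\s{}()=;,"<>]+)         # 4: bare token
''', re.VERBOSE)

def _unescape(s: str) -> str:
    s = re.sub(r"\\U([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return s.replace('\\"', '"').replace("\\\\", "\\")

def tokenize(text: str) -> List[Tuple[str, Any]]:
    tokens, pos = [], 0
    while pos < len(text):
        m = _TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"unexpected character at offset {pos}: {text[pos]!r}")
        pos = m.end()
        if m.group(1) is not None:
            tokens.append(("str", _unescape(m.group(1))))
        elif m.group(2) is not None:
            tokens.append(("data", bytes.fromhex("".join(m.group(2).split()))))
        elif m.group(3) is not None:
            tokens.append(("punct", m.group(3)))
        elif m.group(4) is not None:
            tokens.append(("bare", m.group(4)))
    return tokens

def parse_description(text: str) -> Any:
    """Parse a { key = value; ... } description (nested dictionaries allowed) into Python objects."""
    toks, pos = tokenize(text), [0]

    def peek():
        return toks[pos[0]] if pos[0] < len(toks) else ("eof", None)

    def expect(val):
        if peek() != ("punct", val):
            raise ValueError(f"expected {val!r} at token {pos[0]}, got {peek()}")
        pos[0] += 1

    def value():
        kind, val = peek()
        if (kind, val) == ("punct", "{"):
            pos[0] += 1
            out = {}
            while peek() != ("punct", "}"):
                key_kind, key = peek()          # keys are bare words or quoted strings
                if key_kind not in ("bare", "str"):
                    raise ValueError(f"bad dictionary key {key!r} at token {pos[0]}")
                pos[0] += 1
                expect("=")
                out[key] = value()
                expect(";")
            pos[0] += 1
            return out
        if kind in ("str", "data", "bare"):
            pos[0] += 1
            return val
        raise ValueError(f"unexpected token {(kind, val)} at {pos[0]}")

    result = value()
    if pos[0] != len(toks):
        raise ValueError("trailing tokens after top-level value")
    return result

def find_identifiers(payload: Dict[str, Any], prefix: str = "") -> List[Tuple[str, str, Any]]:
    """Return (path, meaning, value) for every non-empty identifier field, recursing into nested dicts."""
    hits = []
    for key, val in payload.items():
        if isinstance(val, dict):
            hits.extend(find_identifiers(val, prefix + key + "."))
        elif key in SENSITIVE_KEYS and val not in ("", b""):
            hits.append((prefix + key, SENSITIVE_KEYS[key], val))
    return hits

# Constructed samples reproducing fragments of the captures above (values copied from the page).
WIFI_SAMPLE = r'{ BSSID = "d0:fa:1d:20:a:f8"; SSID = "360WIFI-200AF8"; SSIDDATA = <33363057 6946692d 32303041 4638>; }'
PAYLOAD_SAMPLE = r'''{ acc = "0.000000, 0.000000, 0.000000"; bssid = ec26cad6e5a; cc = CN;
  dd = "Device:iPhone3,1 Jailbreak:1 OS:iPhone OS Version:7.1.2 Name:\U201cpanda\U201d\U7684 iPhone Model:iPhone";
  ddn = "\U201cpanda\U201d\U7684 iPhone"; ext = { attr = 195; it = 1; }; ifa = 112fb7fe79fb4b7abf7a8e2ecaf57147;
  jb = 1; kernid = a2ab842508133b62b680b5f9efa1cd51; mac = ""; osv = "7.1.2"; pn = "feng.YouMiWallSample";
  sn = 5K152FX7A4S; ssid = "TP-LINK_2510"; udid = 7a32771c3adf2ad0564c3cb2d6920bc6ef9818b7; }'''
```

Calling `find_identifiers(parse_description(PAYLOAD_SAMPLE))` returns eight hits (bssid, ddn, ifa, jb, kernid, sn, ssid, udid); the empty `mac` field is skipped and the nested `ext` dictionary is walked but contributes nothing. On WIFI_SAMPLE the `<hex>` dump decodes to the bytes of the SSID, which is how one confirms that SSIDDATA and SSID carry the same value.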
0x04 Results and Summary
By scanning a large number of samples, a total of 1,035 iOS apps were found to be affected; for the specific version information, see the separate document.
1) The Youmi SDK is used mainly to gather statistics on the device types in use, in order to judge the market and profit from it.
2) Static scanning for private APIs is of little use: such apps generally pass Apple review because the private API references have been processed (obfuscated), so private API use should be checked by dynamic hooking instead.
3) Private APIs are generally called during the app's start-up phase, so automated dynamic scanning of apps while they start up is feasible.
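Conclusion 2) says static scanning is of limited use, and 0x02 notes that strings did not reveal the SDK's URLs because they are stored encoded. The following Python is an added example, not code from the original analysis, showing both sides of that: a strings-style pass over a binary blob finds the IOKit symbol names and IORegistry entry names from the analysis above, but misses the URL once it is stored encoded. The indicator lists are taken from this page; the two blobs are constructed stand-ins for a Mach-O, and base64 is used only to illustrate "encoded" (the page does not say which encoding the SDK used).

```python
import base64
import re
from typing import Dict, List

# Indicators taken from the analysis above: IOKit symbol names, IORegistry entry names
# and the SDK's hostnames. These are the strings a plain strings-style pass would see.
IOKIT_SYMBOLS = {
    "IOServiceMatching", "IOServiceGetMatchingService", "IOIteratorNext",
    "IORegistryEntryCreateCFProperty", "IORegistryEntryCreateCFProperties",
    "IORegistryEntryGetChildIterator", "IORegistryEntryGetNameInPlane",
}
IOREGISTRY_NAMES = {"IOPlatformExpertDevice", "IOPlatformSerialNumber", "AppleH4CamIn",
                    "AppleARMPMUCharger", "ASPStorage"}
HOST_INDICATORS = ("youmi.net",)

def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Printable-ASCII runs of at least min_len bytes, like the strings tool."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]

def scan_blob(blob: bytes) -> Dict[str, List[str]]:
    """Classify the extracted strings by indicator category (sorted, de-duplicated)."""
    report: Dict[str, List[str]] = {"iokit_symbols": [], "ioregistry_names": [], "hosts": []}
    for s in extract_strings(blob):
        if s in IOKIT_SYMBOLS:
            report["iokit_symbols"].append(s)
        elif s in IOREGISTRY_NAMES:
            report["ioregistry_names"].append(s)
        elif any(h in s for h in HOST_INDICATORS):
            report["hosts"].append(s)
    return {k: sorted(set(v)) for k, v in report.items()}

def looks_like_private_iokit_use(report: Dict[str, List[str]]) -> bool:
    """An IOKit call plus an IORegistry entry name is the pattern seen in the SDK above."""
    return bool(report["iokit_symbols"]) and bool(report["ioregistry_names"])

def _fake_binary(*strings: bytes) -> bytes:
    """Constructed stand-in for a Mach-O: opaque bytes around NUL-terminated C strings."""
    return b"\xcf\xfa\xed\xfe" + b"\x00".join(strings) + b"\x00" + bytes(range(32))

URL = b"http://ios.wall.youmi.net/v3/reqf"
# Sample 1 (constructed): symbol names and the URL stored in the clear.
PLAIN_SAMPLE = _fake_binary(b"IOServiceGetMatchingService", b"IORegistryEntryCreateCFProperty",
                            b"IOPlatformExpertDevice", b"IOPlatformSerialNumber", URL,
                            b"UIApplicationWillTerminateNotification")
# Sample 2 (constructed): same symbols, but the URL stored encoded. Base64 is an arbitrary
# illustration of "encoded"; the page does not say which encoding the SDK used.
ENCODED_SAMPLE = _fake_binary(b"IOServiceGetMatchingService", b"IORegistryEntryCreateCFProperty",
                              b"IOPlatformExpertDevice", b"IOPlatformSerialNumber",
                              base64.b64encode(URL))
```

`scan_blob(PLAIN_SAMPLE)` reports two IOKit symbols, two IORegistry names and the URL; `scan_blob(ENCODED_SAMPLE)` reports the same symbols and names but an empty hosts list, so the hostname check alone would miss the SDK. Symbol names that are resolved by the dynamic linker remain visible in the binary's import table, which is why `looks_like_private_iokit_use` keys on them; names resolved at runtime from obfuscated strings do not, and that is the gap the dynamic-hook approach in 2) and 3) is meant to close.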
Attachment: Youmi iOS malicious SDK infection list