iPhone Rootkit…fsck!

Here’s a simple directory listing of /usr/bin on my iPhone running 10.1.1 (jailbroken). Can you find anything wrong with it?

Model: iPhone 6S Plus 128GB
iOS v: 10.1.1
Root?: Yes



iPhone:/var/mobile root# ls -laG /usr/bin/
total 23232
drwxr-xr-x 2 root 8942 Jan 28 06:00 .
drwxr-xr-x 12 root 408 Dec 23 08:17 ..
-r-xr-xr-x 1 root 34 Jul 27 2008 7z
-r-xr-xr-x 1 root 35 Jul 27 2008 7za
-rwxr-xr-x 1 root 36928 Sep 29 22:08 DumpBasebandCrash
-rwxr-xr-x 1 root 105312 Oct 13 2015 [
-rwxr-xr-x 1 root 13136 Sep 7 2010 appsearch
-rwxr-xr-x 1 root 81920 Jun 12 2014 apt-cache
-rwxr-xr-x 1 root 30176 Jun 12 2014 apt-cdrom
-rwxr-xr-x 1 root 19440 Jun 12 2014 apt-config
-rwxr-xr-x 1 root 34096 Jun 12 2014 apt-extracttemplates
-rwxr-xr-x 1 root 277632 Jun 12 2014 apt-ftparchive
-rwxr-xr-x 1 root 177408 Jun 12 2014 apt-get
-rwxr-xr-x 1 root 6558 Feb 24 2010 apt-key
-rwxr-xr-x 1 root 3143 Jun 12 2014 apt-mark
-rwxr-xr-x 1 root 46096 Jun 12 2014 apt-sortpkgs
-rwxr-xr-x 1 root 52240 Oct 13 2015 arch
-rwxr-xr-x 1 mobile 50912 Jan 29 2016 asu_inject
-rwxr-xr-x 1 root 18483 Oct 18 2015 autopoint
-rwxr-xr-x 1 root 105488 Oct 13 2015 base64
-rwxr-xr-x 1 root 105104 Oct 13 2015 basename
-r-xr-xr-x 1 root 6823 Jan 7 2016 bashbug
-rwxr-xr-x 1 root 191664 Sep 23 19:46 brctl
-rwxr-xr-x 1 root 3667 Oct 6 2015 c_rehash
lrwxrwxrwx 1 root 3 Dec 23 02:17 captoinfo -> tic
-rwxr-xr-x 1 root 49856 Jul 22 2016 cfversion
-rwxr-xr-x 1 root 125072 Oct 13 2015 chcon
-rwxr-xr-x 1 root 13712 Sep 6 2013 chflags
lrwxrwxrwx 1 root 6 Dec 23 02:17 chfn -> chpass
lrwxr-xr-x 1 root 10 Jan 6 09:22 chown -> /bin/chown
lrwxrwxrwx 1 root 6 Dec 23 02:17 chsh -> chpass
-rwxr-xr-x 1 root 105104 Oct 13 2015 cksum
-rwxr-xr-x 1 root 50336 Oct 14 2015 clear
-rwxr-xr-x 1 root 28256 Apr 11 2009 cmp
-rwxr-xr-x 1 root 105856 Oct 13 2015 comm
-rwxr-xr-x 1 root 26992 Sep 6 2013 compress
-rwxr-xr-x 1 root 176784 Oct 13 2015 csplit
-rwxr-xr-x 1 root 172384 Oct 17 2015 curl
-rwxr-xr-x 1 root 5184 Oct 17 2015 curl-config
-rwxr-xr-x 1 root 107152 Oct 13 2015 cut
lrwxr-xr-x 1 root 58 Dec 23 07:55 cycc -> /Library/Frameworks/CydiaSubstrate.framework/Commands/cycc
lrwxr-xr-x 1 root 61 Dec 23 07:55 cynject -> /Library/Frameworks/CydiaSubstrate.framework/Commands/cynject
-r-xr-xr-x 1 root 50400 Oct 14 2015 db_archive
-r-xr-xr-x 1 root 50640 Oct 14 2015 db_checkpoint
-r-xr-xr-x 1 root 50688 Oct 14 2015 db_codegen
-r-xr-xr-x 1 root 50672 Oct 14 2015 db_deadlock
-r-xr-xr-x 1 root 50640 Oct 14 2015 db_dump
-r-xr-xr-x 1 root 51152 Oct 14 2015 db_hotbackup
-r-xr-xr-x 1 root 50928 Oct 14 2015 db_load
-r-xr-xr-x 1 root 86416 Oct 14 2015 db_printlog
-r-xr-xr-x 1 root 50624 Oct 14 2015 db_recover
-r-xr-xr-x 1 root 50448 Oct 14 2015 db_stat
-r-xr-xr-x 1 root 50464 Oct 14 2015 db_upgrade
-r-xr-xr-x 1 root 50464 Oct 14 2015 db_verify
-rwxr-xr-x 1 root 14080 Aug 22 2010 deviceinfo
-rwxr-xr-x 1 root 143296 Oct 13 2015 df
-rwxr-xr-x 1 root 108400 Apr 11 2009 diff
-rwxr-xr-x 1 root 28256 Apr 11 2009 diff3
-rwxr-xr-x 1 root 105728 Oct 13 2015 dircolors
-rwxr-xr-x 1 root 104992 Oct 13 2015 dirname
-rwxr-xr-x 1 root 12636 Dec 24 2010 doNotify
-rwxr-xr-x 1 root 220224 Jun 19 2016 dpkg
-rwxr-xr-x 1 root 130304 Jun 19 2016 dpkg-deb
-rwxr-xr-x 1 root 4487 Jun 19 2016 dpkg-name
-rwxr-xr-x 1 root 130784 Jun 19 2016 dpkg-query
-rwxr-xr-x 1 root 71856 Jun 19 2016 dpkg-split
-rwxr-xr-x 1 root 112240 Jun 19 2016 dpkg-trigger
-rwxr-xr-x 1 root 191584 Jun 19 2016 dselect
-rwxr-xr-x 1 root 178736 Oct 13 2015 du
-rwxr-xr-x 1 root 105088 Oct 13 2015 env
-rwxr-xr-x 1 root 70288 Oct 18 2015 envsubst
-rwxr-xr-x 1 root 105488 Oct 13 2015 expand
-rwxr-xr-x 1 root 175472 Oct 13 2015 expr
-rwxr-xr-x 1 root 105376 Oct 13 2015 factor
-rwxr-xr-x 1 root 23432 Dec 24 2010 faker
-rwxr-xr-x 1 root 184144 Nov 3 2015 find
-rwxr-xr-x 1 root 106112 Oct 13 2015 fmt
-rwxr-xr-x 1 root 105424 Oct 13 2015 fold
-rwxr-xr-x 1 root 104304 Apr 13 2009 ftp
-rwxr-xr-x 1 root 35072 Jan 27 2013 funzip
-rwxr-xr-x 1 root 69152 Oct 13 2015 getconf
-rwxr-xr-x 1 root 70048 Oct 18 2015 gettext
-rwxr-xr-x 1 root 4653 Oct 18 2015 gettext.sh
-rwxr-xr-x 1 root 41942 Oct 18 2015 gettextize
-rwxr-xr-x 1 root 88512 Oct 13 2015 getty
-rwxr-xr-x 1 root 1065424 Apr 24 2009 gpg
-rwxr-xr-x 1 root 3302 Apr 24 2009 gpg-zip
-rwxr-xr-x 1 root 55088 Apr 24 2009 gpgsplit
-rwxr-xr-x 1 root 428640 Apr 24 2009 gpgv
-rwxr-xr-x 1 root 105280 Oct 13 2015 groups
-rwxr-xr-x 1 root 52000 Jul 22 2016 gssc
-rwxr-xr-x 1 root 105600 Oct 13 2015 head
-rwxr-xr-x 1 root 104960 Oct 13 2015 hostid
-rwxr-xr-x 1 root 52352 Oct 13 2015 hostinfo
-rwxr-xr-x 1 root 46352 Apr 13 2009 hostname
-rwxr-xr-x 1 root 105504 Oct 13 2015 id
-rwxr-xr-x 1 root 87584 Oct 14 2015 infocmp
lrwxrwxrwx 1 root 3 Dec 23 02:17 infotocap -> tic
-rwxr-xr-x 1 root 162832 Oct 13 2015 install
-rwxr-xr-x 1 root 50496 Jul 22 2016 iomfsetgamma
-rwxr-xr-x 1 root 9344 Sep 21 2009 ip-print
-rwxr-xr-x 1 root 50784 Oct 13 2015 ip6conf
-rwxr-xr-x 1 root 13792 Sep 6 2013 ipcrm
-rwxr-xr-x 1 root 22112 Sep 6 2013 ipcs
-rwxr-xr-x 1 root 106816 Oct 13 2015 join
-rwxr-xr-x 1 root 35712 Sep 23 19:03 kbdebug
-rwxr-xr-x 1 root 51472 Oct 27 2015 killall
-rwxr-xr-x 1 root 133952 Jun 29 2015 ldid
-rwxr-xr-x 1 root 50352 Jul 22 2016 ldrestart
-rwxr-xr-x 1 root 133952 Jul 30 2009 less
-rwxr-xr-x 1 root 13328 Jul 30 2009 lessecho
-rwxr-xr-x 1 root 18288 Jul 30 2009 lesskey
-rwxr-xr-x 1 root 105056 Oct 13 2015 link
-rwxr-xr-x 1 root 143360 Nov 3 2015 locate
-rwxr-xr-x 1 root 41808 Apr 13 2009 logger
-rwsr-xr-x 1 root 71552 Oct 13 2015 login
-rwxr-xr-x 1 root 104976 Oct 13 2015 logname
lrwxrwxrwx 1 root 4 Dec 23 02:17 lzcat -> lzma
lrwxrwxrwx 1 root 6 Dec 23 02:17 lzcmp -> lzdiff
-rwxr-xr-x 1 root 1912 Oct 6 2015 lzdiff
lrwxrwxrwx 1 root 6 Dec 23 02:17 lzegrep -> lzgrep
lrwxrwxrwx 1 root 6 Dec 23 02:17 lzfgrep -> lzgrep
-rwxr-xr-x 1 root 3335 Oct 6 2015 lzgrep
lrwxrwxrwx 1 root 6 Dec 23 02:17 lzless -> lzmore
-rwxr-xr-x 1 root 192288 Oct 6 2015 lzma
-rwxr-xr-x 1 root 50704 Oct 6 2015 lzmadec
-rwxr-xr-x 1 root 50752 Oct 6 2015 lzmainfo
-rwxr-xr-x 1 root 1970 Oct 6 2015 lzmore
-rwxr-xr-x 1 root 105728 Oct 13 2015 md5sum
-rwxr-xr-x 1 root 105104 Oct 13 2015 mkfifo
lrwxr-xr-x 1 root 11 Jan 6 09:22 mktemp -> /bin/mktemp
lrwxr-xr-x 1 root 4 Jan 28 05:57 more -> less
-rwxr-xr-x 1 root 51952 Oct 18 2015 msgattrib
-rwxr-xr-x 1 root 52160 Oct 18 2015 msgcat
-rwxr-xr-x 1 root 51808 Oct 18 2015 msgcmp
-rwxr-xr-x 1 root 52112 Oct 18 2015 msgcomm
-rwxr-xr-x 1 root 51840 Oct 18 2015 msgconv
-rwxr-xr-x 1 root 51776 Oct 18 2015 msgen
-rwxr-xr-x 1 root 51664 Oct 18 2015 msgexec
-rwxr-xr-x 1 root 52608 Oct 18 2015 msgfilter
-rwxr-xr-x 1 root 90160 Oct 18 2015 msgfmt
-rwxr-xr-x 1 root 139872 Oct 18 2015 msggrep
-rwxr-xr-x 1 root 71344 Oct 18 2015 msginit
-rwxr-xr-x 1 root 71968 Oct 18 2015 msgmerge
-rwxr-xr-x 1 root 53424 Oct 18 2015 msgunfmt
-rwxr-xr-x 1 root 52000 Oct 18 2015 msguniq
-rwxr-xr-x 1 root 209008 Sep 6 2013 nano
-rwxr-xr-x 1 root 4995 Oct 14 2015 ncurses5-config
-rwxr-xr-x 1 root 4996 Oct 14 2015 ncursesw5-config
-rwxr-xr-x 1 root 70048 Oct 18 2015 ngettext
-rwxr-xr-x 1 root 105168 Oct 13 2015 nice
-rwxr-xr-x 1 root 176144 Oct 13 2015 nl
-rwxr-xr-x 1 root 105376 Oct 13 2015 nohup
-rwxr-xr-x 1 root 42628 Aug 10 2010 notificationWatcher
-rwxr-xr-x 1 root 105120 Oct 13 2015 nproc
-rwxr-xr-x 1 root 124240 Oct 13 2015 od
-rwxr-xr-x 1 root 13072 Sep 21 2009 openURL
-rwxr-xr-x 1 root 436848 Oct 6 2015 openssl
-rwxr-xr-x 1 12270 1911 May 1 1999 pagesize
-rwsr-xr-x 1 root 69552 Oct 13 2015 passwd
-rwxr-xr-x 1 root 105088 Oct 13 2015 paste
-rwxr-xr-x 1 root 105120 Oct 13 2015 pathchk
-rwxr-xr-x 1 root 191584 Sep 6 2013 pax
-rwxr-xr-x 1 root 13152 Sep 21 2009 pbcopy
-rwxr-xr-x 1 root 13200 Sep 21 2009 pbpaste
lrwxr-xr-x 1 root 9 Dec 23 08:20 ping -> /bin/ping
-rwxr-xr-x 1 root 106240 Oct 13 2015 pinky
-rwxr-xr-x 1 root 13936 Dec 24 2010 play
-rwxr-xr-x 1 root 67952 Sep 21 2009 plutil
-rwxr-xr-x 1 root 36416 Sep 23 19:16 powerlogHelperd
-rwxr-xr-x 1 root 36688 Sep 23 19:16 powerlogd
-rwxr-xr-x 1 root 141776 Oct 13 2015 pr
-rwxr-xr-x 1 root 104880 Oct 13 2015 printenv
-rwxr-xr-x 1 root 105360 Oct 13 2015 printf
-rwxr-xr-x 1 root 194304 Oct 13 2015 ptx
-rwsr-xr-x 1 root 22576 Mar 27 2010 quota
-rwsrwxr-x 1 root 28272 Apr 13 2009 rcp
-rwxr-xr-x 1 root 51360 Oct 18 2015 recode-sr-latin
-rwxr-xr-x 1 root 50512 Oct 27 2015 renice
lrwxrwxrwx 1 root 4 Dec 23 02:17 reset -> tset
-rwxr-xr-x 1 root 13412 Dec 23 2010 restart
-rwsrwxr-x 1 root 47248 Apr 13 2009 rlogin
lrwxr-xr-x 1 root 4 Dec 23 08:18 rnano -> nano
-rwsrwxr-x 1 root 23056 Apr 13 2009 rsh
-rwxr-xr-x 1 root 104976 Oct 13 2015 runcon
-rwxr-xr-x 1 root 13968 Dec 24 2010 say
-rwxr-xr-x 1 root 50224 Jul 22 2016 sbdidlaunch
-rwxr-xr-x 1 root 51968 Jul 22 2016 sbreload
-rwxr-xr-x 1 root 93216 Jan 8 2016 scp
-rwxr-xr-x 1 root 51424 Oct 27 2015 script
-rwxr-xr-x 1 root 28880 Apr 11 2009 sdiff
-rwxr-xr-x 1 root 105392 Oct 13 2015 seq
-rwxr-xr-x 1 root 129248 Jan 8 2016 sftp
-rwxr-xr-x 1 root 105728 Oct 13 2015 sha1sum
-rwxr-xr-x 1 root 122384 Oct 13 2015 sha224sum
-rwxr-xr-x 1 root 122384 Oct 13 2015 sha256sum
-rwxr-xr-x 1 root 221168 Oct 13 2015 sha384sum
-rwxr-xr-x 1 root 221168 Oct 13 2015 sha512sum
-rwxr-xr-x 1 root 125648 Oct 13 2015 shred
-rwxr-xr-x 1 root 106464 Oct 13 2015 shuf
-rwxr-xr-x 1 root 37616 Sep 29 22:08 simulatecrash
lrwxr-xr-x 1 root 5 Dec 23 07:42 slogin -> ./ssh
-rwxr-xr-x 1 root 161984 Oct 13 2015 sort
-rwxr-xr-x 1 root 123536 Oct 13 2015 split
-rwxr-xr-x 1 root 663408 Jan 8 2016 ssh
-rwxr-xr-x 1 root 406208 Jan 8 2016 ssh-add
-rwxr-xr-x 1 root 423488 Jan 8 2016 ssh-agent
-rwxr-xr-x 1 root 479216 Jan 8 2016 ssh-keygen
-rwxr-xr-x 1 root 518112 Jan 8 2016 ssh-keyscan
-rwxr-xr-x 1 root 125696 Oct 13 2015 stat
-rwxr-xr-x 1 root 105952 Oct 13 2015 sum
-rwxr-xr-x 1 root 50880 Oct 12 2015 sw_vers
-rwxr-xr-x 1 root 459872 Sep 23 19:02 sysdiagnose
-rwxr-xr-x 1 root 159120 Oct 13 2015 tac
-rwxr-xr-x 1 root 123344 Oct 13 2015 tail
-rwxr-xr-x 1 root 60928 Sep 23 18:51 tailspin
-rwxr-xr-x 1 root 29328 Apr 13 2009 talk
lrwxrwxrwx 1 root 8 Dec 23 02:17 tar -> /bin/tar
-rwxr-xr-x 1 root 53712 Sep 29 22:07 taskinfo
-rwxr-xr-x 1 root 105280 Oct 13 2015 tee
-rwxr-xr-x 1 root 80496 Apr 13 2009 telnet
-rwxr-xr-x 1 root 105104 Oct 13 2015 test
-rwxr-xr-x 1 root 25264 Apr 13 2009 tftp
-rwxr-xr-x 1 root 87856 Oct 14 2015 tic
-rwxr-xr-x 1 root 50640 Oct 27 2015 time
-rwxr-xr-x 1 root 122976 Oct 13 2015 timeout
-rwxr-xr-x 1 root 51792 Oct 14 2015 toe
-rwsr-xr-x 1 root 423792 May 13 2009 top
-rwxr-xr-x 1 root 51712 Oct 14 2015 tput
-rwxr-xr-x 1 root 122768 Oct 13 2015 tr
-rwxr-xr-x 1 root 122672 Oct 13 2015 truncate
-rwxr-xr-x 1 root 52288 Oct 14 2015 tset
-rwxr-xr-x 1 root 105648 Oct 13 2015 tsort
-rwxr-xr-x 1 root 104992 Oct 13 2015 tty
-rwxr-xr-x 1 root 52224 Jul 22 2016 uicache
-rwxr-xr-x 1 root 50160 Jul 22 2016 uiduid
-rwxr-xr-x 1 root 50368 Jul 22 2016 uiopen
-rwxr-xr-x 1 root 105472 Oct 13 2015 unexpand
-rwxr-xr-x 1 root 106368 Oct 13 2015 uniq
-rwxr-xr-x 1 root 105072 Oct 13 2015 unlink
lrwxrwxrwx 1 root 4 Dec 23 02:17 unlzma -> lzma
-rwxr-xr-x 1 root 272368 Jan 27 2013 unrar
-rwxr-xr-x 1 root 171376 Jan 27 2013 unzip
-rwxr-xr-x 1 root 84768 Jan 27 2013 unzipsfx
-rwxr-xr-x 1 root 8641 Nov 3 2015 updatedb
-rwxr-xr-x 1 root 122128 Oct 13 2015 uptime
-rwxr-xr-x 1 root 14000 Aug 10 2010 urlclip
-rwxr-xr-x 1 root 105264 Oct 13 2015 users
-rwxr-xr-x 1 root 34496 Sep 23 17:19 vm_stat
-rwxr-xr-x 1 root 106672 Oct 13 2015 wc
-rwxr-xr-x 1 root 452640 Dec 3 2014 wget
-rwxr-xr-x 1 root 50736 Oct 27 2015 which
-rwxr-xr-x 1 root 106624 Oct 13 2015 who
-rwxr-xr-x 1 root 105008 Oct 13 2015 whoami
-rwxr-xr-x 1 root 180896 Feb 25 2016 wifiutil
-rwxr-xr-x 1 root 71584 Nov 3 2015 xargs
-rwxr-xr-x 1 root 238352 Oct 18 2015 xgettext
-rwxr-xr-x 1 root 104912 Oct 13 2015 yes
-rwxr-xr-x 1 root 98864 Jan 27 2013 zip
-rwxr-xr-x 1 root 37040 Jan 27 2013 zipcloak
-rwxr-xr-x 1 root 32304 Jan 27 2013 zipnote
-rwxr-xr-x 1 root 36720 Jan 27 2013 zipsplit
-rwxr-xr-x 1 root 36816 Sep 23 17:19 zprint


The bolded binaries above don’t encompass all the binaries I am suspicious of: ones whose file descriptor points elsewhere, ones entirely replaced with a custom binary, or ones added to the directory on top of the utilities already installed through trusted repositories.
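As an added example (not the post author's code, and not a tool from any jailbreak repository), here is a small Python triage script that parses lines in the `ls -laG` format shown above and flags the properties a reviewer would check first: non-root or bare-uid ownership, setuid/setgid bits, setuid binaries that are also group- or world-writable, symlinks whose targets need checking, and mtimes that predate the platform. The embedded sample is a handful of lines copied from the listing above; the 2007 cut-off year and the finding wording are assumptions of this example.

```python
"""Triage an `ls -laG`-style listing of a jailbroken iPhone's /usr/bin.

Added example, not from the original post. A flag is a prompt to verify, not
proof of tampering; absence of flags proves nothing, since mtimes and ownership
are trivially forged by anyone who already has root.
"""
import re

# Constructed sample: lines copied from the listing in the post
# (`ls -laG` omits the group column, so there are 8 fields before the name).
SAMPLE_LISTING = """\
-rwxr-xr-x 1 root 105312 Oct 13 2015 [
-rwxr-xr-x 1 mobile 50912 Jan 29 2016 asu_inject
lrwxr-xr-x 1 root 10 Jan 6 09:22 chown -> /bin/chown
lrwxr-xr-x 1 root 58 Dec 23 07:55 cycc -> /Library/Frameworks/CydiaSubstrate.framework/Commands/cycc
-rwsr-xr-x 1 root 71552 Oct 13 2015 login
-rwxr-xr-x 1 12270 1911 May 1 1999 pagesize
-rwsrwxr-x 1 root 28272 Apr 13 2009 rcp
-rwsrwxr-x 1 root 47248 Apr 13 2009 rlogin
lrwxr-xr-x 1 root 5 Dec 23 07:42 slogin -> ./ssh
-rwxr-xr-x 1 root 663408 Jan 8 2016 ssh
-rwsr-xr-x 1 root 423792 May 13 2009 top
"""

# mode, link count, owner, size, month, day, year-or-time, name[ -> target]
LINE_RE = re.compile(
    r"^(?P<mode>[-lbcdps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<size>\d+)\s+"
    r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<yt>\d{4}|\d{2}:\d{2})\s+(?P<rest>.+)$"
)

# Assumption: iOS did not exist before 2007, so an older mtime on a shipped
# binary is either a preserved upstream timestamp or a forged one.
OLDEST_PLAUSIBLE_YEAR = 2007


def parse_listing(text):
    """Return a dict per parsable line; 'total', '.', '..' and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        name, _, target = m.group("rest").partition(" -> ")
        if name in (".", ".."):
            continue
        yt = m.group("yt")
        entries.append({
            "mode": m.group("mode"),
            "owner": m.group("owner"),
            "size": int(m.group("size")),
            "year": int(yt) if ":" not in yt else None,  # None: recent (time shown)
            "name": name,
            "target": target or None,
        })
    return entries


def audit_entry(e):
    """Return the list of findings (strings) for one parsed entry."""
    findings = []
    mode = e["mode"]
    is_link = mode[0] == "l"
    setuid = mode[3] in "sS"
    setgid = mode[6] in "sS"
    writable_by_others = mode[5] == "w" or mode[8] == "w"

    if e["owner"] != "root":
        if e["owner"].isdigit():
            findings.append("owner is bare uid %s with no passwd entry" % e["owner"])
        else:
            findings.append("owner is %s, not root" % e["owner"])

    if setuid or setgid:
        bit = "setuid" if setuid else "setgid"
        if writable_by_others:
            findings.append("%s and group/world-writable: whoever can write it can "
                            "replace it and inherit its privileges" % bit)
        else:
            findings.append("%s: confirm it belongs to a known package" % bit)

    if is_link:
        findings.append("symlink -> %s: verify the target, not this entry" % e["target"])

    if e["year"] is not None and e["year"] < OLDEST_PLAUSIBLE_YEAR:
        findings.append("mtime year %d predates the platform" % e["year"])

    return findings


def audit(text):
    """Map every flagged name to its findings; clean entries are omitted."""
    report = {}
    for e in parse_listing(text):
        f = audit_entry(e)
        if f:
            report[e["name"]] = f
    return report


if __name__ == "__main__":
    for name, findings in sorted(audit(SAMPLE_LISTING).items()):
        for f in findings:
            print("%-12s %s" % (name, f))
```

Run against the full listing, the script flags exactly what stands out by eye: pagesize is owned by a bare uid and carries a 1999 mtime, asu_inject is owned by mobile, and rcp, rlogin and rsh are setuid root yet group-writable (mode -rwsrwxr-x). Because `ls -laG` dropped the group column, an `ls -l` is needed to see which group can write those three. A listing is weak evidence either way; on a dpkg-based jailbreak the stronger check is to hash each file in /usr/bin and compare against the `.md5sums` records dpkg keeps under /var/lib/dpkg/info/, and to run `dpkg -S` on each path to find files that no installed package claims.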

The jailbreak was done on December 23rd, 2016 with a zero-day exploit using mach_portal and Yalu, facilitated by my MacBook Pro on macOS 10.12. However, anomalies including GUI alterations, incorrect battery level reports, and temporary lockouts have occurred on multiple occasions since September 2016.

The temporary lockouts were quite an interesting case. It seems that the battery level parameter and/or thermal protection features have been compromised. Through a backdoor over any means of wireless communication, one can activate this shutdown sequence at any given moment to wash the screen with a black backlit screen, similar to the one observed when one manually turns an iPhone off. After 4~5 seconds, the display backlight would shut off, and any attempt to turn the iPhone on through the power button would result in the “charge yo iPhone, brah” screen we’re all used to. Keep in mind, this would happen at reported battery levels of 28%, 35%, etc.

The only way to turn the phone back on at that point is to initiate a hard reset by holding down the home button and power button for 5 seconds. I noticed the phone would successfully bypass the “charge your iPhone” screen and boot into the lock screen. At this point, entering my passcode gets me into the home screen with a battery level reported to be . But get this: the phone initiates the same shutdown sequence after loitering on the home screen for ~10 seconds. The only remedy is to plug the phone into a Lightning cable or eject the SIM card (with airplane mode toggled at some point beforehand).

I’d appreciate some direction or confirmation of my above suspicions.
If you’ve ever seen “NSXPCConnection.user.[int]” in your debug logs, I’d raise some suspicion.


https://outofbedlam.github.io/swift/2016/02/04/Alamofire/
