Apple . Security

Pawn Storm Fact Check

On February 15, 2015 by

Fortinet recently published a blog entry analyzing the Pawn Storm malware for iOS. There were some significant inaccuracies, however, and since Fortinet seems to be censoring website comments, I thought I’d post my critique here. Here are a few things important to note about the analysis that were grossly inaccurate.

First of important note is the researcher’s claim that the LSRequiresIPhoneOS property indicates that iPads are not targeted, but that the malware only runs on iPhone. Anyone who understands the iOS environment knows that the LSRequiresIPhoneOS tag simply indicates that the application is an iOS application; this tag can be set to true, and an application can still support iPad and any other iOS based devices (iPod, whatever). I mention this because anyone reading this article may assume that their iPad or iPod is not a potential target, and therefore never check it. If you suspect you could be a target of Pawn Storm, you should check all of your iOS based devices.

Second important thing to note: Most of the information the researcher claims the application gathers can only be gathered on jailbroken devices. This is because the jailbreak process in and of itself compromises Apple’s own sandbox in order to allow applications to continue to run correctly after Cydia has relocated crucial operating system files onto the user data partition. When running Cydia for the first time, several different folders get moved to the /var/stash folder on the user partition. Since this folder normally would not be accessible outside of Apple’s sandbox, the geniuses writing jailbreaks decided to break Apple’s sandbox so that you could run your bootleg versions of Angry Birds. Smart, huh?

Of course, there is far worse malware that can even be invisibly installed on a jailbroken iOS 8 device. The techniques used in Pawn Storm are quite juvenile and from all accounts, appears to be poorly written and ineffective on non-jailbroken devices.

In reality, Pawn Storm is severely limited on non-jailbroken devices, and in fact seems to be almost entirely dependent on the device being jailbroken. Files such as the SMS database and recent calls list are inaccessible from inside the sandbox (unless it’s been broken through the act of jail-breaking). A number of other features require permission from the user, such as the photo library and location. It does not appear that the application is coded to ask for permission, based on the researcher’s analysis. If this is the case, then all location requests will silently fail on non-jailbroken iOS 8 devices, which do not engage the user for permission unless the app is specifically coded to ask. If this is the case, then Pawn Storm doesn’t even account for users who are naive enough to grant permission to the app to spy on them.

Lastly and worthy of mention: battery drain may not always be the case; if you keep your device sitting on your desk at home or in your office, then even though the CLLocation distance filter is set to kCLDistanceFilterNone, the GPS will not continuously run as the article states, because there will be no movement detected. The GPS will only continue to run if the device is actively being moved around to a reasonable degree within a detectable lat/long.

Bottom line is this: If you are running an iOS 8 device and have not jailbroken it, there is very little information Pawn Storm can actually acquire unless you give it permission to. In spite of the FUD that Fortinet is trying to instill in everyone, Pawn Storm is a lot less dangerous than you are being led to believe.