Dr. Jekyll and Mr. “Hide” – How Covert Malware Made it into Apple’s App Store

Share this blog

Dr. Jekyll and Mr. “Hide” - How Covert Malware Made it into Apple’s App Store

Today, enterprises feature a mixture of corporate and employee-owned mobile devices with the average individual downloading anywhere from 60 to 90 apps onto his/her mobile device. A fact keeping many CISOs up at night because while most apps are safe, even one malicious app – inadvertently downloaded – can compromise an entire organization. 

The Zimperium research team (zLabs) recently uncovered a hidden and disturbing operation where malicious actors are circumventing Apple’s App Store review process, evading security controls and placing malware in the App Store. 

zLabs discovered: 

  • More than 20 malicious apps in the Apple App Store – from several separate sources – using similar, if not the same techniques to circumvent the Apple review process. 
  • These malicious apps contained hidden, potentially malicious functionalities that activated only after the Apple Review process had been completed and the apps were downloaded by an unsuspecting individual. 
  • These apps load all of the iOS private frameworks into memory, allowing a quick and easy deployment of 0-day exploits or other risks and threats.
  • These apps, unbeknownst to the user, monitor precise user location resulting in potential privacy and security issues.

Of note, Apple is aware of our discovery and has addressed it. The Apple App Store is generally very well protected, and in those rare occasions where malware is identified, Apple always takes swift action.

Below are our current findings, IoCs and our overall analysis in more detail. But a word of caution: Many of these applications implement pornography players. Effort has been taken to provide readers “suitable for work” content, however, reader discretion is needed for some of the live application activity photos and videos. Another word of caution: there could very well be additional Jekyll and Hyde apps with intent much worse than a pornographic player.

Jekyll Application in the Apple App Store

The concept of Jekyll Applications is not new; it was thoroughly discussed in T. Wang’s article in 2013 that detailed a theoretical approach for bypassing the Apple application review process by uploading a Jekyll Application with multiple execution flows. 

This approach was theoretical. No live sample (excluding the authors own submission) utilizing this approach had been found in the wild, until now. Zimperium’s zLabs investigated multiple variants of iOS trojan applications, all submitted for review and approved by Apple, and that we were able to download from the iOS Application store. Obviously, live Jekyll app trojans in the App Store are clearly not myths…

Below is a partial list of the reported applications:

Each of these applications pretends to offer very naive functionality, simple UI functionality of a general UINavigation based application. Here is a small video of one of the applications showing what it was presenting during its Apple app review process.

However, when these applications were analyzed by our dynamic iOS engine, alarm bells began ringing.

Bypassing Apple App Review Process

These applications implement hardcoded date checking and IP checks which are validated by a backend server to verify that the applications are not currently under review from Apple. 

These applications use timestamp verifications, in order to trigger safe mode until the review period is complete:

The back-end server verifies the IP and will return deprecated capabilities if made from an IP address in Apple subnets:

In this case, the application functionality is different and “benign” in both UI and functionality:

In case the IP is not verified with Apple, the server will reply with “extended” capabilities:

Additional resources are downloaded from an external source if both the time is after Apple’s review time frame and the device is not communicating within an identified Apple IP segment.   

That will download the zip file into the picturesResources/pictures.zip:  

Once the download is complete, the following block will be executed, unzipping the file:

If the file is unzipped successfully, then the following block will be executed:

Now the applications are fully functional and are delivering new UI and functionality:

Trojan Behavior – silently collecting user Geo-Location

The application will then dynamically load the CoreLocation framework and initialize it:

Collecting personally identifiable data via users Accelerometer

Application will then dynamically load the CoreMotion framework and initialize it:

Trojan Behavior – Dynamic Loading of Frameworks and Symbols Using NSClassFromString (CoreTelephony)

Trojan Behavior – Apps Dynamically Load Massive Amounts (>400) of Private iOS Frameworks

Utilizing this technique, the apps load private frameworks such as: Apple Private Accounts Framework, Apple Private Biometric Framework, Apple Private Cellular Plan Manager Framework, and even MobileBackup Private Framework:

/System/Library/PrivateFrameworks/ANEServices.framework/ANEServices 0x1c5278000

/System/Library/PrivateFrameworks/APFS.framework/APFS 0x19e083000

/System/Library/PrivateFrameworks/ASEProcessing.framework/ASEProcessing 0x1c528b000

/System/Library/PrivateFrameworks/AXCoreUtilities.framework/AXCoreUtilities 0x1c5290000

/System/Library/PrivateFrameworks/AccountsDaemon.framework/AccountsDaemon 0x1a6387000

/System/Library/PrivateFrameworks/AddressBookLegacy.framework/AddressBookLegacy 0x1a528a000

/System/Library/PrivateFrameworks/AggregateDictionary.framework/AggregateDictionary 0x19d7ee000

/System/Library/PrivateFrameworks/AppSupport.framework/AppSupport 0x19d78e000

/System/Library/PrivateFrameworks/AppSupportUI.framework/AppSupportUI 0x1b507b000

/System/Library/PrivateFrameworks/AppleAccount.framework/AppleAccount 0x1a6445000

/System/Library/PrivateFrameworks/AppleCVA.framework/AppleCVA 0x1a95a7000

/System/Library/PrivateFrameworks/AppleFSCompression.framework/AppleFSCompression 0x1a2f9a000

/System/Library/PrivateFrameworks/AppleIDAuthSupport.framework/AppleIDAuthSupport 0x1a53b6000

/System/Library/PrivateFrameworks/AppleIDSSOAuthentication.framework/AppleIDSSOAuthentication 0x1a6422000

/System/Library/PrivateFrameworks/AppleJPEG.framework/AppleJPEG 0x19d0f1000

/System/Library/PrivateFrameworks/AppleMediaServices.framework/AppleMediaServices 0x1c5515000

/System/Library/PrivateFrameworks/AppleNeuralEngine.framework/AppleNeuralEngine 0x1c5653000

/System/Library/PrivateFrameworks/ApplePushService.framework/ApplePushService 0x1a636d000

/System/Library/PrivateFrameworks/AppleSauce.framework/AppleSauce 0x19de91000

/System/Library/PrivateFrameworks/AssertionServices.framework/AssertionServices 0x19d76d000

/System/Library/PrivateFrameworks/AssetCacheServices.framework/AssetCacheServices 0x1a8244000

/System/Library/PrivateFrameworks/AssetsLibraryServices.framework/AssetsLibraryServices 0x1a88aa000

/System/Library/PrivateFrameworks/AuthKit.framework/AuthKit 0x1a53c2000

/System/Library/PrivateFrameworks/BackBoardServices.framework/BackBoardServices 0x19d8ce000

/System/Library/PrivateFrameworks/BaseBoard.framework/BaseBoard 0x19d6fa000

/System/Library/PrivateFrameworks/BiometricKit.framework/BiometricKit 0x1b8970000

/System/Library/PrivateFrameworks/BluetoothManager.framework/BluetoothManager 0x1a83fa000

/System/Library/PrivateFrameworks/Bom.framework/Bom 0x1a6973000

/System/Library/PrivateFrameworks/BulletinBoard.framework/BulletinBoard 0x1aad11000

/System/Library/PrivateFrameworks/C2.framework/C2 0x1c57ec000

/System/Library/PrivateFrameworks/CTCarrierSpace.framework/CTCarrierSpace 0x1b89d7000

/System/Library/PrivateFrameworks/CacheDelete.framework/CacheDelete 0x1a1107000

/System/Library/PrivateFrameworks/CaptiveNetwork.framework/CaptiveNetwork 0x1a6250000

/System/Library/PrivateFrameworks/Catalyst.framework/Catalyst 0x1b5b10000

/System/Library/PrivateFrameworks/Categories.framework/Categories 0x1c59b3000

/System/Library/PrivateFrameworks/Celestial.framework/Celestial 0x1a0ad8000

/System/Library/PrivateFrameworks/CellularPlanManager.framework/CellularPlanManager 0x1b60b8000

/System/Library/PrivateFrameworks/CertUI.framework/CertUI 0x1aadb9000

/System/Library/PrivateFrameworks/ChunkingLibrary.framework/ChunkingLibrary 0x1a6a6f000

/System/Library/PrivateFrameworks/CloudPhotoLibrary.framework/CloudPhotoLibrary 0x1a8640000

/System/Library/PrivateFrameworks/CloudPhotoServices.framework/CloudPhotoServices 0x1a8b67000

/System/Library/PrivateFrameworks/ColorSync.framework/ColorSync 0x19e1fb000

/System/Library/PrivateFrameworks/CommonAuth.framework/CommonAuth 0x1a62cf000

/System/Library/PrivateFrameworks/CommonUtilities.framework/CommonUtilities 0x19d9d1000

/System/Library/PrivateFrameworks/CommunicationsFilter.framework/CommunicationsFilter 0x1a69a4000

/System/Library/PrivateFrameworks/ConfigurationEngineModel.framework/ConfigurationEngineModel 0x1c59c6000

/System/Library/PrivateFrameworks/ConstantClasses.framework/ConstantClasses 0x1aadb3000

/System/Library/PrivateFrameworks/ContactsDonation.framework/ContactsDonation 0x1aa1a8000

/System/Library/PrivateFrameworks/ContactsFoundation.framework/ContactsFoundation 0x1a37bd000

/System/Library/PrivateFrameworks/ContactsUICore.framework/ContactsUICore 0x1aa2dc000

/System/Library/PrivateFrameworks/ContextKit.framework/ContextKit 0x1becb8000

/System/Library/PrivateFrameworks/CoreAUC.framework/CoreAUC 0x19f7b0000

/System/Library/PrivateFrameworks/CoreAppleCVA.framework/CoreAppleCVA 0x1a9513000

/System/Library/PrivateFrameworks/CoreBrightness.framework/CoreBrightness 0x19ed26000

/System/Library/PrivateFrameworks/CoreDuet.framework/CoreDuet 0x1a5a38000

/System/Library/PrivateFrameworks/CoreDuetContext.framework/CoreDuetContext 0x1a5c0a000

/System/Library/PrivateFrameworks/CoreDuetDaemonProtocol.framework/CoreDuetDaemonProtocol 0x1a5c2d000

/System/Library/PrivateFrameworks/CoreDuetDebugLogging.framework/CoreDuetDebugLogging 0x1a5a03000

/System/Library/PrivateFrameworks/CoreEmoji.framework/CoreEmoji 0x1a1165000

/System/Library/PrivateFrameworks/CoreFollowUp.framework/CoreFollowUp 0x1ace20000

/System/Library/PrivateFrameworks/CoreLocationProtobuf.framework/CoreLocationProtobuf 0x1a117a000

/System/Library/PrivateFrameworks/CoreMediaStream.framework/CoreMediaStream 0x1a893e000

/System/Library/PrivateFrameworks/CoreNLP.framework/CoreNLP 0x1a1f1e000

/System/Library/PrivateFrameworks/CoreOptimization.framework/CoreOptimization 0x1a9fe3000

/System/Library/PrivateFrameworks/CorePDF.framework/CorePDF 0x1aa4b2000

/System/Library/PrivateFrameworks/CoreParsec.framework/CoreParsec 0x1ad30b000

/System/Library/PrivateFrameworks/CorePhoneNumbers.framework/CorePhoneNumbers 0x19d785000

/System/Library/PrivateFrameworks/CorePrediction.framework/CorePrediction 0x1aa046000

/System/Library/PrivateFrameworks/CoreRecents.framework/CoreRecents 0x1a8b86000

/System/Library/PrivateFrameworks/CoreRecognition.framework/CoreRecognition 0x1acebf000

/System/Library/PrivateFrameworks/CoreServicesInternal.framework/CoreServicesInternal 0x1bef3a000

/System/Library/PrivateFrameworks/CoreSuggestions.framework/CoreSuggestions 0x1ace39000

/System/Library/PrivateFrameworks/CoreSymbolication.framework/CoreSymbolication 0x1a9115000

/System/Library/PrivateFrameworks/CoreTime.framework/CoreTime 0x1a950a000

/System/Library/PrivateFrameworks/CoreUI.framework/CoreUI 0x1a2ec7000

/System/Library/PrivateFrameworks/CoreUtils.framework/CoreUtils 0x1a64cb000

/System/Library/PrivateFrameworks/CrashReporterSupport.framework/CrashReporterSupport 0x19d7d4000

/System/Library/PrivateFrameworks/DAAPKit.framework/DAAPKit 0x1aafc9000

/System/Library/PrivateFrameworks/DCIMServices.framework/DCIMServices 0x1a8914000

/System/Library/PrivateFrameworks/DataAccessExpress.framework/DataAccessExpress 0x1a5258000

/System/Library/PrivateFrameworks/DataDetectorsCore.framework/DataDetectorsCore 0x1a303d000

/System/Library/PrivateFrameworks/DataMigration.framework/DataMigration 0x19debb000

/System/Library/PrivateFrameworks/DeviceIdentity.framework/DeviceIdentity 0x1b8e7e000

/System/Library/PrivateFrameworks/DeviceManagement.framework/DeviceManagement 0x1b60df000

/System/Library/PrivateFrameworks/DiagnosticLogCollection.framework/DiagnosticLogCollection 0x1a5dfe000

/System/Library/PrivateFrameworks/DifferentialPrivacy.framework/DifferentialPrivacy 0x1a9566000

/System/Library/PrivateFrameworks/DiskImages.framework/DiskImages 0x19e150000

/System/Library/PrivateFrameworks/DocumentManager.framework/DocumentManager 0x1c5d92000

/System/Library/PrivateFrameworks/DocumentManagerCore.framework/DocumentManagerCore 0x1a5460000

/System/Library/PrivateFrameworks/EAP8021X.framework/EAP8021X 0x1a625c000

/System/Library/PrivateFrameworks/Engram.framework/Engram 0x1a611d000

/System/Library/PrivateFrameworks/Espresso.framework/Espresso 0x1a97f1000

/System/Library/PrivateFrameworks/FTAWD.framework/FTAWD 0x1a69a9000

/System/Library/PrivateFrameworks/FTServices.framework/FTServices 0x1a69ce000

/System/Library/PrivateFrameworks/FaceCore.framework/FaceCore 0x19ffd1000

/System/Library/PrivateFrameworks/FamilyCircle.framework/FamilyCircle 0x1b3327000

/System/Library/PrivateFrameworks/FontServices.framework/FontServices 0x19eba8000

/System/Library/PrivateFrameworks/FontServices.framework/libFontParser.dylib 0x19ea9c000

/System/Library/PrivateFrameworks/FontServices.framework/libGSFontCache.dylib 0x1bf5f0000

/System/Library/PrivateFrameworks/FontServices.framework/libTrueTypeScaler.dylib 0x1bf602000

/System/Library/PrivateFrameworks/FrontBoardServices.framework/FrontBoardServices 0x19d90b000

/System/Library/PrivateFrameworks/Futhark.framework/Futhark 0x1aa1c2000

/System/Library/PrivateFrameworks/GeoServices.framework/GeoServices 0x1a11d3000

/System/Library/PrivateFrameworks/GraphVisualizer.framework/GraphVisualizer 0x1a03ef000

/System/Library/PrivateFrameworks/GraphicsServices.framework/GraphicsServices 0x19d0d9000

/System/Library/PrivateFrameworks/HangTracer.framework/HangTracer 0x1a5474000

/System/Library/PrivateFrameworks/Heimdal.framework/Heimdal 0x1a62d2000

/System/Library/PrivateFrameworks/HomeSharing.framework/HomeSharing 0x1ac0cc000

/System/Library/PrivateFrameworks/IDS.framework/IDS 0x1a6628000

/System/Library/PrivateFrameworks/IDSFoundation.framework/IDSFoundation 0x1a6135000

/System/Library/PrivateFrameworks/IMFoundation.framework/IMFoundation 0x1a5c40000

/System/Library/PrivateFrameworks/IOAccelerator.framework/IOAccelerator 0x19d024000

/System/Library/PrivateFrameworks/IOMobileFramebuffer.framework/IOMobileFramebuffer 0x19e1e6000

/System/Library/PrivateFrameworks/IOSurfaceAccelerator.framework/IOSurfaceAccelerator 0x19d0ee000

/System/Library/PrivateFrameworks/IdleTimerServices.framework/IdleTimerServices 0x1c5f26000

/System/Library/PrivateFrameworks/ImageCapture.framework/ImageCapture 0x1adc76000

/System/Library/PrivateFrameworks/IncomingCallFilter.framework/IncomingCallFilter 0x1a92e8000

/System/Library/PrivateFrameworks/IntentsFoundation.framework/IntentsFoundation 0x1a56f4000

/System/Library/PrivateFrameworks/InternationalSupport.framework/InternationalSupport 0x1c1187000

/System/Library/PrivateFrameworks/InternationalTextSearch.framework/InternationalTextSearch 0x1ac799000

/System/Library/PrivateFrameworks/IntlPreferences.framework/IntlPreferences 0x19ed0b000

/System/Library/PrivateFrameworks/LanguageModeling.framework/LanguageModeling 0x1a1c5d000

/System/Library/PrivateFrameworks/Lexicon.framework/Lexicon 0x1a1c0a000

/System/Library/PrivateFrameworks/LinguisticData.framework/LinguisticData 0x1ae8f5000

/System/Library/PrivateFrameworks/LoggingSupport.framework/LoggingSupport 0x1b2f73000

/System/Library/PrivateFrameworks/MMCS.framework/MMCS 0x1a8321000

/System/Library/PrivateFrameworks/ManagedConfiguration.framework/ManagedConfiguration 0x19df14000

/System/Library/PrivateFrameworks/Marco.framework/Marco 0x1a5e00000

/System/Library/PrivateFrameworks/MediaKit.framework/MediaKit 0x19e0fb000

/System/Library/PrivateFrameworks/MediaLibraryCore.framework/MediaLibraryCore 0x1ab0d2000

/System/Library/PrivateFrameworks/MediaPlatform.framework/MediaPlatform 0x1aaebf000

/System/Library/PrivateFrameworks/MediaRemote.framework/MediaRemote 0x1a6765000

/System/Library/PrivateFrameworks/MediaServices.framework/MediaServices 0x1a673e000

/System/Library/PrivateFrameworks/MediaStream.framework/MediaStream 0x1a8b92000

/System/Library/PrivateFrameworks/MessageProtection.framework/MessageProtection 0x1a5e02000

/System/Library/PrivateFrameworks/MetadataUtilities.framework/MetadataUtilities 0x1c5fa5000

/System/Library/PrivateFrameworks/MobileActivation.framework/MobileActivation 0x1b178c000

/System/Library/PrivateFrameworks/MobileAsset.framework/MobileAsset 0x1a1bef000

/System/Library/PrivateFrameworks/MobileBackup.framework/MobileBackup 0x1b0513000

/System/Library/PrivateFrameworks/MobileBluetooth.framework/MobileBluetooth 0x1a6962000

/System/Library/PrivateFrameworks/MobileDeviceLink.framework/MobileDeviceLink 0x1b0414000

/System/Library/PrivateFrameworks/MobileIcons.framework/MobileIcons 0x1a2f8c000

/System/Library/PrivateFrameworks/MobileInstallation.framework/MobileInstallation 0x1ac768000

/System/Library/PrivateFrameworks/MobileKeyBag.framework/MobileKeyBag 0x19d89d000

/System/Library/PrivateFrameworks/MobileSpotlightIndex.framework/MobileSpotlightIndex 0x1a1f8c000

/System/Library/PrivateFrameworks/MobileStorage.framework/MobileStorage 0x1adc28000

/System/Library/PrivateFrameworks/MobileSystemServices.framework/MobileSystemServices 0x1a9b66000

/System/Library/PrivateFrameworks/MobileWiFi.framework/MobileWiFi 0x1a628e000

/System/Library/PrivateFrameworks/Montreal.framework/Montreal 0x1a9753000

/System/Library/PrivateFrameworks/MusicLibrary.framework/MusicLibrary 0x1ab3e7000

/System/Library/PrivateFrameworks/NLP.framework/NLP 0x1a310f000

/System/Library/PrivateFrameworks/NanoRegistry.framework/NanoRegistry 0x1aa1ef000

/System/Library/PrivateFrameworks/Navigation.framework/Navigation 0x1aa0a1000

/System/Library/PrivateFrameworks/Netrb.framework/Netrb 0x19dec5000

/System/Library/PrivateFrameworks/NetworkServiceProxy.framework/NetworkServiceProxy 0x1a8264000

/System/Library/PrivateFrameworks/NetworkStatistics.framework/NetworkStatistics 0x19f6db000

/System/Library/PrivateFrameworks/OAuth.framework/OAuth 0x1a62cc000

/System/Library/PrivateFrameworks/OTSVG.framework/OTSVG 0x1c6555000

/System/Library/PrivateFrameworks/ParsecSubscriptionServiceSupport.framework/ParsecSubscriptionServiceSupport 0x1ad863000

/System/Library/PrivateFrameworks/Pasteboard.framework/Pasteboard 0x1b0377000

/System/Library/PrivateFrameworks/PersistentConnection.framework/PersistentConnection 0x19decd000

/System/Library/PrivateFrameworks/PersonaKit.framework/PersonaKit 0x1a84ae000

/System/Library/PrivateFrameworks/PersonaUI.framework/PersonaUI 0x1c255b000

/System/Library/PrivateFrameworks/PhoneNumbers.framework/PhoneNumbers 0x1a1e41000

/System/Library/PrivateFrameworks/PhotoFoundation.framework/PhotoFoundation 0x1c66a4000

/System/Library/PrivateFrameworks/PhotoLibraryServices.framework/PhotoLibraryServices 0x1a8bb1000

/System/Library/PrivateFrameworks/PhotosFormats.framework/PhotosFormats 0x1a8516000

/System/Library/PrivateFrameworks/PhotosImagingFoundation.framework/PhotosImagingFoundation 0x1c6757000

/System/Library/PrivateFrameworks/PhysicsKit.framework/PhysicsKit 0x1a5483000

/System/Library/PrivateFrameworks/PlugInKit.framework/PlugInKit 0x1a0ab4000

/System/Library/PrivateFrameworks/PowerLog.framework/PowerLog 0x19d9bd000

/System/Library/PrivateFrameworks/Preferences.framework/Preferences 0x1a93b3000

/System/Library/PrivateFrameworks/ProactiveEventTracker.framework/ProactiveEventTracker 0x1a6a63000

/System/Library/PrivateFrameworks/ProactiveSupport.framework/ProactiveSupport 0x1ac7f8000

/System/Library/PrivateFrameworks/ProofReader.framework/ProofReader 0x1a3227000

/System/Library/PrivateFrameworks/ProtectedCloudStorage.framework/ProtectedCloudStorage 0x1a5325000

/System/Library/PrivateFrameworks/ProtocolBuffer.framework/ProtocolBuffer 0x19d87d000

/System/Library/PrivateFrameworks/PrototypeTools.framework/PrototypeTools 0x1a90f8000

/System/Library/PrivateFrameworks/Quagga.framework/Quagga 0x1a0d64000

/System/Library/PrivateFrameworks/ROCKit.framework/ROCKit 0x1c67f0000

/System/Library/PrivateFrameworks/RTCReporting.framework/RTCReporting 0x19ed1b000

/System/Library/PrivateFrameworks/Rapport.framework/Rapport 0x1bafad000

/System/Library/PrivateFrameworks/RemoteManagement.framework/RemoteManagement 0x1c6a09000

/System/Library/PrivateFrameworks/RemoteTextInput.framework/RemoteTextInput 0x1c6a66000

/System/Library/PrivateFrameworks/SafariCore.framework/SafariCore 0x1a9fe8000

/System/Library/PrivateFrameworks/SafariFoundation.framework/SafariFoundation 0x1ad64e000

/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/SafariSafeBrowsing 0x1b055d000

/System/Library/PrivateFrameworks/SafariShared.framework/SafariShared 0x1ad910000

/System/Library/PrivateFrameworks/SampleAnalysis.framework/SampleAnalysis 0x1c6aa1000

/System/Library/PrivateFrameworks/SearchFoundation.framework/SearchFoundation 0x1a919f000

/System/Library/PrivateFrameworks/SetupAssistant.framework/SetupAssistant 0x1adbb0000

/System/Library/PrivateFrameworks/SetupAssistantSupport.framework/SetupAssistantSupport 0x1adba2000

/System/Library/PrivateFrameworks/SharedWebCredentials.framework/SharedWebCredentials 0x1ad649000

/System/Library/PrivateFrameworks/Sharing.framework/Sharing 0x1b18cc000

/System/Library/PrivateFrameworks/SignpostCollection.framework/SignpostCollection 0x1c29a3000

/System/Library/PrivateFrameworks/SignpostNotification.framework/SignpostNotification 0x1c6c1f000

/System/Library/PrivateFrameworks/SignpostSupport.framework/SignpostSupport 0x1bb026000

/System/Library/PrivateFrameworks/SiriTTS.framework/SiriTTS 0x1a7bf0000

/System/Library/PrivateFrameworks/SpringBoardServices.framework/SpringBoardServices 0x19d975000

/System/Library/PrivateFrameworks/StatsKit.framework/StatsKit 0x1c6c8e000

/System/Library/PrivateFrameworks/StoreServices.framework/StoreServices 0x1a5e0a000

/System/Library/PrivateFrameworks/StreamingZip.framework/StreamingZip 0x1a1128000

/System/Library/PrivateFrameworks/StudyLog.framework/StudyLog 0x1a54d8000

/System/Library/PrivateFrameworks/SymptomDiagnosticReporter.framework/SymptomDiagnosticReporter 0x1a11ca000

/System/Library/PrivateFrameworks/TCC.framework/TCC 0x19dd38000

/System/Library/PrivateFrameworks/TelephonyUtilities.framework/TelephonyUtilities 0x1ac86a000

/System/Library/PrivateFrameworks/TextInput.framework/TextInput 0x1a2faa000

/System/Library/PrivateFrameworks/TextureIO.framework/TextureIO 0x1a2e1d000

/System/Library/PrivateFrameworks/ToneLibrary.framework/ToneLibrary 0x1aa268000

/System/Library/PrivateFrameworks/UIFoundation.framework/UIFoundation 0x1a54dd000

/System/Library/PrivateFrameworks/UIKitCore.framework/UIKitCore 0x1c77c6000

/System/Library/PrivateFrameworks/UIKitServices.framework/UIKitServices 0x1c88fc000

/System/Library/PrivateFrameworks/URLFormatting.framework/URLFormatting 0x1c8908000

/System/Library/PrivateFrameworks/UsageTracking.framework/UsageTracking 0x1c8910000

/System/Library/PrivateFrameworks/UserFS.framework/UserFS 0x19e45e000

/System/Library/PrivateFrameworks/UserManagement.framework/UserManagement 0x1a6946000

/System/Library/PrivateFrameworks/VectorKit.framework/VectorKit 0x1ab67f000

/System/Library/PrivateFrameworks/VoiceServices.framework/VoiceServices 0x1a80af000

/System/Library/PrivateFrameworks/WebBookmarks.framework/WebBookmarks 0x1aaf5e000

/System/Library/PrivateFrameworks/WebCore.framework/Frameworks/libwebrtc.dylib 0x1a3316000

/System/Library/PrivateFrameworks/WebCore.framework/WebCore 0x1a382a000

/System/Library/PrivateFrameworks/WebKitLegacy.framework/WebKitLegacy 0x1a50cc000

/System/Library/PrivateFrameworks/WebUI.framework/WebUI 0x1adb5e000

/System/Library/PrivateFrameworks/WirelessDiagnostics.framework/WirelessDiagnostics 0x19e990000

/System/Library/PrivateFrameworks/XCTTargetBootstrap.framework/XCTTargetBootstrap 0x1c3561000

/System/Library/PrivateFrameworks/XPCKit.framework/XPCKit 0x1a8a7a000

/System/Library/PrivateFrameworks/iTunesCloud.framework/iTunesCloud 0x1abf28000

/System/Library/PrivateFrameworks/iTunesStore.framework/iTunesStore 0x1a92ef000

/System/Library/PrivateFrameworks/kperf.framework/kperf 0x1b5e59000

/System/Library/PrivateFrameworks/kperfdata.framework/kperfdata 0x1b62c6000

/System/Library/PrivateFrameworks/ktrace.framework/ktrace 0x1b66e9000

/System/Library/PrivateFrameworks/libEDR.framework/libEDR 0x1c35a7000

/System/Library/PrivateFrameworks/vCard.framework/vCard 0x1a5cac000

/usr/lib/libAWDSupportFramework.dylib 0x19e679000

Contact Us

We continue to investigate these and other applications and will provide updates as we have them. But to reiterate, customers using Zimperium’s solutions were and are protected from the attacks described in this blog and others using similar techniques. To learn more, please contact us

Get started with Zimperium today