Su-A-Cyder can be described as a recipe that takes one part malicious code (choose your flavor), one part legitimate app (choose your victim), one part Apple ID (anonymous), and mix together to create a new evil client app that easily installs on a non-jailbroken device.
— Chilik Tamir, Chief Architect, Research and Development for Mi3 Security






Su-A-Cyder is not malware and it is not a vulnerability; it’s a threat vector! It is a compilation of open source technologies (e.g. Theos and Fastlane) scripted together to take advantage of Apple’s home brewed certification application program to demonstrate that anonymous evil app creation is not a myth anymore.

With Apple’s policy change to allow the installation of local home brewed apps onto a non-jailbroken device using just an Apple ID, Su-A-Cyder can easily install an evil application on a non-jailbroken device.  The malicious application masquerades as a legitimate existing app and is undetectable by users, EMM or other Security Software.  Any legitimate application can be resigned with an anonymous Apple ID account and side loaded to a device, meaning any app on the device can be replaced with a modified version that appears to be the original.

Demonstrated by Mi3 Security Chief Scientist at Black Hat Asia, 2016, Su-A-Cyder examples include taking control of a Good MDM agent, injecting an evil Skype app, and gaining full control of a corporate video chat Jabber app. In each of these examples a backdoor was installed for the POC. This threat vector allowed for complete access to all the data within the app including PII. If the app had access to healthcare records, corporate credentials, CC or other PII data, then the backdoor would have the same access. Moreover, if the app was granted with LAN, DMZ, VPN access then the evil app could exploit and abuse this access.

Every time Apple identifies abused certificate it revokes them. That is part of the security mechanism implemented since iOS 9.0. However, home brewed evil apps can always regenerate a new anonymous signing certificate and then repackage the original evil code and install a unique repackaged flavor of the original app. This threat vector creates significant challenges for corporations with BYOD and employee shared devices.  The risk of an insider threat and APTs buried inside of otherwise legitimate apps are a very real possibility.  EMM software does not have the capability to differentiate a legitimate iOS app from a hijacked one nor do they have security controls in their arsenal to detect or remediate this problem on their own.

Mi3 RECON has the detection capabilities to identify malicious client repackaged apps, and can be used for both Brand Protection as well as with an EMM Integration.


If you'd like to further explore SU-A-CYDER the source code is available on GitHub.