Poisoned Apples: Current State of iOS Malware Detection


April 20, 2023




Track 1


This talk gives an overview of recent iOS 0-click and 1-click malware and focuses on the technical capabilities we currently have for detecting malware on iOS.

I will start again with the analysis of the four main samples of iOS malware that are known to the public as of today (Pegasus I/II, Hermit, and the Google findings in 2019). We will cover how the researchers detected them and what we can learn from that for future analysis. Having looked at some malware samples, it is time to look at our technical detection capabilities. These are split into three groups:

On device / Fully Automated

This is everything that can be done from a sandboxed app directly on the device. A typical example is jailbreak detection. I will shed some light on how current jailbreak detection works and how we can use that for detection of advanced malware.

Companion / MDM / Half Automated

In this category we will look at what data is available through MDM access and how we can use that data to detect and even prevent some kinds of malware.

Forensic / Manual

This category is probably the most interesting one. Because it relies on data that is available through Apple's backup and macOS synchronisation capabilities, it is not well documented, but it still provides access to many interesting things such as crash logs or backup data. Even though there are companies that offer forensic analysis and extraction, such as Cellebrite, Magnet and Elcomsoft, none of them focus on the detection of IOCs that might have been left behind by malware. The first, and also open-source, tool that was made available is MVT by Amnesty International. I'd like to show which data can be manually extracted from a device and how we can use that for the detection of malware. As this topic is not commonly covered in iOS security or forensics training, I will also take more time to explain how to use the tools involved and some best practices for extracting the data.

After having talked about detection capabilities and the analysis of current malware samples, we bring both topics together and show the constraints that we currently have:

  • What can we detect automatically?
  • What can we detect manually?
  • At which scale can we detect things manually?
  • What are signs of compromise?

Finally, I will once again share some ideas and concepts for things that could be done to improve the detection of malware on iOS. These will be grouped around the following questions:

  • How can we increase the data that we can collect from iOS devices?
  • How can we improve the data collection process?
  • How can we implement detection at scale?


iOS Researcher

Trail of Bits Inc.
