BackStab: Mobile Backup Data Under Attack from Malware

Today we are releasing a whitepaper describing how malicious actors are stealing private mobile device data by accessing local backup files stored on PC and Mac computers. We have identified 704 samples of six Trojan, adware and HackTool families for Windows® or Mac® OS X® systems that used this technique to steal data from iOS and BlackBerry® devices. These attacks have been in the wild for over five years, and we have observed them deployed in over 30 countries around the world.

Since these families use a common attack technique to access the backup files, we categorize all of them as using the “BackStab attack,” defined as “an attack approach that captures private mobile device data through the theft of local backup files stored on PC and Mac computers.”

The BackStab attack technique poses a risk to many mobile users for the following reasons:

  • The technique itself has been known to the security and forensic communities for over seven years. There are many publicly available articles and video tutorials describing how to conduct the attack using tools and/or open source projects available to the public.
  • Almost all private data stored in mobile devices can be stolen using this attack.
  • The attack doesn’t require the mobile device to be jailbroken or rooted.
  • The attack requires malware or adware running on PC or Mac, but doesn’t require the malware or adware to have any special privileges, such as root or administrator.
  • The attack requires at least one backup file to exist on the PC or Mac. In 
some situations, official backup software, like that of Apple iTunes, will automatically create backups of mobile devices without the user’s interaction and without encryption. It is also possible for malware to initiate a backup when the device is attached to an infected computer in some cases.
  • The attack is not theoretical and is occurring in the wild, as we have observed 704 malware samples in six Trojan, adware and HackTool families using it. Two of these families adopted the technique at least five years ago.
  • iOS and BlackBerry have been affected by real world attacks.

How BackStab Works

Under certain conditions, mobile devices automatically create un-encrypted backup files on a local computer when they are attached through a USB port. Apple iOS devices began doing this when iTunes backup was introduced with the first generation iPhone in 2007. When users choose the default backup options, the contents of their phone is stored, unencrypted on their computers local hard drive in a well-known location. Forensics experts have known about this behavior for years and have exploited it to gain access to iOS device content even when they cannot directly access an iPhone due to it’s strong protections.

Mitigate the BackStab Attack

As a successful BackStab attack allows a miscreant to steal almost all private data from a mobile device, we suggest users take the following actions (iOS is used as the example here):

  • Check all existing iTunes backups. If there are any unencrypted and unnecessary backups, delete them.
  • When using iTunes backup, always enable encryption with a strong, unique password.
  • When using iCloud backup, set a strong, unique password for the iCloud account, and enable two-step verification.
  • Upgrade the iOS system to newest version (i.e., iOS 9.1).
  • Don’t jailbreak your iOS device.
  • Before entering your Apple account and password in a web browser, carefully check the current website’s domain name and SSL certificate to ensure you’re visiting Apple’s official website.
  • When connecting the iOS device to an untrusted computer or charger via a USB cable, don’t click the “Trust” button in the dialog box that displays.
  • Use an antivirus product or service on your computer or in your network. This will be helpful to find and prevent some known malware families, such as DarkComet.

Palo Alto Networks has adopted these steps to protect our customers from the BackStab attack:

  • WildFire™ has added a new feature to detect possible BackStab attack behavior.
  • WildFire properly classifies all six families mentioned in this report as malware. When those samples are transferred through a network protected by our products, they will be blocked.
  • A public tag has been added to our AutoFocus service to identify potential BackStab attack behavior.
  • AutoFocus also has tags that identify the DarkComet RAT, although not all variants of this malware use BackStab.
  • Endpoints using Traps are protected from this threat through their connection to WildFire.

For complete details on this threat, please download the “BackStab: Mobile Backup Data Under Attack from Malware” whitepaper.

Got something to say?

Get updates: Unit 42

Sign up to receive the latest news, cyber threat intelligence and research from Unit42


SUBSCRIBE TO RSS