Mobile Threat Catalogue

Bypassing Code Signing Mechanisms

Threat Category: Mobile Operating System

ID: STA-5

Threat Description: Code signing protects software from being modified by anyone other than the author. If malicious actors gain access to valid signing certificates, they can later sign their malicious code with them so that it appears to come from a trusted author and is therefore trusted by the user. [1]

Threat Origin

Not Applicable, See Exploit or CVE Examples

Exploit Examples

iOS 8.4.1 Kernel Vulnerabilities in AppleHDQGasGaugeControl [2]

CVE Examples

Possible Countermeasures

Enterprise

Use EMM/MDM solutions in combination with devices that successfully enforce a policy to maintain a minimum OS patch level, and block access to enterprise resources from non-compliant devices.

Purchase devices from vendors/carriers who have committed to providing timely updates or who have known track records for prompt updates.

Use EMM/MDM solutions in combination with other tools or device APIs (Android SafetyNet, Samsung Knox hardware-backed remote attestation, or other applicable remote attestation technologies) to detect and block enterprise connectivity from devices that show indications of device compromise.

References

  1. Trend Micro, "Understanding Code Signing Abuse in Malware Campaigns," blog, 5 Apr. 2018; https://blog.trendmicro.com/trendlabs-security-intelligence/understanding-code-signing-abuse-in-malware-campaigns [accessed 12/02/2019]

  2. windknown, "iOS 8.4.1 Kernel Vulnerabilities in AppleHDQGasGaugeControl," Pangu, 08 Sept. 2015; http://blog.pangu.io/ios-8-4-1-kernel-vulns/