Achieving Persistence for Harmful Code on Specific Devices
Background: Some modern devices, especially mobile devices, are of significant importance to attackers in the current threat landscape. The techniques used vary by operating system platform, particularly from the standpoint of execution. However, execution alone is not sufficient. As we know, once malware is executed it must establish persistence, that is, mechanisms that ensure it continues to operate even after a power disruption or device reboot.
Before diving into this problem, let's explore an example on iOS:
At a high level, iOS can be compared to a ship carrying many containers, where each container represents a separate application. Each application is wrapped in a sandbox, and a process that attempts to escape its sandbox is blocked from doing so.

iOS filesystem protection: iOS contains protected directories that form the core of the operating system's functionality. These directories are safeguarded by several security mechanisms, such as sandboxing, code signing, and a read-only system partition. However, a filesystem escape bypasses these protections, enabling unauthorized code to access the file system, modify files, and even make changes within protected directories at any time.
How harmful code can function on a system: Given the existing file system protection measures, we can explore the possible ways in which harmful code could operate to achieve persistence. Currently, two methods appear viable. First, harmful code could leverage a filesystem escape, which would allow it to write its payload into protected areas of the file system and so gain permanent persistence on the system. Second, the code could bypass application memory and write itself into the device's volatile memory. The challenge with this approach is that volatile memory is designed to lose its contents after a power disruption, so the malware's persistence is lost as well.
Conclusion: Fighting these threats is a significant challenge for the current cybersecurity industry. Due to the specific design of some operating systems, it is quite difficult for antivirus vendors to implement a universal solution as they have done for PCs and similar devices. Work in this area should continue.
