# Grab your own copy of Phenakite iOS malware today

**[malware4all.blogspot.com/2021/05/grab-your-own-copy-phenakite-ios.html](https://malware4all.blogspot.com/2021/05/grab-your-own-copy-phenakite-ios.html)**

[Facebook has recently published a technical paper regarding a threat actor named APT-C-23](https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf). Almost half of their report is about a new iOS malware that is in use by the threat actor. Facebook called this malware Phenakite and provided two hashes of malware samples; however, those samples are not publicly available (yet).

Since I am an Android type of person, naturally the Android malware interested me more than the iOS malware. After playing a little with the Android malware, I decided to see what I could learn about the iOS malware, but how? I don't have any sample and I am quite clueless with Apple devices at every possible level. Well:

[We don't need bombs we got fire kites](https://www.youtube.com/watch?v=JE0qowVv21c)

Fortunately, the distribution site of the malware was still alive.

Well, not much to do other than download the app. Well, the link is not directly the app, apparently: it serves a mobileconfig profile. The file is binary, but it also contains strings that might be interesting (a signed mobileconfig is a CMS/PKCS#7 envelope around a plist, which is why readable XML fragments show up in the raw bytes). There are several tools that parse mobileconfig files; a curious reader might try to parse the file for additional information, as this probably should trigger the download of the app after the profile is accepted.

But now what? Feeling stuck? No worries, I felt the same. Since I don't have an iOS device to try it out, I decided to inspect the code of the website.

Oh, look at that, commented code, that must be good :P

WhoOpSec! There was also a reference to a file named app.plist. Let's try to grab it, shall we?

OK, this is plain text and simple: the software package is app.ipa. Let's grab that as well.

Ah, close, but no cigar: this hash doesn't match the two samples in Facebook's report. Could it be a new sample? I doubt it, look at the date. So what is this file? An [ipa](https://en.wikipedia.org/wiki/.ipa), obviously! Not to be confused with [IPA](https://2.bp.blogspot.com/-Ly8xF88rGtw/U-EknrMRncI/AAAAAAAAApI/ezoKzSVCB-4/s1600/Malka+ipa.JPG). Essentially it is a Zip file, so let's unzip that payload.

I moved all the images to a folder to keep only the potentially interesting files from the archive. Namely, "app" stands out. What is it?

And that, kids, is how I met your malware, e567efd5c800c5b0c6eb5aa0bccc10e9. I met her on Facebook's report.

Congratulations, this is the first time the blog actually does what it stands for: sharing malware for everyone, with a hint of analysis. (If you are reading this too late and the distribution site of the malware is down, no worries, it is also available at VirusTotal as a [standalone and as an archive](https://www.virustotal.com/gui/file/e1494164865acb719c1e32c86adf810ce52fcc48c46e777b9f98a99648de62c2/details).)

Now you can enjoy your own copy of Phenakite and start reversing the Mach-O, if you know how to :)

**Bonus lol's:**

The terms of service of the malware is... [Lorem Ipsum](https://en.wikipedia.org/wiki/Lorem_ipsum).

The privacy policy seems to be borrowed from "relatedcode.com", which has an [open source chat repository for iOS](https://github.com/relatedcode/Messenger); this is most likely the chat app that Facebook was referring to.

All your base is on fire.

More interesting strings:

phenakite.zip
MD5: 54e5e93c00c963cb66fd2d248c4c6ce7
SHA-1: 05527dddb79329d844f1954e3d36601926410bca
SHA-256: c2d66369c974558adbcd801b409492b73ad1cb5f9f412ef3a8820f1cae526903

app
MD5: e567efd5c800c5b0c6eb5aa0bccc10e9
SHA-1: da99195ff43093fb8237201e2ce412a925580a53
SHA-256: e1494164865acb719c1e32c86adf810ce52fcc48c46e777b9f98a99648de62c2
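The app.plist-to-IPA-to-Mach-O chain above (read the manifest, unpack the archive, hash the inner executable rather than the zip) as an added example; this is not code from the original post. The manifest layout (items / assets / metadata) is the standard itms-services format the post's app.plist follows, the KNOWN_PHENAKITE hashes are the ones the post publishes for the extracted "app" binary, and everything else (the URL, the bundle identifier, the IPA contents and the "hello" executable body) is a constructed in-memory stand-in, not the real files:

```python
"""Added example (not from the original post): pull the .ipa URL out of an
itms-services manifest (app.plist), unpack the IPA, locate the bundle's main
executable via CFBundleExecutable and hash it, then compare against the
hashes the post publishes for the "app" Mach-O. All inputs below are
constructed stand-ins, not the real Phenakite manifest or IPA."""
import hashlib
import io
import plistlib
import re
import zipfile

# Hashes the post publishes for the extracted "app" binary (real IOCs).
KNOWN_PHENAKITE = {
    "md5": "e567efd5c800c5b0c6eb5aa0bccc10e9",
    "sha1": "da99195ff43093fb8237201e2ce412a925580a53",
    "sha256": "e1494164865acb719c1e32c86adf810ce52fcc48c46e777b9f98a99648de62c2",
}

# Mach-O magics: 32/64-bit in both byte orders, plus fat/universal binaries.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
                b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca"}

INFO_PLIST_RE = re.compile(r"^Payload/[^/]+\.app/Info\.plist$")


def parse_manifest(manifest: bytes) -> dict:
    """Extract the software-package URL and bundle metadata from an
    itms-services manifest. plistlib.loads accepts XML and binary plists."""
    item = plistlib.loads(manifest)["items"][0]
    url = next(a["url"] for a in item["assets"]
               if a.get("kind") == "software-package")
    meta = item.get("metadata", {})
    return {"url": url,
            "bundle_id": meta.get("bundle-identifier"),
            "version": meta.get("bundle-version"),
            "title": meta.get("title")}


def looks_like_macho(data: bytes) -> bool:
    """Cheap sanity check on the first four bytes of the executable."""
    return data[:4] in MACHO_MAGICS


def hash_ipa_executable(ipa: bytes) -> dict:
    """Open the IPA as a zip, find Payload/<x>.app/Info.plist, read
    CFBundleExecutable and hash that file (the Mach-O the post ends up with).
    Hashing the .ipa itself mixes in zip metadata, which is why the archive
    hash never matches an IOC published for the inner binary."""
    with zipfile.ZipFile(io.BytesIO(ipa)) as zf:
        info_name = next(n for n in zf.namelist() if INFO_PLIST_RE.match(n))
        info = plistlib.loads(zf.read(info_name))
        app_dir = info_name.rsplit("/", 1)[0]
        exe_path = f"{app_dir}/{info['CFBundleExecutable']}"
        exe = zf.read(exe_path)
    return {
        "path": exe_path,
        "bundle_id": info.get("CFBundleIdentifier"),
        "is_macho": looks_like_macho(exe),
        "md5": hashlib.md5(exe).hexdigest(),
        "sha1": hashlib.sha1(exe).hexdigest(),
        "sha256": hashlib.sha256(exe).hexdigest(),
    }


def matches_known_sample(hashes: dict) -> bool:
    """True when the inner executable is the sample the post published."""
    return hashes["sha256"] == KNOWN_PHENAKITE["sha256"]


# ---- constructed stand-ins (NOT the real app.plist or app.ipa) ----
SAMPLE_MANIFEST = plistlib.dumps({
    "items": [{
        "assets": [{"kind": "software-package",
                    "url": "https://example.invalid/app.ipa"}],  # assumed URL
        "metadata": {"bundle-identifier": "com.example.chat",  # assumed id
                     "bundle-version": "1.0", "kind": "software",
                     "title": "Chat"},
    }]
})


def build_sample_ipa() -> bytes:
    """Minimal IPA: Info.plist, an image to filter out, and a fake
    executable whose body is just b"hello" (not a real Mach-O)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Payload/app.app/Info.plist", plistlib.dumps({
            "CFBundleExecutable": "app",
            "CFBundleIdentifier": "com.example.chat"}))
        zf.writestr("Payload/app.app/icon.png", b"\x89PNG\r\n\x1a\n")
        zf.writestr("Payload/app.app/app", b"hello")
    return buf.getvalue()


if __name__ == "__main__":
    print(parse_manifest(SAMPLE_MANIFEST))
    result = hash_ipa_executable(build_sample_ipa())
    print(result, "known Phenakite:", matches_known_sample(result))
```

On a real sample, feed it the bytes of the downloaded app.plist and app.ipa instead of the constructed stand-ins; the inner executable should then report is_macho as True, and for the post's sample the SHA-256 should be the e1494164... value listed above. The constructed executable is deliberately not a Mach-O, so the script reports is_macho False and no IOC match for it.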