{
	"id": "9079c9f5-c23a-4c43-8a25-3af94e197b59",
	"created_at": "2026-04-06T00:18:50.509179Z",
	"updated_at": "2026-04-10T03:23:51.181784Z",
	"deleted_at": null,
	"sha1_hash": "f8d08791de5b7e2116c922546ce899f731543900",
	"title": "Analysis of iOS.GuiInject Adware Library",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 980383,
	"plain_text": "Analysis of iOS.GuiInject Adware Library\r\nBy Arnaud Abbati\r\nPublished: 2016-11-08 · Archived: 2026-04-05 21:51:58 UTC\r\nThere ain’t no such thing as a free $2 cracked software, especially if one went all-in buying that latest top-notch iOS device!\r\nOur cracker friends know this, and anyone who takes the bet of using an out-of-date, insecure, jailbroken iOS version to install cracked software is likely to be abused by the ad injector we describe in this post.\r\nAdware masquerading as legitimate software has already targeted Android and iOS. These cracks rely on poor security practices that could just as easily be used to disguise spyware.\r\niOS Application File\r\nRecently, an iOS App file caught our attention on VirusTotal:\r\n$ openssl dgst -sha256 com.mailtime.MailTimePro-clutch2.ipa\r\nSHA256(com.mailtime.MailTimePro-clutch2.ipa)= 332cf0a45170d6787dcbefb086f5a5f0f6e920d485e377fe37e900a\r\nThe filename suggests we are dealing with cracked software, produced with Clutch, an iOS cracking toolbox.\r\nLet’s decompress the iOS App file (it is a Zip archive):\r\n$ ditto -xk com.mailtime.MailTimePro-clutch2.ipa com.mailtime.MailTimePro-clutch2\r\nhttps://sentinelone.com/blogs/analysis-ios-guiinject-adware-library/\r\nPage 1 of 9\n\n$ cd \"com.mailtime.MailTimePro-clutch2/Payload/MailTime Pro.app/\"\r\n$ find . 
-type f -exec file {} \\; | grep \"Mach-O\"\r\n(...)\r\n./jailbreak: Mach-O universal binary with 2 architectures\r\n./jailbreak (for architecture armv7): Mach-O dynamically linked shared library arm\r\n./jailbreak (for architecture arm64): Mach-O 64-bit dynamically linked shared library\r\n./MailTime Pro: Mach-O universal binary with 2 architectures\r\n./MailTime Pro (for architecture armv7): Mach-O executable arm\r\n./MailTime Pro (for architecture arm64): Mach-O 64-bit executable\r\nThat jailbreak shared library looks suspicious.\r\n$ codesign -dvv \"MailTime Pro\" 2\u003e\u00261 | grep Authority\r\nAuthority=iPhone Developer: nguyen tat hung (T99T9WYY54)\r\nAuthority=Apple Worldwide Developer Relations Certification Authority\r\nAuthority=Apple Root CA\r\n$ codesign -dvv jailbreak 2\u003e\u00261 | grep Authority\r\nAuthority=iPhone Developer: nguyen tat hung (T99T9WYY54)\r\nAuthority=Apple Worldwide Developer Relations Certification Authority\r\nAuthority=Apple Root CA\r\nWhile nguyen tat hung is a known developer identifier, he is not the expected MailTime developer.\r\nGoing further, we find the jailbreak dynamic library has been added to the original binary’s imports:\r\n$ otool -arch arm64 -L \"MailTime Pro\"\r\n(...)\r\n @executable_path/jailbreak (compatibility version 0.0.0, current version 0.0.0)\r\nMost libraries carry their installation prefix and real name in their imports:\r\n$ otool -arch arm64 -L jailbreak\r\njailbreak:\r\n  /usr/local/lib/libguiinject.dylib (compatibility version 1.0.0, current version 1.0.0)\r\n(...)\r\nAnd thanks to assert() macros, project-related information leaks:\r\n$ strings -arch arm64 jailbreak | grep -i guiinject\r\n/Users/gtt/Documents/workspaceIOS/guiinject/guiinject/MBProgressHUD.m\r\n/Users/gtt/Documents/workspaceIOS/guiinject/guiinject/SSZipArchive.m\r\nguiinject\r\nInjected Library\r\nBrowsing the symbols, we quickly isolate 
well-known SDKs and Cocoa Pods:\r\nAdvertisement SDKs\r\nCarrot\r\nFacebook Audience Network\r\nGoogle AdMob\r\nStartApp\r\nCocoa Pods\r\nFileMD5Hash\r\nMBProgressHUD\r\nSSZipArchive\r\nSo much ad-related code for a jailbreak library is unusual. Here are the remaining class headers.\r\nWe ran most of the cracked apps on a jailbroken device without problems.\r\n-[Config getConfig] loads wrap.json from the host program resources:\r\n{\r\n \"udid\": \"jailbreak\",\r\n \"wait_loop\": \"3\",\r\n \"is_jb\": \"1\",\r\n \"package_name\": \"com.mailtime.MailTimePro\"\r\n}\r\nAfter wait_loop launches, the injected code contacts a remote host over an insecure protocol. Half of the services seem to work.\r\nFor example, the coreapi service seems down:\r\nhttp://wrapper.laughworld.net/coreapi/active_device.php?pk=IPANAME\u0026is_jb=1\u0026udid=REDACTED\u0026signature=MD5 :\r\n{\r\n \"return\": -2,\r\n \"message\": \"DB operator fail!\"\r\n}\r\nhttp://wrapper.laughworld.net/coreapi/get_list_message.php?pk=IPANAME\u0026is_jb=1\u0026udid=REDACTED\u0026libver=20160818\u0026app_pk=IPANAME_AGAIN\u0026app_ver=1.2.3\u0026signature=MD5 :\r\n{\r\n \"return\": 0,\r\n \"messages\": []\r\n}\r\nWhile the api service is up:\r\nhttp://wrapper.laughworld.net/api/com.mailtime.MailTimePro_ads.json :\r\n{\r\n \"advertising_list\": [\r\n {\r\n \"id\": 1,\r\n \"act_type\": \"0\",\r\n \"b\": \"\u003cbody\u003e\u003ciframe style='border:none;padding-left:0px;padding-top:0px;' src='http://bypassfi\r\n \"dp_type\": \"1\",\r\n \"url\": \"http://bypassfirewall.net\",\r\n \"hide\": 1,\r\n \"random_show\": \"5\",\r\n \"adsnet_name\": \"admob\",\r\n \"adsnet_id\": \"ca-app-pub-3816529472258726/8039356495\"\r\n }\r\n ]\r\n}\r\nThe most interesting part is the update request:\r\n-[API getUpdate:withSelector:] connects to http://wrapper.laughworld.net/api/com.mailtime.MailTimePro_update.json :\r\n{\r\n \"show_ads\": 
\"YES\",\r\n \"show_message\": \"YES\",\r\n \"update_message_not\": \"\",\r\n \"update_link\": \"http://google.com\",\r\n \"linkfw\": \"http://wrapper.laughworld.net/lib/DailyUploadDownloadLib.framework.zip\",\r\n \"namefw\": \"DailyUploadDownloadLib.framework\",\r\n \"md5fw\": \"f6a51b479516f11ce503ae06f9ffff0f\",\r\n \"script_zip\": \"http://wrapper.laughworld.net/lib/filehost.scr.zip\",\r\n \"script_file\": \"filehost.scr\",\r\n \"md5_script\": \"a9ef52dc75ecbcfce9447237f5154417\"\r\n}\r\nscript_zip, script_file and md5_script are not implemented. The script_zip URL points to a password-protected Zip file, and the md5_script value is not valid (its last bytes are wrong).\r\nlinkfw points to a valid Zip archive. Once it is downloaded and decompressed, -[guiinject _loadPluginAtLocation:] loads the framework and sends a run message to its principalClass. The md5fw value is used for self-update.\r\nAds are downloaded, but so far, we don’t see any of them. 
They are probably rendered in a hidden view.\r\nDownloaded Framework\r\n$ openssl dgst -sha256 DailyUploadDownloadLib\r\nSHA256(DailyUploadDownloadLib)= 00ca48ebeda3d93ccf1b8b405fcf4c2062424bbc99425e27f0b65c7ee238780e\r\n$ file DailyUploadDownloadLib\r\nDailyUploadDownloadLib: Mach-O universal binary with 2 architectures\r\nDailyUploadDownloadLib (for architecture armv7): Mach-O dynamically linked shared library arm\r\nDailyUploadDownloadLib (for architecture arm64): Mach-O 64-bit dynamically linked shared library\r\nThe developer identifier is different:\r\n$ codesign -dvv DailyUploadDownloadLib 2\u003e\u00261 | grep Authority\r\nAuthority=iPhone Developer: Pham Hiep (8DYXPR6ZBP)\r\nAuthority=Apple Worldwide Developer Relations Certification Authority\r\nAuthority=Apple Root CA\r\nThe User and Organization names are in the framework header:\r\n$ cat Headers/DailyUploadDownloadLib.h\r\n(...)\r\nThis file was automatically generated by Xcode. According to the ITviec jobs website, GTT Media and T\u0026B are outsourcing companies.\r\nOnce loaded, the framework asks a lib service for two lists of files hosted on the DailyUploads and FileFactory file-hosting sites.\r\nhttp://wrapper.laughworld.net/lib/DailyUploadDownloadModule.conf :\r\n{\r\n \"list\": [\r\n \"https://dailyuploads.net/hdo3rn24n5tg\",\r\n \"https://dailyuploads.net/udzjx12rvu0z\",\r\n \"https://dailyuploads.net/8buwsi2hk9x7\",\r\n \"https://dailyuploads.net/vgnqrv66hp4l\",\r\n \"https://dailyuploads.net/mla2ofh3c0z8\",\r\n \"https://dailyuploads.net/ud2hlgpw9dto\",\r\n \"https://dailyuploads.net/030p4rn9ll6a\",\r\n \"https://dailyuploads.net/rsjbhbc6zi0b\",\r\n \"https://dailyuploads.net/wzrqhpqa7x7w\",\r\n \"https://dailyuploads.net/dqcl45a61amy\",\r\n \"https://dailyuploads.net/rhkbzrodo6ou\",\r\n \"https://dailyuploads.net/cqrakbup91s4\",\r\n \"https://dailyuploads.net/yxskttjfo4h8\",\r\n 
\"https://dailyuploads.net/m6p6maeijff1\",\r\n \"https://dailyuploads.net/f15g1prokvks\"\r\n ]\r\n}\r\nhttp://wrapper.laughworld.net/lib/FileFactoryDownloadModule.conf :\r\n{\r\n \"list\": [\r\n \"http://filefactory.com/file/ebdz39d8dex/myfile42.encrypt\",\r\n (...)\r\n \"http://filefactory.com/file/1ycfrbml51ox/myfile7.encrypt\",\r\n \"http://filefactory.com/file/1k97tfd8ibu5/kdiff3-0.9.98-MacOSX-64Bit.dmg\",\r\n \"http://filefactory.com/file/5difpf82yog1/Newsgroup_collection.zip\",\r\n \"http://filefactory.com/file/6mlwn7iv1mv7/docword.enron.txt.gz\",\r\n \"http://filefactory.com/file/52sg5aurgkrz/Tiny_Wings__Andreas_Illiger___v2.1_os43_-Nitrox.rc330_8\r\n \"http://filefactory.com/file/6x9iujr8u6a5/php-5.6.14.tar.bz2\",\r\n \"http://filefactory.com/file/q29tth3j859/iBackupBot-Setup.dmg\",\r\n \"http://filefactory.com/file/6bcmlwfuw7wl/pokegoppsl.zip\",\r\n \"http://filefactory.com/file/4qqx4s5l36hn/iPhoneConfigUtility.dmg\",\r\n \"http://filefactory.com/file/5vqawo60iyb9/googlemobileadssdkios.zip\",\r\n \"http://filefactory.com/file/560caqad3k9h/mallet-2.0.8RC3.tar.gz\",\r\n \"http://filefactory.com/file/5ovqpwwp0w7h/609704981.ipa\",\r\n \"http://filefactory.com/file/1lpoyv8v2y73/Multiplayer_for_Minecraft_PE__v2.0_v2.012_Univ_os80_-Lo\r\n \"http://filefactory.com/file/2abv5ufb9gav/MtProtoKit-master.zip\",\r\n \"http://filefactory.com/file/5t8e4px5fod1/577499909.ipa\",\r\n \"http://filefactory.com/file/4zy55s6qayrh/intel_rst_7_mb_8.1.zip\",\r\n \"http://filefactory.com/file/12toqn6khwd3/MEAD-3.12.tar.gz\"\r\n ]\r\n}\r\nThe framework also periodically checks the external IP address of the iOS device, using DynDNS.\r\nWhen the framework is loaded, or when the external IP address changes, a random file from both hosting sites is downloaded. 
It’s worth noting that DailyUploads and FileFactory have affiliate programs (paid per thousand downloads). The median file size is 15 MB.\r\nDailyUploads links point to other iOS applications. They are also signed by nguyen tat hung and injected:\r\n$ yara -r iOS.GuiInject.yara DailyUploads\r\nipa_jb DailyUploads/com.infinear.call-clutch2.ipa\r\nipa_jb DailyUploads/com.axidep.polyglotvoicereader-clutch2.ipa\r\nipa_jb DailyUploads/com.contrast.mileagelog-clutch2.ipa\r\nipa_jb DailyUploads/com.kymatica.AUFX-Space-clutch2.ipa\r\nipa_jb DailyUploads/co.qapps.calcpro-clutch2.ipa\r\nipa_jb DailyUploads/com.pixiapps.ecoutemobile-clutch2.ipa\r\nipa_jb DailyUploads/com.jhnd.blender-clutch2.ipa\r\nipa_jb DailyUploads/com.jackadam.darksky-rc.ipa\r\nipa_jb DailyUploads/com.markelsoft.Text2Speech-clutch2.ipa\r\nipa_jb DailyUploads/com.giacomoballi.FindTower-clutch2.ipa\r\nipa_jb DailyUploads/com.venderbase.dd-wrt-clutch2.ipa\r\nipa_jb DailyUploads/com.vincenzoaccardi.itracking-clutch2.ipa\r\nipa_jb DailyUploads/com.realvnc.VNCViewer-clutch2.ipa\r\nipa_jb DailyUploads/com.yacreader.yacreader-clutch2.ipa\r\nipa_jb DailyUploads/com.plumamazing.iWatermark-clutch2.ipa\r\nAbusing the Injected Adware Library\r\nSo, a dynamic library asks a remote host, over an insecure protocol, for code to execute… What could possibly go wrong?\r\nBy intercepting and modifying the update response, we successfully load our code:\r\nThis is arbitrary code execution via a man-in-the-middle attack. We should probably thank the crackers, or the developers, for explicitly allowing NSAllowsArbitraryLoads (insecure plain-HTTP loads) in App Transport Security.\r\nHundreds of Samples\r\nUsing VirusTotal Retrohunt and some Yara rules, we find hundreds of samples.\r\nConclusion\r\nThe incentive for jailbreak is research, not piracy. 
Production devices must stay away from jailbreak and piracy.\r\nReal crackers never monetize their findings, and most developers provide free versions of their products, with their own ads. Those ad revenues go to the author instead of some random selfish cracker.\r\nAnd while we are on it, for the price of that latest iOS device, people could get hundreds of programs and improve their current device experience. They won’t even have to feel guilty for Apple, as the mothership takes its cut on App Store sales.\r\nConclusions regarding the money crackers earned from hidden ads and fake downloads, the data plans users wasted, or the potential abuses of the injected adware library are left as an exercise for the reader.\r\nSource: https://sentinelone.com/blogs/analysis-ios-guiinject-adware-library/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://sentinelone.com/blogs/analysis-ios-guiinject-adware-library/"
	],
	"report_names": [
		"analysis-ios-guiinject-adware-library"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434730,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f8d08791de5b7e2116c922546ce899f731543900.pdf",
		"text": "https://archive.orkl.eu/f8d08791de5b7e2116c922546ce899f731543900.txt",
		"img": "https://archive.orkl.eu/f8d08791de5b7e2116c922546ce899f731543900.jpg"
	}
}