Project Zero

The curious tale of a fake Carrier.app

Google Project Zero's Ian Beer analyzed a malicious iPhone app that was sideloaded onto a device using an enterprise certificate. The app contained six privilege escalation exploits, five of which were well known and publicly available. The sixth was unknown and did not follow the typical structure of the others: it appeared to check whether it was running on an iPhone 12 or 13, and its log messages suggested it was waiting for read/write primitives. Further analysis showed that this exploit was interacting with the Display Co-Processor (DCP), a coprocessor that runs its own firmware and exposes a remote procedure call interface.

The DCP is a relatively unknown component. The Asahi Linux project had reverse-engineered the API used to talk to it, but because they were restricted to using Apple's DCP firmware, their understanding of the DCP internals was limited. Beer obtained the DCP firmware image from an iPhone system image and found it to be a fully stripped Mach-O binary, which makes it difficult to understand. He noted that compromising the DCP could have significant consequences given its potential access to system resources.

The analysis of the unknown exploit and of the DCP is ongoing. Beer's findings highlight the complexity and challenges of understanding modern system-on-a-chip (SoC) architectures, and the discovery of the DCP's attack surface raises concerns about the security of Apple devices and the need for further research.

The malicious app was likely distributed through a phishing campaign: the attacker would ask the carrier to disable the target's mobile data connection and then send a link to the fake app via SMS. Because the app was signed with an enterprise certificate, it bypassed Apple's App Store review process. The incident highlights the risks of sideloading apps and the potential for malicious actors to exploit vulnerabilities in Apple devices. It also underscores the importance of ongoing research and analysis to identify and mitigate potential security threats.
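The summary notes that the DCP firmware image is a fully stripped Mach-O, which is the first thing a firmware triage would want to confirm. The following is an added example, not code from the Project Zero post: it walks the 64-bit little-endian Mach-O header and load commands and reports the symbol count recorded in LC_SYMTAB, using a minimal constructed image as input (the cputype and filetype values in the sample are assumptions, not taken from the real firmware).

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF   # 64-bit Mach-O, host byte order
LC_SYMTAB = 0x2            # load command carrying the nlist symbol table
MH_HEADER_64_SIZE = 32

def macho_symbol_count(data: bytes):
    """Return (ncmds, nsyms) for a 64-bit little-endian Mach-O image.

    nsyms is None when the image carries no LC_SYMTAB at all."""
    if len(data) < MH_HEADER_64_SIZE:
        raise ValueError("too short for a mach_header_64")
    magic, _cputype, _cpusub, _ftype, ncmds, _sizeofcmds, _flags, _rsv = \
        struct.unpack_from("<IiiIIIII", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError(f"not MH_MAGIC_64: {magic:#x}")
    off = MH_HEADER_64_SIZE
    nsyms = None
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        # every load command is at least its 8-byte header and must fit
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError(f"malformed load command at offset {off:#x}")
        if cmd == LC_SYMTAB:
            # struct symtab_command: cmd, cmdsize, symoff, nsyms, stroff, strsize
            _, _, _symoff, nsyms, _stroff, _strsize = \
                struct.unpack_from("<IIIIII", data, off)
        off += cmdsize
    return ncmds, nsyms

def is_stripped(data: bytes) -> bool:
    """A fully stripped image has no LC_SYMTAB or an LC_SYMTAB with zero entries."""
    _, nsyms = macho_symbol_count(data)
    return nsyms is None or nsyms == 0

def build_sample_macho(nsyms=None) -> bytes:
    """Constructed minimal image for demonstration: header plus, optionally, one
    LC_SYMTAB whose nsyms is the value given. cputype 0x0100000C (arm64) and
    filetype 2 (MH_EXECUTE) are assumed sample values."""
    cmds = b""
    if nsyms is not None:
        cmds = struct.pack("<IIIIII", LC_SYMTAB, 24, 0, nsyms, 0, 0)
    ncmds = 1 if nsyms is not None else 0
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2,
                         ncmds, len(cmds), 0, 0)
    return header + cmds

if __name__ == "__main__":
    for sample in (build_sample_macho(), build_sample_macho(0), build_sample_macho(4096)):
        print(macho_symbol_count(sample), "stripped" if is_stripped(sample) else "has symbols")
```

On a real firmware image, read the file bytes and pass them to `is_stripped`; a non-zero `nsyms` still tells you only that some symbols survive, not how useful they are.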
googleprojectzero.blogspot.com