New TrollStore tool permanently installs apps on non-jailbroken iOS devices

TrollStore was released on September 3, 2022 as a new iOS tool that lets users permanently install any application on a non-jailbroken device, a capability that threat actors have wanted for a long time.
With the arrival of TrollStore, the security model of iOS devices is seriously undermined. Jailbreaking means modifying the device's software to remove the restrictions imposed by the carrier or manufacturer; TrollStore removes the need to do so.
Why is TrollStore a threat?
Until now, Apple's policies made distributing modded applications far harder than the modding itself. The tool works on all iOS versions from 14.0 to 15.4.1 (plus the 15.5 beta 4).
On GitHub, the developers explained that,
“TrollStore is a permasigned jailbroken app that can permanently install any IPA you open in it. It works because of the CoreTrust bug that ONLY affects iOS 14.0 – 15.4.1 (15.5b4). NOTE: TrollStore will NEVER work on anything higher than iOS 15.5 beta 4 (No not on iOS 15.5, not on iOS 15.6, and certainly not on iOS 16.x), please stop asking!”
According to GuardSquare, TrollStore chains two recently disclosed vulnerabilities (CVE-2022-26766 and CVE-2021-30937) to gain root privileges and sign the app with arbitrary privileges (entitlements). As a result, the installed app can run with arbitrary permissions and properties.
GuardSquare security researcher Jan Seredynski explained in a blog post that, before this tool appeared, users of modded apps had to jailbreak their devices or resort to other workarounds to install repackaged applications.
TrollStore removes that effort: because no jailbreak is required, installing a modified app becomes dramatically easier. This has serious consequences for app developers, because jailbreak detection will no longer be a “valid stop to reduce the majority of repackaging efforts,” Seredynski wrote.
Most common repackaging detection solutions would also fail to notice the tampering, because the signature-validation bypass TrollStore relies on (the CoreTrust bug) lets an adversary re-sign the app with an arbitrary BundleID or TeamID, so checks that merely compare those identifiers against the expected values still pass.
How to reduce the threat?
Repackaging detection solutions such as GuardSquare's iXGuard must look beyond the common TeamID and BundleID checks: because TrollStore re-signs the app with a new certificate, they need to verify additional integrity indicators of the bundle itself.
They should also detect the actual changes made to application resources and code. Finally, multiple security layers should be combined to maximize mobile app security.
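As an added example, not GuardSquare's, iXGuard's or TrollStore's code, the following Python models the two points above: a detector that only compares the TeamID and BundleID passes after a TrollStore-style re-sign, while a SHA-256 manifest of the bundle's files taken at build time still catches the modified resource. The bundle layout, the `signing.json` record standing in for the identity fields of the embedded code signature, the Team ID `ABCDE12345`, the bundle ID `com.example.app` and the patched `Settings.plist` are all constructed for the demo.

```python
"""Resource-integrity check that does not trust the signing identity.

Added example, not GuardSquare's or TrollStore's code. An iOS bundle is modelled
as a directory tree; the embedded signature's Team ID / Bundle ID are represented
by a JSON "signing record" (an assumption for the demo) so the weak identity check
and the stronger manifest check can be compared offline.
"""
import hashlib
import json
import os
import tempfile

EXPECTED_TEAM_ID = "ABCDE12345"        # hypothetical values used by the demo
EXPECTED_BUNDLE_ID = "com.example.app"

# Files legitimately rewritten by the signing step after the manifest is built.
# Everything else must match the build-time hash exactly.
EXCLUDED = {"_CodeSignature/CodeResources", "signing.json"}


def _walk(bundle_dir):
    """Yield (bundle-relative path, absolute path) for every non-excluded file."""
    for root, _dirs, files in os.walk(bundle_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            rel = os.path.relpath(path, bundle_dir).replace(os.sep, "/")
            if rel not in EXCLUDED:
                yield rel, path


def build_manifest(bundle_dir):
    """Build time: SHA-256 of every code/resource file, keyed by relative path."""
    manifest = {}
    for rel, path in _walk(bundle_dir):
        with open(path, "rb") as f:
            manifest[rel] = hashlib.sha256(f.read()).hexdigest()
    return manifest


def identity_check(bundle_dir):
    """Weak check: compare the TeamID/BundleID carried by the signing metadata."""
    with open(os.path.join(bundle_dir, "signing.json")) as f:
        rec = json.load(f)
    return rec.get("TeamID") == EXPECTED_TEAM_ID and rec.get("BundleID") == EXPECTED_BUNDLE_ID


def integrity_check(bundle_dir, manifest):
    """Stronger check: every file must hash to its build-time value and no file
    may be added or removed. Returns the sorted list of paths that differ."""
    current = build_manifest(bundle_dir)
    added_or_removed = set(manifest) ^ set(current)
    changed = {p for p in manifest if p in current and manifest[p] != current[p]}
    return sorted(added_or_removed | changed)


def make_demo_bundle():
    """Constructed sample bundle: a binary, a resource, a seal and a signing record."""
    d = tempfile.mkdtemp()
    os.makedirs(os.path.join(d, "_CodeSignature"))
    files = {
        "App": b"\xcf\xfa\xed\xfe original machine code",   # stands in for the Mach-O
        "Settings.plist": b"<plist><dict><key>premium</key><false/></dict></plist>",
        "_CodeSignature/CodeResources": b"seal-v1",
        "signing.json": json.dumps({"TeamID": EXPECTED_TEAM_ID,
                                    "BundleID": EXPECTED_BUNDLE_ID}).encode(),
    }
    for rel, data in files.items():
        with open(os.path.join(d, rel), "wb") as f:
            f.write(data)
    return d


def repackage(bundle_dir):
    """Simulate a TrollStore-style repackaging: patch a resource, regenerate the
    seal, and re-sign while keeping the ORIGINAL TeamID/BundleID, which the
    signature-validation bypass allows."""
    with open(os.path.join(bundle_dir, "Settings.plist"), "wb") as f:
        f.write(b"<plist><dict><key>premium</key><true/></dict></plist>")
    with open(os.path.join(bundle_dir, "_CodeSignature/CodeResources"), "wb") as f:
        f.write(b"seal-v2-attacker")
    with open(os.path.join(bundle_dir, "signing.json"), "w") as f:
        json.dump({"TeamID": EXPECTED_TEAM_ID, "BundleID": EXPECTED_BUNDLE_ID}, f)


def demo():
    """Run both checks before and after repackaging; returns ((id, diff), (id, diff))."""
    bundle = make_demo_bundle()
    manifest = build_manifest(bundle)   # produced at build time, before signing
    before = (identity_check(bundle), integrity_check(bundle, manifest))
    repackage(bundle)
    after = (identity_check(bundle), integrity_check(bundle, manifest))
    return before, after


if __name__ == "__main__":
    print(demo())   # identity check passes both times; manifest flags Settings.plist
```

Two caveats a practitioner would add. In a real Mach-O the signature blob lives inside the binary (the LC_CODE_SIGNATURE load command), so hash the code and data segments rather than the whole file, or the legitimate re-sign at release time will trip the check. And an attacker who can patch resources can patch an embedded manifest too, so the expected hashes should be pinned in code that is itself protected, and the verdict corroborated server-side rather than trusted from the device alone.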