How Meituan Built a Low‑Cost, Scalable iOS Malware Hunting System
This article details Meituan Security's Black Hat 2018 presentation on a fully automated, Raspberry‑Pi‑based iOS malware hunting pipeline that crawls App Store apps, cracks DRM, runs dynamic sandbox analysis with Frida, and uses a Nools decision engine to detect advanced threats at scale.
Background
At Black Hat USA 2018, Meituan Security presented "Art of Dancing with Shackles: Best Practice of App Store Malware Automatic Hunting System," showcasing a large‑scale, automated solution for collecting and analyzing iOS applications.
Problem Statement
iOS is one of the most secure mobile operating systems, making it an attractive high‑value target for sophisticated attackers. Traditional manual analysis cannot keep up with the volume of malicious samples, and deep APT attacks often evade detection because sandbox solutions lack sufficient privileges.
System Overview
The solution consists of two major components: an App Crawl system that gathers apps from the App Store and third‑party sources, and a Sandbox analysis system that dynamically monitors app behavior using Frida, Raspberry Pi clusters, or full‑system emulation.
System Architecture
The architecture is divided into five modules:
Automatic Crawl System: Automates login, purchase, and download of apps from the App Store and other markets.
App Crack System: Removes Apple DRM to produce runnable IPA files for analysis.
Sandbox Analysis System: Uses real iOS devices, Raspberry Pi‑based emulators, and full VM emulation to capture runtime behavior.
Dynamic Tracking System: Collects logs such as file, network, XPC, IOKit, and profile events.
Decision Engine: Powered by the open‑source Nools rule engine to evaluate logs in real‑time or batch mode.
Workflow
The Crawl system logs into an Apple ID, purchases the target app, and downloads the IPA from iTunes.
The Crack system decrypts the DRM, producing an IPA that can run on jailbroken devices or emulators.
Sandbox analysis runs the IPA either on a real device or on a Raspberry Pi‑based iOS virtual machine; Frida hooks are used to monitor behavior.
Collected logs are fed into the Nools decision engine, which applies rule sets to flag malicious or APT‑related activity.
Automatic Crawl & Crack Details
The Crawl subsystem has three parts:
App Meta‑information Crawler: Retrieves metadata (name, category, size, etc.) and handles regional restrictions by using different spiders for different Apple ID regions.
App Download Crawler: Reverse‑engineers the iTunes protocol to automate login, purchase, and download of IPA files.
DRM Import: Extracts the Sinf DRM data from Apple’s response and injects it into the downloaded IPA so it can be installed on analysis devices.
App Crack System
By reverse‑engineering StoreServices.framework and using an undocumented API, the team built a tweak that automates Apple ID login and DRM removal, enabling bulk decryption of apps for static and dynamic analysis.
Sandbox Analysis System
Two approaches are used:
Real‑device sandbox: Frida is deployed on jailbroken iOS devices to hook system calls and capture behavior.
Raspberry Pi‑based iOS virtual machine: A lightweight emulator loads iOS binaries, re‑implements system libraries, and runs them on ARM hardware, providing a cost‑effective, scalable alternative to large device farms.
Both approaches generate extensive logs that are fed to the decision engine.
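To make the "Frida hooks are used to monitor behavior" step concrete, here is an added example of a minimal Frida agent; it is not Meituan's code and the presentation did not publish theirs. It turns two of the syscalls the article's log categories cover (file opens and outbound connects) into structured events of the shape a decision engine can consume. It assumes a recent Frida JavaScript API (Process.getModuleByName, Module.getExportByName, Interceptor.attach, send); the event field names and the path classification are this example's own choices. The helpers are pure functions so they can be tested outside Frida, and installHooks() simply returns false when the Frida globals are absent.

```javascript
// Added example (not Meituan's code): a minimal Frida agent that turns file and
// network syscalls made by an app under analysis into structured log events,
// the kind of record a downstream decision engine can consume.
// Assumptions: a recent Frida JavaScript API (Process.getModuleByName,
// Module.getExportByName, Interceptor.attach, send); the event field names and
// the path classes are this example's own.

// Build one log record. Pure function, so it can be exercised outside Frida.
function makeEvent(category, api, details) {
  return { ts: Date.now(), category: category, api: api, details: details };
}

// Coarse classification of a path the app touched: its own data container is
// expected, system paths are normal, anything else is worth flagging downstream.
function classifyPath(path) {
  if (typeof path !== 'string') return 'unknown';
  if (path.indexOf('/var/mobile/Containers/') === 0 ||
      path.indexOf('/private/var/mobile/Containers/') === 0) return 'container';
  if (path.indexOf('/System/') === 0 || path.indexOf('/usr/lib/') === 0) return 'system';
  return 'other';
}

// Decode a BSD sockaddr_in as laid out on Darwin: sa_len (1 byte), sa_family (1),
// sin_port (2, network byte order), sin_addr (4). Takes a Uint8Array so it works
// on a constructed buffer as well as on bytes read from the target process.
function parseSockaddrIn(bytes) {
  var family = bytes[1];
  if (family !== 2) return { family: family, port: null, addr: null }; // AF_INET only
  var port = (bytes[2] << 8) | bytes[3];
  var addr = bytes[4] + '.' + bytes[5] + '.' + bytes[6] + '.' + bytes[7];
  return { family: family, port: port, addr: addr };
}

// Attach hooks only when running inside Frida; returns false elsewhere so the
// helpers above can be unit-tested in plain Node.
function installHooks() {
  if (typeof Interceptor === 'undefined' || typeof Process === 'undefined') return false;
  var libc = Process.getModuleByName('libsystem_kernel.dylib');

  Interceptor.attach(libc.getExportByName('open'), {
    onEnter: function (args) {
      var path = args[0].readUtf8String();
      send(makeEvent('file', 'open', { path: path, scope: classifyPath(path) }));
    }
  });

  Interceptor.attach(libc.getExportByName('connect'), {
    onEnter: function (args) {
      // connect(fd, sockaddr*, socklen_t): the first 8 bytes hold family, port, IPv4 address.
      var raw = new Uint8Array(args[1].readByteArray(8));
      var sa = parseSockaddrIn(raw);
      if (sa.addr !== null) {
        send(makeEvent('network', 'connect', { addr: sa.addr, port: sa.port }));
      }
    }
  });
  return true;
}

installHooks();
```

In a real deployment the host side (frida-python or frida-node) receives each send() payload and appends it to the per-run log that the decision engine reads; hooking only two libsystem_kernel exports keeps the example short, and XPC, IOKit and profile events would be captured the same way by attaching to the corresponding framework entry points.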
Decision Engine
The engine uses Nools, a JavaScript implementation of the Rete algorithm, to process continuous log streams and apply flexible rule sets for real‑time threat detection.
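The article does not show any of Meituan's rules, so the following is an added example, written here in plain JavaScript rather than with the Nools library, of what the rule layer does with a stream of sandbox events. It implements the three kinds of rule a decision engine typically needs: a single-event match (a file access outside the app's own container), a correlation between two events (a profile event followed by an outbound connection), and an aggregation over a time window (a burst of XPC calls), with alert deduplication and both streaming (assert) and batch (assertAll) entry points. Nools adds on top of this a Rete network that matches incrementally and a rule DSL; this example does not reproduce those. The event shape, rule names, thresholds, the profileInstall api label and the sample log are all constructed for the example.

```javascript
// Added example (not Meituan's code and not the Nools library): a small
// forward-chaining rule matcher over the log events a sandbox emits, showing a
// single-event rule, a two-event correlation rule and a windowed aggregation rule.
// Event shape, rule names, thresholds and the sample log are this example's own.

const XPC_BURST = 4;        // more than this many XPC calls ...
const XPC_WINDOW_MS = 500;  // ... within this window counts as a burst

const RULES = [
  {
    name: 'file-outside-container',
    severity: 'medium',
    // Single-event rule: fires once per path outside the app's own container.
    when: (facts, f) =>
      f.category === 'file' && f.details.scope === 'other'
        ? { key: f.details.path, evidence: [f] }
        : null,
  },
  {
    name: 'profile-then-network',
    severity: 'high',
    // Correlation rule: a configuration-profile event earlier in the session
    // followed by an outbound connection.
    when: (facts, f) => {
      if (f.category !== 'network') return null;
      const profile = facts.find((p) => p.category === 'profile' && p.ts <= f.ts);
      return profile
        ? { key: profile.api + '->' + f.details.addr, evidence: [profile, f] }
        : null;
    },
  },
  {
    name: 'xpc-burst',
    severity: 'low',
    // Aggregation rule: counts XPC calls in a sliding window; the key buckets
    // the alert by window so a sustained burst is reported once, not per call.
    when: (facts, f) => {
      if (f.category !== 'xpc') return null;
      const recent = facts.filter((x) => x.category === 'xpc' && f.ts - x.ts <= XPC_WINDOW_MS);
      return recent.length > XPC_BURST
        ? { key: 'burst@' + Math.floor(f.ts / XPC_WINDOW_MS), evidence: recent }
        : null;
    },
  },
];

// Working memory plus alert deduplication. assert() is the streaming path
// (rules are evaluated as each event arrives); assertAll() is the batch path.
function createEngine(rules) {
  const facts = [];
  const alerts = [];
  const fired = new Set();
  return {
    assert(fact) {
      facts.push(fact);
      for (const rule of rules) {
        const m = rule.when(facts, fact);
        if (!m) continue;
        const key = rule.name + ':' + m.key;
        if (fired.has(key)) continue;
        fired.add(key);
        alerts.push({ rule: rule.name, severity: rule.severity, evidence: m.evidence });
      }
      return alerts.length;
    },
    assertAll(list) { list.forEach((f) => this.assert(f)); return alerts.slice(); },
    alerts() { return alerts.slice(); },
  };
}

// Constructed sample log (not real sandbox output); timestamps in milliseconds.
const SAMPLE_LOG = [
  { ts: 1000, category: 'file', api: 'open',
    details: { path: '/var/mobile/Containers/Data/Application/APP-ID/Documents/cache.db', scope: 'container' } },
  { ts: 1200, category: 'file', api: 'open', details: { path: '/private/etc/hosts', scope: 'other' } },
  { ts: 1500, category: 'profile', api: 'profileInstall', details: {} },  // hypothetical api label
  { ts: 2000, category: 'network', api: 'connect', details: { addr: '192.0.2.10', port: 8443 } },
];
for (let i = 0; i < 6; i++) {  // six XPC calls 10 ms apart: one burst, reported once
  SAMPLE_LOG.push({ ts: 2100 + i * 10, category: 'xpc', api: 'xpc_connection_send_message',
                    details: { service: 'com.example.svc' } });
}

// Batch-mode evaluation of a whole run; returns the deduplicated alert list.
function analyze(log) {
  return createEngine(RULES).assertAll(log);
}

analyze(SAMPLE_LOG).forEach((a) => console.log(a.severity, a.rule, a.evidence.length + ' event(s)'));
```

Running it on the sample log yields three alerts (one per rule) even though six XPC events arrive, which is the deduplication behaviour you want when a rule is applied to a continuous stream rather than to a finished batch.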
Conclusion
The presented pipeline demonstrates that large‑scale, automated iOS malware hunting is feasible using low‑cost hardware, open‑source tools, and a rule‑based decision engine, laying the groundwork for future AI‑driven threat analysis.
Meituan Technology Team
Over 10,000 engineers powering China’s leading lifestyle services e‑commerce platform. Supporting hundreds of millions of consumers, millions of merchants across 2,000+ industries. This is the public channel for the tech teams behind Meituan, Dianping, Meituan Waimai, Meituan Select, and related services.