TrollInstall
TrollInstall is a shortcut app that lets you install IPA and TIPA files with SeaShell protection. SeaShell is open-source malware that can easily be injected into any IPA file installed through TrollStore. Downloading IPAs from untrusted sources can compromise your device. With TrollInstall, you can check whether SeaShell malware has been injected into an IPA before installing the app.
What is TrollInstall?
TrollInstall is a script for the Shortcuts app that checks IPA files for SeaShell malware. It automatically unzips the IPA file, then checks whether the "mussel" file is inside or searches all ".plist" files for the CFBundleBase64Hash key. This helps you automatically determine whether the IPA package was altered using the SeaShell script to take control of your iPhone.
When you install IPA files, especially popular paid packages for free from third-party sources, you may unknowingly install the SeaShell backdoor on your iPhone. This malware is easy to inject into IPA files for TrollStore and can give unauthorized access to your device, allowing intruders to remotely control the device, view text messages, photos, and more.
TrollStore does not offer any protection against malware and potentially malicious apps. However, MrDjBird released a simple yet effective TrollInstall shortcut that lets you check if the default version of SeaShell malware is present in the IPA. In my opinion, this is the best available solution to keep your iDevice from being compromised.
The latest version of TrollInstall includes rewritten OTA functionality, added beta-testing options, a menu when starting the shortcut manually, the ability to view the hacker's IP if the IPA contains malware, and an additional menu after IPA checking.
Detecting SeaShell malware
For added protection, I highly recommend using the TrollInstall Shortcut to check if the IPA is free of SeaShell malware. This is the minimum step you should take to ensure your device's safety before installing apps through TrollStore.
Most developers creating TrollStore apps are transparent about their work and release the source code on GitHub. However, when you download a compiled IPA from a third-party source, you have no guarantee that the IPA hasn't been modified, which increases the risk of malware infection. Downloading IPAs from trusted sources can keep you safe.
Future releases of TrollInstall may introduce exciting new features such as Shortcut settings, support for TrollStore URL Scheme, IPA sandboxing, and an option to disable SeaShell.
TrollInstall was published on GitHub as an open-source project. The developer also released a SeaShell test IPA file packed with malware for testing purposes.
SeaShell manual protection
I've created a guide to help you stay safe from attacks through SeaShell. Here are my tips for detecting SeaShell's presence in an IPA file. TrollInstall streamlines this process with a shortcut, making it quicker to identify whether an app may have been altered before installation.
- Unzip the IPA or TIPA file you want to install.
- Look out for suspicious executables in the app bundle. For example, SeaShell Framework might include an executable named "mussel," which is actually a Pwny payload.
- Check the Info.plist file for any suspicious entries. SeaShell might add a base64-encoded CFBundleBase64Hash entry containing a host pair (<host>:<port>).
- Verify the file's hash sum to ensure its integrity.
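The manual checks above can be scripted on a computer before the file ever reaches the device. The following Python sketch is an added example, not code from TrollInstall or its developer: it looks for a file named "mussel", searches every ".plist" for CFBundleBase64Hash and decodes the value, and reports a SHA-256 to compare against a hash published by the app's developer. The function names and the sample archive (with a documentation-range address) are constructed for illustration, and like TrollInstall it only catches the default SeaShell indicators.

```python
import base64, binascii, hashlib, io, plistlib, zipfile

def scan_ipa(data: bytes) -> dict:
    """Scan IPA/TIPA bytes for the two SeaShell indicators listed above."""
    report = {"sha256": hashlib.sha256(data).hexdigest(),  # compare with a trusted hash
              "mussel": [], "hash_keys": []}
    with zipfile.ZipFile(io.BytesIO(data)) as ipa:
        for name in ipa.namelist():
            if name.endswith("/"):          # directory entry, nothing to inspect
                continue
            base = name.rsplit("/", 1)[-1]
            if base == "mussel":            # executable name used by default SeaShell
                report["mussel"].append(name)
            if not base.lower().endswith(".plist"):
                continue
            try:
                plist = plistlib.loads(ipa.read(name))  # handles XML and binary plists
            except Exception:               # unparsable plist: skip it, keep scanning
                continue
            if not isinstance(plist, dict) or "CFBundleBase64Hash" not in plist:
                continue
            try:                            # value should decode to <host>:<port>
                decoded = base64.b64decode(plist["CFBundleBase64Hash"]).decode("utf-8", "replace")
            except (binascii.Error, ValueError, TypeError):
                decoded = None              # key present but not valid base64
            report["hash_keys"].append((name, decoded))
    report["suspicious"] = bool(report["mussel"] or report["hash_keys"])
    return report

def build_sample(infected: bool) -> bytes:
    """Constructed test archive (not a real app); 192.0.2.10 is a documentation address."""
    info = {"CFBundleIdentifier": "com.example.demo"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        if infected:
            info["CFBundleBase64Hash"] = base64.b64encode(b"192.0.2.10:8888").decode()
            z.writestr("Payload/Demo.app/mussel", b"\x00constructed placeholder")
        z.writestr("Payload/Demo.app/Info.plist", plistlib.dumps(info))
    return buf.getvalue()

if __name__ == "__main__":
    for label, infected in (("clean", False), ("modified", True)):
        print(label, scan_ipa(build_sample(infected)))
```

To scan a real download, pass the file's bytes, for example `scan_ipa(open("app.ipa", "rb").read())`. A clean result only means these two default markers are absent.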