A new surveillance app has been discovered by security researchers which targets iPhone users.
Mobile security firm Lookout found the malicious app and said its developer abused its Apple-issued enterprise certificates to bypass the App Store and infect victims.
As soon as the application is installed, it collects the victim’s contacts, photos, videos, real-time location, device recordings and any other private information, which can then be accessed remotely.
The security experts said this malicious app was spread via fake websites posing as mobile carriers in Turkmenistan and Italy. To make that possible, the operators of Exodus appear to have abused Apple’s Developer Enterprise Program, a provisioning mechanism which allows enterprises to distribute proprietary in-house iOS apps to employees without having to use Apple’s App Store.
An Android version of the same application had been discovered earlier. That Android app, named Exodus, was developed by the same Italian surveillance software maker, Connexxa, a known provider of surveillance tools to Italian authorities.
A 2018 Lookout blog post described a sophisticated Android surveillance agent that appears to have been created for the lawful intercept market. The agent appeared to have been under development for at least five years and consists of three stages.
First, a small dropper; then a second-stage payload that contains multiple binaries (where most of the surveillance functionality is implemented); and finally a third stage which typically uses the DirtyCOW exploit (CVE-2016-5195) to obtain root. Security Without Borders recently published an analysis of this family.
It had the ability to root Android devices and possessed an advanced set of spying features that gave attackers full control of infected devices. The apps themselves pretend to be carrier assistance apps which instruct users to “keep the application installed on their device and stay under Wi-Fi coverage to be contacted by one of our operators”.
The different versions of the app vary in structure, but in each the malicious code was initialized at application launch without the user’s knowledge, and a number of timers were set up to gather and upload data periodically.
The uploaded data was queued and transferred via HTTP PUT requests to an endpoint on the C2 server. The iOS apps leverage the same C2 infrastructure as the Android version and use similar communication protocols. Push notifications are also used to control audio recordings.
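The timer-driven HTTP PUT uploads described above leave a regular beaconing pattern in proxy or gateway logs. The following is an added detection example, not code from Lookout or from the Exodus analysis: it flags clients whose PUT requests to one host recur at a near-constant interval. The log format, IP addresses and hostnames are constructed for illustration.

```python
"""Flag periodic HTTP PUT uploads (constructed example, not the original report's code)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines: "<ISO time> <client> <method> <url> <bytes>".
# 10.0.0.5 uploads to one host every ~5 minutes; 10.0.0.9 uploads irregularly.
SAMPLE_LOGS = """\
2019-04-01T10:00:00 10.0.0.5 PUT https://c2.example.invalid/upload 48213
2019-04-01T10:00:07 10.0.0.5 GET https://news.example.invalid/ 1204
2019-04-01T10:05:01 10.0.0.5 PUT https://c2.example.invalid/upload 51880
2019-04-01T10:10:00 10.0.0.5 PUT https://c2.example.invalid/upload 47722
2019-04-01T10:15:02 10.0.0.5 PUT https://c2.example.invalid/upload 50015
2019-04-01T10:01:00 10.0.0.9 PUT https://files.example.invalid/doc 120
2019-04-01T10:47:00 10.0.0.9 PUT https://files.example.invalid/doc 2400
2019-04-01T11:03:00 10.0.0.9 PUT https://files.example.invalid/doc 900
2019-04-01T11:10:00 10.0.0.9 PUT https://files.example.invalid/doc 640
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse_puts(text):
    """Return {(client, host): [timestamps]} for PUT requests only."""
    puts = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) != "PUT":
            continue
        ts = datetime.fromisoformat(m.group(1))
        host = m.group(4).split("/")[2]  # scheme://host/path -> host
        puts[(m.group(2), host)].append(ts)
    return puts


def find_periodic_uploads(text, min_requests=4, max_jitter=0.1):
    """Report (client, host, mean_gap_seconds) where every inter-arrival
    gap between PUTs lies within max_jitter (fraction) of the mean gap."""
    findings = []
    for (client, host), stamps in parse_puts(text).items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        if all(abs(g - mean) <= max_jitter * mean for g in gaps):
            findings.append((client, host, round(mean)))
    return findings
```

Real uploads from legitimate sync clients also beacon on a schedule, so a hit is a lead for reviewing the destination host and the requesting app, not a verdict on its own.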
At the Kaspersky security summit in Singapore, Lookout security experts will give a presentation on the malicious iOS app known as Exodus.