The recent Exodus spyware that was found in 25 apps from the Google Play Store was originally thought of as another example of Android’s compromised system. However, the malicious apps have now also been ported to Apple’s iOS platform.
For the most part, iOS is considered more secure than Android because it is a closed system. Google’s market leading OS is open source and more vulnerable. Attackers are increasingly using apps as a way to load malware onto devices and it sees Apple’s platform is just as vulnerable as Android.
Exodus is a surveillance package that can access audio recordings, track location data, take contact information, and steal photos from an infected smartphone. When the attack was discovered on Android, Google acted and removed numerous infected applications from the Play Store.
Lookout and Security Without Borders report Exodus has now been found on iOS apps. While Apple’s App Store would weed out such offending apps, it seems attackers were loading malware onto apps available outside the App Store.
This is possible by creating phishing websites that trick users into believing they are legit portals from mobile carriers in Italy and Turkmenistan. By doing this, the websites circumnavigated Apple’s Developer Enterprise program.
“Several technical details indicated that the software was likely the product of a well-funded development effort and aimed at the lawful intercept market,” Lookout researchers told Threatpost ahead of a presentation at the Security Analyst Summit (SAS) 2019. “These included the use of certificate-pinning and public key encryption for command-and-control (C2) communications, geo-restrictions imposed by the C2 when delivering the second stage, and the comprehensive and well-implemented suite of surveillance features.”
Clever phishing websites were able mimic Italian telecom network Wind Tre SpA and Turkmenistan state operator TMCell. Getting applications on iOS apps on the App Store is normally very hard to do (without a jailbreak) if they are infected. However, the hackers were able to use the fake websites to bypass Apple’s checks and gain legitimate certificates.
“The Apple Developer Enterprise program is intended to allow organizations to distribute proprietary, inhouse apps to their employees without needing to use the iOS App Store,” Lookout researchers add. “A business can obtain access to this program only provided they meet requirements set out by Apple. It is not common to use this program to distribute malware, although there have been past cases where malware authors have done so.”
The apps were able to link with the supposedly legitimate phishing websites and provide help to the carriers. Users thought they had a link to their carrier through the app but were really interacting with the Exodus malware.
To ensure users continued to fall for the ruse, the apps said they should “keep the app installed on your device and stay under WiFi coverage to be contacted by one of our operators.”