A dangerous targeted mobile malware campaign has been identified by security researchers, which is believed to have been active since August 2015. Researchers claim that the malware is discovered to be spying on 13 specific iPhones in India, which hints at the fact that this is a highly targeted campaign.
The attackers behind this campaign are also operating from India but using a Russian email address. The primary objective behind the launching of this new campaign is to steal data from the devices.
According to the findings of Cisco’s Talos security division, attackers are abusing MDM (mobile device management) protocol. MDM protocol is basically a kind of security software that is commonly used by large-scale enterprises for controlling and enforcing policies on mobile devices.
In the campaign, the MDM protocol is remotely deploying and controlling malicious applications. Apple explains that MDM protocol “uses the Apple Push Notification Service (APNS) to deliver a wake-up message to a managed device. The device then connects to a predetermined web service to retrieve commands and return results.”
It is worth noting that for enrolling an iOS device into the MDM protocol, a user has to manually install enterprise development certificate, which is obtained by enterprises via the Apple Developer Enterprise Program and the configuration file of the protocol is delivered via email or webpage using Apple Configurator.
The attacker(s) enrolled the iPhones with two open source iOS MDM servers to gain full control of the device and once this was done, a dynamic link library was injected to commonly used apps like WhatsApp and Telegram on the Apple mobiles. This was made possible by using BOptions sideloading technique due to which the injection library could get additional permissions, steal data and execute code from the authentic application apart from other functions.
The attacker(s) have deployed five malicious applications to test the device’s functionality, steal SMS messages contents, send out device location information and exfiltrate data. As of now, security researchers aren’t sure how the devices were enrolled onto the MDM server. Considering that every step of the enrollment procedure involves user interaction, like installation of certificate authority on the iPhone, it isn’t yet clear how attackers enrolled 13 specific iPhones into their MDM server.
It is, however, speculated that enrollment could have been ensuring by gaining physical device access but researchers also assume that it social engineering might also have helped attackers.
Talos researchers warn that installing unverified provenance certificates can be extremely dangerous for iPhone users because when a certificate is installed outside of the trusted certificate chain of Apple iOS, the device becomes exposed to third-party attacks like this one. Moreover, the MDM certificate is equal to letting someone obtain administrator-level access to the device.
Apple has been notified about the campaign by Talos researchers, and the iPhone maker has annulled the five digital certificates that the attacker has been using.
Image credit: Depositphotos