The latest findings of security researchers at security firm Lookout and privacy firm Security Without Borders are not only groundbreaking but concerning. Reportedly, there is now an iOS version of a dangerous strain of Android malware, which is based on the ‘lawful intercept’ software sold and used by governments and law enforcement authorities.
Researchers have dubbed this malware as Exodus and its installer package is hidden inside the APKs of phishing websites and Play Store applications. The phishing websites are mainly those of Italian and Turkmenistani mobile carriers.
The malware is developed by Connexxa, an Italian app developer who provides surveillance tools and software to Italian security agencies. Adam Bauer from Lookout Security, who discovered the iOS variant, stated in a recent post that:
“Analysis of these Android samples led to the discovery of infrastructure that contained several samples of an iOS port.”
Ironically, this is the software that governments and law enforcement authorities across the globe use quite frequently. The Android spyware strain was identified earlier in 2019 on the Google Play Store. It is worth noting that the infected app has to be installed manually by the user and it is not possible to get your device infected with Exodus through random browsing. Perhaps, this is exactly what the malware developer wants it to do.
Another alarming fact is that Exodus is quite a sophisticated malware that comes with a dropper to obtain key data about the device including the phone number and IMEI number. The information is then transferred to a C&C server. Once this is done, the malware launches its second phase of infection in which various binary packages are activated to track the device.
There is a third stage of infection as well in which DirtyCOW, a Linux exploit, is launched to acquire root access and steal all the data stored on the phone including passwords, chat logs, and contacts information. At the same time, malware can obtain audio and video recordings.
Since Google updated DirtyCow back in 2016 all those devices that have been recently updated are safe from the third stage at least and the maximum damage Exodus can cause to updated phones is stealing data from other installed applications.
According to Lookout, the iOS variant is not as sophisticated as the Android version, and the iOS version hasn’t yet made an appearance on the official Apple App Store. The Android variant was discovered by Security Without Borders researchers on the Play Store while it was targeting local Italian ISP users.
Researchers state that the spyware is equipped with advanced spying capabilities and can help the attacker gain full control of the device. Furthermore, researchers revealed that there are roughly 25 different applications infected with Exodus that have been uploaded on the official Play Store within the past two years.
Finding the iOS variant was quite a challenge for the researchers since it is distributed sneakily, but Lookout security firm’s researchers managed to identify it. The infected apps are disguised as mobile carrier assistant apps but these are capable of extracting all sorts of information including photos and GPS location.
However, the good news is that the number of affected devices is quite low as of now, roughly in the hundreds or thousands so far. Considering that it is a targeted campaign, therefore, the main objective of the attackers can be to spy on certain users or just cause chaos among Android and iOS users.