Apple App Store Security Bypassed By Government iOS Surveillance Malware -- What You Need To Know


An apparently well-funded surveillance malware operation, thought to be aimed at the 'lawful-intercept' market, has succeeded in circumventing Apple security measures in order to infect iPhones, according to researchers. In a presentation at the Kaspersky Security Analyst Summit on Wednesday, researchers from Lookout will detail how the Exodus surveillanceware agent abused the Apple Developer Enterprise program to circumvent the Apple App Store.

The story starts early last year, when researchers from Lookout discovered that the Exodus surveillance operation, thought to have been under development for at least five years, had managed to bypass security at the Google Play Store, where infected Android apps were available for download. The use of certificate pinning and public-key encryption for command-and-control (C2) communications, the geo-restrictions imposed when delivering the second stage of the malware, and what Lookout calls a "comprehensive and well implemented suite of surveillance features" together suggest that government agencies were likely behind the operation.

Those apps were removed from the Google Play Store at the time of the deployment, in the latter half of 2018, thanks to cooperation between Lookout and Google. Now it appears that a slightly less sophisticated version of the surveillance malware has managed to infect iPhone users by way of iOS apps distributed outside the official Apple App Store. Jake Moore, a cyber security specialist at ESET, notes that while it is "rare for hackers to break into Apple's locked down ecosystem", it's a myth that Apple devices are impenetrable. "This just goes to show that it is worth staying vigilant however secure you think your device is," Moore concludes.

Analysis of those earlier Android samples "led to the discovery of infrastructure that contained several samples of an iOS port," according to Adam Bauer, a senior staff security intelligence engineer at Lookout. By abusing the Apple Developer Enterprise program, the App Store can be circumvented and users conned into installing the malware. Phishing sites imitating Italian and Turkmenistan mobile carriers appear to have been the primary distribution route.

The Apple Developer Enterprise program itself allows organizations to distribute in-house apps to their employees without needing iOS App Store access. "It is not common to use this program to distribute malware," Adam Bauer says, "although there have been past cases where malware authors have done so." While the iOS version is not as sophisticated as the Android one, Bauer confirms that audio recordings, photos, videos, GPS location and contacts could be exfiltrated from iOS devices, and that remote audio recording could be activated as well.
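Enterprise-distributed apps carry an in-house provisioning profile rather than App Store signing, and that profile is what an analyst or MDM administrator can inspect. The triage helper below is an added example written for this article (it is not code from Lookout, Apple or the author): it pulls the plist out of an app's embedded.mobileprovision and flags enterprise-distribution profiles. The CMS envelope bytes, team name and team identifier in the sample are constructed; the plist keys ProvisionsAllDevices, TeamName, TeamIdentifier and ExpirationDate are the standard profile keys.

```python
import plistlib
from datetime import datetime

REFERENCE_TIME = datetime(2019, 4, 10)  # constructed "now" for the sample run

def extract_plist(profile_bytes: bytes) -> dict:
    """A .mobileprovision is a CMS (PKCS#7) SignedData blob wrapping an XML plist.
    For triage we cut the plist out by its markers instead of verifying the CMS
    signature, which would need Apple's CA chain and an ASN.1 parser."""
    start = profile_bytes.find(b"<?xml")
    end = profile_bytes.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist payload found in profile")
    return plistlib.loads(profile_bytes[start:end + len(b"</plist>")])

def classify_profile(profile: dict, now: datetime) -> dict:
    """ProvisionsAllDevices=True marks an Apple Developer Enterprise (in-house)
    profile: the app may run on any device, with no App Store review involved.
    Revoking the signing certificate, as Apple did here, does not change the
    profile bytes, so a revoked but unexpired profile still reads as valid."""
    enterprise = bool(profile.get("ProvisionsAllDevices", False))
    expires = profile.get("ExpirationDate")  # plistlib gives a naive UTC datetime
    expired = expires is not None and expires < now
    return {
        "team": profile.get("TeamName", "unknown"),
        "team_ids": list(profile.get("TeamIdentifier", [])),
        "enterprise_distribution": enterprise,
        "expired": expired,
        # an unexpired enterprise profile on a device outside that team's own
        # organisation is the pattern in the article and is worth a closer look
        "needs_review": enterprise and not expired,
    }

# Constructed sample: fake CMS envelope bytes around a real XML plist, standing
# in for the embedded.mobileprovision found inside an IPA's Payload/*.app/.
SAMPLE_PROFILE = (
    b"\x30\x82\x01\x00\x06\x09*\x86H\x86\xf7\r\x01\x07\x02"
    + plistlib.dumps({
        "Name": "In-House Distribution (constructed)",
        "TeamName": "Example Corp (constructed)",
        "TeamIdentifier": ["EXAMPLE123"],
        "ProvisionsAllDevices": True,
        "ExpirationDate": datetime(2020, 1, 1),
        "Entitlements": {"application-identifier": "EXAMPLE123.com.example.app"},
    }, fmt=plistlib.FMT_XML)
    + b"\x31\x82\x00\x10signature-bytes-go-here"
)

if __name__ == "__main__":
    print(classify_profile(extract_plist(SAMPLE_PROFILE), REFERENCE_TIME))
```

On a real device the same check belongs in MDM inventory: any app whose profile has ProvisionsAllDevices set and whose team is not your own organisation is the case this article describes.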

Ian Thornton-Trump, head of cybersecurity at AmTrust Europe, suggests that this could well be the reason that Apple has now instituted mandatory two-factor authentication (2FA) for members of the Apple Developer community. "With the recent news that a 'Cyber Mercenary Team' of ex-NSA folks was actively implanting iPhones with surveillance malware on behalf of an opposing middle eastern state," Trump says, "the issue of iPhone security is once again under public scrutiny." He warns that if you bypass the Apple ecosystem, then any consequences are on you. "It's important to understand that what apps you install on your iPhone is almost as important as the physical security of your iPhone," Trump adds. "A risk-based approach is always the right choice here, with the cardinal rule of less apps = less opportunities for malware."

Meanwhile, Bauer concludes that "Lookout has shared information about this family with Apple, and they have revoked the affected certificates. No new instances of this app can be installed on iOS devices and existing installations can no longer be run."
