Hacking campaign targets iPhone users with data-stealing, location-tracking malware

Campaign delivers fake versions of WhatsApp and Telegram to victims - and those behind it have tried to make it look like a Russian attack when it isn't.
Written by Danny Palmer, Senior Writer

A sophisticated mobile malware campaign is gaining access to iPhones by tricking users to download an open-source mobile device management (MDM) software package.

Once in control, the unidentified hackers can steal various forms of sensitive information from infected devices, including the phone number, serial number, location, contact details, user's photos, SMS, and Telegram and WhatsApp chat messages.

Thirteen users -- all in India -- have been compromised in the attacks, which have been detailed by Cisco Talos. Those infected use a range of iPhone models and are running iOS versions ranging from 10.2.1 to 11.2.6. The campaign has been active since August 2015.

The attackers take control by using the MDM package, which can give attackers complete control of the device and the ability to install fake versions of real apps.

The security company's researchers are unsure how attackers gained the extensive permissions required to operate the software on the affected iPhones, but suggest that extensive social engineering is used in order to trick users.


This is especially likely given that the MDM enrollment process involves multiple steps and requires the user to allow additional certificates to be installed on the device, which the researchers describe as equivalent to granting administrator access to the device and the data on it.
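To make that enrollment step concrete, here is an added defender-side example (not code from the article or from Talos): it parses a constructed, unsigned iOS configuration profile (.mobileconfig, which is an XML plist) and reports what accepting it would grant. The profile, the server URL and the list of high-impact payload types are assumptions for illustration; the AccessRights bit used is Apple's "allow app management" flag.

```python
import plistlib

# Constructed sample .mobileconfig, not a profile from the reported campaign.
# It pairs an MDM enrollment payload with a root CA payload; all values are
# placeholders.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.enroll</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>ServerURL</key><string>https://mdm.example.invalid/enroll</string>
      <key>AccessRights</key><integer>8191</integer>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadContent</key><data>AAAA</data>
    </dict>
  </array>
</dict></plist>
"""

# Payload types that hand the profile's author far-reaching control once
# accepted. This is an assumed reviewer's list, not an Apple-defined set.
HIGH_IMPACT = {
    "com.apple.mdm": "MDM enrollment: remote management by ServerURL",
    "com.apple.security.root": "installs a trusted root CA certificate",
    "com.apple.security.pkcs12": "installs an identity (private key + cert)",
}
APP_MANAGEMENT_RIGHT = 4096  # MDM AccessRights bit: allow app management

def audit_profile(raw: bytes) -> dict:
    """Parse an XML .mobileconfig and summarise what accepting it grants."""
    # A signed profile is a DER/CMS blob, not bare XML; treat XML as unsigned.
    unsigned = raw.lstrip().startswith(b"<?xml")
    profile = plistlib.loads(raw)
    types, findings = [], []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        types.append(ptype)
        if ptype in HIGH_IMPACT:
            findings.append(f"{ptype}: {HIGH_IMPACT[ptype]}")
        if ptype == "com.apple.mdm":
            rights = int(payload.get("AccessRights", 0))
            if rights & APP_MANAGEMENT_RIGHT:
                findings.append(f"MDM server {payload.get('ServerURL')} "
                                "may install and remove apps")
    # Enrollment combined with a new root of trust is the dangerous pairing.
    severe = "com.apple.mdm" in types and "com.apple.security.root" in types
    return {"unsigned": unsigned, "payload_types": types,
            "findings": findings, "severe": severe}

if __name__ == "__main__":
    for line in audit_profile(SAMPLE_PROFILE)["findings"]:
        print(line)
```

Run against a real profile, the same check tells a user or help desk what a "please enroll your phone" request actually asks for before it is accepted.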

Two different MDM services are used in the campaign, enabling system-level control of multiple devices from one location and the ability to install, remove and exfiltrate data from apps.

One method of stealing data comes via malicious versions of messaging services like Telegram and WhatsApp being pushed onto the compromised device via fake updates. The apps look legitimate to the user, but malicious code sends information -- including messages, photos and contacts -- to a central command and control server.

Deploying these apps requires a side-loading injection technique, which allows for the ability to ask for additional permissions, execute code and steal information from the original application.

Information left behind by the attackers includes a certificate, issued in September 2017, that contains a Russian email address. However, researchers say this was inserted deliberately in an effort to divert attention away from the real attackers.

"We assume this is a false flag to point researchers toward the idea of a 'classical Russian hacker'. False flags are becoming more common in malware, both sophisticated and simple. It's an attempt to muddy the waters for the analysts/researchers to direct blame elsewhere," wrote researchers.

Analysis of the campaign suggests that in one instance the attackers used their own personal phone to test the MDM, as the device names include "Test" and "mdmdev".

Both of these devices share the same phone number and are registered on Vodafone India, leading researchers to "assess with high confidence" that the author of the campaign is based out of India.


No information about the victims has been revealed, aside from the fact that they are all based in India. The low number of infected targets played a big role in how this campaign was able to remain under the radar for so long.

Talos said Apple had already actioned three certificates associated with the actor by the time they reached out and the two organisations have worked together to counter the threat. ZDNet contacted Apple, but hadn't received a reply at the time of writing.

While the campaign is highly targeted, it serves as a useful reminder to users that they need to be mindful which apps they provide permissions and access to on their smartphones.

"The likely use of social engineering to recruit devices serves as a reminder that users need to be wary of clicking on unsolicited links and verify identities and legitimacy of requests to access devices," said researchers.
