iOS spyware steals texts, photos, contacts, switches on voice recorder

Researchers say they have identified malware which aims to steal data from iOS devices as part of a targeted attack.
Written by Steve Ranger, Global News Director

Security researchers have identified spyware specifically designed to conduct espionage against users of iOS devices.

The researchers at security company Trend Micro said they found the spyware as part of their investigation into an active cyber-espionage operation aimed at the military, governments, and defence industries - a campaign whose other tools include phishing emails and websites and malicious iframes injected into legitimate websites.

"While spyware targeting Apple users is highly notable by itself, this particular spyware is also involved in a targeted attack," the researchers said in their analysis.

The goal of the malware is to steal personal data, record audio, make screenshots, and send them to a remote command-and-control server which the researchers said was still operational earlier this week.

One installed on iOS 7, the spyware - dubbed XAgent - hides its icon and runs in the background immediately. When the researchers tried to terminate it by killing the process, it would restart almost immediately.

Trend Micro noted that installing the malware on an iOS 8 device yields different results: the icon is not hidden and it also cannot restart automatically. This suggests that the malware was designed prior to the release of iOS 8 last September.

Trend Micro said the malware can:

  • Collect text messages
  • Get contact lists
  • Get pictures
  • Collect geo-location data
  • Start voice recording
  • Get a list of installed apps
  • Get a list of processes
  • Get the wi-fi status

The researchers note that the code structure of the malware is very organised, adding: "The malware looks carefully maintained and consistently updated." A variant of the spyware is focused on recording audio but can only be installed on jailbroken devices.

Trend Micro said the method of installing the XAgent malware is unknown, but warned that the iOS device doesn't have to be jailbroken. "We have seen one instance wherein a lure involving XAgent simply says 'Tap Here to Install the Application'," the researchers said, adding the app uses Apple's ad hoc provisioning, which is a standard distribution method for iOS App developers.

Trend Micro said there may be other methods of infection that are used to install this particular malware. One possible scenario is infecting an iPhone after connecting it to a compromised or infected Windows laptop via a USB cable.

Apple had not responded to a request for comment at the time of publication.

Editorial standards