July 16, 2018
Security researchers at Cisco's Talos division have identified yet another malware campaign targeting mobile devices in India. According to their report, the campaign has been active for nearly three years and was found to be spying on 13 specific iPhones belonging to Indian users.
A three-year-old malware campaign detected
Cisco Talos researchers have discovered a targeted malware campaign aimed at 13 iPhones owned by Indian users. The campaign has been active since August 2015, and the individuals responsible for it are believed to also be located in India.
However, the researchers noted that the attackers used an email address connected to Russia. So far, the main goal of the campaign, as reported by the researchers, appears to be data theft from the targeted devices.
The researchers found that the campaign works by abusing the mobile device management (MDM) protocol. MDM is a management mechanism usually employed by large organizations to enforce policies on the smartphones they manage. In this campaign, MDM was used to deploy and control malware-laced apps.
According to Apple, the MDM protocol delivers wake-up messages through APNS (Apple Push Notification Service). The device then connects to a predetermined web service and retrieves its commands.
Notably, a device can only be enrolled into MDM by manually installing an enterprise development certificate, which only organizations enrolled in the Apple Developer Enterprise Program (ADEP) can obtain. The enrollment is delivered through a web page or an email, using Apple Configurator.
According to the researchers, the attackers enrolled these specific iPhones using two open-source iOS MDM servers, which gave them full control of the devices. They then injected a dynamic library into some of the most popular apps, such as Telegram and WhatsApp.
To do this, the attackers used a sideloading technique called BOptions, which gave them additional permissions on the device. By abusing these permissions, they were able to execute code from within those apps and to steal data from the devices.
How was it done?
At this point, the attackers were free to deploy any malicious app, and they chose to deploy five of them to test the functionality of the device. They also stole the contents of SMS messages, exfiltrated data, and sent out the devices' location information. The researchers are still trying to determine whether the devices in question are enrolled on one of the MDM servers.
The biggest mystery of the campaign is how the attackers managed to enroll up to 13 of these iPhones into the MDM server, since each step of the enrollment procedure requires some form of user interaction.
One proposed explanation is that the attackers had physical access to the devices; another is social engineering. For now, Talos researchers are warning users not to install certificates of unverified provenance, as doing so may put both the users and their devices at risk.
They noted that allowing a phone to be enrolled into an MDM server is essentially equivalent to giving someone administrator-level access to the entire device. After making this discovery, the researchers promptly notified Apple, which then revoked the five digital certificates used by the attackers.
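Talos' advice comes down to not installing an enrollment profile or certificate you cannot verify. As an added illustration that is not part of the article or of Talos' research, the Python script below parses an iOS enrollment profile (a .mobileconfig property list) and summarizes what installing it would set up: the MDM payload's server and check-in URLs, its APNS topic, its AccessRights value, and whether the profile also bundles a root CA or a client identity. The sample profile, its URLs and its topic are constructed placeholders.

```python
import plistlib

# Constructed sample: a minimal iOS MDM enrollment profile (.mobileconfig) of the kind
# a user is asked to install. All values here are placeholders, not from a real campaign.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>ServerURL</key><string>https://mdm.example.invalid/mdm</string>
      <key>CheckInURL</key><string>https://mdm.example.invalid/checkin</string>
      <key>Topic</key><string>com.apple.mgmt.External.placeholder</string>
      <key>AccessRights</key><integer>8191</integer>
    </dict>
    <dict><key>PayloadType</key><string>com.apple.security.root</string></dict>
  </array>
</dict></plist>"""

def inspect_profile(data):
    """Parse a .mobileconfig and report what enrolling with it would set up."""
    profile = plistlib.loads(data)
    report = {"mdm": [], "root_ca": False, "identity_cert": False}
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype == "com.apple.mdm":
            report["mdm"].append({
                "server_url": payload.get("ServerURL"),   # command endpoint after APNS wake-up
                "checkin_url": payload.get("CheckInURL"),
                "topic": payload.get("Topic"),            # APNS topic the server pushes to
                # bitmask of management rights the server claims; non-zero means it can
                # query and manage the device once enrolled
                "access_rights": int(payload.get("AccessRights", 0)),
            })
        elif ptype == "com.apple.security.root":
            report["root_ca"] = True        # profile also installs a trusted root CA
        elif ptype == "com.apple.security.pkcs12":
            report["identity_cert"] = True  # profile carries a client identity
    return report

def warnings_for(report):
    """Plain statements a user can weigh before tapping Install."""
    out = []
    for mdm in report["mdm"]:
        url = mdm["server_url"] or ""
        out.append(f"device will be managed by {url} (rights mask {mdm['access_rights']})")
        if not url.startswith("https://"):
            out.append("MDM server URL is not HTTPS")
    if report["root_ca"]:
        out.append("profile installs an additional trusted root certificate")
    return out
```

Run `warnings_for(inspect_profile(open("profile.mobileconfig", "rb").read()))` on a real profile; a signed profile must be unwrapped from its CMS envelope first, which this script does not do.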