Posted on
July 16, 2018 at
2:44 PM

The researchers from Cisco’s Talos division have identified yet another campaign that targets mobile devices in . According to reports, the campaign has been active for nearly three years and is found to be spying to 13 very specific belonging to users.

A three-year-old malware campaign detected

According to the new discovery made by Cisco’s Talos security division’s researchers, a targeted malware campaign aimed at 13 iPhones owned by Indian users has been discovered. The campaign has been active since August 2015, and the individuals responsible for the campaign are believed to also be located in India.

However, researchers noted that the attackers are using an email address connected to Russia. So far, the main goal of the campaign, as reported by researchers, seems to be theft from targeted devices.

Researchers have found that the campaign works by abusing mobile device management, or MDM, protocol. This protocol is a security of sorts, and it is usually employed by large corporations that wish to enforce policies on various smartphones. As part of the campaign, this MDM protocol is used for deploying and controlling malware-infected apps.

According to Apple, the MDM protocol is delivering wake-up messages by using APNS (Apple Push Notification Service). After that, the device connects to a web service (which is predetermined) and retrieves various commands.

An interesting thing regarding the MDM protocol is that the device can only be enrolled into it via the manual installation of the enterprise development certificate. This can only be obtained by firms through ADEP (Apple Developer Enterprise Program). Additionally, the protocol is being delivered through a webpage or an email that is using Apple Configurator.

According to researchers, the attackers managed to enroll these specific iPhones via the use of two iOS MDM servers, which are both open source. That way, they were capable of taking full control of the devices. After that, they injected a dynamic link library to some of the most popular apps, like Telegram or WhatsApp.

To do this, the attackers used the sideloading technique called BOptions, which allowed them to get additional permissions on the device. Through abuse of these permissions, they were able to execute codes from different apps and to steal data from the devices.

How was it done?

At this point, hackers were free to deploy various malicious apps, and they decided to deploy five of them in order to test the functionality of the device. Additionally, they stole the content of SMS messages, exfiltrated data, and even sent out the location info of the devices. Currently, the researchers are still trying to determine whether or not the devices in question are enrolled onto one of the MDM servers.

The biggest mystery regarding the campaign is how the attackers managed to enroll up to 13 of these iPhones into the MDM server. This is unclear since each step of the procedure requires various forms of user interaction.

One proposed solution includes the possibility of hackers getting their hands on the physical devices. Another assumption includes the possibility of social engineering. For now, Talos researchers are warning users not to install unverified provenance certificates. Doing so may put the users, as well as their devices, in danger.

They stated that allowing the phones to be enrolled into an MDM server is basically equal to giving someone admin-level access to the entire device. After making this discovery, the researchers were quick to notify Apple of the incident. The company has then annulled the five digital certificates used by the attackers.


Indian iPhones Beware - There is a New Malware in Town  - wAAACwAAAAAAQABAEACAkQBADs  - Indian iPhones Beware – There is a New Malware in Town

Article Name

Indian iPhones – There is a New Malware in Town


The security researchers from Cisco’s Talos security division have identified yet another malware campaign that targets mobile devices in India. According to reports, the campaign has been active for nearly three years and is found to be spying to 13 very specific iPhones belonging to Indian users.


Ali Raza

Publisher Name


Publisher Logo

Source link


Please enter your comment!
Please enter your name here