Security researchers have found an iOS version of Exodus, the Android spyware that was recently caught targeting Android devices through apps on the official Google Play Store.
The iOS variant was discovered by researchers at Lookout while they were analysing Android samples of Exodus that they had found last year.
The iOS version of Exodus was distributed outside of the official App Store, mainly through phishing websites that imitate Italian and Turkmenistani mobile carriers.
Apple does not allow apps to be installed from outside its official App Store, so the iOS version of Exodus abuses the Apple Developer Enterprise Program, which lets enterprises distribute their own in-house apps directly to their employees without going through the App Store.
According to Lookout's blog post, each phishing site linked to a distribution manifest containing metadata such as the application name, version and icon, plus a URL for the IPA file. All of the packages used provisioning profiles with distribution certificates associated with the company Connexxa S.R.L.
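The manifest and the provisioning profile described above are the two artefacts a responder actually gets hold of when triaging a sideloaded app, so here is an added example (not code from the original article or from Lookout) that parses a constructed itms-services manifest to pull out the IPA URL and metadata, then carves the provisioning profile out of a constructed IPA and reports who signed it and whether it is an enterprise (in-house) profile. All hostnames, bundle identifiers, team names and dates in it are placeholders; the IPA is built in memory with dummy bytes standing in for the CMS framing of a real embedded.mobileprovision.

```python
import io
import plistlib
import re
import zipfile
from datetime import datetime, timezone

# Constructed itms-services distribution manifest, shaped like the ones the
# phishing pages linked to. Host, bundle ID and title are placeholders.
MANIFEST_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>items</key><array><dict>
    <key>assets</key><array>
      <dict><key>kind</key><string>software-package</string>
            <key>url</key><string>https://carrier-assistance.example/app.ipa</string></dict>
      <dict><key>kind</key><string>display-image</string>
            <key>url</key><string>https://carrier-assistance.example/icon.png</string></dict>
    </array>
    <key>metadata</key><dict>
      <key>bundle-identifier</key><string>com.example.carrier.assistance</string>
      <key>bundle-version</key><string>1.0.2</string>
      <key>kind</key><string>software</string>
      <key>title</key><string>Assistenza</string>
    </dict>
  </dict></array>
</dict></plist>"""

# Constructed provisioning-profile plist, i.e. the signed payload of a real
# embedded.mobileprovision. ProvisionsAllDevices=true is what an enterprise
# (in-house) profile carries; ad hoc profiles list ProvisionedDevices instead.
PROFILE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>AppIDName</key><string>Assistenza</string>
  <key>CreationDate</key><date>2019-01-15T10:00:00Z</date>
  <key>ExpirationDate</key><date>2020-01-15T10:00:00Z</date>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>ABCDE12345.com.example.carrier.assistance</string>
    <key>get-task-allow</key><false/>
  </dict>
  <key>Name</key><string>Example In-House Distribution</string>
  <key>ProvisionsAllDevices</key><true/>
  <key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
  <key>TeamName</key><string>Example Company S.R.L.</string>
</dict></plist>"""


def parse_manifest(manifest_bytes):
    """Return (title, bundle_id, version, ipa_url) from an itms-services manifest."""
    item = plistlib.loads(manifest_bytes)["items"][0]
    meta = item["metadata"]
    ipa_url = next(a["url"] for a in item["assets"] if a["kind"] == "software-package")
    return meta["title"], meta["bundle-identifier"], meta["bundle-version"], ipa_url


def build_sample_ipa(profile_xml):
    """Constructed minimal IPA: a zip holding Payload/<App>.app/embedded.mobileprovision.
    The dummy leading/trailing bytes stand in for the CMS framing of a real profile."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Assistenza.app/Info.plist", '<plist version="1.0"><dict/></plist>')
        z.writestr("Payload/Assistenza.app/embedded.mobileprovision",
                   b"\x30\x82\x0a\x00" + profile_xml + b"\x00\x00")
    return buf.getvalue()


def extract_profile(ipa_bytes):
    """Carve the XML plist out of embedded.mobileprovision. A real profile is a
    CMS (PKCS#7) blob; this takes the plist between its markers and does NOT
    verify the CMS signature, so treat the fields as claims, not proof."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        name = next(n for n in z.namelist() if n.endswith(".app/embedded.mobileprovision"))
        blob = z.read(name)
    m = re.search(rb"<\?xml.*?</plist>", blob, re.S)
    if not m:
        raise ValueError("no plist found in embedded.mobileprovision")
    return plistlib.loads(m.group(0))


def triage_ipa(ipa_bytes, now=None):
    """Summarise who signed a sideloaded IPA and how it was provisioned."""
    profile = extract_profile(ipa_bytes)
    # plistlib returns naive UTC datetimes, so compare against a naive UTC 'now'.
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    ent = profile.get("Entitlements", {})
    app_id = ent.get("application-identifier", "")
    return {
        "bundle_id": app_id.split(".", 1)[1] if "." in app_id else app_id,
        "team_name": profile.get("TeamName"),
        "team_id": (profile.get("TeamIdentifier") or [None])[0],
        "enterprise_profile": bool(profile.get("ProvisionsAllDevices", False)),
        "ad_hoc_devices": len(profile.get("ProvisionedDevices", [])),
        "expired": profile["ExpirationDate"] < now,
        "debuggable": bool(ent.get("get-task-allow", False)),
    }


if __name__ == "__main__":
    print(parse_manifest(MANIFEST_XML))
    print(triage_ipa(build_sample_ipa(PROFILE_XML)))
```

The useful signal for an app a user installed from a web page is `enterprise_profile` being true together with a `team_name` that is not the user's own employer: that is exactly the Enterprise Program abuse the article describes. On a real IPA the plist carve works the same way, but the signature over the profile should be verified (for example with `openssl smime -verify`) before the team name is trusted, and a revoked certificate does not change the bytes on disk, so expiry alone is not a revocation check.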
The iOS variant is less sophisticated than the Android version, but it can still exfiltrate contacts, audio recordings, photos, videos, GPS location and device information from targeted iPhones.
The collected data is transmitted via HTTP PUT requests to an endpoint on the attacker-controlled command-and-control (C2) server, the same C2 infrastructure the Android version uses, over similar communication protocols.
The researchers conclude that Exodus was "likely the product of a well-funded development effort" aimed at the government and law-enforcement sectors.
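Because the upload channel is plain HTTP PUT to a fixed C2 endpoint, the network-side detection a responder would want is "which client is pushing a lot of PUT bodies to a host we do not expect". The following is an added example (not code from the article or from Lookout) that runs that logic over a handful of constructed forward-proxy log lines: it parses each line, aggregates PUT request-body bytes per (client, host) pair, skips an allowlist of expected upload destinations, and flags pairs whose total crosses a threshold, noting whether the user agent looks like a native iOS app rather than Safari. The log format, hostnames, IPs, user agents, allowlist and threshold are all placeholders chosen for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed forward-proxy log lines: timestamp, client IP, method, URL, status,
# request-body bytes, user agent. Not real traffic; every host is a placeholder.
SAMPLE_LOG = """\
2019-04-08T10:01:12Z 10.0.5.23 PUT https://sync.example-cdn.test/api/v1/upload 200 1842311 "Assistenza/1.0.2 CFNetwork/978.0.7 Darwin/18.5.0"
2019-04-08T10:01:15Z 10.0.5.23 GET https://www.example.com/ 200 0 "Mozilla/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X)"
2019-04-08T10:02:40Z 10.0.5.23 PUT https://sync.example-cdn.test/api/v1/upload 200 920044 "Assistenza/1.0.2 CFNetwork/978.0.7 Darwin/18.5.0"
2019-04-08T10:03:01Z 10.0.5.41 PUT https://backup.example-cloud.test/v2/records 200 5120000 "Backup/7.0 CFNetwork/978.0.7 Darwin/18.5.0"
2019-04-08T10:03:30Z 10.0.5.41 PUT https://api.example-news.test/telemetry 204 3120 "NewsApp/3.1 CFNetwork/978.0.7 Darwin/18.5.0"
2019-04-08T10:04:02Z 10.0.5.23 POST https://sync.example-cdn.test/api/v1/ping 200 64 "Assistenza/1.0.2 CFNetwork/978.0.7 Darwin/18.5.0"
this line is malformed and must be skipped, not crash the parser
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<ua>[^"]*)"$'
)

# Upload destinations the organisation expects (placeholder allowlist) and the
# per-client, per-host total above which a stream of PUTs is worth a look.
ALLOWED_UPLOAD_HOSTS = {"backup.example-cloud.test"}
MIN_TOTAL_UPLOAD_BYTES = 500_000


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_ios_app_client(ua):
    """Native iOS apps using NSURLSession identify as '<app>/<ver> CFNetwork/<ver> Darwin/<ver>',
    which is how a sideloaded app's traffic looks different from Safari's."""
    return "CFNetwork/" in ua and "Darwin/" in ua


def find_suspicious_uploads(log_text, allowlist=ALLOWED_UPLOAD_HOSTS,
                            min_total_bytes=MIN_TOTAL_UPLOAD_BYTES):
    """Aggregate PUT request bodies per (client, host), ignoring allowlisted hosts,
    and return the pairs whose total crosses the threshold. Totals rather than a
    per-request cutoff, so uploads split into many requests still add up."""
    totals = defaultdict(lambda: {"requests": 0, "bytes": 0, "user_agents": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "PUT":
            continue
        host = urlparse(rec["url"]).hostname
        if host is None or host in allowlist:
            continue
        t = totals[(rec["client"], host)]
        t["requests"] += 1
        t["bytes"] += rec["bytes"]
        t["user_agents"].add(rec["ua"])
    return {
        key: {**t, "ios_app_client": any(is_ios_app_client(u) for u in t["user_agents"])}
        for key, t in totals.items()
        if t["bytes"] >= min_total_bytes
    }


if __name__ == "__main__":
    for (client, host), info in find_suspicious_uploads(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {info['requests']} PUTs, {info['bytes']} bytes, "
              f"ios_app_client={info['ios_app_client']}")
```

On the sample data only 10.0.5.23 to sync.example-cdn.test is reported: the large PUT to the allowlisted backup host and the tiny telemetry PUT are both dropped. One caveat that follows from the article itself: the researchers note certificate pinning on the C2 channel, so an intercepting proxy will not see the method or URL for that traffic, only a CONNECT tunnel. In that case the same aggregation is run over client-to-server byte counts per tunnel (or per flow from NetFlow data) keyed on the destination host, with the user-agent check unavailable.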
“These included the use of certificate pinning and public key encryption for C2 communications, geo-restrictions imposed by the C2 when delivering the second stage, and the comprehensive and well-implemented suite of surveillance features,” the researchers say.
Exodus, developed by the Italy-based company Connexxa S.R.L., was exposed last month when researchers from Security Without Borders found nearly 25 different apps disguised as service applications on Google Play Store. The apps were removed after Google was notified.
Exodus for Android consists of three distinct stages. The first stage is a small dropper that collects basic identifying information about the targeted device, such as the IMEI and phone number.
The second stage consists of multiple binary packages that deploy a well-implemented suite of surveillance functionalities.
In the third stage, the DirtyCOW exploit (CVE-2016-5195) is used to gain root on the infected phone. Once fully installed, Exodus can carry out extensive surveillance.
The Android version was designed to keep running on the infected device even when the screen is switched off. It infected thousands of devices; how many iPhones were infected by the iOS variant is not known.
Apple was notified about the spyware and has revoked the enterprise certificate, which prevents the malicious apps from being installed on further iPhones and from running on already-infected devices.