Hacking Campaign Targets iPhone Users With Data-Stealing, Location-Tracking Malware

ZDNet reports of a new mobile malware campaign that is "gaining access to iPhones by tricking users to download an open-source mobile device management (MDM) software package." From the report: Once in control, the unidentified hackers can steal various forms of sensitive information from infected devices, including the phone number, serial number, location, contact details, user's photos, SMS, and Telegram and WhatsApp chat messages. Thirteen users -- all in India -- have been been compromised in the attacks, which have been detailed by Cisco Talos. Those infected use a range of iPhone models and are running iOS versions ranging from 10.2.1 to 11.2.6. The campaign has been active since August 2015. The attackers take control by using the MDM package, which can give attackers complete control of the device and the ability to install fake versions of real apps.

Two different MDM services are used in the campaign, enabling system-level control of multiple devices from one location and the ability to install, remove and exfiltrate data from apps. One method of stealing data comes via malicious versions of messaging services like Telegram and WhatsApp being pushed onto the compromised device via fake updates. The apps look legitimate to the user, but malicious code sends information -- including messages, photos and contacts -- to a central command and control server. Deploying these apps requires a side-loading injection technique, which allows for the ability to ask for additional permissions, execute code and steal information from the original application.

only ever bad news about apple

not that this anyone else is better but are they immune to bad public relations?

Re:only ever bad news about apple

[BeauHD+(Super+Mod)]

Beats the TRUMP campaign which will never be rid of the Russian Scandal. Especially once we impeach.

Re: only ever bad news about apple

It was a dark and Stormy Presidency.

Re: only ever bad news about apple

Youâ(TM)re delusional.

Re: only ever bad news about apple

[The+New+Guy+2.0]

Stormy Daniels isn't newsworthy, it's a story that's already known about Trump.

Re: only ever bad news about apple

LOL!

I still use my iPhone 6s and reduce my monthly bill from $80 to $50. As a phone and a video camera, the iPhone 6s isn't obsolete and I use it to make my videos on youtube. As a Sprint very special customer for 20+ years, Sprint will always give me a new iPhone for free if I decide to stop using the 6s as a phone in the next several years.

Also, I find AmazonTM the gretest thing since sliced bread and helps taking care of my health at retirement with the Amazon long tail revenue streams!

All you need to do is find a website with a permissive TOS, say, Slashdot, create a Python script to scrape your own comments, sprinkle Amazon affiliate links in various posts, and then re-post past links whenever possible. You can even make video of yourself going to pick up AmazonTM parcel at the convenience store and post it on your youtube channel for more redundant revenue streams.

They also have a wide supply, the best of latte and clif/power bars at the best cost, espicially if you make a friend buy them for you with your own affiliate link!

onus: get some silver coins, view recommendations on my special Youtube channel dedicated to the topic! They constitute a fail-safe insurance strategy for your retirement!
--
Dwayne Johnson's Rampage As A Kaiju ("Weird Beast") Monster Movie

13 users in three years?

I'm quakin' in my boots, over here!

But wait

But wait, I thought the App Store made Apple immune to malware, which is why it's supposed to be so much better than Android, at the cost of not being able to run the apps you want without paying Apple for the privilege.

Oops!

Re:But wait

But wait, I thought the App Store made Apple immune to malware, which is why it's supposed to be so much better than Android, at the cost of not being able to run the apps you want without paying Apple for the privilege.

Oops!

It doesn't come from the App Store, genius. You have to sideload it and do other stupid shit to get this thing installed.

Re:But wait

Except you can't sideload apps onto an iPhone, that's the entire point of limiting users to only the App Store. Which would be great if Apple actually bothered trying to keep malware out of the App Store, which as this story - and countless others - prove, they don't.

Re:But wait

[The+New+Guy+2.0]

It's an Apple App Store error... they approved a piece of malware that used MDM software elevation to get through limits on typical apps.

Re:But wait

[The+New+Guy+2.0]

In the days of iPhone 4, they left holes allowing a site called jailbreak.me to allow alternate app stores like Cydia to exist on the phone... most of which were tests of features that are now part of the standard iOS.

This is where the MDM software "sideloads" in... it's gaining increased permissions that belong to MDM limiters, and instead it's malware.

Re:But wait

Yes, you can.

Re: But wait

You are so fucking stupid.

Re: But wait

Realtor.com app asked to be updated on screen after I had just updated to latest version. Never seen an update request in app before so I quit and deleted the app. Happened on a friends iPad same app.

Old Tricks

You know, these used to just be called "Trojans". But that long-winded description works, too.

Re:Old Tricks

[The+New+Guy+2.0]

This is a Trogran pretended to be MDM/antivirus... sort of like Norton.

Apple screwed up, film at eleven.

Fun statement: Because this is iOS, Apple can shut this down in 5 seconds. Why? Because every MDM for iOS has to have a cert signed by Apple for the push commands from the MDM to be sent to the devices.

So what this really means is a bunch of hackers successfuly paid Apple to create a malware cert for them. Then proceeded to create an automated installer for an MDM to sick on clueless users.

Can we finally admit that keeping users dumb is bad now? There's no amount of third party "protection" that will prevent this crap, and all it will wind up doing is just making it even more difficult for people and organizations to control or use the devices they own.

I can picture it now....EV Certs required to get a developer's cert. Or worse, wanna install an app? We'll need a copy of that Internet Driver's License of yours....

Re:Apple screwed up, film at eleven.

[The+New+Guy+2.0]

What we have here is a malware program that got certified by Apple... but this appears to only be in India's version of the app store. Cleanup should be quick, and it's less than 20 reported cases of trouble so far.

Re:Apple screwed up, film at eleven.

No. What we have here is a person that didn't bother to read the article and is speaking out of their ass.

You can install an enterprise certificate that allows installation of software outside the Apple Store. This is how businesses use internal software on iOS devices. In this case, social engineering was used to allow the certificates and have the users install the MDM. After that, these devices could be remotely controlled .

Re:Apple screwed up, film at eleven.

[93+Escort+Wagon]

What we have here is a malware program that got certified by Apple...

Based on the vague description in the article... I don’t believe that’s the case.

The article refers to a multistep process and tricking users into adding certificates as trusted. This sounds more like an end-around the App Store - if your phone trusts a certificate, you can load developer apps directly onto a phone via Xcode, Cydia Impactor, or other similar tools. You’re basically side-loading an app without having to get past the App Store’s restrictions.

Re:Apple screwed up, film at eleven.

[AHuxley]

The security services and police would not be the only ones with consumer product skills.

Re:Apple screwed up, film at eleven.

[TheFakeTimCook]

What we have here is a malware program that got certified by Apple... but this appears to only be in India's version of the app store. Cleanup should be quick, and it's less than 20 reported cases of trouble so far.

Less than 20 cases... IN THREE YEARS!

As Trojans go, this one is wildly UNsuccessful...

Re: Apple screwed up, film at eleven.

30 known cases.

Remember the time when Macs went 3 years without anyone knowing their machines were infected? That numbered at least 10000, and that's all they could confirm

Re:Apple screwed up, film at eleven.

[WankerWeasel]

MDM files don't need to be certified by Apple but installing them takes a decent bit. You receive multiple warnings and have to enter your password for the device. You then need to restart the device after installation. These are the same files that you'd install to allow your workplace to manage your device and secure it in a way they deem proper to have company email and other access from your device. Basically gives them full control to configure your device. Again, it's not something most would install by accident.

Re:Apple screwed up, film at eleven.

Dumbass writes comment that is wrong. Multiple dumbasses vote him up to 4 Informative.

Slashdot slide into irrelevance continues.

13 people!?! Why is this news?

Thirteen users ... have been been compromised in the attacks. ... The campaign has been active since August 2015.

13 people over 3 years, and it's news? That might be news if it was the "13 Angry Democrats" that Trump fellow keeps complaining about, or some other list of important-ish people of some sort, but I'm not going to bother reading the article to find out cause there should be some hint of that in the summary.

Re:13 people!?! Why is this news?

[The+New+Guy+2.0]

13 people getting their iPhone pwned is 13 people too many. The yell to Slashdot is putting everybody on alert that an iOS we thought was secure has its first bad hack.

Re:13 people!?! Why is this news?

[WankerWeasel]

This isn't a hack. It's tricking 13 really dumb people into installing a certificate on their phone after giving their passcode and then confirming that they understand they're giving the certificate owner full access to their device. Apple has multiple warnings in place here and the user is simply ignoring them. These MDM certificates are the same thing you'd install to give your workplace access to manage your device remotely and configure it securely to access company email and other files. This isn't a security exploit but rather an exploit of a couple really dumb people willing to hand over full access to their phone. They'd probably hand over their house keys just as easily.

Anti-Virus Hooks... do we still need them?

[The+New+Guy+2.0]

Seems like MDM is a codeword for what we call 'antivirus" on a PC/Mac. The antivirus developers have been given hooks that go all the way to BIOS, while a typical program can't touch system files nor the BIOS. We expect the certified antivirus programs to play by rules, but there's nothing preventing things like Norton's occasional behavior of starting P2P hole checks that end up overflowing the internet pipes.

So, here we are with a bunch of India cases of users trusting malware as their iPhone MDM/antivirus. Really, the operating system should be the only antivirus you need these days. So Apple, pull this app from the app store and replace the damaged phones.

Re:Anti-Virus Hooks... do we still need them?

Seems like MDM is a codeword for what we call 'antivirus" on a PC/Mac. The antivirus developers have been given hooks that go all the way to BIOS, while a typical program can't touch system files nor the BIOS. We expect the certified antivirus programs to play by rules, but there's nothing preventing things like Norton's occasional behavior of starting P2P hole checks that end up overflowing the internet pipes.

So, here we are with a bunch of India cases of users trusting malware as their iPhone MDM/antivirus. Really, the operating system should be the only antivirus you need these days. So Apple, pull this app from the app store and replace the damaged phones.

MDM stands for Mobile Device Manager. It's purpose is to allow the management of devices without physical presence for tasks like setting / enforcing security policies, (un / re)installing or updating applicatons, managing user preferences, network configuration, etc.

The closest thing on a PC / MAC is either Active Directory's Group Policies, or third party software like Puppet.

It has nothing to do with antivirus software.

The MDM app wasn't the issue either. Apple has no reason to blacklist an MDM app. The malware author's certs yes, but the apps themselves no. Don't blame an app for doing what the clueless user told it to do.

Also nothing an MDM app can do will survive a factory reset. Apple has no "damaged" phones to replace, but they really do need to do something about educating their ignorant users.

Also, your astroturfing is annoying even to the ACs, but to address that as well:

In the days of iPhone 4, they left holes allowing a site called jailbreak.me to allow alternate app stores like Cydia to exist on the phone... most of which were tests of features that are now part of the standard iOS.

This is where the MDM software "sideloads" in... it's gaining increased permissions that belong to MDM limiters, and instead it's malware.

That's a standard kind security vunerability, leftover debugging / test code, that you can find in just about anything. Also no legit iOS app "sideloads" on consumer devices. It's either downloaded from the App Store, or it's installed as an enterprise app from a device profile using Apple Configurator, and even the enterprise apps have to be signed using a cert issued by Apple to that enterprise.

It's an Apple App Store error... they approved a piece of malware that used MDM software elevation to get through limits on typical apps.

No, if you read TFA at all, you'd would have seen this: At this time, we don't know how the attacker managed to enroll the targeted devices. Enrollment could be done through physical access to the devices, or most likely by using social engineering to entice a user to register.

So given a probable lack of physical access, we are left with classic social engineering of clueless users as a root cause. No amount, of protection provided by Apple could prevent that, unless Apple prohibited the user from using the device at all. But I'd imagine that level of "protection" would not be very profitable for Apple. Nor desirable by said users.

This is a Trogran pretended to be MDM/antivirus... sort of like Norton.

Once again, this has nothing to do with antivirus.

What we have here is a malware program that got certified by Apple... but this appears to only be in India's version of the app store. Cleanup should be quick, and it's less th

Re:Anti-Virus Hooks... do we still need them?

MDM is an acronym for Mobile Device Management. Of course, you would know that if you read the article, or had a business issued or connected device.

Re: Anti-Virus Hooks... do we still need them?

Uhh... You ask not to blame clueless users, but that's what everyone has been doing for Windows problems. 80% or more are dumb people trusting some random exe

TOTAL! WITCH! HUNT!

Thank you, and Good-nite Putin's America!

Soooo

[Snotnose]

An iOS clone, with nothing added, just different listeners for the data....

It wuz haxx0rz! Dey r haxx0rin!!1!

Top notch reporting, new new new slashdot style. Complete drivel that means diddly squat. Very beauhd, wow.

Did anyone else read headline as election related?

[Ungrounded+Lightning]

Hacking Campaign Targets iPhone Users With Data-Stealing, Location-Tracking Malware

Did anyone else initially read the headline as being about a political campaign using iPhone malware to research their target voters?