Slashdot Mirror


'Exodus' Spyware Found Targeting Apple iOS Users (threatpost.com)

The surveillance tool dubbed "Exodus" has been ported to the Apple iOS ecosystem. According to Threatpost, the spyware "can exfiltrate contacts, take audio recordings and photos, track location data and more on mobile devices." From the report: Earlier this month, word came that Google had booted a raft of Exodus-laden apps. According to Lookout Security, it turns out that iOS versions had become available outside the App Store, through phishing sites that imitate Italian and Turkmenistani mobile carriers. These are notable in that they abused the Apple Developer Enterprise program. According to Lookout and other research from Security Without Borders, the spyware appears to have been under development for at least five years. It's a three-stage affair, starting with a lightweight dropper that then fetches a large second-stage payload that contains multiple binaries with most of the spy goods housed within them. Finally, a third stage typically uses the Dirty COW exploit (CVE-2016-5195) to obtain root privileges on a targeted device. In delving into the technical details, Lookout saw evidence of a fairly sophisticated operation, suggesting that it may have been initially marketed as a legitimate package for the government or law-enforcement sectors.

In order to spread the iOS app outside of the official App Store, the cybercriminals abused Apple's enterprise provisioning system, which allowed them to sign the apps using legitimate Apple certificates. Lookout's analysis found that the iOS variant is a bit cruder than its Android counterpart, and it lacks the ability to exploit device vulnerabilities. However, the apps were still able to use documented APIs to exfiltrate contacts, photos, videos and user-recorded audio recordings, device information and location data; and, it offered a way to perform remote audio recording, though this required push notifications and user interaction. The good news is that Apple has revoked the affected certificates for this particular crop of apps.
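The two facts the summary relies on, that the apps carried an enterprise (in-house) provisioning profile rather than App Store signing and that they only reached contacts, photos, microphone and location through documented, prompt-gated APIs, are both visible in plain metadata inside the .app bundle. The script below is an added example for this page (it is not Lookout's, Apple's or the malware's code) that triages those two files offline: it pulls the plist out of embedded.mobileprovision, reports whether the profile is an enterprise one (ProvisionsAllDevices), whether it has expired, and which Info.plist usage-description keys the app declares. The sample profile, Info.plist, team name and identifier are all constructed; a real CMS signature is stood in for by placeholder bytes. Certificate revocation, which is how Apple shut this campaign down, is not checkable from the profile alone, so the script does not claim to detect it.

```python
"""Offline triage of a sideloaded iOS app's provisioning profile and declared
privacy permissions. Added example for this page; it is not Lookout's, Apple's
or the malware authors' code, and the sample plists below are constructed."""
import plistlib
import re
from datetime import datetime, timezone

# Info.plist usage-description keys that gate iOS permission prompts.
PRIVACY_KEYS = {
    "NSContactsUsageDescription": "contacts",
    "NSPhotoLibraryUsageDescription": "photos/videos",
    "NSMicrophoneUsageDescription": "microphone",
    "NSCameraUsageDescription": "camera",
    "NSLocationWhenInUseUsageDescription": "location (in use)",
    "NSLocationAlwaysUsageDescription": "location (always)",
    "NSLocationAlwaysAndWhenInUseUsageDescription": "location (always)",
}

# Constructed reference times: roughly the report date, and a date past expiry.
REPORT_DATE = datetime(2019, 4, 10, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2021, 1, 1, tzinfo=timezone.utc)

# Constructed embedded.mobileprovision; placeholder bytes stand in for the
# CMS (PKCS#7) wrapper that surrounds the XML plist in a real profile.
SAMPLE_PROFILE = b"\x30\x82\x0a\x00CMS-HEADER-PLACEHOLDER" + b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Name</key><string>Carrier Assistant</string>
  <key>TeamName</key><string>Example Telecom S.p.A.</string>
  <key>TeamIdentifier</key><array><string>EXAMPLE123</string></array>
  <key>ProvisionsAllDevices</key><true/>
  <key>ExpirationDate</key><date>2020-01-01T00:00:00Z</date>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>EXAMPLE123.com.example.assistant</string>
    <key>get-task-allow</key><false/>
  </dict>
</dict></plist>""" + b"\x00CMS-SIGNATURE-PLACEHOLDER"

# Constructed Info.plist for the same hypothetical app.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.assistant</string>
  <key>NSContactsUsageDescription</key><string>Needed to sync your contacts</string>
  <key>NSPhotoLibraryUsageDescription</key><string>Needed to back up photos</string>
  <key>NSMicrophoneUsageDescription</key><string>Needed for voice support</string>
  <key>NSLocationAlwaysUsageDescription</key><string>Needed for coverage maps</string>
</dict></plist>"""

_PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)


def extract_profile_plist(profile_bytes):
    """Pull the XML plist out of a CMS-wrapped provisioning profile. The CMS
    signature itself is not verified here; that is a separate check."""
    match = _PLIST_RE.search(profile_bytes)
    if not match:
        raise ValueError("no plist found in provisioning profile")
    return plistlib.loads(match.group(0))


def triage_profile(profile, now=None):
    """Summarise the signing-related fields of a parsed provisioning profile."""
    now = now or datetime.now(timezone.utc)
    expiry = profile.get("ExpirationDate")
    if expiry is not None and expiry.tzinfo is None:
        expiry = expiry.replace(tzinfo=timezone.utc)  # plistlib dates are naive UTC
    entitlements = profile.get("Entitlements", {})
    return {
        "team": profile.get("TeamName"),
        "team_id": (profile.get("TeamIdentifier") or [None])[0],
        # ProvisionsAllDevices is set only on enterprise (in-house) profiles;
        # App Store builds carry no embedded profile, ad-hoc ones list devices.
        "enterprise": bool(profile.get("ProvisionsAllDevices")),
        "device_count": len(profile.get("ProvisionedDevices", [])),
        # Expiry is checkable offline; revocation by Apple is not.
        "expired": expiry is not None and expiry < now,
        "debuggable": bool(entitlements.get("get-task-allow")),
    }


def declared_permissions(info_plist):
    """Privacy-sensitive capabilities the app can prompt for, by usage key."""
    return sorted({PRIVACY_KEYS[k] for k in info_plist if k in PRIVACY_KEYS})


def assess(profile_bytes, info_bytes, now=None):
    """Combine both views into a findings dict with human-readable reasons."""
    profile = triage_profile(extract_profile_plist(profile_bytes), now)
    permissions = declared_permissions(plistlib.loads(info_bytes))
    reasons = []
    if profile["enterprise"]:
        reasons.append("enterprise distribution profile: app never went through App Store review")
    if profile["expired"]:
        reasons.append("provisioning profile has expired")
    if len(permissions) >= 3:
        reasons.append("declares %d privacy-sensitive permissions: %s"
                       % (len(permissions), ", ".join(permissions)))
    return {"profile": profile, "permissions": permissions, "reasons": reasons}


if __name__ == "__main__":
    import json
    print(json.dumps(assess(SAMPLE_PROFILE, SAMPLE_INFO_PLIST, now=REPORT_DATE), indent=2))
```

On a real bundle the two inputs are `Payload/<App>.app/embedded.mobileprovision` and `Payload/<App>.app/Info.plist` (the latter may be binary plist, which plistlib also reads). An enterprise profile from a team that is not the device owner's employer is the condition the comments below describe as the thing to be suspicious of, and it is exactly what `enterprise` being true together with an unfamiliar `team` reports.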

28 comments

  1. Re:Trump will WIN in 2020! #MAGA by BladeMelbourne · · Score: 1

    Speaking about exploited, dirty cows... /I didn't copy this on write

  2. Farah, release my peeps! by Anonymous Coward · · Score: 0

    Let them be free. They wanna be free.

  3. It can only exfiltrate what you agree to send by SuperKendall · · Score: 1

    Of note is this last part:

    Lookout's analysis found that the iOS variant is a bit cruder than its Android counterpart, and it lacks the ability to exploit device vulnerabilities. However, the apps were still able to use documented APIs to exfiltrate contacts, photos, videos and user-recorded audio recordings, device information and location data

    Since it only uses documented APIs, that means separate prompts each to access location, photos/video, and contacts. I'm not even sure how it would get to user-recorded audio recordings outside the app unless it also popped up a browser for iCloud Drive files... That's a pretty big set of permission asks for any one app; between that and having to download and trust the enterprise certificate for the apps (in itself a bit of a process), I wonder how many takers they actually get.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:It can only exfiltrate what you agree to send by Anonymous Coward · · Score: 0

      People are used to clicking "OK", "Allow" or "I Agree" for everything. You would be surprised.

  4. if i say "walled garden, my ass" by gTsiros · · Score: 1

    will it be too predictable?

    --
    Looking for people to chat about multicopters, coding, music. skype: gtsiros
    1. Re:if i say "walled garden, my ass" by Anonymous Coward · · Score: 1

      Always. And this appears to be DOA before anything happened to iOS users.

      Android users on the other hand get fucked daily in the ass by poor security.

    2. Re:if i say "walled garden, my ass" by Anonymous Coward · · Score: 1

      So you have to sideload this app by either first rooting your iPhone, or by applying for a developer account and using that hack.
      Unlike Android, this app can not access any other apps' data like my KeePass file, only API-approved data like photos, contacts etc.

      You call it a walled garden, I call it proper security.

      Sure, iOS does not support MAME, but I would rather have a secure platform for online trading and banking than another device to run TacScan.

    3. Re:if i say "walled garden, my ass" by Jeremi · · Score: 2

      will it be too predictable?

      Dunno how your ass got involved, but this article seems to validate the effectiveness of the walled garden as a security mechanism, in that people who stayed within the walled garden (by only downloading their iOS apps from the App Store and not from third-party websites) were never vulnerable to being exploited by this app.

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
    4. Re:if i say "walled garden, my ass" by Anonymous Coward · · Score: 0

      To say that would take courage.

    5. Re: if i say "walled garden, my ass" by DontBeAMoran · · Score: 1

      So according to you, this explains their "rounded corners" fetish?

      --
      #DeleteFacebook
    6. Re: if i say "walled garden, my ass" by Anonymous Coward · · Score: 0

      I'd rather have a ball peen hammer, your iGadget, and a flat metal surface.

    7. Re: if i say "walled garden, my ass" by Anonymous Coward · · Score: 0

      Did you forget about the spyware incident a few months back that was on the app store?

      Just because this specific malware developer chose not to try going through the App Store doesn't mean much.

    8. Re: if i say "walled garden, my ass" by Anonymous Coward · · Score: 0

      So you're just going to ignore all the other incidents where malware made it through the App Store just because this one didn't even try?

      Okay, that makes sense.

    9. Re:if i say "walled garden, my ass" by gnasher719 · · Score: 1

      No, you don't have to root the iPhone or apply for a developer account. It works differently. Someone used the credentials from an Enterprise Account. To install the app, all you have to do is install a profile created with that Enterprise Account.

      Of course if you are asked to install some company's profile, you should be very suspicious. Unless you are an employee of this company, which is the only case where it would be legitimate. And even then you should be very suspicious.

    10. Re:if i say "walled garden, my ass" by tlhIngan · · Score: 1

      So you have to sideload this app by either first rooting your iPhone, or by applying for a developer account and using that hack.
      Unlike Android, this app can not access any other apps' data like my KeePass file, only API-approved data like photos, contacts etc.

      You call it a walled garden, I call it proper security.

      Sure, iOS does not support MAME, but I would rather have a secure platform for online trading and banking than another device to run TacScan.

      You can have MAME on iOS, lots of people do it. You don't need a developer account or an enterprise certificate, either, as long as you have a Mac and physical access to the iOS device (fully unlocked).

      As long as you can use Xcode, you can load anything you can build on to your iOS device.

      Of course, if some random person asks to see your phone and plugs it into their computer, that's an extremely suspicious move...

  5. Huh? by Dan+East · · Score: 4, Informative

    Finally, a third stage typically uses the Dirty COW exploit (CVE-2016-5195) to obtain root privileges on a targeted device

    What does that have to do with iOS? That's a Linux kernel vulnerability. The summary is totally mashing up the iOS and Android aspects into one glob.

    https://en.wikipedia.org/wiki/...

    --
    Better known as 318230.
    1. Re: Huh? by Anonymous Coward · · Score: 0

      Nothing but the best from BeauHD.

    2. Re:Huh? by Anonymous Coward · · Score: 1

      Apple ported the exploit to Darwin/XNU within days of CVE-2016-5195 being announced, as they didn't want to fall behind Linux. Most features of Linux end up in XNU.

    3. Re:Huh? by LostMyAccount · · Score: 5, Insightful

      Most security companies desperately want to sound relevant when it comes to iOS, and they know that low-rent tech "journalists" are more than happy to play fast and loose with vulnerabilities that are a mile wide on Android but easy to avoid on iOS.

      You can install Exchange Server in fewer clicks of OK and Next than it would take for this "exploit" to work on iOS.

      Apple does need to figure out its enterprise certificate system, though. It should be a 2 or 3 step process to install enterprise apps on a phone not already managed by that same organization.

  6. Re: Trump will WIN in 2020! #MAGA by Anonymous Coward · · Score: 0

    Why does Slashdot allow this crap to be published and then censor people who question their editors?
    Here's my answer: because they like the message that these people are putting out.
    The Nazis, the trumptards, the orange man good/bad folks, are all put here by the editors.
    This site has become toxic.

  7. Re: Trump will WIN in 2020! #MAGA by Anonymous Coward · · Score: 0

    You must be new here right?

  8. "iOS spyware found targeting Apple iOS users" by themusicgod1 · · Score: 1

    The surveillance tool dubbed "iOS" has been ported to the Apple iOS ecosystem. According to Threatpost, the spyware "can exfiltrate contacts, take audio recordings and photos, track location data and more on mobile devices." From the report:

    According to Lookout Security, it turns out that iOS versions had become in the "App Store", a phishing site that imitates legitimate software repositories. These are notable in that they used the "Apple Developer Enterprise" program. According to Lookout and other research from Security Without Borders, the spyware appears to have been under development for at least five years. It's a multi-stage affair, starting with a lightweight mp3 player that then escalates to a large handheld phone that contains multiple binaries with most of the spy goods housed within them. Finally, a third stage typically uses the brain-computer interface to obtain root privileges on a targeted person. In delving into the technical details, Lookout saw evidence of a fairly sophisticated operation, suggesting that it may have been initially marketed as a legitimate package for the government or law-enforcement sectors.

    In order to spread the iOS app outside of the official App Store, the cybercriminals used Apple's enterprise provisioning system, which allowed them to sign the apps using legitimate Apple certificates. Lookout's analysis found that this iOS variant is a bit cruder than its Android counterpart, and it lacks the ability to exploit device vulnerabilities. However, the apps were still able to use documented APIs to exfiltrate contacts, photos, videos and user-recorded audio recordings, device information and location data; and, it offered a way to perform remote audio recording, though this required push notifications and user interaction. There is no good news.

    --
    GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
  9. Stuff that matters? by Anonymous Coward · · Score: 0

    So why has /. not reported the far more egregious instance of Huawei caught spying in Pakistan?

    https://www.bbc.co.uk/programmes/n3ct4p0f

    https://www.bbc.co.uk/news/technology-47856098