Slashdot Mirror

← Back to Stories (view on slashdot.org)

'Exodus' Spyware Found Targeting Apple iOS Users (threatpost.com)

Posted by BeauHD on from the threats-in-disguise dept.

The surveillance tool dubbed "Exodus" has been ported to the Apple iOS ecosystem. According to Threatpost, the spyware "can exfiltrate contacts, take audio recordings and photos, track location data and more on mobile devices." From the report: Earlier this month, word came that Google had booted a raft of Exodus-laden apps. According to Lookout Security, it turns out that iOS versions had become available outside the App Store, through phishing sites that imitate Italian and Turkmenistani mobile carriers. These are notable in that they abused the Apple Developer Enterprise program. According to Lookout and other research from Security Without Borders, the spyware appears to have been under development for at least five years. It's a three-stage affair, starting with a lightweight dropper that then fetches a large second-stage payload that contains multiple binaries with most of the spy goods housed within them. Finally, a third stage typically uses the Dirty COW exploit (CVE20165195) to obtain root privileges on a targeted device. In delving into the technical details, Lookout saw evidence of a fairly sophisticated operation, suggesting that it may have been initially marketed as a legitimate package for the government or law-enforcement sectors.

In order to spread the iOS app outside of the official App Store, the cybercriminals abused Apple's enterprise provisioning system, which allowed them to sign the apps using legitimate Apple certificates. Lookout's analysis found that the iOS variant is a bit cruder than its Android counterpart, and it lacks the ability to exploit device vulnerabilities. However, the apps were still able to use documented APIs to exfiltrate contacts, photos, videos and user-recorded audio recordings, device information and location data; and, it offered a way to perform remote audio recording, though this required push notifications and user interaction. The good news is that Apple has revoked the affected certificates for this particular crop of apps.

3 of 28 comments (clear)

  1. Huh? by Dan+East · · Score: 4, Informative

    Finally, a third stage typically uses the Dirty COW exploit (CVE20165195) to obtain root privileges on a targeted device

    What does that have to do with iOS? That's a Linux kernel vulnerability. The summary is totally mashing up the iOS and Android aspects into one glob.

    https://en.wikipedia.org/wiki/...

    --
    Better known as 318230.
    1. Re:Huh? by LostMyAccount · · Score: 5, Insightful

      Most security companies desperately want to sound relevant when it comes to iOS, and they know that low-rent tech "journalists" are more than happy to play fast and loose with vulnerabilities that are a mile wide on Android but easy to avoid on iOS.

      You can install Exchange server in less clicks of OK and Next than it would take for this "exploit" to work on iOS.

      Apple does need to figure out its enterprise certificate system, though. It should be a 2 or 3 step process to install enterprise apps on a phone not already managed by that same organization.

  2. Re:if i say "walled garden, my ass" by Jeremi · · Score: 2

    will it be too predictable?

    Dunno how your ass got involved, but this article seems to validate the effectiveness of the walled garden as a security mechanism, in that people who stayed within the walled garden (by only downloading their iOS apps from the App Store and not from third-party websites) were never vulnerable to being exploited by this app.

    --


    I don't care if it's 90,000 hectares. That lake was not my doing.