SAS 2019: Exodus Spyware Found Targeting Apple iOS Users

The surveillance tool was signed with legitimate Apple developer certificates.

SINGAPORE— The Exodus spyware that was recently found lurking in 25 different malicious apps on Google Play has been ported to the Apple iOS ecosystem.

The surveillance package can exfiltrate contacts, take audio recordings and photos, track location data and more on mobile devices. Earlier this month, word came that Google had booted a raft of Exodus-laden apps.

According to Lookout, it turns out that iOS versions had become available outside the App Store, through phishing sites that imitate Italian and Turkmenistani mobile carriers. These are notable in that they abused the Apple Developer Enterprise program.

According to Lookout and other research from Security Without Borders, the spyware appears to have been under development for at least five years. It’s a three-stage affair, starting with a lightweight dropper that then fetches a large second-stage payload that contains multiple binaries with most of the spy goods housed within them. Finally, a third stage typically uses the Dirty COW exploit (CVE­2016­5195) to obtain root privileges on a targeted device.

In delving into the technical details, Lookout saw evidence of a fairly sophisticated operation, suggesting that it may have been initially marketed as a legitimate package for the government or law-enforcement sectors.

“Several technical details indicated that the software was likely the product of a well­-funded development effort and aimed at the lawful intercept market,” researchers said in an analysis shared with Threatpost ahead of a presentation at the Security Analyst Summit (SAS) 2019, which kicks off in Singapore this week. “These included the use of certificate-pinning and public key encryption for command-and-control (C2) communications, geo­restrictions imposed by the C2 when delivering the second stage, and the comprehensive and well-implemented suite of surveillance features.”

Analysis of the Android samples led the researchers to several samples of an iOS variant, which further examination revealed to be served up on clever phishing sites. The adversaries spoofed both Wind Tre SpA, an Italian telecom operator, and TMCell, the state-owned mobile operator in Turkmenistan, to target iPhone users, according to Lookout.

In order to spread the iOS app outside of the official App Store, the cybercriminals abused Apple’s enterprise provisioning system, which allowed them to sign the apps using legitimate Apple certificates.

“The Apple Developer Enterprise program is intended to allow organizations to distribute proprietary, in­house apps to their employees without needing to use the iOS App Store,” Lookout researchers explained. “A business can obtain access to this program only provided they meet requirements set out by Apple. It is not common to use this program to distribute malware, although there have been past cases where malware authors have done so.”

The apps themselves dovetailed with the phishing sites, purporting to be help apps offered by the carriers. They instructed users to “keep the app installed on your device and stay under WiFi coverage to be contacted by one of our operators.”

Lookout’s analysis found that the iOS variant is a bit cruder than its Android counterpart, and it lacks the ability to exploit device vulnerabilities. However, the apps were still able to use documented APIs to exfiltrate contacts, photos, videos and user-recorded audio recordings, device information and location data; and, it offered a way to perform remote audio recording, though this required push notifications and user interaction.

“Though different versions of the app vary in structure, malicious code was initialized at application launch without the user’s knowledge, and a number of timers were setup to gather and upload data periodically,” according to the analysis. “Upload data was queued and transmitted via HTTP PUT requests to an endpoint on the C2. The iOS apps leverage the same C2 infrastructure as the Android version and use similar communications protocols.”

The good news is that Apple has revoked the affected certificates for this particular crop of apps.

Exodus is thought to be tied to an Italian company called eSurv, based in Catanzaro, in Calabria, Italy. It publicly advertises products like CCTV management systems, surveillance drones, facial- and license-plate recognition systems – and is now under investigation by Italian authorities, according to local news reports.

Lookout researchers said that they had uncovered further evidence linking Exodus to eSurv.

“Early versions of the Android application used infrastructure which belonged to a company named Connexxa S.R.L. and were signed using the name of an engineer who appears to hold equity in Connexxa,” according to the report. “This engineer’s name is also associated with [eSurv]. eSurv’s public marketing is centered around video surveillance software and image recognition systems, but there are a number of individuals claiming to be mobile security researchers working at the company, including one who has publically made claims to be developing a mobile surveillance agent.”

Moreover, eSurv was once a business unit of Connexxa. “The eSurv software and brand was sold from Connexxa S.R.L. to eSurv S.R.L. [in 2016],” the analysis noted.

And finally, each of the recently found phishing sites contained links to metadata such as the application name, version, icon and a URL for the IPA file.

“To be distributed outside the app store, an IPA package must contain a mobile provisioning profile with an enterprise’s certificate,” Lookout researchers noted. “All these packages used provisioning profiles with distribution certificates associated with the company Connexxa S.R.L.”

Don’t miss our free Threatpost webinar, “Data Security in the Cloud,” on April 24 at 2 p.m. ET.

A panel of experts will join Threatpost senior editor Tara Seals to discuss how to lock down data when the traditional network perimeter is no longer in place. They will discuss how the adoption of cloud services presents new security challenges, including ideas and best practices for locking down this new architecture; whether managed or in-house security is the way to go; and ancillary dimensions, like SD-WAN and IaaS.

 

 

 

Suggested articles