Cyberattackers have used a bogus mobile device management (MDM) system to target a small – but presumably high-value – set of iPhones in India, in a cyberespionage campaign that has some unusual hallmarks.
Researchers said Thursday that attackers deployed an open-source MDM – which is typically used in business environments to provide security, policy-enforcement, expense tracking and application management across a company’s mobile workforce – and somehow convinced 13 iPhone users on the subcontinent to enroll in the platform.
MDM systems provide a way to deploy approved apps to enrolled devices – the threat actors used this to their advantage to push out five different spy features to the phones, by altering legitimate apps. Two of the apps appear to test the functionality of the device, one steals SMS message contents, and the remaining two report the location of the device and can exfiltrate various forms of information, according to the security firm. The data includes phone numbers, phone serial numbers, contacts, user photos, text messages, and Telegram and WhatsApp chat messages.
“The attacker used the BOptions sideloading technique to add features to legitimate apps, including the messaging apps WhatsApp and Telegram, that were then deployed by the MDM onto the 13 targeted devices in India,” Cisco Talos researchers said. “The purpose of the BOptions sideloading technique is to inject a dynamic library in the application. The malicious code inserted into these apps is capable of collecting and exfiltrating information from the device.”
One notable technical aspect of the effort is that the malicious code achieves periodic code execution when the legitimate app bundled with it is running.
“One technique is to modify the app’s code at runtime to execute the malicious code — this has been observed in previously analyzed iOS malware,” researchers explained. “Instead, this malware remains almost entirely independent of the app, and gains execution by creating a timer that eventually executes the malicious code in a background thread. From there, it schedules tasks to be executed asynchronously in the background by leveraging the apps’ background task queue. Ultimately, this means that the malicious code is invisible to the user of the app, and can be easily reused alongside any real application.”
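Because the spying code arrives as a dynamic library bundled into an otherwise legitimate app, one defensive triage step is to enumerate the dylib load commands in the app's main Mach-O binary and compare them with a known-good copy of the same app. The Python script below is an added example written for this article; it is not Cisco Talos code and does not reproduce the injection technique. It assumes the added library is referenced by an ordinary dylib load command (LC_LOAD_DYLIB or a variant), which is one common way a sideloaded library gets loaded; a library loaded by other means would need a different check. The sample binary it builds is a constructed minimal Mach-O header with three load commands, and every path in it is a placeholder, not an artifact from the campaign.

```python
import struct
from typing import Iterable, List

# Mach-O constants as defined in <mach-o/loader.h>.
MH_MAGIC = 0xFEEDFACE        # 32-bit, little-endian
MH_MAGIC_64 = 0xFEEDFACF     # 64-bit, little-endian
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x80000018
LC_REEXPORT_DYLIB = 0x8000001F
DYLIB_LOAD_CMDS = {LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB}
# Libraries under these prefixes ship with iOS itself, not inside the app bundle.
SYSTEM_PREFIXES = ("/usr/lib/", "/System/Library/")


def dylib_load_commands(macho: bytes) -> List[str]:
    """Return the install names of every dylib the binary asks dyld to load."""
    (magic,) = struct.unpack_from("<I", macho, 0)
    if magic == MH_MAGIC_64:
        header_size = 32
    elif magic == MH_MAGIC:
        header_size = 28
    else:
        raise ValueError(f"unsupported Mach-O magic {magic:#x} (fat or big-endian?)")
    # ncmds and sizeofcmds sit at offset 16 in both the 32- and 64-bit headers.
    ncmds, sizeofcmds = struct.unpack_from("<II", macho, 16)
    end = header_size + sizeofcmds
    offset = header_size
    names: List[str] = []
    for _ in range(ncmds):
        if offset + 8 > min(end, len(macho)):
            raise ValueError("load commands run past the declared size")
        cmd, cmdsize = struct.unpack_from("<II", macho, offset)
        if cmdsize < 8 or offset + cmdsize > len(macho):
            raise ValueError("malformed load command size")
        if cmd in DYLIB_LOAD_CMDS:
            # dylib_command: cmd, cmdsize, then an lc_str offset (relative to the
            # start of the command) pointing at the NUL-terminated install name.
            (name_off,) = struct.unpack_from("<I", macho, offset + 8)
            raw = macho[offset + name_off : offset + cmdsize]
            names.append(raw.split(b"\0", 1)[0].decode("utf-8", "replace"))
        offset += cmdsize
    return names


def unexpected_dylibs(macho: bytes, known_bundled: Iterable[str]) -> List[str]:
    """Dylibs that are neither iOS system libraries nor on the app's known-good list."""
    known = set(known_bundled)
    return [
        n for n in dylib_load_commands(macho)
        if not n.startswith(SYSTEM_PREFIXES) and n not in known
    ]


def _dylib_cmd(path: str, cmd: int = LC_LOAD_DYLIB) -> bytes:
    """Encode one dylib_command; the name string is padded to an 8-byte boundary."""
    name = path.encode() + b"\0"
    cmdsize = 24 + len(name)
    cmdsize += (-cmdsize) % 8
    # fields: cmd, cmdsize, name offset (24), timestamp, current_version, compat_version
    fixed = struct.pack("<IIIIII", cmd, cmdsize, 24, 0, 0x10000, 0x10000)
    return (fixed + name).ljust(cmdsize, b"\0")


def build_sample_macho(paths: List[str]) -> bytes:
    """Constructed minimal arm64 MH_EXECUTE header plus dylib load commands (test data only)."""
    cmds = b"".join(_dylib_cmd(p) for p in paths)
    # magic, cputype arm64, cpusubtype, filetype MH_EXECUTE, ncmds, sizeofcmds, flags, reserved
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, len(paths), len(cmds), 0, 0)
    return header + cmds


if __name__ == "__main__":
    # The clean copy of the app references only the system library and the vendor
    # framework; the reviewed copy carries one extra load command. Paths are constructed.
    reviewed = build_sample_macho([
        "/usr/lib/libSystem.B.dylib",
        "@rpath/VendorKit.framework/VendorKit",
        "@executable_path/Frameworks/extra.dylib",
    ])
    baseline = {"@rpath/VendorKit.framework/VendorKit"}
    for name in unexpected_dylibs(reviewed, baseline):
        print("review:", name)
```

On a real device image or extracted IPA you would point `dylib_load_commands` at the app's main executable inside `Payload/<App>.app/` and build the baseline from the same app version downloaded from the App Store; a load command that is present in the deployed copy but absent from the baseline is the thing to investigate.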
Dave Ginsburg, vice president of marketing at Cavirin, told Threatpost that the techniques used, though initially targeted at a small number of devices, can scale to orders of magnitude more.
“As more employees use their personal smartphones for corporate access, many times not under control of an enterprise device management (EDM) system, IT must take note of this as an additional threat, since user training is only so effective,” he said. “We may see a shift to additional EDM deployment by smaller enterprises.”
Social Engineering to the Fore
When it comes to initially compromising the devices, there’s a significant social-engineering aspect to the effort, too. Cisco Talos researchers explained in an analysis posted Thursday that each step of the enrollment process needs some type of user interaction.
First, the user is asked to install a certificate authority, by clicking “Allow” when prompted; after that, he or she will be asked to click “Install.” From there, the device is ready to be enrolled and the attacker is able to control the device.
Then, a pop-up appears when the attacker pushes a new app to the user device, which also requires an “Allow.”
“Users should be aware that installing additional certificates on their device to allow remote management can result in potential malicious activity,” researchers noted. “By installing a certificate outside of the Apple iOS trusted certificate chain, you may open up to possible third-party attacks like this. Users must be aware that accepting an MDM certificate is equivalent to allowing someone administrator access to their device, passwords, etc. This must be done with great care in order to avoid security issues and should not be something the average home user does.”
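The enrollment sequence above is driven by a configuration profile (a `.mobileconfig` plist) that the user is asked to install. The Python script below is an added example written for this article, not code from Cisco Talos or from the campaign; it parses an unsigned profile and reports whether the profile installs a root CA and enrolls the device with an MDM server, and which AccessRights the MDM payload claims, so an analyst (or a cautious user with a copy of the profile) can see what tapping “Install” would grant. The sample profile is constructed; its identifiers, URLs and certificate bytes are placeholders, and the article does not say that the campaign's profile looked exactly like it.

```python
import plistlib
from typing import Any, Dict, List

# Payload type identifiers from Apple's configuration-profile reference.
ROOT_CA_PAYLOAD = "com.apple.security.root"
MDM_PAYLOAD = "com.apple.mdm"

# Meaning of the AccessRights bits in an MDM payload, per Apple's MDM protocol reference.
ACCESS_RIGHTS = {
    1: "inspect configuration profiles",
    2: "install and remove configuration profiles",
    4: "device lock and passcode removal",
    8: "device erase",
    16: "query device information",
    32: "query network information",
    64: "inspect provisioning profiles",
    128: "install and remove provisioning profiles",
    256: "inspect installed applications",
    512: "restriction-related queries",
    1024: "security-related queries",
    2048: "manipulate settings",
    4096: "app management",
}

# Constructed sample profile (placeholder identifiers, URLs and certificate bytes).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.mdm.profile</string>
  <key>PayloadDisplayName</key><string>Device Management</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.mdm.root-ca</string>
      <key>PayloadContent</key><data>MIIB</data>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.mdm.enroll</string>
      <key>ServerURL</key><string>https://mdm.example.invalid/mdm</string>
      <key>CheckInURL</key><string>https://mdm.example.invalid/checkin</string>
      <key>Topic</key><string>com.apple.mgmt.External.example</string>
      <key>AccessRights</key><integer>8191</integer>
    </dict>
  </array>
</dict>
</plist>
"""


def decode_access_rights(mask: int) -> List[str]:
    """Expand an AccessRights bitmask into the rights it grants the MDM server."""
    return [label for bit, label in ACCESS_RIGHTS.items() if mask & bit]


def triage_profile(raw: bytes) -> Dict[str, Any]:
    """Summarise what an unsigned .mobileconfig would grant if the user installs it."""
    profile = plistlib.loads(raw)
    report: Dict[str, Any] = {
        "display_name": profile.get("PayloadDisplayName", ""),
        "root_cas": [],
        "mdm": None,
    }
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype == ROOT_CA_PAYLOAD:
            report["root_cas"].append(payload.get("PayloadIdentifier", "<no identifier>"))
        elif ptype == MDM_PAYLOAD:
            report["mdm"] = {
                "server_url": payload.get("ServerURL", ""),
                "checkin_url": payload.get("CheckInURL", ""),
                "rights": decode_access_rights(int(payload.get("AccessRights", 0))),
            }
    # Trusting a new root and handing the device to an MDM server in one profile is the
    # combination the researchers describe as equivalent to giving away administrator access.
    report["admin_equivalent"] = bool(report["root_cas"]) and report["mdm"] is not None
    return report


if __name__ == "__main__":
    result = triage_profile(SAMPLE_PROFILE)
    print("profile:", result["display_name"])
    print("installs root CA(s):", result["root_cas"])
    if result["mdm"]:
        print("enrolls with:", result["mdm"]["server_url"])
        for right in result["mdm"]["rights"]:
            print("  grants:", right)
    print("admin-equivalent:", result["admin_equivalent"])
```

Profiles served by a real MDM are usually signed, which wraps the plist in a CMS envelope; strip that first (for example with `openssl cms -verify -noverify -inform DER -in profile.mobileconfig`) and feed the extracted plist to `triage_profile`.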
A Three-Year Effort and Possible Attacker Profile
Cisco Talos worked with Apple to counter the threat, which has been active since August 2015 according to logs. The information collected during that time could be used for basic espionage purposes, or for extortion or manipulation of the victims.
The researchers declined to discuss additional aspects of the case, such as who the targets are or whether this is a nation-state-type attack.
“At the time, it is unclear who the targets of the campaign were, who was the perpetrator, or what the exact purpose was,” they said.
However, the logs, located on the MDM servers and the malware’s command-and-control (C2) server, also allowed the researchers to determine that the actors behind the effort are likely India-based.
“The attacker left essential data on the servers, such as emails and usernames,” researchers said. “As part of the attacker’s development and testing it appears that they compromised their device — we observed a device named ‘test’ or ‘mdmdev.’ The log files we identified contain the phone number of the device. The number originates from India and uses the ‘Vodafone India’ network with roaming capability disabled. With all of this information in mind, we assume with high confidence that the malware author works out of India.”
Interestingly, the attackers planted a few false flags pointing to Russian involvement. These included a certificate issued in September 2017 that contained an email address located in Russia, and a mention of Hrvatska (“Croatia” in the Croatian language) with the same Russian email.
“We assume this is a false flag to point researchers toward the idea of a ‘classical Russian hacker,’” the researchers said. “False flags are becoming more common in malware, both sophisticated and simple. It’s an attempt to muddy the waters for the analysts/researchers to direct blame elsewhere.”
Despite the limited information regarding the “why” of the attack, the campaign stands out, researchers noted.
“Over a three-year period, the attackers remained under the radar — likely due to the low number of compromised devices,” Cisco Talos noted. “Once a user has lost physical access to their phone, it’s really a case of the attacker having a much easier playing field for malicious activity. The fact that the attacker was also able to get devices onto his own malicious MDM shows that the attacker was indeed motivated to obtain initial access but also to maintain persistence across the devices.”