Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

4/8/2019
07:10 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

'Exodus' iOS Surveillance Software Masqueraded as Legit Apps

Italian firm appears to have developed spyware for lawful intercept purposes, Lookout says.

Researchers at mobile security firm Lookout have discovered iOS versions of a spyware tool that an Italian video surveillance company appears to have designed for so-called lawful intercept purposes by governments.

Non-profit white hat hacker collective Security Without Borders last month had reported discovering several Android versions of the same malware uploaded to Play Store, Google's official mobile app store.

Google removed those apps—which were disguised as service apps from Italian mobile operators—after the company was notified of the problem. Security Without Borders has estimated the total number of infections to be in the high hundreds to potentially one thousand or more.

The iOS version of Exodus, as the malware is called, can steal a range of data from infected systems. Examples include contact information, audio recordings, photos, videos, GPS location information and any other data that can be accessed via an infected device's iOS APIs, says Christoph Hebeisen, senior manager of security intelligence at Lookout. The malware is also capable of doing remote audio recording.

Even so, the iOS versions are not as sophisticated as the Android malware he says. "The iOS version can only exfiltrate a limited set of data as it is limited to data it can access via iOS APIs," Hebeisen says. "In contrast, the Android version has full root access to the device." So it is capable of accessing and exfiltrating screen shots, text messages, browser histories, call logs, data from third-party messaging apps such as WhatsApp and Telegram and other data as well. Exodus for Android is also designed to keep running even when the screen is switched off.

Both Security Without Borders and Lookout believe the software is the work of eSurv, an Italian firm ostensibly focused on video surveillance software and image recognition systems. According to Security Without Borders, eSurv has been developing the spyware since at least 2016.

Several aspects of eSurv's operations suggest the company is well funded and has designed the software for use by law enforcement and other entities to conduct offensive surveillance on people, according to Lookout. Tell-tale signs include the use of certificate pinning and public key encryption for command-and-control purposes and the use of geo-restrictions to ensure the malware is used only in specific geographies.

This is the second instance in the past 18 months where an Italian software firm has been caught quietly distributing surveillance software.

In January 2018, security vendor Kaspersky Lab reported on another Italian firm using spoofed web pages to distribute "Skygofree," an extremely sophisticated Android spying tool. Kasperksy Lab described the malware as a data-stealer capable of supporting up to 48 different remote commands and controllable via SMS messages, HTTP, and FireBaseCloudMessaging Services. Like Exodus, Skygofree too had a feature that allowed the app to keep running even when other apps are suspended—or put into battery-saving mode.

The iOS version of Exodus is being distributed via phishing sites. To make that possible, the operators of the spyware appear to have abused Apple's Developer Enterprise Program, a provisioning mechanism that allows enterprises to distribute proprietary in-house iOS apps to employees without having to use Apple's mobile app store.

"Apple’s Enterprise Developer program is not involved in the download," Hebeisen notes. "eSurv was approved for the Apple Developer Enterprise program, which allowed them to sign the apps with a legitimate-looking enterprise certificate," he notes. Apple has since revoked the certificates that eSurv was using to digitally sign its software.

There is no indication that eSurv ever attempted to upload the signed iOS malware to Apple's app store. Instead they hosted the spyware on phishing sites that were designed to appear as mobile carrier sites. Hebeisen says Lookout is presently unsure what lures eSurv is using to direct victims to the phishing websites.

Exodus for iOS executes when a user downloads and launches the app. The malware sets up multiple timers for gathering and uploading specific data on a periodic basis. The data is then queued and transferred to the command-and-control server. The C2 infrastructure that eSurv is using for the iOS version of Exodus is the same as the one being used for the Android version.

Lookout says it does not know potentially how many iOS users might have downloaded Exodus on their systems. All of the telemetry that Lookout has gathered shows the attacks are focused purely on Italian IP addresses. So, the risk to US users is negligible, Hebeisen says.

It's unclear whether eSurv was collecting, or planning to collect mobile data, on any entity's behalf. But there are several companies vying for market share in what some say is a growing market for lawful intercept tools. A recent report from Allied Market Research estimated demand for such tools from governments and law enforcement agencies to top $3.3 billion by 2022. New rules and standards by governments seeking to fight technology-enabled crime are driving a lot of the demand, Allied Market Research said.

Related Content:

 

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Windows 10 Migration: Getting It Right
Kevin Alexandra, Principal Solutions Engineer at BeyondTrust,  5/15/2019
Baltimore Ransomware Attack Takes Strange Twist
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/14/2019
When Older Windows Systems Won't Die
Kelly Sheridan, Staff Editor, Dark Reading,  5/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12184
PUBLISHED: 2019-05-19
There is XSS in browser/components/MarkdownPreview.js in BoostIO Boostnote 0.11.15 via a label named flowchart, sequence, gallery, or chart, as demonstrated by a crafted SRC attribute of an IFRAME element, a different vulnerability than CVE-2019-12136.
CVE-2019-12173
PUBLISHED: 2019-05-18
MacDown 0.7.1 (870) allows remote code execution via a file:\\\ URI, with a .app pathname, in the HREF attribute of an A element. This is different from CVE-2019-12138.
CVE-2019-12172
PUBLISHED: 2019-05-17
Typora 0.9.9.21.1 (1913) allows arbitrary code execution via a modified file: URL syntax in the HREF attribute of an AREA element, as demonstrated by file:\\\ on macOS or Linux, or file://C| on Windows. This is different from CVE-2019-12137.
CVE-2019-12168
PUBLISHED: 2019-05-17
Four-Faith Wireless Mobile Router F3x24 v1.0 devices allow remote code execution via the Command Shell (aka Administration > Commands) screen.
CVE-2019-12170
PUBLISHED: 2019-05-17
ATutor through 2.2.4 is vulnerable to arbitrary file uploads via the mods/_core/backups/upload.php (aka backup) component. This may result in remote command execution. An attacker can use the instructor account to fully compromise the system using a crafted backup ZIP archive. This will allow for PH...