Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

4/8/2019
07:10 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

'Exodus' iOS Surveillance Software Masqueraded as Legit Apps

Italian firm appears to have developed spyware for lawful intercept purposes, Lookout says.

Researchers at mobile security firm Lookout have discovered iOS versions of a spyware tool that an Italian video surveillance company appears to have designed for so-called lawful intercept purposes by governments.

Non-profit white hat hacker collective Security Without Borders last month had reported discovering several Android versions of the same malware uploaded to Play Store, Google's official mobile app store.

Google removed those apps—which were disguised as service apps from Italian mobile operators—after the company was notified of the problem. Security Without Borders has estimated the total number of infections to be in the high hundreds to potentially one thousand or more.

The iOS version of Exodus, as the malware is called, can steal a range of data from infected systems. Examples include contact information, audio recordings, photos, videos, GPS location information and any other data that can be accessed via an infected device's iOS APIs, says Christoph Hebeisen, senior manager of security intelligence at Lookout. The malware is also capable of doing remote audio recording.

Even so, the iOS versions are not as sophisticated as the Android malware he says. "The iOS version can only exfiltrate a limited set of data as it is limited to data it can access via iOS APIs," Hebeisen says. "In contrast, the Android version has full root access to the device." So it is capable of accessing and exfiltrating screen shots, text messages, browser histories, call logs, data from third-party messaging apps such as WhatsApp and Telegram and other data as well. Exodus for Android is also designed to keep running even when the screen is switched off.

Both Security Without Borders and Lookout believe the software is the work of eSurv, an Italian firm ostensibly focused on video surveillance software and image recognition systems. According to Security Without Borders, eSurv has been developing the spyware since at least 2016.

Several aspects of eSurv's operations suggest the company is well funded and has designed the software for use by law enforcement and other entities to conduct offensive surveillance on people, according to Lookout. Tell-tale signs include the use of certificate pinning and public key encryption for command-and-control purposes and the use of geo-restrictions to ensure the malware is used only in specific geographies.

This is the second instance in the past 18 months where an Italian software firm has been caught quietly distributing surveillance software.

In January 2018, security vendor Kaspersky Lab reported on another Italian firm using spoofed web pages to distribute "Skygofree," an extremely sophisticated Android spying tool. Kasperksy Lab described the malware as a data-stealer capable of supporting up to 48 different remote commands and controllable via SMS messages, HTTP, and FireBaseCloudMessaging Services. Like Exodus, Skygofree too had a feature that allowed the app to keep running even when other apps are suspended—or put into battery-saving mode.

The iOS version of Exodus is being distributed via phishing sites. To make that possible, the operators of the spyware appear to have abused Apple's Developer Enterprise Program, a provisioning mechanism that allows enterprises to distribute proprietary in-house iOS apps to employees without having to use Apple's mobile app store.

"Apple’s Enterprise Developer program is not involved in the download," Hebeisen notes. "eSurv was approved for the Apple Developer Enterprise program, which allowed them to sign the apps with a legitimate-looking enterprise certificate," he notes. Apple has since revoked the certificates that eSurv was using to digitally sign its software.

There is no indication that eSurv ever attempted to upload the signed iOS malware to Apple's app store. Instead they hosted the spyware on phishing sites that were designed to appear as mobile carrier sites. Hebeisen says Lookout is presently unsure what lures eSurv is using to direct victims to the phishing websites.

Exodus for iOS executes when a user downloads and launches the app. The malware sets up multiple timers for gathering and uploading specific data on a periodic basis. The data is then queued and transferred to the command-and-control server. The C2 infrastructure that eSurv is using for the iOS version of Exodus is the same as the one being used for the Android version.

Lookout says it does not know potentially how many iOS users might have downloaded Exodus on their systems. All of the telemetry that Lookout has gathered shows the attacks are focused purely on Italian IP addresses. So, the risk to US users is negligible, Hebeisen says.

It's unclear whether eSurv was collecting, or planning to collect mobile data, on any entity's behalf. But there are several companies vying for market share in what some say is a growing market for lawful intercept tools. A recent report from Allied Market Research estimated demand for such tools from governments and law enforcement agencies to top $3.3 billion by 2022. New rules and standards by governments seeking to fight technology-enabled crime are driving a lot of the demand, Allied Market Research said.

Related Content:

 

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Attacker Dwell Time: Ransomware's Most Important Metric
Ricardo Villadiego, Founder and CEO of Lumu,  9/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20902
PUBLISHED: 2020-10-01
Upgrading Crowd via XML Data Transfer can reactivate a disabled user from OpenLDAP. The affected versions are from before version 3.4.6 and from 3.5.0 before 3.5.1.
CVE-2019-20903
PUBLISHED: 2020-10-01
The hyperlinks functionality in atlaskit/editor-core in before version 113.1.5 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in link targets.
CVE-2020-25288
PUBLISHED: 2020-09-30
An issue was discovered in MantisBT before 2.24.3. When editing an Issue in a Project where a Custom Field with a crafted Regular Expression property is used, improper escaping of the corresponding form input's pattern attribute allows HTML injection and, if CSP settings permit, execution of arbitra...
CVE-2020-25781
PUBLISHED: 2020-09-30
An issue was discovered in file_download.php in MantisBT before 2.24.3. Users without access to view private issue notes are able to download the (supposedly private) attachments linked to these notes by accessing the corresponding file download URL directly.
CVE-2020-25830
PUBLISHED: 2020-09-30
An issue was discovered in MantisBT before 2.24.3. Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when attempting to update said custom field via bug_actiongroup_page.php.