Researchers had already found a spyware app called Exodus plaguing Android. Now it has shown up on iPhones.
PRIVATE COMPANIES AROUND the world have evolved a gray industry supplying digital surveillance and hacking tools to governments and local law enforcement. As the once little-known practice has grown, so too has the resulting malware. Researchers have now found that one of these spyware products, which had previously been found on the Google Play Store, also targeted iOS.
At the Kaspersky Security Analyst Summit in Singapore this week, researchers from the mobile security firm Lookout will present findings on the iOS version of the spyware known as Exodus. The nonprofit Security Without Borders published details of the Android version in conjunction with Motherboard at the end of March. The fact that Exodus has an iOS version, though, shows the impressive reach of the malware and the resources behind it.
And the stakes are high. The iOS version of Exodus, built to look like a mobile carrier support app, used all of the mechanisms iOS offers legitimate apps to grab as much of a target’s data as possible.
Hiding in Plain Sight
It is unclear whether Exodus targeted specific individuals or a broader group, but over the past year, the researchers observed attackers setting up phishing traps to direct users toward the malicious apps. The sites were designed to look like information pages for mobile carriers based in Italy and Turkmenistan—Wind Tre SpA and TMCell, respectively. From there, the pages led victims to the Google Play Store or an Apple workflow for downloading enterprise apps.
Attackers were able to slip the Android app directly into Google Play, but they either couldn’t get it into Apple’s App Store or didn’t try. Instead they used Apple’s Developer Enterprise Program—a platform that institutions can use to distribute their own apps in-house—to spread their spyware in a legitimate-looking way. Apple keeps its app ecosystem fairly locked down; the only way to install software on non-jailbroken iOS devices is to either sneak the app past Apple’s App Store review process or get a certificate for enterprise distribution. It’s relatively easy to buy one of these certificates from Apple and costs only $300. This approach has become increasingly common as a way for attackers to spread iOS malware, and it has also come up in controversies over how companies like Facebook and Google distribute consumer-testing and feedback apps.
Once installed, Exodus could access photos, videos, device IDs, audio recordings, and contacts on target devices, while also potentially tracking a victim’s location and listening to their conversations through the iPhone or iPad’s microphone. Both the Android and iOS versions of Exodus have now been blocked. Apple declined to comment.
“In terms of capabilities on the iOS side, they’re doing pretty much everything I’m aware of that you can do through documented Apple APIs, but they’re abusing them to do surveillance-type activities,” says Adam Bauer, a senior staff security intelligence engineer at Lookout. “Finding surveillance-ware on Android or even iOS is not necessarily uncommon. But finding an actor like this is actually relatively rare. The main differentiator with this actor is the level of professionalism that we’ve seen from them.”
The Lookout researchers say that developers seem to have been working on and releasing Android versions of Exodus for the past five years. On Android, the spyware works in three phases to gain deep access to victims’ devices, first establishing a foothold, then installing a larger payload that sets up the surveillance capabilities, and then exploiting a vulnerability to gain root device access. The Android malware led the researchers to the phishing sites used to direct victims to the apps, which in turn led to the iOS app.
The iOS version, which seems to have emerged more recently, does not rely on exploits to establish pervasive device access, instead counting on users to unintentionally give permission for the app to run its surveillance tools. Lookout’s Bauer points out that users could have potentially neutered the iOS app’s surveillance by turning off some of its access, but anyone who had already been tricked into thinking the app was legitimate might not question it.
The researchers say that Exodus’ development and distribution mechanisms show a high level of professionalism and care. For example, the command and control infrastructure was closely monitored and guarded—a precaution many malware makers forget. In analyzing this framework, the researchers say they found indications that Exodus may have been developed by the Italian video surveillance software company eSurv and a company it acquired in 2016 known as Connexxa. eSurv’s website is no longer live, and the company could not be reached for comment.
“There’s always a lot of talk about malware on Android in particular, but this was actually a case where both of the mobile platforms are affected,” says Christoph Hebeisen, senior manager of security intelligence at Lookout. “And in both cases, because of the enterprise deployment of iOS and because of the Play Store on Android, it was a reasonably legitimate-looking distribution mechanism. So protecting your mobile devices against these things is really crucial.”
Mobile users can take precautions to try to avoid spyware by staying vigilant about avoiding phishing links and sticking to mainstream apps downloaded directly from Google Play or Apple’s App Store. But Exodus’s presence on both platforms shows just how difficult it is in practice to skirt insidious, well-crafted spyware. And unfortunately, there’s more and more of it out there all the time.