Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

4/8/2019
07:10 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

'Exodus' iOS Surveillance Software Masqueraded as Legit Apps

Italian firm appears to have developed spyware for lawful intercept purposes, Lookout says.

Researchers at mobile security firm Lookout have discovered iOS versions of a spyware tool that an Italian video surveillance company appears to have designed for so-called lawful intercept purposes by governments.

Non-profit white hat hacker collective Security Without Borders last month had reported discovering several Android versions of the same malware uploaded to Play Store, Google's official mobile app store.

Google removed those apps—which were disguised as service apps from Italian mobile operators—after the company was notified of the problem. Security Without Borders has estimated the total number of infections to be in the high hundreds to potentially one thousand or more.

The iOS version of Exodus, as the malware is called, can steal a range of data from infected systems. Examples include contact information, audio recordings, photos, videos, GPS location information and any other data that can be accessed via an infected device's iOS APIs, says Christoph Hebeisen, senior manager of security intelligence at Lookout. The malware is also capable of doing remote audio recording.

Even so, the iOS versions are not as sophisticated as the Android malware he says. "The iOS version can only exfiltrate a limited set of data as it is limited to data it can access via iOS APIs," Hebeisen says. "In contrast, the Android version has full root access to the device." So it is capable of accessing and exfiltrating screen shots, text messages, browser histories, call logs, data from third-party messaging apps such as WhatsApp and Telegram and other data as well. Exodus for Android is also designed to keep running even when the screen is switched off.

Both Security Without Borders and Lookout believe the software is the work of eSurv, an Italian firm ostensibly focused on video surveillance software and image recognition systems. According to Security Without Borders, eSurv has been developing the spyware since at least 2016.

Several aspects of eSurv's operations suggest the company is well funded and has designed the software for use by law enforcement and other entities to conduct offensive surveillance on people, according to Lookout. Tell-tale signs include the use of certificate pinning and public key encryption for command-and-control purposes and the use of geo-restrictions to ensure the malware is used only in specific geographies.

This is the second instance in the past 18 months where an Italian software firm has been caught quietly distributing surveillance software.

In January 2018, security vendor Kaspersky Lab reported on another Italian firm using spoofed web pages to distribute "Skygofree," an extremely sophisticated Android spying tool. Kasperksy Lab described the malware as a data-stealer capable of supporting up to 48 different remote commands and controllable via SMS messages, HTTP, and FireBaseCloudMessaging Services. Like Exodus, Skygofree too had a feature that allowed the app to keep running even when other apps are suspended—or put into battery-saving mode.

The iOS version of Exodus is being distributed via phishing sites. To make that possible, the operators of the spyware appear to have abused Apple's Developer Enterprise Program, a provisioning mechanism that allows enterprises to distribute proprietary in-house iOS apps to employees without having to use Apple's mobile app store.

"Apple’s Enterprise Developer program is not involved in the download," Hebeisen notes. "eSurv was approved for the Apple Developer Enterprise program, which allowed them to sign the apps with a legitimate-looking enterprise certificate," he notes. Apple has since revoked the certificates that eSurv was using to digitally sign its software.

There is no indication that eSurv ever attempted to upload the signed iOS malware to Apple's app store. Instead they hosted the spyware on phishing sites that were designed to appear as mobile carrier sites. Hebeisen says Lookout is presently unsure what lures eSurv is using to direct victims to the phishing websites.

Exodus for iOS executes when a user downloads and launches the app. The malware sets up multiple timers for gathering and uploading specific data on a periodic basis. The data is then queued and transferred to the command-and-control server. The C2 infrastructure that eSurv is using for the iOS version of Exodus is the same as the one being used for the Android version.

Lookout says it does not know potentially how many iOS users might have downloaded Exodus on their systems. All of the telemetry that Lookout has gathered shows the attacks are focused purely on Italian IP addresses. So, the risk to US users is negligible, Hebeisen says.

It's unclear whether eSurv was collecting, or planning to collect mobile data, on any entity's behalf. But there are several companies vying for market share in what some say is a growing market for lawful intercept tools. A recent report from Allied Market Research estimated demand for such tools from governments and law enforcement agencies to top $3.3 billion by 2022. New rules and standards by governments seeking to fight technology-enabled crime are driving a lot of the demand, Allied Market Research said.

Related Content:

 

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
For Cybersecurity to Be Proactive, Terrains Must Be Mapped
Craig Harber, Chief Technology Officer at Fidelis Cybersecurity,  10/8/2019
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17537
PUBLISHED: 2019-10-13
Jiangnan Online Judge (aka jnoj) 0.8.0 has Directory Traversal for file deletion via the web/polygon/problem/deletefile?id=1&name=../ substring.
CVE-2019-17538
PUBLISHED: 2019-10-13
Jiangnan Online Judge (aka jnoj) 0.8.0 has Directory Traversal for file reading via the web/polygon/problem/viewfile?id=1&name=../ substring.
CVE-2019-17535
PUBLISHED: 2019-10-13
Gila CMS through 1.11.4 allows blog-list.php XSS, in both the gila-blog and gila-mag themes, via the search parameter, a related issue to CVE-2019-9647.
CVE-2019-17536
PUBLISHED: 2019-10-13
Gila CMS through 1.11.4 allows Unrestricted Upload of a File with a Dangerous Type via the moveAction function in core/controllers/fm.php. The attacker needs to use admin/media_upload and fm/move.
CVE-2019-17533
PUBLISHED: 2019-10-13
Mat_VarReadNextInfo4 in mat4.c in MATIO 1.5.17 omits a certain '\0' character, leading to a heap-based buffer over-read in strdup_vprintf when uninitialized memory is accessed.