Security researchers at Lookout have discovered a spyware distribution campaign that involves developers abusing Apple's Developer Enterprise programme to circumvent the Apple App Store and promote sophisticated surveillance software to iOS users via phishing websites.
Even though the iOS variant is not as sophisticated as the Android version, and contained a subset of the functionality the Android versions offered, it can still exfiltrate contacts, audio recordings, photos, videos, GPS location, and device information from iOS devices using documented APIs.
The presence of the surveillanceware, popularly called spyware, was first detected on the Google Play Store by researchers at Lookout last year. The malware was developed by eSurv, an Italian video surveillance company and was created for the lawful intercept market.
The fact that the surveillanceware featured a comprehensive and well-implemented suite of surveillance features, used certificate pinning and public key encryption for C2 communications, and featured geo-restrictions during the second stage signified that it was the product of a well-funded development effort.
Even though several versions of the spyware were removed from the Google Play Store in the second half of 2018, the researchers recently discovered the presence of an iOS version of the surveillanceware that was being distributed through a number of phishing websites that spoofed genuine domains owned by Italian and Turkmenistani mobile carriers.
By pretending to be carrier assistance apps, these surveillance apps for iOS asked users to "keep the app installed on your device and stay under Wi-Fi coverage to be contacted by one of our operators". The phishing sites used to distribute these apps also contained links to a distribution manifest which contained metadata such as the application name, version, icon, and a URL for the IPA file.
According to the researchers, even though the iOS version was not as sophisticated as the Android versions and contained a subset of the functionality the Android versions offered, it could still exfiltrate contacts, audio recordings, photos, videos, GPS location, and device information from iOS devices using documented APIs.
"Though different versions of the app vary in structure, malicious code was initialised at application launch without the user’s knowledge, and a number of timers were setup to gather and upload data periodically.
"Upload data was queued and transmitted via HTTP PUT requests to an endpoint on the C2. The iOS apps leverage the same C2 infrastructure as the Android version and use similar communications protocols. Push notifications were also used to control audio recording," Lookout said in a blog post.
Developers at eSurv could distribute the iOS versions of the spyware by abusing Apple's Developer Enterprise programme that allows organisations to distribute proprietary, in-house apps to their employees without needing to use the iOS App Store.
This was despite Apple announcing in February that it will soon introduce two-factor authentication in all developer accounts to ensure that enterprise developer certificates issued by it will only be used by genuine developers for declared purposes.
Considering that Apple has now revoked certificates that were misused by eSurv developers to distribute iOS versions of the surveillanceware upon being notified by Lookout researchers, existing installations of the malware are no longer in operation and no new spyware apps for iOS can be developed by the firm.
"While we tend to think about the risks of falling victim to phishing campaigns as broadly associated with direct data exfiltration, this research hammers home the wide range of activities phishing can be a gateway to," Corin Imai, senior security advisor at DomainTools, told SC Magazine UK.
"The spyware associated with this particular phishing campaign could be used not only to steal sensitive personal or financial data, but could also be used as a springboard for social engineering attacks or extortion.
"Mobile devices are a gateway into a person’s entire existence in many cases, and considering today’s ‘always on’ working culture, also provide a potential gateway into the victim’s professional network. The best practices for avoiding these kind of scenarios still start with exercising extreme caution when opening unsolicited emails, and double checking any URLS you visit to ensure they are legitimate," she added.
According to Martin Jartelius, CSO at Outpost24, considering that iOS users can download any apps they want from the App Store which is amongst the best things ever to happen to device security, iOS device users should always avoid installing applications from outside the official app store.
Recently, after a Reuters report highlighted how Apple-issued enterprise certificates were being misused by certain rogue developers to build hacked versions of popular and legitimate iOS apps such as Minecraft, Spotify, Angry Birds, and Pokemon, Apple announced that it will terminate enterprise certificates as soon as it finds out that they are being misused.
"Developers that abuse our enterprise certificates are in violation of the Apple Developer Enterprise Program Agreement and will have their certificates terminated, and if appropriate, they will be removed from our Developer Program completely. We are continuously evaluating the cases of misuse and are prepared to take immediate action," said a spokesperson from Apple.