Sophisticated Surveillance Malware Spotted on Android and iOS Phones

Most of the malware targeting phones is the product of, at most, a handful of disaffected people looking to make a quick buck. That’s not the case with a new strain of malware found on both Android and iOS devices. Security researchers believe this malware is based on so-called “lawful intercept” software in use by law enforcement and governments.

The privacy organization Security Without Borders detected the Android malware first, which it dubbed Exodus. The installer package was bundled inside APKs on numerous phishing sites, as well as in several apps that snuck into the Play Store. Users needed to install the app manually in either case, but it was much harder to do so with the phishing sites because of Android’s security features. You don’t pick up Exodus just browsing the web, but that doesn’t appear to be the creator’s goal.

Exodus is a sophisticated piece of malware. The infected app includes a dropper that collects basic details about the phone like the IMEI and phone number. It sends those to a command and control server, which almost immediately pushes down the next phase of the malware. This phase consists of multiple binary packages aimed at tracking the device. The third stage uses a Linux exploit called DirtyCOW to attempt root access, which would allow it to collect any and all data on the phone.

With a rooted phone, Exodus could extract passwords, chat logs, contacts, and create local audio and video recordings. Luckily, Google patched DirtyCOW in 2016, so any recently updated phone is immune. Without the third phase, Exodus is limited to only gathering data available to other apps.

The iOS variant was harder to find because the distribution was somewhat sneakier, but antimalware firm Lookout detected it. The attackers set up websites that appeared to belong to Italian and Turkmenistani mobile carriers. They used Apple’s Developer Enterprise program, which allows companies to install custom apps on employee devices. The apps pretended to be mobile carrier assistance apps, but they could exfiltrate data like contacts, photos, GPS locations, and more.

Currently, the number of infected devices is believed to be quite small — in the hundreds or possibly thousands. This is a targeted attack, suggesting an intelligence motive rather than general mayhem. It is unlikely your phone is affected unless you’ve been cruising suspicious Italian websites.
