Sophisticated Surveillance Malware Spotted on Android and iOS Phones

Sophisticated Surveillance Malware Spotted on Android and iOS Phones

Most of the malware targeting phones is the product of, at most, a handful of disaffected people looking to make a quick buck. That’s not the case with a new strain of malware found on both Android and iOS devices. Security researchers believe this malware is based on so-called “lawful intercept” software in use by law enforcement and governments.

The privacy organization Security Without Borders detected the Android malware first, which it dubbed Exodus. The installer package was bundled inside APKs on numerous phishing sites, as well as in several apps that snuck into the Play Store. Users needed to install the app manually in either case, but it was much harder to do so with the phishing sites because of Android’s security features. You don’t pick up Exodus just browsing the web, but that doesn’t appear to be the creator’s goal.

Exodus is a sophisticated piece of malware. The infected app includes a dropper that collects basic details about the phone like the IMEI and phone number. It sends those to a command and control server, which almost immediately pushes down the next phase of the malware. This phase consists of multiple binary packages aimed at tracking the device. The third stage uses Linux exploit called DirtyCOW to attempt root access, which would allow it to collect any and all data on the phone.

With a rooted phone, Exodus could extract passwords, chat logs, contacts, and create local audio and video recordings. Luckily, Google patched DirtyCOW in 2016, so any recently updated phone is immune. Without the third phase, Exodus is limited to only gathering data available to other apps.

Sophisticated Surveillance Malware Spotted on Android and iOS Phones

The iOS variant was harder to find because the distribution was somewhat sneakier, but antimalware form Lookout detected it. The attackers set up websites that appeared to belong to Italian and Turkmenistani mobile carriers. They used Apple’s Developer Enterprise program, which allows companies to install custom apps on employee devices. The apps pretended to be mobile carrier assistance apps, but they could exfiltrate data like contacts, photos, GPS locations, and more.

Currently, the number of infected devices is believed to be quite small — in the hundreds or possibly thousands. This is a targeted attack, suggesting an intelligence motive rather than general mayhem. It is unlikely your phone is affected unless you’ve been cruising suspicious Italian websites.

Continue reading

Third-Party Repair Shops May Be Blocked From Servicing iPhone 12 Camera
Third-Party Repair Shops May Be Blocked From Servicing iPhone 12 Camera

According to a recent iFixit report, Apple's hostility to the right of repair has hit new heights with the iPhone 12 and iPhone 12 Pro.

Oppo Shows Off Concept Phone With Stretchable OLED Screen
Oppo Shows Off Concept Phone With Stretchable OLED Screen

Oppo has revealed a concept phone with a "continuously variable OLED display" that changes size in your hand to move between tablet and phone-like form factors.

Nvidia, Google to Support Cloud Gaming on iPhone Via Web Apps
Nvidia, Google to Support Cloud Gaming on iPhone Via Web Apps

Both Nvidia and Google have announced iOS support for their respective cloud gaming platforms via progressive web applications. Apple can't block that.

Qualcomm’s New Snapdragon 888 Will Power Flagship Android Phones in 2021
Qualcomm’s New Snapdragon 888 Will Power Flagship Android Phones in 2021

The 888 comes with a new CPU design, integrated 5G, and a massive GPU boost. It's shaping up to be the most significant update to Qualcomm's flagship system-on-a-chip (SoC) in years.