Sophisticated Surveillance Malware Spotted on Android and iOS Phones

Sophisticated Surveillance Malware Spotted on Android and iOS Phones

Most of the malware targeting phones is the product of, at most, a handful of disaffected people looking to make a quick buck. That’s not the case with a new strain of malware found on both Android and iOS devices. Security researchers believe this malware is based on so-called “lawful intercept” software in use by law enforcement and governments.

The privacy organization Security Without Borders detected the Android malware first, which it dubbed Exodus. The installer package was bundled inside APKs on numerous phishing sites, as well as in several apps that snuck into the Play Store. Users needed to install the app manually in either case, but it was much harder to do so with the phishing sites because of Android’s security features. You don’t pick up Exodus just browsing the web, but that doesn’t appear to be the creator’s goal.

Exodus is a sophisticated piece of malware. The infected app includes a dropper that collects basic details about the phone like the IMEI and phone number. It sends those to a command and control server, which almost immediately pushes down the next phase of the malware. This phase consists of multiple binary packages aimed at tracking the device. The third stage uses Linux exploit called DirtyCOW to attempt root access, which would allow it to collect any and all data on the phone.

With a rooted phone, Exodus could extract passwords, chat logs, contacts, and create local audio and video recordings. Luckily, Google patched DirtyCOW in 2016, so any recently updated phone is immune. Without the third phase, Exodus is limited to only gathering data available to other apps.

Sophisticated Surveillance Malware Spotted on Android and iOS Phones

The iOS variant was harder to find because the distribution was somewhat sneakier, but antimalware form Lookout detected it. The attackers set up websites that appeared to belong to Italian and Turkmenistani mobile carriers. They used Apple’s Developer Enterprise program, which allows companies to install custom apps on employee devices. The apps pretended to be mobile carrier assistance apps, but they could exfiltrate data like contacts, photos, GPS locations, and more.

Currently, the number of infected devices is believed to be quite small — in the hundreds or possibly thousands. This is a targeted attack, suggesting an intelligence motive rather than general mayhem. It is unlikely your phone is affected unless you’ve been cruising suspicious Italian websites.

Continue reading

Tesla Semi Spotted on California Street
Tesla Semi Spotted on California Street

After showing off its design for an electric semi truck, the company has been working on an aggressive release schedule. However, the vehicle hasn't been spotted in real life until now.

Intel’s First 10nm CPUs Have Been Spotted in the Wild
Intel’s First 10nm CPUs Have Been Spotted in the Wild

Intel's new 10nm chip has tipped up, but not in the high-profile debut one might expect.

Planet-hunting TESS Spacecraft Has Already Spotted 2 Exoplanets
Planet-hunting TESS Spacecraft Has Already Spotted 2 Exoplanets

The Transiting Exoplanet Survey Satellite (TESS) only started operating over the summer, but NASA reports it has already spotted two potential exoplanets.

Opportunity Rover Spotted From Mars Orbit
Opportunity Rover Spotted From Mars Orbit

Knowing where the rover ended up is a nice development, but it doesn't get us any closer to reviving Opportunity.