Espionage Plan Targets Apple’s iOS

Thursday, February 5, 2015 @ 04:02 PM gHale

A highly tuned iOS app can surreptitiously steal information from iPhone or iPad text messages, contact lists, pictures, geo-location information, WiFi status of the device, lists of installed apps and processes, and record voice conversations, researchers said.

It only makes sense for bad guys to start attacking the Apple devices as more workers are using the technology in the everyday work environment.


Trend Micro researchers, who found the iOS malware while studying and tracking Operation Pawn Storm, said they believe the Apple spyware ends up installed on systems already compromised by the attackers. It’s similar to the “next-stage” SEDNIT malware they found targeting Microsoft Windows systems.

“We found two malicious iOS applications in Operation Pawn Storm. One is called XAgent (detected as IOS_XAGENT.A) and the other one uses the name of a legitimate iOS game, MadCap (detected as IOS_XAGENT.B). After analysis, we concluded that both are applications related to SEDNIT,” said Trend mobile threat analysts Lambert Sun and Brooks Hong and senior threat researcher Feike Hacquebord, in a blog post.

“The obvious goal of the SEDNIT-related spyware is to steal personal data, record audio, make screenshots, and send them to a remote command-and-control (C&C) server. As of this publishing, the C&C server contacted by the iOS malware is live,” they said.

When XAgent runs on iOS 7, its icon doesn’t show up on the mobile device. It’s hard to kill, too: when the researchers attempted to terminate the app’s process, it restarted right away. When running on iOS 8, however, the icon is visible and the app doesn’t automatically restart after it is killed. Researchers said this shows the malware came out before iOS 8’s release in September of last year.

“We can see that the code structure of the malware is very organized. The malware looks carefully maintained and consistently updated,” the researchers said in a blog post.

Operation Pawn Storm cyberattacks intensified in the wake of U.S.-Russian tensions, and the organizations and regions targeted appear to point to Russia or Russian interests. The attackers are going after the U.S., NATO allies, and Russian dissidents. Among the targets of some phishing attacks used in the campaign are ACADEMI (the U.S. defense contractor formerly known as Blackwater), SAIC, and the Organization for Security and Cooperation in Europe.

Trend Micro stopped short of attributing the attacks to Russia. However, researchers at FireEye said the Russian government was behind the Operation Pawn Storm campaign.

Just how victims’ Apple iOS devices suffer infection with the spyware remains unknown.
