Stefan Mileschin

Following Android again

When the surveillance tool dubbed "Exodus" started appearing on Android, the Tame Apple Press made a big thing about how its favourite operating was safe.

The spyware "can exfiltrate contacts, take audio recordings and photos, track location data and more on mobile devices" so it is pretty nasty. Google booted a raft of Exodus-laden apps last month.

Now it turns out that iOS versions are available, admittedly outside the App Store, through phishing sites that imitate Italian and Turkmenistani mobile carriers.

To make matters worse for Apple the designers of the software abused the Apple Developer Enterprise programme.

According to Security Without Borders, the spyware appears to have been under development for at least five years. It's a three-stage affair, starting with a lightweight dropper that then fetches a large second-stage payload that contains multiple binaries with most of the spy goods housed within them. Finally, a third stage typically uses the Dirty COW exploit (CVE20165195) to obtain root privileges on a targeted device. In delving into the technical details

Lookout saw evidence of a fairly sophisticated operation, suggesting that it may have been initially marketed as a legitimate package for the government or law-enforcement sectors.

The cybercriminals used Apple's enterprise provisioning system, which allowed them to sign the apps using legitimate Apple certificates. The iOS version of the software is not as well written as the Android version. It lacks the ability to exploit device vulnerabilities.

But it could still use documented APIs to exfiltrate contacts, photos, videos and user-recorded audio recordings, device information and location data; and, it offered a way to perform remote audio recording, though this required push notifications and user interaction.

Apple has revoked the affected certificates for these apps.

https://fudzilla.com/news/mobile/484...exodus-spyware