Recent news reports say that cybersecurity investigators have found an iOS version of the powerful mobile phone surveillance app that was targeting Android device owners through apps on the official Google Play Store. This is not good news for Apple iOS users.
Dubbed Exodus, as the malware is known, the iOS version of the spyware was found by cybersecurity experts at Lookout during their analysis of the Android samples they had discovered in 2018.
Unlike the Android variant, the iOS version of Exodus has been spread outside of the official App Store, mainly through phishing websites that imitate Italian and Turkmenistani mobile carriers.
Since Apple restricts direct installation of apps from outside its official App Store, the iOS version of Exodus abuses the Apple Developer Enterprise program, which permits businesses to distribute their own in-house apps directly to their employees without going through the iOS App Store.
The security specialists shared their findings in a blog post. They said that each of the phishing websites included links to a distribution manifest, which contained metadata such as the application name, version, icon, and a URL for the IPA file.
Furthermore, they said that all of these packages used provisioning profiles with distribution certificates associated with the organization Connexxa S.R.L.
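The manifest fields described above can be pulled out during triage of a suspicious enterprise-install link. The following is an added example, not code from Lookout or from the original article: it assumes the standard Apple over-the-air manifest layout (`items`, `assets`, `metadata`), and the sample manifest, the host names and the `trusted_hosts` allowlist are constructed placeholders.

```python
import plistlib
from urllib.parse import urlparse, parse_qs

# Constructed sample manifest; every value below is a made-up placeholder.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>items</key><array><dict>
  <key>assets</key><array>
    <dict><key>kind</key><string>software-package</string>
      <key>url</key><string>https://carrier-support.example/app/assist.ipa</string></dict>
    <dict><key>kind</key><string>display-image</string>
      <key>url</key><string>https://carrier-support.example/app/icon.png</string></dict>
  </array>
  <key>metadata</key><dict>
    <key>bundle-identifier</key><string>com.example.assist</string>
    <key>bundle-version</key><string>1.0</string>
    <key>title</key><string>Carrier Assistance</string>
  </dict>
</dict></array></dict></plist>"""

def manifest_url_from_link(link):
    """Return the manifest URL carried by an itms-services:// install link."""
    parsed = urlparse(link)
    if parsed.scheme != "itms-services":
        return None
    return parse_qs(parsed.query).get("url", [None])[0]

def triage_manifest(data, trusted_hosts=frozenset()):
    """Summarise each manifest item and flag IPAs served from unapproved hosts."""
    records = []
    for item in plistlib.loads(data).get("items", []):
        meta = item.get("metadata", {})
        assets = {a.get("kind"): a.get("url", "") for a in item.get("assets", [])}
        ipa_url = assets.get("software-package", "")
        host = urlparse(ipa_url).hostname
        findings = []
        if not host:
            findings.append("no IPA URL in manifest")
        elif host not in trusted_hosts:  # trusted_hosts: hypothetical allowlist
            findings.append("IPA served from unapproved host: " + host)
        records.append({
            "title": meta.get("title"),
            "version": meta.get("bundle-version"),
            "bundle_id": meta.get("bundle-identifier"),
            "icon_url": assets.get("display-image"),
            "ipa_url": ipa_url,
            "findings": findings,
        })
    return records
```
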
Although the iOS variant is less sophisticated than its Android counterpart, the spyware can still steal sensitive data from targeted iPhone devices, including contact numbers, audio recordings, photos, videos, GPS location, and other device information.
The stolen data is then transmitted via HTTP PUT requests to an endpoint on the attacker-controlled command-and-control (CnC) server, which is the same CnC infrastructure as the Android version and uses the same communication protocols.
Several technical details indicated that Exodus was “likely the virus of a well-funded advance effort” and was aimed at government or law-enforcement agencies.
The security specialists stated that these details included the use of certificate pinning and public key encryption for C2 communications, geo-restrictions imposed by the C2 when delivering the second stage, and the complete and well-implemented suite of surveillance features.
Created by an Italy-based organization called Connexxa S.R.L., Exodus came to light late last month when white hat hackers from Security Without Borders found nearly 25 different applications disguised as service applications on the Google Play Store, which the tech giant removed after being informed.
Under development for at least 5 years, Exodus for Android typically consists of three different sections. First, there is a small dropper that gathers basic identifying information, like the IMEI and phone number, about the targeted phone.
The second section contains multiple binary packages that deploy a well-implemented suite of surveillance features.
Lastly, the third section uses the infamous DirtyCOW exploit (CVE-2016-5195) to gain root control over the infected devices. Once successfully installed, Exodus can carry out an extensive amount of surveillance.
The Android variant is also designed to keep running on the infected phones even when the screen is powered off.
While the Android version of Exodus had possibly infected “numerous hundreds if not a thousand or more” phones, it is not clear how many iPhones were affected by the iOS Exodus variant.
After being informed of the spyware by the Lookout specialists, Apple revoked the enterprise certificate, preventing the malicious applications from being installed on new iPhones and from running on infected devices.
This is the second case in the past year in which an Italian software organization has been caught distributing spyware. Earlier last year, another undisclosed Italian firm was discovered distributing “Skygofree,” a dangerous Android spying program that gives hackers complete remote control of infected devices.