Researchers at mobile security firm Lookout have discovered iOS versions of a spyware tool that an Italian video surveillance company appears to have designed for so-called lawful intercept purposes by governments.
Non-profit white hat hacker collective Security Without Borders last month had reported discovering several Android versions of the same malware uploaded to Play Store, Google’s official mobile app store.
Google removed those apps—which were disguised as service apps from Italian mobile operators—after the company was notified of the problem. Security Without Borders has estimated the total number of infections to be in the high hundreds to potentially one thousand or more.
The iOS version of Exodus, as the malware is called, can steal a range of data from infected systems. Examples include contact information, audio recordings, photos, videos, GPS location information and any other data that can be accessed via an infected device’s iOS APIs, says Christoph Hebeisen, senior manager of security intelligence at Lookout. The malware is also capable of doing remote audio recording.
Even so, the iOS versions are not as sophisticated as the Android malware he says. “The iOS version can only exfiltrate a limited set of data as it is limited to data it can access via iOS APIs,” Hebeisen says. “In contrast, the Android version has full root access to the device.” So it is capable of accessing and exfiltrating screen shots, text messages, browser histories, call logs, data from third-party messaging apps such as WhatsApp and Telegram and other data as well. Exodus for Android is also designed to keep running even when the screen is switched off.
Both Security Without Borders and Lookout believe the software is the work of eSurv, an Italian firm ostensibly focused on video surveillance software and image recognition systems. According to Security Without Borders, eSurv has been developing the spyware since at least 2016.
Several aspects of eSurv’s operations suggest the company is well funded and has designed the software for use by law enforcement and other entities to conduct offensive surveillance on people, according to Lookout. Tell-tale signs include the use of certificate pinning and public key encryption for command-and-control purposes and the use of geo-restrictions to ensure the malware is used only in specific geographies.
This is the second instance in the past 18 months where an Italian software firm has been caught quietly distributing surveillance software.
In January 2018, security vendor Kaspersky Lab reported on another Italian firm using spoofed web pages to distribute “Skygofree,” an extremely sophisticated Android spying tool. Kasperksy Lab described the malware as a data-stealer capable of supporting up to 48 different remote commands and controllable via SMS messages, HTTP, and FireBaseCloudMessaging Services. Like Exodus, Skygofree too had a feature that allowed the app to keep running even when other apps are suspended—or put into battery-saving mode.
The iOS version of Exodus is being distributed via phishing sites. To make that possible, the operators of the spyware appear to have abused Apple’s Developer Enterprise Program, a provisioning mechanism that allows enterprises to distribute proprietary in-house iOS apps to employees without having to use Apple’s mobile app store.
“Apple’s Enterprise Developer program is not involved in the download,” Hebeisen notes. “eSurv was approved for the Apple Developer Enterprise program, which allowed them to sign the apps with a legitimate-looking enterprise certificate,” he notes. Apple has since revoked the certificates that eSurv was using to digitally sign its software.
There is no indication that eSurv ever attempted to upload the signed iOS malware to Apple’s app store. Instead they hosted the spyware on phishing sites that were designed to appear as mobile carrier sites. Hebeisen says Lookout is presently unsure what lures eSurv is using to direct victims to the phishing websites.
Exodus for iOS executes when a user downloads and launches the app. The malware sets up multiple timers for gathering and uploading specific data on a periodic basis. The data is then queued and transferred to the command-and-control server. The C2 infrastructure that eSurv is using for the iOS version of Exodus is the same as the one being used for the Android version.
Lookout says it does not know potentially how many iOS users might have downloaded Exodus on their systems. All of the telemetry that Lookout has gathered shows the attacks are focused purely on Italian IP addresses. So, the risk to US users is negligible, Hebeisen says.
It’s unclear whether eSurv was collecting, or planning to collect mobile data, on any entity’s behalf. But there are several companies vying for market share in what some say is a growing market for lawful intercept tools. A recent report from Allied Market Research estimated demand for such tools from governments and law enforcement agencies to top $3.3 billion by 2022. New rules and standards by governments seeking to fight technology-enabled crime are driving a lot of the demand, Allied Market Research said.
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio