Mysterious malware has infected only 13 iPhones in India in what appears to be a highly targeted operation.
The attack was carried out using an MDM (mobile device management) server, a tool normally used in enterprise environments to side-load custom apps onto employee devices, apps that are not or cannot be distributed through the official iOS App Store because of their sensitive nature.
According to Cisco Talos researchers, who came across this rogue MDM server, the attacker has slowly added 13 iPhones to his closed environment and used the MDM server to replace popular apps with versions that included data harvesting malware.
Attacks carried out using physical access or social engineering
Adding an iPhone to an MDM server requires installing a rogue certificate into the iOS trusted certificate store, which is a complex, multi-step process.
Researchers haven’t been able to determine how users were added to the rogue MDM server, but they believe the attacker either had physical access to someone’s device, or they social engineered victims into believing they needed to install the rogue certificate in order to view a website or install an app they desired.
Once victims were enrolled in his rogue MDM environment, the attacker silently uninstalled legitimate apps and deployed replacements infected with malware.
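One defensive check that follows from the enrollment step described above, added here as an example and not part of the original article or of the Talos research: audit an iOS configuration profile (.mobileconfig) for the combination of a root-certificate payload and an MDM payload pointing at a server outside an allowlist. It assumes an unsigned XML profile; the allowlist host and the sample profile are constructed for the demonstration.

```python
import plistlib
from urllib.parse import urlparse

# Apple configuration-profile payload type identifiers (real values).
MDM_PAYLOAD = "com.apple.mdm"
ROOT_CERT_PAYLOAD = "com.apple.security.root"

# Hypothetical allowlist of MDM hosts the organisation actually operates.
TRUSTED_MDM_HOSTS = {"mdm.example-corp.internal"}


def audit_profile(profile_bytes, trusted_hosts=TRUSTED_MDM_HOSTS):
    """Parse a .mobileconfig plist and return a list of findings.

    An empty list means nothing suspicious. A profile that both installs a
    root CA and enrols the device with an MDM server outside the allowlist
    matches the rogue-enrolment pattern described in the article.
    """
    profile = plistlib.loads(profile_bytes)
    findings = []
    installs_root_ca = False
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype == ROOT_CERT_PAYLOAD:
            installs_root_ca = True
            name = payload.get("PayloadDisplayName", "?")
            findings.append("installs a root CA: %s" % name)
        elif ptype == MDM_PAYLOAD:
            host = urlparse(payload.get("ServerURL", "")).hostname or ""
            if host not in trusted_hosts:
                findings.append("MDM enrolment with unknown server: %s" % host)
    if installs_root_ca and any(f.startswith("MDM enrolment") for f in findings):
        findings.append("root CA + unknown MDM server: treat as rogue enrolment")
    return findings


# Constructed sample profile (not from the Talos report): root CA plus MDM.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.rogue",          # constructed value
    "PayloadContent": [
        {"PayloadType": ROOT_CERT_PAYLOAD,
         "PayloadDisplayName": "Update Certificate",   # constructed value
         "PayloadContent": b"\x30\x82"},               # stand-in for DER bytes
        {"PayloadType": MDM_PAYLOAD,
         "ServerURL": "https://mdm.example.invalid/mdm",        # constructed
         "CheckInURL": "https://mdm.example.invalid/checkin"},  # constructed
    ],
})

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print(finding)
```

Signed profiles are CMS-wrapped and must be unwrapped before the plist can be parsed; on a managed fleet the same host check can be run against the MDM payload reported by the device's enrolment status.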
Poisoned apps used for data collection
Based on the MDM server's logs, researchers say the attacker has deployed four apps since 2015, when he first set up the server and started adding victims.
The four apps he deployed are WhatsApp, Telegram, PrayTime, and MyApp. The malicious code inserted into these apps did not interfere with their native functionality, and the apps continued to work as intended.
The malicious code in the WhatsApp and Telegram apps could collect and exfiltrate data from a victim such as the phone’s number, serial number, location, contacts, photos, SMS, and WhatsApp and Telegram messages.
The PrayTime app could collect only SMS messages, and also included an odd feature that displayed ads on infected devices. It is unclear why this feature was included, since injecting ads onto a victim's phone could alert the target that the device had been infected with malware and would have put the entire operation at risk.
The fourth app, MyApp, appears to have been used only for testing.
Attacker located in India but tried to pose as Russian
“This campaign is of note since the malware goes to great lengths to replace specific mobile apps for data interception,” researchers said.
“Talos has worked closely with Apple on countering this threat. Apple had already actioned 3 certificates associated with this actor when Talos reached out, and quickly moved to action the two others once Talos tied them to the threat,” experts added.
Based on the data found in the rogue certificates, the associated web domains, and the MDM server logs, Cisco experts say the attacker is most likely located in India but attempted to pose as Russian by using Russian names and email domains.
Besides the 13 iPhones belonging to victims, the attacker also appears to have added two personal devices named “test” and “mdmdev” to the MDM server during its initial deployment.
“These two devices share the same phone number,” Cisco Talos experts said in a report published yesterday. “The phone number originates from India and is registered on the ‘Vodafone India’ network provider.”
Cisco did not reveal any data about the 13 victims, except that they were all located in India, the same country as the attacker.
Indicators of compromise (IOCs) and other forensic data regarding this highly targeted attack are available in the Cisco Talos research.