Security researchers at Cisco Talos have recently uncovered a “highly targeted” mobile malware campaign that has been operating since August 2015. The attackers are believed to be operating out of India and are using an open-source mobile device management (MDM) solution to control the compromised devices and deploy malicious applications to them remotely.
MDM is a class of enterprise management software that companies use to control and enforce policies on the devices their employees use. To enroll an iPhone in an MDM, the user must manually install the enterprise's development certificate, which is obtained through the Apple Developer Enterprise Program.
Hackers were found spying on 13 specific iPhones.
The MDM configuration file is delivered through email or a webpage using Apple Configurator. Once enrollment is complete and the user has installed the MDM profile, administrators can control the device remotely. The controls include installing or removing applications, installing or revoking certificates, locking the device, changing passwords and more.
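Because enrollment hinges on the user accepting a configuration profile, a defender's first check is to inspect what that profile would grant before it is trusted. The following triage script is an added example, not code from Cisco Talos or the campaign; it parses a .mobileconfig, lists the MDM server, root CA and identity payloads it carries, and decodes the `AccessRights` bitmask of the `com.apple.mdm` payload (bit values assumed to follow Apple's Configuration Profile Reference). The sample profile and the host `mdm.example.invalid` are constructed for the demonstration.

```python
"""Triage an iOS MDM enrollment profile (.mobileconfig) before it is trusted."""
import plistlib

# Bit values of the com.apple.mdm payload's AccessRights key.
# Mapping assumed from Apple's Configuration Profile Reference.
ACCESS_RIGHTS = {
    1: "inspect profiles", 2: "install/remove profiles",
    4: "device lock / passcode removal", 8: "device erase",
    16: "query device info", 32: "query network info",
    64: "inspect provisioning profiles", 128: "install/remove provisioning profiles",
    256: "inspect installed apps", 512: "query restrictions",
    1024: "query security settings", 2048: "manipulate settings",
    4096: "app management (install/remove apps)",
}

def decode_access_rights(mask):
    """Expand an AccessRights bitmask into the capabilities it grants."""
    return [name for bit, name in ACCESS_RIGHTS.items() if mask & bit]

def triage_profile(data):
    """Summarise what a profile would grant to the MDM operator if installed."""
    profile = plistlib.loads(data)
    summary = {"mdm_servers": [], "root_cas": [], "identities": [], "rights": []}
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype == "com.apple.mdm":            # the remote-control payload
            summary["mdm_servers"].append(payload.get("ServerURL"))
            summary["rights"].extend(decode_access_rights(payload.get("AccessRights", 0)))
        elif ptype == "com.apple.security.root":  # a new trusted CA on the device
            summary["root_cas"].append(payload.get("PayloadDisplayName", "<unnamed CA>"))
        elif ptype == "com.apple.security.pkcs12":  # client identity used to talk to the MDM
            summary["identities"].append(payload.get("PayloadDisplayName", "<unnamed identity>"))
    # An MDM that can push apps is exactly the capability this campaign abused.
    summary["high_risk"] = bool(summary["mdm_servers"]) and \
        "app management (install/remove apps)" in summary["rights"]
    return summary

# Constructed sample profile: one MDM payload with full rights plus a root CA.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration", "PayloadDisplayName": "Constructed enrollment profile",
    "PayloadContent": [
        {"PayloadType": "com.apple.security.root", "PayloadDisplayName": "Constructed test CA",
         "PayloadContent": b"not-a-real-certificate"},
        {"PayloadType": "com.apple.mdm", "ServerURL": "https://mdm.example.invalid/mdm",
         "CheckInURL": "https://mdm.example.invalid/checkin", "AccessRights": 8191},
    ],
})

if __name__ == "__main__":
    print(triage_profile(SAMPLE_PROFILE))
```

On a real profile, compare `mdm_servers` and `root_cas` against the organisation's known MDM before the user taps Install; anything unrecognised with `high_risk` set warrants escalation.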
According to Apple, “MDM uses the Apple Push Notification Service (APNS) to deliver a wake-up message to a managed device. The device then connects to a predetermined web service to retrieve commands and return results.”
It is still not clear how the hackers managed to enroll the 13 selected devices in their MDM service, because the enrollment process requires the user to manually install a certificate authority on the device. Security researchers at Cisco Talos note that the cybercriminals might have used social engineering or gained physical access to the selected iPhones.
The cybercriminals used the MDM service to take control of the devices and install modified versions of legitimate applications, which are able to spy on victims and steal their personal information, such as messages, contacts and photos.
The Boptions sideloading technique was used to inject spyware functions into messaging applications such as WhatsApp. The technique enabled the hackers to add a dynamic library to popular, otherwise secure messaging apps.
“The injection library can ask for additional permissions, execute code and steal information from the original application, among other things.”
The malicious code added to the messaging apps sent contacts, images and location data from the infected device to a remote server.
“Talos identified another legitimate app executing malicious code during this campaign in India. PrayTime is used to give the user a notification when it's time to pray,” researchers said. “The purpose is to download and display specific ads to the user. This app also leverages private frameworks to read the SMS messages on the device it is installed on and uploads these to the C2 server.”
It is worth mentioning that Apple had already withdrawn three certificates linked to the campaign. Researchers at Talos also informed the company about the incident, and as a result two more certificates were revoked.