Cybersecurity researchers have uncovered an iOS version of a potent mobile phone surveillance app that initially targeted Android devices via apps in the official Google Play Store.
The iOS version of the spyware, dubbed Exodus, was discovered by security researchers at Lookout while they were analysing Android samples of the same malware discovered the previous year.
In contrast to its Android counterpart, the iOS version of Exodus has been distributed outside of the official App Store, primarily via phishing websites that impersonate Italian and Turkmen mobile carriers.
Since Apple prohibits the direct installation of apps outside of its official app store, the iOS version of Exodus is abusing the Apple Developer Enterprise program, which allows enterprises to distribute in-house apps directly to their employees without using the iOS App Store.
Each of the phishing sites contained links to a distribution manifest, which contained metadata such as the application’s name, version, icon, and the URL for the IPA file, according to a blog post by the researchers.
All of these packages utilized provisioning profiles with distribution certificates belonging to Connexxa S.R.L.
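Because the whole installation chain hinges on the distribution manifest described above, here is an added example (not code from the article or from Lookout) that parses such an over-the-air manifest, pulls out the fields named above (app name, version, icon URL and IPA URL) and flags what a fleet or SOC analyst would check: the IPA URL scheme, whether the IPA host is on the organisation's enterprise-distribution allowlist, and whether it differs from the host serving the manifest. The manifest, hostnames, bundle identifier and allowlist are all constructed placeholders.

```python
# Added example (not code from the article or from Lookout): parse an
# over-the-air iOS distribution manifest, the plist an itms-services:// link
# points at, and flag what a defender would check. All hostnames are made up.
import plistlib
from urllib.parse import urlparse

# Constructed manifest in Apple's OTA layout; every URL and name is a placeholder.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>items</key><array><dict>
  <key>assets</key><array>
    <dict><key>kind</key><string>software-package</string>
          <key>url</key><string>http://ipa-host.example/support.ipa</string></dict>
    <dict><key>kind</key><string>display-image</string>
          <key>url</key><string>https://carrier-lookalike.example/icon.png</string></dict>
  </array>
  <key>metadata</key><dict>
    <key>bundle-identifier</key><string>com.example.carriersupport</string>
    <key>bundle-version</key><string>1.2</string>
    <key>kind</key><string>software</string>
    <key>title</key><string>Carrier Support</string>
  </dict>
</dict></array></dict></plist>
"""


def parse_manifest(data: bytes) -> dict:
    """Extract the fields the article names: app name, version, icon and IPA URL."""
    item = plistlib.loads(data)["items"][0]
    meta, urls = item["metadata"], {a["kind"]: a["url"] for a in item["assets"]}
    return {"title": meta.get("title"), "bundle_id": meta.get("bundle-identifier"),
            "version": meta.get("bundle-version"),
            "icon_url": urls.get("display-image"), "ipa_url": urls.get("software-package")}


def triage(info: dict, manifest_host: str, allowed_hosts: set) -> list:
    """Return findings suggesting an unsanctioned enterprise-style sideload."""
    findings = []
    ipa = urlparse(info["ipa_url"] or "")
    if ipa.scheme != "https":
        findings.append("IPA not served over HTTPS")
    if ipa.hostname not in allowed_hosts:
        findings.append(f"IPA host {ipa.hostname!r} not in the enterprise allowlist")
    if ipa.hostname != manifest_host:
        findings.append("IPA served from a different host than the manifest")
    return findings


if __name__ == "__main__":
    info = parse_manifest(SAMPLE_MANIFEST)
    for finding in triage(info, "carrier-lookalike.example", {"apps.corp.example"}):
        print("FLAG:", finding)
```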
Even though the iOS variant is less sophisticated than its Android counterpart, the spyware is still capable of exfiltrating information from compromised iPhones, including contacts, audio recordings, photos, videos, GPS location, and device information.
The data is then transmitted via HTTP PUT requests to an endpoint on an attacker-controlled command-and-control (C2) server; the iOS variant uses the same C2 infrastructure and the same communication protocols as the Android version.
Several technical details suggested that Exodus was the “likely result of a well-funded development effort” and was designed to target the government or law enforcement sectors.
These included the use of certificate pinning and public key encryption for C2 communications, geo-restrictions imposed by the C2 when delivering the second stage, and a comprehensive and well-implemented suite of surveillance features, according to the researchers.
Exodus was created by an Italian company known as Connexxa S.R.L. It came to light at the end of last month when white hat hackers from Security Without Borders discovered nearly 25 apps masquerading as service applications on Google Play Store, which the tech giant promptly removed after being notified.
Exodus for Android, which has been in development for at least five years, typically consists of three distinct phases. Initially, a small dropper collects basic identifying information, such as the IMEI and phone number, from the targeted device.
Multiple binary packages that deploy a well-implemented suite of surveillance capabilities constitute the second stage.
The final stage uses the infamous DirtyCOW exploit (CVE-2016-5195) to gain root access to infected mobile devices. Once successfully installed, Exodus is capable of conducting extensive surveillance.
The Android variant is also designed to continue running on infected devices with the screen off.
While the Android version of Exodus had potentially infected “several hundred, if not a thousand or more” devices, the number of iPhones infected by the iOS variant is unknown.
Apple revoked the enterprise certificate after being notified of the spyware by the Lookout researchers, which prevents the malicious apps from being installed on additional iPhones and from running on already-infected devices.
This is the second time an Italian software company has been caught distributing spyware in the past year. A previously undisclosed Italian company was discovered distributing “Skygofree,” a dangerous Android spying tool that grants remote control of infected devices to hackers.