'Exodus' Spyware Found Targeting Apple iOS Users

The surveillance tool dubbed "Exodus" has been ported to the Apple iOS ecosystem. According to Threatpost, the spyware "can exfiltrate contacts, take audio recordings and photos, track location data and more on mobile devices." From the report: Earlier this month, word came that Google had booted a raft of Exodus-laden apps. According to Lookout Security, it turns out that iOS versions had become available outside the App Store, through phishing sites that imitate Italian and Turkmenistani mobile carriers. These are notable in that they abused the Apple Developer Enterprise program. According to Lookout and other research from Security Without Borders, the spyware appears to have been under development for at least five years. It's a three-stage affair, starting with a lightweight dropper that then fetches a large second-stage payload that contains multiple binaries with most of the spy goods housed within them. Finally, a third stage typically uses the Dirty COW exploit (CVE20165195) to obtain root privileges on a targeted device. In delving into the technical details, Lookout saw evidence of a fairly sophisticated operation, suggesting that it may have been initially marketed as a legitimate package for the government or law-enforcement sectors.

In order to spread the iOS app outside of the official App Store, the cybercriminals abused Apple's enterprise provisioning system, which allowed them to sign the apps using legitimate Apple certificates. Lookout's analysis found that the iOS variant is a bit cruder than its Android counterpart, and it lacks the ability to exploit device vulnerabilities. However, the apps were still able to use documented APIs to exfiltrate contacts, photos, videos and user-recorded audio recordings, device information and location data; and, it offered a way to perform remote audio recording, though this required push notifications and user interaction. The good news is that Apple has revoked the affected certificates for this particular crop of apps.

Re:

[BladeMelbourne]

Speaking about exploited, dirty cows... /I didn't copy this on write

It can only exfiltrate what you agree to send

[SuperKendall]

Of note is this last part:

Lookout's analysis found that the iOS variant is a bit cruder than its Android counterpart, and it lacks the ability to exploit device vulnerabilities. However, the apps were still able to use documented APIs to exfiltrate contacts, photos, videos and user-recorded audio recordings, device information and location data

Since it only uses documented API's, that means separate prompts each to access location, photos/video, and contacts. I'm not even sure how it would get to user-rec

if i say "walled garden, my ass"

[gTsiros]

will it be too predictable?

Re:

[Anonymous Coward]

Always. And this appears to be DOA before anything happened to iOS users.

Android users on the other hand get fucked daily in the ass by poor security.

Re:

[Anonymous Coward]

So you have to sideload this app by either first rooting your iphone, or by applying for a developer account and using that hack.
Unlike android this app can not access any other apps data like my keepass file, only api approved data like photos contacts etc.

You call it a walled garden, I call it proper security.

Sure IOS does not support MAME, but I would rather have a secure platform for online trading and banking than another device to run TacScan.

Re:

[gnasher719]

No, you don't have to root the iphone or apply for a developer account. It works differently. Someone used the credentials from an Enterprise Account. To install the app, all you have to do is to install a profile created with your Enterprise Account.

Of course if you are asked to install some company's profile, you should be very suspicious. Unless you are an employee of this company, which is the only case where it would be legitimate. And even then you should be very suspicious.

Re:

[tlhIngan]

So you have to sideload this app by either first rooting your iphone, or by applying for a developer account and using that hack.
Unlike android this app can not access any other apps data like my keepass file, only api approved data like photos contacts etc.

You call it a walled garden, I call it proper security.

Sure IOS does not support MAME, but I would rather have a secure platform for online trading and banking than another device to run TacScan.

You can have MAME on iOS, lots of people do it. You don't n

Re:

[Jeremi]

will it be too predictable?

Dunno how your ass got involved, but this article seems to validate the effectiveness of the walled garden as a security mechanism, in that people who stayed within the walled garden (by only downloading their iOS apps from the App Store and not from third-party websites) were never vulnerable to being exploited by this app.

Re:

[DontBeAMoran]

So according to you, this explains their "rounded corners" fetish?

Huh?

[Dan East]

Finally, a third stage typically uses the Dirty COW exploit (CVE20165195) to obtain root privileges on a targeted device

What does that have to do with iOS? That's a Linux kernel vulnerability. The summary is totally mashing up the iOS and Android aspects into one glob.

https://en.wikipedia.org/wiki/... [wikipedia.org]

Re:

[Anonymous Coward]

Apple ported the exploit to Darwin/XNU within days of CVE20165195 being announced, as they didn't want to fall behind Linux. Most features of Linux end up in XNU.

Re:Huh?

[LostMyAccount]

Most security companies desperately want to sound relevant when it comes to iOS, and they know that low-rent tech "journalists" are more than happy to play fast and loose with vulnerabilities that are a mile wide on Android but easy to avoid on iOS.

You can install Exchange server in less clicks of OK and Next than it would take for this "exploit" to work on iOS.

Apple does need to figure out its enterprise certificate system, though. It should be a 2 or 3 step process to install enterprise apps on a phone not already managed by that same organization.

"iOS spyware found targetting apple iOS users"

[themusicgod1]

The surveillance tool dubbed "iOS" has been ported to the Apple iOS ecosystem. According to Threatpost, the spyware "can exfiltrate contacts, take audio recordings and photos, track location data and more on mobile devices." From the report:

According to Lookout Security, it turns out that iOS versions had become in the "App Store", a phishing site that imitates legitimate software repositories. These are notable in that they used the "Apple Developer Enterprise" program. According to Lookout and other re