While the campaign, which was first reported by cybersecurity intelligence group Cisco Talos, appears to be extremely focused in scale, it reveals a new potential avenue of attack that could target iPhone owners.
The attackers were able to install rogue, open-source mobile device management (MDM) software onto the impacted iPhones. MDM suites (often used by businesses or enterprise users) allow someone, usually IT, to remotely deploy apps onto a large number of devices.
In this case, the attackers used a side-loading technique to inject malicious features into legitimate apps through legitimate-looking software updates. In their research, Cisco Talos identified five applications that were distributed by the rogue MDM.
These compromised applications, which included versions of Telegram and WhatsApp, allowed the attackers to read private SMS messages, track the device’s location, and otherwise steal sensitive data such as contacts or photos.
Based on their research and analysis, Cisco Talos has concluded that the attacker(s) is based in India. Again, the malware has only impacted a small handful of devices in the country. Because of that, it’s likely that this was a highly targeted operation from the start.
Cisco Talos notes that it’s worked closely with Apple to counter the campaign. The Cupertino tech giant has since pulled three developer certificates associated with the malware author and is in the process of actioning two others.
It’s not clear how the attackers were able to get the MDM onto the iPhones. Enrollment into the MDM could have been done through physical access to the devices, but Talos reports it’s more likely that social engineering techniques were used to trick the iPhone owners into enrolling their devices. For example, phishing-like emails could have enticed the impacted users to click accept or give up physical access to their device.
The targeted attack is just another reminder of why users should be extremely wary about clicking on unsolicited links or websites. Cisco Talos recommends that all users verify and vet the authenticity or identity of device access requests.
But it’s also a reminder that MDM systems can be used for malicious activity, which is worrying due to the rise in popularity of those systems in enterprise or corporate settings.
“By installing a certificate outside of the Apple iOS trusted certificate chain, you may open up to possible third-party attacks like this,” Cisco Talos wrote in a blog post.
“Users must be aware that accepting an MDM certificate is equivalent to allowing someone administrator access to their device, passwords, etc,” the security firm continued, adding that it “should not be something the average home user does.”
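To make the point in the two quotes above concrete, here is an added example (not from the article or from Cisco Talos) of what a defender can check before an enrollment is accepted. An iOS MDM enrollment is delivered as an Apple configuration profile (a `.mobileconfig` XML plist). The script below parses such a profile and flags the two payloads that hand a third party control of the device: an MDM enrollment payload (`com.apple.mdm`), whose `AccessRights` bit mask says what the server may do, including app management, and any root certificate payload (`com.apple.security.root`), which installs a CA outside Apple's trust chain. The sample profiles, the `example.invalid` server host and the trusted-host list are constructed for this example and are not indicators from the report.

```python
"""Assess an Apple configuration profile for payloads that grant admin-level reach.

Added example, not from the article or Cisco Talos. The sample profiles and
the server hostnames below are constructed placeholders.
"""
import plistlib
from urllib.parse import urlparse

MDM_PAYLOAD = "com.apple.mdm"               # MDM enrollment payload type
ROOT_CERT_PAYLOAD = "com.apple.security.root"  # installs a root CA on the device

# AccessRights bit meanings from Apple's MDM protocol reference; 8191 sets all of them.
ACCESS_RIGHTS_BITS = {
    1: "inspect installed configuration profiles",
    2: "install and remove configuration profiles",
    4: "device lock and passcode removal",
    8: "device erase",
    16: "query device information",
    32: "query network information",
    64: "inspect installed provisioning profiles",
    128: "install and remove provisioning profiles",
    256: "inspect installed applications",
    512: "restriction-related queries",
    1024: "security-related queries",
    2048: "manipulate settings",
    4096: "app management",
}

# Constructed sample: a profile that looks like a harmless setup step but enrolls
# the device in an unknown MDM with full rights and installs a root certificate.
ROGUE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Free Messaging Update</string>
  <key>PayloadIdentifier</key><string>example.rogue</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>PayloadIdentifier</key><string>example.rogue.mdm</string>
      <key>ServerURL</key><string>https://mdm.example.invalid/mdm</string>
      <key>CheckInURL</key><string>https://mdm.example.invalid/checkin</string>
      <key>AccessRights</key><integer>8191</integer>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadIdentifier</key><string>example.rogue.ca</string>
      <key>PayloadContent</key><data>AAAA</data>
    </dict>
  </array>
</dict></plist>
"""

# Constructed sample: a plain Wi-Fi profile with no administrative payloads.
WIFI_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Office Wi-Fi</string>
  <key>PayloadIdentifier</key><string>example.wifi</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadIdentifier</key><string>example.wifi.ssid</string>
      <key>SSID_STR</key><string>office</string>
    </dict>
  </array>
</dict></plist>
"""


def decode_access_rights(mask: int) -> list:
    """Expand an AccessRights bit mask into the capabilities it grants."""
    return [name for bit, name in ACCESS_RIGHTS_BITS.items() if mask & bit]


def payloads_of_type(profile: dict, payload_type: str) -> list:
    return [p for p in profile.get("PayloadContent", []) if p.get("PayloadType") == payload_type]


def assess_profile(raw: bytes, trusted_mdm_hosts: set) -> dict:
    """Parse a .mobileconfig and report whether it grants third-party admin control."""
    profile = plistlib.loads(raw)
    findings = []
    mdm_rights = []
    for mdm in payloads_of_type(profile, MDM_PAYLOAD):
        host = urlparse(mdm.get("ServerURL", "")).hostname or "<none>"
        if host not in trusted_mdm_hosts:
            findings.append(f"MDM enrollment with unrecognised server {host}")
        mdm_rights = decode_access_rights(int(mdm.get("AccessRights", 0)))
        if "app management" in mdm_rights:
            findings.append("MDM server may install and remove apps")
    root_certs = payloads_of_type(profile, ROOT_CERT_PAYLOAD)
    if root_certs:
        findings.append(f"installs {len(root_certs)} root certificate(s) outside Apple's trust chain")
    return {
        "display_name": profile.get("PayloadDisplayName", ""),
        "mdm_rights": mdm_rights,
        "root_cert_count": len(root_certs),
        "findings": findings,
        "grants_admin": bool(mdm_rights) or bool(root_certs),
    }


if __name__ == "__main__":
    for raw in (ROGUE_PROFILE, WIFI_PROFILE):
        report = assess_profile(raw, trusted_mdm_hosts={"mdm.corp.example.invalid"})
        print(report["display_name"], "->", report["findings"] or ["no administrative payloads"])
```

The trusted-host set stands in for an organisation's own MDM server; anything else that asks for `com.apple.mdm` enrollment, or that bundles a root CA, is exactly the "administrator access" the Talos quote describes and should be refused on a personal device.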