Cisco Talos has discovered a highly targeted campaign against 13 iPhones in India which were reportedly used by VVIPs. The attacker, in this case, used an open-source mobile device management (MDM) system to control the devices.
The report states that it is unclear how the attacker managed to enroll these 13 iPhones into the MDM. Enrolling an iPhone is not a silent operation: the user has to install a configuration profile and accept several on-device prompts, so Talos speculates that the attacker either had physical access to the devices or used social engineering to lure each victim into accepting the enrollment.
After enrolling the 13 devices into the MDM, the attacker deployed five applications onto them. Two were used to test device features, one harvested SMS messages, and the remaining two reported the device's location and exfiltrated data stored on it.
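The artifact that makes an enrollment like this possible is the configuration profile the victim accepts. The following is an added example (not Talos code and not from this article) that audits a .mobileconfig plist for the things a defender would want to see flagged: an MDM payload whose ServerURL or CheckInURL points at a host outside the organisation's real MDM, an AccessRights mask that includes app management (the right needed to push apps like the five above), a bundled root CA, and a profile locked against removal. The trusted host, the profile contents and the 203.0.113.10 server address are constructed for the example.

```python
"""Audit an iOS configuration profile for a suspicious MDM enrollment.

Added example, not from the Talos report. The profile below is constructed;
TRUSTED_MDM_HOSTS is an assumption standing in for the org's real MDM host.
"""
import plistlib
from urllib.parse import urlparse

TRUSTED_MDM_HOSTS = {"mdm.corp.example"}     # assumption: the legitimate MDM

# AccessRights is a bitmask (Apple Configuration Profile Reference);
# 4096 is "Allow app management", i.e. the MDM may install and remove apps.
RIGHT_APP_MANAGEMENT = 4096


def audit_profile(data: bytes, trusted_hosts=TRUSTED_MDM_HOSTS) -> list[str]:
    """Return human-readable findings for one .mobileconfig (plist bytes)."""
    prof = plistlib.loads(data)
    findings = []
    if prof.get("PayloadRemovalDisallowed"):
        findings.append("profile is locked against removal")
    for payload in prof.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype == "com.apple.mdm":
            for key in ("ServerURL", "CheckInURL"):
                host = urlparse(payload.get(key, "")).hostname
                if host not in trusted_hosts:
                    findings.append(f"MDM {key} points at untrusted host {host!r}")
            rights = int(payload.get("AccessRights", 0))
            if rights & RIGHT_APP_MANAGEMENT:
                findings.append("MDM payload requests app management (can push apps)")
        elif ptype == "com.apple.security.root":
            name = payload.get("PayloadDisplayName", "?")
            findings.append(f"profile installs a root CA: {name}")
    return findings


# Constructed lure profile: an MDM payload pointing at an attacker-controlled
# server (TEST-NET address), full access rights, plus a bundled root CA.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.lure",
    "PayloadUUID": "7A3C1E2B-0000-4000-8000-000000000001",
    "PayloadDisplayName": "Network Fix",
    "PayloadRemovalDisallowed": True,
    "PayloadContent": [
        {
            "PayloadType": "com.apple.mdm",
            "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.lure.mdm",
            "PayloadUUID": "7A3C1E2B-0000-4000-8000-000000000002",
            "ServerURL": "https://203.0.113.10/mdm",
            "CheckInURL": "https://203.0.113.10/checkin",
            "Topic": "com.apple.mgmt.External.example",
            "AccessRights": 8191,
            "IdentityCertificateUUID": "7A3C1E2B-0000-4000-8000-000000000003",
        },
        {
            "PayloadType": "com.apple.security.root",
            "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.lure.ca",
            "PayloadUUID": "7A3C1E2B-0000-4000-8000-000000000004",
            "PayloadDisplayName": "Lure Root CA",
            "PayloadContent": b"-- placeholder DER certificate bytes --",
        },
    ],
})

if __name__ == "__main__":
    for line in audit_profile(SAMPLE_PROFILE):
        print("FINDING:", line)
```

On a real device the installed profiles are visible under Settings, General, Profiles & Device Management (or VPN & Device Management on newer iOS); the plist above is what a forensic export of such a profile looks like once the CMS signature wrapper is stripped.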
This campaign is of particular note because the malware “goes to great lengths to replace specific mobile apps for data interception.” Talos says it worked closely with Apple on neutralizing the threat: Apple had already revoked three of the certificates associated with the campaign, and once Talos reported the malware, Apple promptly revoked the remaining two as well.
The attacker used the BOptions sideloading technique to add features to legitimate apps, including the messaging apps WhatsApp and Telegram, which the MDM then deployed onto the 13 targeted devices in India. The purpose of the BOptions sideloading technique is to inject a dynamic library into an application, so that the attacker's code is loaded alongside the app's own code at launch. The malicious code inserted into these apps can collect and exfiltrate information from the device, such as the phone number, serial number, location, contacts, the user's photos, SMS messages, and Telegram and WhatsApp chat messages. Such information can be used to manipulate a victim, or for blackmail or bribery.
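Because a sideloaded dylib has to be referenced from the app binary's load commands, the check a responder would run on a suspect app is to list those commands and compare them against a known-good build. The example below is added here and is not Talos code or anything from the article: it parses the load commands of a 64-bit Mach-O executable (the file at Payload/<App>.app/<CFBundleExecutable> inside the IPA, after splitting any fat binary into a single slice), returns every LC_LOAD_DYLIB / LC_LOAD_WEAK_DYLIB install name, and flags those that are neither OS libraries nor in the vendor's baseline. The sample binary is constructed in the block, and the path "@executable_path/Frameworks/injected.dylib" is an invented name, not a real indicator from the campaign.

```python
"""List dylib load commands in a 64-bit Mach-O and flag unexpected ones.

Added example, not from the Talos report. The Mach-O below is constructed
inline; real apps are usually fat binaries that must be split first.
"""
import struct

MH_MAGIC_64 = 0xFEEDFACF          # 64-bit Mach-O, host-endian (arm64 iOS)
MH_CIGAM_64 = 0xCFFAEDFE          # byte-swapped variant
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x80000018   # LC_REQ_DYLD | 0x18
HEADER_SIZE_64 = 32               # sizeof(struct mach_header_64)
CPU_TYPE_ARM64 = 0x0100000C
MH_EXECUTE = 2

SYSTEM_PREFIXES = ("/usr/lib/", "/System/Library/")


def list_dylibs(blob: bytes) -> list[str]:
    """Return the install name of every LC_LOAD_DYLIB / LC_LOAD_WEAK_DYLIB."""
    (magic,) = struct.unpack_from("<I", blob, 0)
    if magic == MH_MAGIC_64:
        endian = "<"
    elif magic == MH_CIGAM_64:
        endian = ">"
    else:
        raise ValueError("not a 64-bit Mach-O (split fat binaries first)")
    # mach_header_64: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
    ncmds = struct.unpack_from(endian + "8I", blob, 0)[4]
    names = []
    offset = HEADER_SIZE_64
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(endian + "2I", blob, offset)
        if cmdsize < 8 or offset + cmdsize > len(blob):
            raise ValueError("malformed load command")
        if cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            # dylib_command: cmd, cmdsize, then struct dylib {name.offset, timestamp,
            # current_version, compatibility_version}; name.offset is relative to cmd
            (name_offset,) = struct.unpack_from(endian + "I", blob, offset + 8)
            raw = blob[offset + name_offset: offset + cmdsize]
            names.append(raw.split(b"\0", 1)[0].decode("utf-8", "replace"))
        offset += cmdsize
    return names


def injected_dylibs(blob: bytes, baseline: set[str]) -> list[str]:
    """Anything that is not an OS library and not in the vendor's known-good list."""
    return [n for n in list_dylibs(blob)
            if not n.startswith(SYSTEM_PREFIXES) and n not in baseline]


# --- constructed sample binary -------------------------------------------

def _dylib_cmd(cmd: int, path: str) -> bytes:
    """Encode one dylib_command with the install name inline, 8-byte aligned."""
    name = path.encode() + b"\0"
    body_len = 8 + 16 + len(name)
    cmdsize = (body_len + 7) & ~7
    return (struct.pack("<II", cmd, cmdsize)
            + struct.pack("<IIII", 24, 2, 0x10000, 0x10000)   # name offset = 24
            + name + b"\0" * (cmdsize - body_len))


def build_sample(entries) -> bytes:
    """Minimal arm64 executable header followed only by dylib load commands."""
    cmds = b"".join(_dylib_cmd(cmd, path) for cmd, path in entries)
    header = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE,
                         len(entries), len(cmds), 0, 0)
    return header + cmds


SAMPLE = build_sample([
    (LC_LOAD_DYLIB, "/usr/lib/libSystem.B.dylib"),
    (LC_LOAD_DYLIB, "/System/Library/Frameworks/UIKit.framework/UIKit"),
    (LC_LOAD_DYLIB, "@rpath/VendorKit.framework/VendorKit"),        # legit embedded framework
    (LC_LOAD_WEAK_DYLIB, "@executable_path/Frameworks/injected.dylib"),  # invented sideloaded dylib
])
BASELINE = {"@rpath/VendorKit.framework/VendorKit"}   # from a known-good build of the app

if __name__ == "__main__":
    for name in injected_dylibs(SAMPLE, BASELINE):
        print("unexpected dylib:", name)
```

On macOS `otool -L` prints the same list for a real binary, and `lipo -thin arm64` produces the single slice this parser expects; the baseline is best taken from the vendor's App Store build of the same version, since a sideloaded copy will also carry a different signing identity.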
The logs discovered on the MDM server indicate that the malware has been in use since 2015. It targeted only 13 devices, which were possibly used by VVIPs. The logs also suggest that the creator of the malware is based in India and tested the attack on a test iPhone before deploying it.
The malware is certainly an interesting one, and this is the first report of its kind to come out of India, which shows how motivated the attacker was. If interested, head over to the source link below to read about the malware in detail.