According to Lookout researchers, the iOS counterpart is less sophisticated than the Android version and has not been found in the Apple App Store. Nonetheless, the case exposes cracks in the privacy protections that Apple's walled garden is supposed to provide.
Meet Exodus Spyware: from Android to iOS
Lookout security researchers came across "a sophisticated Android surveillanceware agent". The tool was most likely built for the lawful-intercept market and has been under development for at least five years. It executes in three stages.
The first stage is a small dropper. The second is a large payload containing multiple binaries that carry most of the surveillance functionality. The third uses the Dirty COW exploit, CVE-2016-5195, to obtain root on the device.
It should also be noted that security researchers from Security Without Borders identified 25 different Exodus-infected apps that had been uploaded to the Play Store over the past two years.
DirtyCow a.k.a. CVE-2016-5195
The flaw had been present in the Linux kernel, and therefore in every Linux distribution and Android build based on it, for almost ten years before it was found. It is a race condition in the kernel's handling of copy-on-write (COW) memory pages: a local attacker who wins the race gains write access to read-only memory mappings, such as a setuid binary, and from there can escalate to root.
The kernel fix shipped in October 2016 and Linux distributions followed shortly after. Android devices, however, had to wait for their vendors to ship a patch, and in the meantime malware exploiting the bug was seen in the wild.
Exodus iOS Variant: Some Details
Analysis of these Android samples led to the discovery of infrastructure that contained several samples of an iOS port, Lookout said in its report. The iOS variant was spread through phishing websites that imitated Italian and Turkmenistani mobile carriers.
How did the attackers deliver Exodus to iOS users outside Apple's App Store?
They took advantage of Apple's enterprise provisioning system:
The Apple Developer Enterprise program is intended to allow organizations to distribute proprietary, in-house apps to their employees without going through the iOS App Store. A business can obtain access to this program only if it meets requirements set out by Apple. Using the program to distribute malware is not common, although there have been past cases where malware authors have done so.
The phishing sites used in the iOS campaigns linked to a "distribution manifest": a property list carrying the metadata iOS needs to install the app, namely the application name, version, icon, and the URL of the IPA file.
To be installed outside the App Store, an IPA package must contain a mobile provisioning profile tied to an enterprise certificate. All of these packages used provisioning profiles with distribution certificates associated with the company Connexxa S.R.L.
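The two artifacts described above, the itms-services manifest and the provisioning profile inside the IPA, are exactly what a responder should pull apart when an enterprise-signed app turns up on a phishing page. The script below is an added example, not code from Lookout or from the Exodus samples: it reads the IPA URL out of a manifest plist, unzips the IPA, carves the XML plist out of `embedded.mobileprovision` (a CMS-signed blob; the signature is not verified here) and reports who signed it and whether the profile is enterprise-wide (`ProvisionsAllDevices`). The manifest, IPA, profile, team name, bundle identifier and URLs are all constructed placeholders built in memory so the script runs offline.

```python
"""Triage an iOS app delivered via an itms-services manifest outside the App Store.

Added example: manifest, IPA and provisioning profile are constructed in memory so the
script runs offline. Names, URLs and identifiers are placeholders, not Exodus values.
"""
import io
import plistlib
import zipfile
from datetime import datetime, timezone
from typing import Optional

# 1. The distribution manifest a phishing page links to via
#    itms-services://?action=download-manifest&url=https://<host>/manifest.plist
#    Safari fetches this plist, then downloads the IPA it names.  (constructed sample)
SAMPLE_MANIFEST = {
    "items": [{
        "assets": [
            {"kind": "software-package", "url": "https://example.invalid/app.ipa"},
            {"kind": "display-image", "url": "https://example.invalid/icon.png"},
        ],
        "metadata": {
            "bundle-identifier": "com.example.carrierapp",  # placeholder bundle ID
            "bundle-version": "1.0",
            "kind": "software",
            "title": "Carrier Assistant",
        },
    }]
}
SAMPLE_MANIFEST_BYTES = plistlib.dumps(SAMPLE_MANIFEST)


def manifest_ipa_url(manifest_bytes: bytes) -> str:
    """Return the IPA URL (the "software-package" asset) from a distribution manifest."""
    manifest = plistlib.loads(manifest_bytes)
    for item in manifest["items"]:
        for asset in item.get("assets", []):
            if asset.get("kind") == "software-package":
                return asset["url"]
    raise ValueError("manifest has no software-package asset")


# 2. A constructed provisioning profile. A real embedded.mobileprovision is a CMS
#    (PKCS#7) SignedData blob whose signed content is this XML plist; the junk bytes
#    added around it in build_sample_ipa() stand in for the DER envelope.
SAMPLE_PROFILE = {
    "AppIDName": "Carrier Assistant",
    "ApplicationIdentifierPrefix": ["ABCDE12345"],
    "CreationDate": datetime(2018, 10, 1),
    "ExpirationDate": datetime(2019, 10, 1),
    "DeveloperCertificates": [b"DER certificate omitted (placeholder)"],
    "Entitlements": {
        "application-identifier": "ABCDE12345.com.example.carrierapp",
        "get-task-allow": False,
    },
    "Name": "Carrier Assistant Distribution",
    "ProvisionsAllDevices": True,       # marker of an enterprise (in-house) profile
    "TeamIdentifier": ["ABCDE12345"],   # placeholder team ID
    "TeamName": "Example Org S.R.L.",   # placeholder, not the company named in the report
    "UUID": "00000000-0000-0000-0000-000000000000",
    "Version": 1,
}


def build_sample_ipa() -> bytes:
    """Build a minimal IPA (zip with Payload/<App>.app/...) holding the sample profile."""
    blob = b"\x30\x82\x0b\x10\x06\x09\x2a" + plistlib.dumps(SAMPLE_PROFILE) + b"\xa0\x82\x00\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Payload/CarrierAssistant.app/Info.plist",
                   plistlib.dumps({"CFBundleIdentifier": "com.example.carrierapp"}))
        z.writestr("Payload/CarrierAssistant.app/embedded.mobileprovision", blob)
    return buf.getvalue()


def extract_profile(ipa_bytes: bytes) -> dict:
    """Carve the plist out of embedded.mobileprovision (no CMS signature verification)."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        names = [n for n in z.namelist()
                 if n.startswith("Payload/") and n.endswith(".app/embedded.mobileprovision")]
        if not names:
            raise ValueError("IPA has no embedded.mobileprovision")
        blob = z.read(names[0])
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist found inside the provisioning profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def triage_profile(profile: dict, now: Optional[datetime] = None) -> dict:
    """Summarise who signed the app, how widely it may install, and whether it is live."""
    now = now or datetime.now(timezone.utc)
    expires = profile["ExpirationDate"].replace(tzinfo=timezone.utc)
    enterprise = bool(profile.get("ProvisionsAllDevices"))
    devices = profile.get("ProvisionedDevices", [])
    flags = []
    if enterprise:
        flags.append("enterprise profile: installs on any device, never passed App Review")
    elif devices:
        flags.append(f"ad-hoc profile limited to {len(devices)} device UDIDs")
    if expires <= now:
        flags.append("profile expired")
    if profile.get("Entitlements", {}).get("get-task-allow"):
        flags.append("debuggable build (get-task-allow)")
    return {
        "team_name": profile.get("TeamName"),
        "team_ids": list(profile.get("TeamIdentifier", [])),
        "app_id": profile.get("Entitlements", {}).get("application-identifier"),
        "enterprise": enterprise,
        "expired": expires <= now,
        "days_left": (expires - now).days,
        "flags": flags,
    }


def sample_report() -> dict:
    """Run the whole chain on the constructed samples, pinned to a fixed date."""
    return triage_profile(extract_profile(build_sample_ipa()),
                          now=datetime(2019, 4, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    print("IPA referenced by manifest:", manifest_ipa_url(SAMPLE_MANIFEST_BYTES))
    for key, value in sample_report().items():
        print(f"{key:>10}: {value}")
```

One caveat matters for this case: the profile only tells you when the certificate expires, not whether Apple has revoked it. Revocation, which is what stopped Exodus from running, is only visible by checking the signing certificate's OCSP status, so an unexpired enterprise profile from an unfamiliar team is a lead, not a clean bill of health.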
As for its capabilities, the iOS version of Exodus was limited to collecting contacts, photos, videos, audio recordings, GPS data and device information, plus on-demand audio recording. It lacked the exploitation stage of its Android counterpart, which could obtain root control of infected devices.
Nonetheless, the two versions share a great deal: the iOS variant uploaded harvested data to the same exfiltration server and used a similar protocol.
Lookout shared its findings with Apple, which revoked the affected certificates. As a result, no new instances of the app can be installed on iOS devices and existing installations will no longer run, the researchers concluded.