A highly targeted malware campaign aimed at iPhone users in India has been unearthed by Cisco Talos security researchers. The campaign has been active since August 2015 and is spying on 13 specific iPhones. The attackers, who were most likely operating from India (although posing as Russians), were leveraging the MDM protocol of the devices.
How Were the Attackers Exploiting the MDM Protocol?
MDM (mobile device management) is a piece of security software used by large companies to monitor employee devices. In this campaign, the attackers abused the MDM protocol to carry out their malicious operations remotely.
As explained by Apple, MDM is designed to use the Apple Push Notification Service (APNS) to deliver a wake-up message to a managed device. The device then connects to a predetermined web service to retrieve commands and return results.
Companies can deliver the MDM configuration file via email or through a webpage using the so-called over-the-air enrollment service, with the help of Apple Configurator. Once the profile is installed, the service allows company admins to remotely control the device: install or remove apps, install or revoke certificates, lock the device, and change password requirements, among other activities.
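As an added illustration (not code from the Cisco Talos report or from Apple), the following Python script parses an iOS configuration profile (a .mobileconfig plist) and summarises what an embedded MDM payload would grant to the remote server, which is the check a user or admin would want before accepting an unsolicited enrollment profile. The sample profile and its values are constructed placeholders, and the AccessRights bit meanings are assumed from Apple's MDM protocol reference.

```python
import plistlib

# AccessRights bit meanings from Apple's MDM protocol reference (assumed; verify).
ACCESS_RIGHTS = {
    1: "inspect installed configuration profiles",
    2: "install and remove configuration profiles",
    4: "lock device and remove passcode",
    8: "erase device",
    16: "query device information",
    32: "query network information",
    64: "inspect installed provisioning profiles",
    128: "install and remove provisioning profiles",
    256: "inspect installed applications",
    512: "query restrictions",
    1024: "query security settings",
    2048: "manipulate settings",
    4096: "manage apps",
}
# Rights that let a remote operator push or remove software/certificates,
# the capability the campaign described above relied on.
HIGH_RISK_BITS = {2, 128, 4096}

def summarize_mdm_profile(profile_bytes):
    """Summarize each com.apple.mdm payload found in a .mobileconfig plist."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.mdm":
            continue
        rights = payload.get("AccessRights", 0)
        findings.append({
            "server_url": payload.get("ServerURL"),
            "topic": payload.get("Topic"),
            "granted": [n for b, n in ACCESS_RIGHTS.items() if rights & b],
            "high_risk": any(rights & b for b in HIGH_RISK_BITS),
        })
    return findings

# Constructed sample profile with placeholder values (not from the campaign).
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.placeholder.profile",
    "PayloadContent": [{
        "PayloadType": "com.apple.mdm",
        "ServerURL": "https://mdm.example.invalid/server",
        "Topic": "com.apple.mgmt.placeholder",
        "AccessRights": 2 | 8 | 4096,
    }],
})
REPORT = summarize_mdm_profile(SAMPLE_PROFILE)
print(REPORT)
```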
It is still unknown how attackers succeeded in attacking the 13 targeted iPhones. As explained, the MDM enrollment process is based on user interaction, and researchers suspect that social engineering techniques may have been employed to trick the targeted users.
It’s very possible that the attackers used the MDM service to remotely install modified versions of legitimate apps onto the targeted iPhones. The apps were designed to spy on users and harvest their real-time location, contacts, photos, and SMS and private messages from messaging apps. More specifically, to subvert apps such as Telegram and WhatsApp, the attackers used the so-called “BOptions sideloading technique,” which enabled them to inject a dynamic library into the legitimate apps.
“The injection library can ask for additional permissions, execute code and steal information from the original application, among other things,” Cisco Talos researchers explained in their report. All harvested information from Telegram and WhatsApp was sent to a remote server.
It should be noted that at the time the report was being finalised, Apple had already revoked 3 certificates linked to this campaign, and cancelled the remaining certificates after Cisco Talos notified them of the attack.