A highly targeted malware campaign aimed at iPhone users in India has been uncovered by Cisco Talos security researchers. The campaign has been active since August 2015 and has been spying on 13 specific iPhones. The attackers, who were most likely operating from India (although posing as Russians), leveraged the MDM protocol of the devices.
How Were the Attackers Exploiting the MDM Protocol?
MDM (mobile device management) is security software used by large companies to monitor and manage employee devices. In this campaign, the MDM protocol was used by remote operators (the attackers) to carry out malicious operations.
As explained by Apple, MDM is designed to use the Apple Push Notification Service (APNS) to deliver a wake-up message to a managed device. The device then connects to a predetermined web service to retrieve commands and return results.
Companies can deliver the MDM configuration file via email or through a webpage for the so-called over-the-air enrollment service with the help of Apple Configurator. Once installed, the service allows company admins to remotely control the device and install or remove apps, install or revoke certificates, lock the device, and change password requirements, among other activities.
It is still unknown how the attackers succeeded in enrolling the 13 targeted iPhones. As explained, the MDM enrollment process requires user interaction, and researchers suspect that social engineering techniques were employed to trick the targeted users into accepting the profile.
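As an added illustration (not code from this article or from the Cisco Talos report), the following Python checks a decoded .mobileconfig enrollment profile for an MDM payload that points at a server outside a hypothetical allowlist, for the access rights it requests, and for any certificate payloads it would install; the allowlist host and the sample profile are constructed for the example.

```python
import plistlib
from urllib.parse import urlparse

# Hypothetical allowlist of MDM servers the organisation actually operates.
TRUSTED_MDM_HOSTS = {"mdm.example-corp.internal"}

# Payload types that install certificates onto the device.
CERT_PAYLOAD_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1",
                      "com.apple.security.pkcs12"}

ALL_ACCESS_RIGHTS = 8191  # bit mask granting every MDM right (Apple profile reference)


def inspect_profile(profile_bytes: bytes, trusted_hosts=TRUSTED_MDM_HOSTS):
    """Return findings for an unsigned (already CMS-unwrapped) .mobileconfig."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype == "com.apple.mdm":
            # ServerURL is where the device fetches commands after the APNS wake-up.
            host = urlparse(payload.get("ServerURL", "")).hostname or "<none>"
            if host not in trusted_hosts:
                findings.append(f"MDM enrollment to untrusted server: {host}")
            if (payload.get("AccessRights", 0) & ALL_ACCESS_RIGHTS) == ALL_ACCESS_RIGHTS:
                findings.append("MDM payload requests all access rights")
        elif ptype in CERT_PAYLOAD_TYPES:
            name = payload.get("PayloadDisplayName", "<unnamed>")
            findings.append(f"installs certificate: {name}")
    return findings


# Constructed sample: an enrollment profile pointing at a server that is not
# on the allowlist and carrying a root-certificate payload.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.enroll",
    "PayloadDisplayName": "Device Setup",
    "PayloadContent": [
        {"PayloadType": "com.apple.mdm",
         "PayloadIdentifier": "com.example.enroll.mdm",
         "ServerURL": "https://mdm.unknown-host.test/mdm",
         "CheckInURL": "https://mdm.unknown-host.test/checkin",
         "Topic": "com.apple.mgmt.External.placeholder",
         "AccessRights": 8191},
        {"PayloadType": "com.apple.security.root",
         "PayloadIdentifier": "com.example.enroll.ca",
         "PayloadDisplayName": "Setup CA",
         "PayloadContent": b"<constructed DER bytes>"},
    ],
})

if __name__ == "__main__":
    for finding in inspect_profile(SAMPLE_PROFILE):
        print(finding)
```

Signed profiles are CMS-wrapped; strip the signature (for example with `openssl smime -verify`) before handing the plist bytes to `inspect_profile`.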
It is very likely that the attackers used the MDM service to remotely install modified versions of legitimate apps onto the targeted iPhones. The apps were designed to spy on users and harvest their real-time location, contacts, photos, SMS messages, and private messages from messaging apps. More specifically, to compromise apps such as Telegram and WhatsApp, the attackers used the so-called “BOptions sideloading technique,” which enabled them to inject a dynamic library into the legitimate apps.
“The injection library can ask for additional permissions, execute code and steal information from the original application, among other things,” Cisco Talos researchers explained in their report. All information harvested from Telegram and WhatsApp was sent to a remote server.
It should be noted that by the time the report was finalised, Apple had already revoked 3 certificates linked to this campaign, and it cancelled the remaining certificates after Cisco Talos notified them of the attack.