{"id":15051,"date":"2019-04-09T10:45:04","date_gmt":"2019-04-09T18:45:04","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/04\/09\/news-8800\/"},"modified":"2019-04-09T10:45:04","modified_gmt":"2019-04-09T18:45:04","slug":"news-8800","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/04\/09\/news-8800\/","title":{"rendered":"&#8216;Exodus&#8217; Spyware Posed as a Legit iOS App"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5cab8c76a9dec018a0837f69\/master\/pass\/apple-852081604.jpg\"\/><\/p>\n<p><strong>Credit to Author: Lily Hay Newman| Date: Mon, 08 Apr 2019 19:49:52 +0000<\/strong><\/p>\n<p><span class=\"lede\">Private companies around <\/span>the world have evolved a <a href=\"https:\/\/www.wired.com\/2016\/08\/hacking-group-selling-ios-vulnerabilities-state-actors\/\">gray industry<\/a> supplying digital surveillance and hacking tools to governments and local law enforcement. As the once little-known practice has grown, <a href=\"https:\/\/www.wired.com\/story\/evidence-that-ethiopia-is-spying-on-journalists-shows-commercial-spyware-is-out-of-control\/\">so too has the resulting malware<\/a>. Researchers have now found that one of these spyware products, which had previously been found on the Google Play Store, also targeted iOS.<\/p>\n<p>At the Kaspersky Security Analyst Summit in Singapore this week, researchers from the mobile security firm Lookout will present <a href=\"https:\/\/blog.lookout.com\/esurv-research\" target=\"_blank\">findings<\/a> on the iOS version of the spyware known as Exodus. The nonprofit Security Without Borders published details of the Android version in conjunction with <a href=\"https:\/\/motherboard.vice.com\/en_us\/article\/43z93g\/hackers-hid-android-malware-in-google-play-store-exodus-esurv\" target=\"_blank\">Motherboard<\/a> at the end of March. 
The fact that Exodus has an iOS version, though, shows the impressive reach of the malware and the resources behind it.<\/p>\n<p class=\"paywall\">And the stakes are high. The iOS version of Exodus, built to look like a mobile carrier support app, used the documented, permission-gated APIs iOS offers legitimate apps to grab as much of a target\u2019s data as possible.<\/p>\n<p class=\"paywall\">It is unclear whether Exodus targeted specific individuals or a broader group, but over the past year, the researchers observed attackers setting up phishing traps to direct users toward the malicious apps. The sites were designed to look like information pages for mobile carriers based in Italy and Turkmenistan\u2014Wind Tre SpA and TMCell, respectively. From there, the pages led victims to the Google Play Store or an Apple workflow for downloading enterprise apps.<\/p>\n<p class=\"paywall\">Attackers were able to slip the Android app directly into Google Play, but they either couldn&#x27;t get it into Apple&#x27;s App Store or didn&#x27;t try. Instead they used Apple\u2019s Developer Enterprise Program\u2014a platform that institutions can use to distribute their own apps in-house, signed with an enterprise certificate that lets them run on any device without App Store review\u2014to spread their spyware in a legitimate-looking way. Apple keeps its app ecosystem fairly locked down; in practice, the ways to get an app onto a non-jailbroken iOS device are to sneak it past Apple\u2019s App Store review process or to sign it with an enterprise distribution certificate, which the user must explicitly trust in Settings before the app will launch. It&#x27;s relatively <a href=\"https:\/\/www.reuters.com\/article\/us-apple-piracy-idUSKCN1Q3097\" target=\"_blank\">easy<\/a> to <a href=\"https:\/\/developer.apple.com\/programs\/enterprise\/\" target=\"_blank\">buy<\/a> one of these certificates from Apple, and the program membership costs only $300 a year. 
This approach has become increasingly common as a way for attackers to spread iOS malware, and it has also come up in <a href=\"https:\/\/www.wired.com\/story\/apple-blocks-google-employee-apps\/\">controversies<\/a> over how companies like Facebook and Google distribute consumer-testing and feedback apps.<\/p>\n<p class=\"paywall\">Once installed, Exodus could access photos, videos, device IDs, audio recordings, and contacts on target devices, while also potentially tracking a victim&#x27;s location and listening to their conversations through the iPhone or iPad&#x27;s microphone. Both the Android and iOS versions of Exodus have now been blocked. Apple declined to comment.<\/p>\n<p class=\"paywall\">\u201cIn terms of capabilities on the iOS side, they\u2019re doing pretty much everything I\u2019m aware of that you can do through documented Apple APIs, but they\u2019re abusing them to do surveillance-type activities,\u201d says Adam Bauer, a senior staff security intelligence engineer at Lookout. \u201cFinding surveillance-ware on Android or even iOS is not necessarily uncommon. But finding an actor like this is actually relatively rare. The main differentiator with this actor is the level of professionalism that we\u2019ve seen from them.\u201d<\/p>\n<p class=\"paywall\">The Lookout researchers say that developers seem to have been working on and releasing Android versions of Exodus for the past five years. On Android, the spyware works in three phases to gain deep access to victims&#x27; devices, first establishing a foothold, then installing a larger payload that sets up the surveillance capabilities, and then exploiting a vulnerability to gain root device access. 
The Android malware led the researchers to the phishing sites used to direct victims to the apps, which in turn led to the iOS app.<\/p>\n<p class=\"paywall\">The iOS version, which seems to have emerged more recently, does not rely on exploits to establish pervasive device access. Instead it counts on the victim first trusting the enterprise developer profile and then granting the app the ordinary iOS permissions (location, microphone, contacts, photos) that its surveillance features need. Lookout\u2019s Bauer points out that users could have neutered much of the iOS app\u2019s surveillance by denying, or later revoking, those permissions in Settings, but anyone who had already been tricked into thinking the app was legitimate might not question it.<\/p>\n<p class=\"paywall\">The researchers say that Exodus\u2019 development and distribution mechanisms show a high level of professionalism and care. For example, the command and control infrastructure was closely monitored and guarded\u2014a precaution many malware makers forget. In analyzing this framework, the researchers say they found indications that Exodus may have been developed by the Italian video surveillance software company <a href=\"https:\/\/web.archive.org\/web\/20190114193603\/http:\/\/www.esurv.it\/\" target=\"_blank\">eSurv<\/a> and a company it acquired in 2016 known as Connexxa. eSurv\u2019s website is no longer live, and the company could not be reached for comment.<\/p>\n<p class=\"paywall\">\u201cThere\u2019s always a lot of talk about malware on Android in particular, but this was actually a case where both of the mobile platforms are affected,\u201d says Christoph Hebeisen, senior manager of security intelligence at Lookout. \u201cAnd in both cases, because of the enterprise deployment of iOS and because of the Play Store on Android, it was a reasonably legitimate-looking distribution mechanism. 
So protecting your mobile devices against these things is really crucial.\u201d<\/p>\n<p class=\"paywall\">Mobile users can take precautions to try to avoid spyware by staying vigilant about avoiding phishing links, sticking to mainstream apps downloaded directly from Google Play or Apple\u2019s App Store, and refusing to trust an enterprise developer profile unless it comes from their own employer; a carrier\u2019s customer-support app would be distributed through the App Store, not through an enterprise profile. But Exodus\u2019s presence on both platforms shows just how difficult it is in practice to skirt insidious, well-crafted spyware. And unfortunately, there&#x27;s more and more of it out there all the time.<\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/exodus-spyware-ios\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5cab8c76a9dec018a0837f69\/master\/pass\/apple-852081604.jpg\"\/><\/p>\n<p><strong>Credit to Author: Lily Hay Newman| Date: Mon, 08 Apr 2019 19:49:52 +0000<\/strong><\/p>\n<p>Researchers had already found a spyware app called Exodus plaguing Android. 
Now it has shown up on iPhones.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714,21358],"class_list":["post-15051","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security","tag-security-cyberattacks-and-hacks"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15051","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=15051"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15051\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=15051"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=15051"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=15051"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}