Security researchers have discovered a highly targeted campaign against 13 iPhones located in India.
Researchers from Cisco Talos, who uncovered the attack, said the campaign has been running since August 2015 and targeted just 13 iPhones in India.
The attackers abused an open-source mobile device management (MDM) system. MDM is designed to let an organisation push custom applications, including ones that are not available on the Apple App Store, to devices enrolled in it, and that is the channel the attackers used to deliver their malware.
“An MDM is designed to deploy applications on enrolled devices. In this campaign, we identified five applications that have been distributed by this system to the 13 targeted devices in India. Two of them appear to test the functionality of the device, one steals SMS message contents, and the remaining two report the location of the device and can exfiltrate various data,” the Cisco Talos report said.
According to the researchers, a device can only be enrolled in the attacker's MDM by someone with physical access to it, or by using social engineering to trick the owner into accepting the enrollment (installing the attacker's certificate and MDM configuration profile on the device) or into handing the device over.
Once a device was enrolled, the attackers removed the legitimate apps and pushed modified versions in their place. The modifications were made with the BOptions sideloading technique, which injects a dynamic library into a legitimate app's package so the added code runs alongside the original app.
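Because enrollment hinges on the user accepting a configuration profile, the profile itself is the first artefact worth inspecting, both before accepting one and when pulled from a device during incident response. The following Python script is an added example, not code from the article or from the Talos report: it parses a .mobileconfig, extracts the MDM server hosts from the "com.apple.mdm" payload and flags hosts that are not an approved MDM or that match a known indicator. The profile contents, the identifiers and the allowlist host mdm.example.org are constructed for the example; techwach.com is the C2 domain the article names, and the AccessRights bit values follow Apple's MDM payload documentation.

```python
"""Triage an iOS configuration profile (.mobileconfig) for MDM enrollment payloads.

Enrolling an iPhone in an MDM means installing a configuration profile, an Apple
property list whose "com.apple.mdm" payload names the management server
(ServerURL / CheckInURL) and the rights the server is granted (AccessRights).
This script parses such a profile, pulls out the MDM server hosts and flags
hosts that are not an approved MDM or that match a known indicator.
"""
import plistlib
from urllib.parse import urlparse

# Constructed sample profile for this example. The payload keys are Apple's
# standard MDM payload keys; the server host is the C2 domain named in the
# Talos report, while the identifiers, UUIDs and topic are invented.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.mdm.profile</string>
  <key>PayloadUUID</key><string>0B3D9F2A-1111-2222-3333-444455556666</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadDisplayName</key><string>Device Setup</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>PayloadIdentifier</key><string>com.example.mdm</string>
      <key>PayloadUUID</key><string>7C1E2D3B-AAAA-BBBB-CCCC-DDDDEEEEFFFF</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>ServerURL</key><string>https://techwach.com/mdm/server</string>
      <key>CheckInURL</key><string>https://techwach.com/mdm/checkin</string>
      <key>Topic</key><string>com.apple.mgmt.External.00000000-0000-0000-0000-000000000000</string>
      <key>AccessRights</key><integer>8191</integer>
      <key>IdentityCertificateUUID</key><string>9E8D7C6B-1234-5678-9ABC-DEF012345678</string>
    </dict>
  </array>
</dict>
</plist>
"""

# Hypothetical allowlist of the organisation's legitimate MDM hosts.
ALLOWED_MDM_HOSTS = {"mdm.example.org"}
# Known-bad host from the article (written defanged there as techwach[.]com).
KNOWN_BAD_HOSTS = {"techwach.com"}
# AccessRights is a bitmask; 4096 is the app-management bit in Apple's MDM payload
# AccessRights table, and 8191 sets every bit, i.e. full management rights.
ACCESS_RIGHT_APP_MANAGEMENT = 4096


def mdm_payloads(profile_bytes):
    """Return the com.apple.mdm payload dicts found in a profile."""
    profile = plistlib.loads(profile_bytes)
    payloads = profile.get("PayloadContent", [])
    return [p for p in payloads if p.get("PayloadType") == "com.apple.mdm"]


def mdm_hosts(payload):
    """Extract the hostnames an enrolled device would contact for this payload."""
    hosts = set()
    for key in ("ServerURL", "CheckInURL"):
        url = payload.get(key)
        host = urlparse(url).hostname if url else None
        if host:
            hosts.add(host.lower())
    return hosts


def triage_profile(profile_bytes, allowed=ALLOWED_MDM_HOSTS, known_bad=KNOWN_BAD_HOSTS):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    for payload in mdm_payloads(profile_bytes):
        for host in sorted(mdm_hosts(payload)):
            if host in known_bad:
                findings.append(f"MDM server {host} matches a known indicator")
            elif host not in allowed:
                findings.append(f"MDM server {host} is not an approved MDM host")
        rights = payload.get("AccessRights", 0)
        if rights & ACCESS_RIGHT_APP_MANAGEMENT:
            # App management is the right this campaign needed to push modified apps.
            findings.append(f"profile requests app-management rights (AccessRights={rights})")
    return findings


if __name__ == "__main__":
    for finding in triage_profile(SAMPLE_PROFILE):
        print("FLAG:", finding)
```

Run it against a profile exported from a device (or one a user was asked to install) with the allowlist set to the organisation's real MDM; any profile that points at an unknown host while asking for app-management rights deserves the same scrutiny the Talos victims' profiles would have.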
The malware can collect and exfiltrate data from the infected device, including contacts, location, phone number, serial number, photos, SMS messages and private messages from chat applications.
Four of the applications named in the report are WhatsApp, Telegram, PrayTime and MyApp.
The modified versions of Telegram and WhatsApp collect data and send it to the attacker's command-and-control server at hxxp[:]//techwach[.]com.
The PrayTime app only collects messages, while MyApp appears to be non-malicious and was used for testing.
The researchers said they have been working with Apple, which has already revoked three certificates linked to the attack.
“Over a three-year period, the attackers remained under the radar — likely due to the low number of compromised devices. All the technical details point to an actor based in the same country as the victims: India. The attacker tried to mimic Russian hackers by using mail.ru email. However, we found testing devices enrolled on the MDM with an Indian phone number and registered on an Indian provider.”
The researchers did not disclose anything about the 13 victims; full technical details are in the report published by Cisco Talos.