Cybersecurity researchers have discovered an iOS version of the powerful mobile phone surveillance app that was initially targeting Android devices through apps on the official Google Play Store.
Dubbed Exodus, as the malware is called, the iOS version of the spyware was discovered by security researchers at LookOut during their analysis of its Android samples they had found last year.
Unlike its Android variant, the iOS version of Exodus has been distributed outside of the official App Store, primarily through phishing websites that imitate Italian and Turkmenistani mobile carriers.
Since Apple restricts direct installation of apps outside of its official app store, the iOS version of Exodus is abusing the Apple Developer Enterprise program, which allows enterprises to distribute their own in-house apps directly to their employees without needing to use the iOS App Store.
“Each of the phishing sites contained links to a distribution manifest, which contained metadata such as the application name, version, icon, and a URL for the IPA file,” the researchers say in a blog post.
“All these packages used provisioning profiles with distribution certificates associated with the company Connexxa S.R.L.”
Though the iOS variant is less sophisticated than its Android counterpart, the spyware can still be able to exfiltrate information from targeted iPhone devices including, contacts, audio recordings, photos, videos, GPS location, and device information.
The stolen data is then transmitted via HTTP PUT requests to an endpoint on the attackers controlled command and control server, which is the same CnC infrastructure as the Android version and uses similar communications protocols.
Several technical details indicated that Exodus was “likely the product of a well-funded development effort” and aimed to target the government or law-enforcement sectors.
“These included the use of certificate pinning and public key encryption for C2 communications, geo-restrictions imposed by the C2 when delivering the second stage, and the comprehensive and well-implemented suite of surveillance features,” the researchers say.
Developed by Italy-based company called Connexxa S.R.L., Exodus came to light late last month when white hat hackers from Security Without Borders discovered nearly 25 different apps disguised as service applications on Google Play Store, which the tech giant removed after being notified.
Under development for at least five years, Exodus for Android usually consists of three distinct stages. First, there is a small dropper that collected basic identifying information, like the IMEI and phone number, about the targeted device.
The second stage consists of multiple binary packages that deploy a well-implemented suite of surveillance functionalities.
Finally, the third stage uses the infamous DirtyCOW exploit (CVE-2016-5195) to gain root control over the infected phones. Once successfully installed, Exodus can carry out an extensive amount of surveillance.
The Android variant is also designed to keep running on the infected device even when the screen is switched off.
While the Android version of Exodus had potentially infected “several hundreds if not a thousand or more” devices, it’s not clear how many iPhones were infected by the iOS Exodus variant.
After being notified of the spyware by the Lookout researchers, Apple revoked the enterprise certificate, preventing malicious apps from being installed on new iPhones and run on infected devices.
This is the second instance in the past year when an Italian software company has been caught distributing spyware. Earlier last year, another undisclosed Italian firm was found distributing “Skygofree,” a dangerous Android spying tool that gives hackers full control of infected devices remotely.