Apple devices are usually thought of as hard to compromise, yet researchers have uncovered a mysterious malware campaign aimed specifically at iPhone users in India. The campaign was tightly focused: it affected only 13 iPhones.
Mysterious Malware Campaign Targeted 13 iPhones in India
As revealed in a recent blog post, researchers from Cisco Talos identified a highly targeted malware campaign against iPhone users in India. Instead of a software exploit, the attacker ran an open-source Mobile Device Management (MDM) server and used it to push apps to, and control, the 13 selected iPhones. How the attacker managed to enroll those iPhones into the MDM in the first place remains unknown. Enrolling an iPhone in a third-party MDM requires the user to install a configuration profile, which then appears under Settings > General > Profiles & Device Management, so an unexpected management profile there is the first thing to check on a device suspected of being targeted this way.
“At this time, we don’t know how the attacker enrolled the 13 targeted devices into the MDM. It could be through physical access to the phones, or by using social engineering, motivating the user to enroll their device.”
Explaining their findings, the researchers wrote in the blog post,
“In this campaign, we identified five applications that have been distributed by this system to the 13 targeted devices in India. Two of them appear to test the functionality of the device, one steals SMS message contents, and the remaining two report the location of the device and can exfiltrate various data.”
The researchers consider this campaign unusual because it replaced legitimate apps on the target devices with trojanized versions. The attacker used the BOptions sideloading technique to add the desired functionality to several popular, legitimate apps, including WhatsApp, Telegram, and PrayTime, and then pushed these modified apps to the 13 targeted iPhones via the MDM.
Regarding why the attacker adopted this approach, the researchers wrote,
“The purpose of the BOptions sideloading technique is to inject a dynamic library in the application. The malicious code inserted into these apps is capable of collecting and exfiltrating information from the device, such as the phone number, serial number, location, contacts, user’s photos, SMS and Telegram and WhatsApp chat messages.”
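To make that injection artefact concrete, here is an added example, written for this page rather than taken from Talos or from the BOptions tool: a small Python script that parses a Mach-O executable's load commands, lists the dynamic libraries it links against, and flags any that load from inside the app bundle rather than from the OS. The Mach-O samples it parses are constructed inside the script, and the dylib name `@executable_path/injected.dylib` is a placeholder, not a name from the campaign. The `ipa_main_executable` helper shows how to pull the real binary out of an IPA; a fat (multi-architecture) binary would need to be sliced into a thin one first.

```python
# Added example (not Cisco Talos code): inspect a Mach-O executable's load
# commands for dynamic libraries and flag ones bundled inside the app, which is
# the trace that dylib injection via a sideloading tool such as BOptions leaves.
import plistlib
import struct
import zipfile

MH_MAGIC = 0xFEEDFACE      # 32-bit Mach-O, little-endian
MH_MAGIC_64 = 0xFEEDFACF   # 64-bit Mach-O, little-endian
LC_LOAD_DYLIB = 0x0000000C
LC_LOAD_WEAK_DYLIB = 0x80000018
DYLIB_LOAD_COMMANDS = {LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB}
# Load paths that resolve to the OS rather than to the app bundle.
SYSTEM_PREFIXES = ("/usr/lib/", "/System/Library/")


def linked_dylibs(macho: bytes) -> list:
    """Return the install names of every dylib the Mach-O links against."""
    if len(macho) < 28:
        raise ValueError("file too short to be a Mach-O")
    (magic,) = struct.unpack_from("<I", macho, 0)
    if magic == MH_MAGIC_64:
        offset = 32
    elif magic == MH_MAGIC:
        offset = 28
    else:
        raise ValueError("not a thin little-endian Mach-O (fat binaries need slicing first)")
    ncmds, sizeofcmds = struct.unpack_from("<II", macho, 16)
    end = offset + sizeofcmds
    names = []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", macho, offset)
        if cmdsize < 8 or offset + cmdsize > end or end > len(macho):
            raise ValueError("malformed load command table")
        if cmd in DYLIB_LOAD_COMMANDS:
            # dylib_command: cmd, cmdsize, then struct dylib whose first field is
            # the offset of the NUL-terminated install name from the command start.
            (name_offset,) = struct.unpack_from("<I", macho, offset + 8)
            raw = macho[offset + name_offset:offset + cmdsize]
            names.append(raw.split(b"\0", 1)[0].decode("utf-8", "replace"))
        offset += cmdsize
    return names


def bundled_dylibs(names) -> list:
    """Dylibs loaded from inside the app bundle (@executable_path, @rpath,
    @loader_path or any other non-system path). Legitimate apps embed
    frameworks too, so treat this as a triage list, not a verdict."""
    return [n for n in names if not n.startswith(SYSTEM_PREFIXES)]


def ipa_main_executable(ipa_path: str) -> bytes:
    """Pull the main executable out of an IPA (a zip with Payload/<App>.app/)."""
    with zipfile.ZipFile(ipa_path) as ipa:
        for entry in ipa.namelist():
            parts = entry.split("/")
            if len(parts) == 3 and parts[0] == "Payload" and parts[2] == "Info.plist":
                info = plistlib.loads(ipa.read(entry))
                return ipa.read(f"{parts[0]}/{parts[1]}/{info['CFBundleExecutable']}")
    raise ValueError("no Payload/<App>.app/Info.plist in archive")


def build_macho(dylib_names) -> bytes:
    """Construct a minimal arm64 Mach-O whose only load commands are
    LC_LOAD_DYLIB entries; used only to keep this example self-contained."""
    cmds = b""
    for name in dylib_names:
        encoded = name.encode() + b"\0"
        padding = (-(24 + len(encoded))) % 8   # load commands are 8-byte aligned
        cmdsize = 24 + len(encoded) + padding
        cmds += struct.pack("<IIIIII", LC_LOAD_DYLIB, cmdsize, 24, 2, 0x10000, 0x10000)
        cmds += encoded + b"\0" * padding
    # cputype 0x0100000C = ARM64, filetype 2 = MH_EXECUTE
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2,
                         len(dylib_names), len(cmds), 0, 0)
    return header + cmds


# Constructed samples: a clean link set, and the same set with one extra dylib
# (hypothetical name) dropped into the bundle the way an injector would.
CLEAN = build_macho(["/usr/lib/libSystem.B.dylib",
                     "/System/Library/Frameworks/UIKit.framework/UIKit"])
INJECTED = build_macho(["/usr/lib/libSystem.B.dylib",
                        "/System/Library/Frameworks/UIKit.framework/UIKit",
                        "@executable_path/injected.dylib"])

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("injected", INJECTED)):
        print(label, bundled_dylibs(linked_dylibs(blob)))
```

On a real IPA, run `bundled_dylibs(linked_dylibs(ipa_main_executable("app.ipa")))` and compare the result against a copy of the same app obtained from the App Store: an extra `.dylib` that the legitimate build does not reference is the thing to look at, while embedded frameworks the genuine app also ships are expected.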
The Attacker Masks His Indian Location As “Russia”
Digging into the infrastructure, the researchers were able to work out where the attacker operates from. The attacker tried to pass as Russian by using a Russian email address, but the researchers consider this a ‘false flag’ intended to mislead analysts. To test that assumption they analysed the log files on the MDM servers and on the malware’s command-and-control (C&C) server; these showed the campaign had been running since 2015 and pointed to an attacker located in India.
Although the researchers explained the technical side of the campaign in detail, they could not establish exactly why the attacker targeted only 13 iPhones. The most likely explanation is that the attacker wanted to stay under the radar; keeping the footprint that small is probably also why the malware went unnoticed for three years.
Talos worked closely with Apple to counteract the threat, and given how proactively Apple usually acts on user privacy and security, further protections against this kind of MDM-based attack may follow.