Apple iPhones are touted as some of the most secure devices on the planet, but they are not entirely immune to malicious attacks. The latest malware attack exposed by Cisco Talos is targeted mainly at iPhones, to be more specific 13 iPhones in India. That's not all: this mysterious malware has managed to operate without being noticed for 3 years.
Even though the extent of the newly-exposed malware is not widespread, it is still classified as dangerous based on the nature of its operation. According to the researchers, the malware registered 13 iPhones on its mobile device management (MDM) servers and used legitimate apps to track the location of the phones and read messages.
While it remains unknown exactly how the hacker enrolled the targeted iPhones into the MDM, researchers assume it was done either by gaining physical access or by using a social engineering technique to trick users. All of the affected iPhones are registered to users in India, regardless of the iOS versions they're running.
"This gives the attacker a significant level of control over the victim device(s). This process is used similarly to a large-scale enterprise using MDM solutions. It is likely that the user is advised that the certificate must be installed to allow enrollment. This is most likely performed via a social engineering mechanism, i.e. a fake tech support-style call," Cisco Talos researchers explained in a detailed blog post.
How dangerous is the malware?
Once infected, the malware allows hackers to steal a wide range of information, including the victim's phone number, the serial number of the phone, location, contact details, photos, SMS and chat messages in WhatsApp and Telegram apps. Anyone with access to such personal and sensitive information can leverage a great deal from the victims by blackmailing or seeking ransom.
Researchers noted that two versions of MDM services were used to carry out the attack. In one method, attackers stole data via malicious versions of legit apps, in this case, WhatsApp and Telegram. While the apps look real to unsuspecting users, they send sensitive information to the control server.
Another method grants attackers the ability to install, remove and exfiltrate data from apps. For this, the attackers used the BOptions side-loading technique, researchers noted.
Who are the attackers?
While the attack, which has been active since August 2015, is limited to 13 Indian users of iPhones, the attackers tried to mask their identity as Russian. But the researchers were able to extract the origin of the attackers from the log files left behind on MDM services and the malware's C&C server.
The identity of the attackers remains unknown, but the researchers concluded that they are indeed based in India. Many unanswered questions still surround the mysterious nature of the attack, such as why only 13 iPhones in India were targeted.
Despite maintaining a low profile, this malware warrants undisputed attention. Apple may roll out a fix soon, but users must always remain vigilant about the permissions they grant apps and think twice before clicking anything, even if prompted to do so by legitimate-looking apps.