Exodus spyware app targeting iOS users outside the App Store

iOS malware Exodus distributed via certified apps outside the App Store

Italian hackers found a way to distribute Exodus malware on iPhones outside the App Store

A particular discovery has clearly surprised cybersecurity experts from Lookout.^[1] Their latest findings revealed a spyware app, dubbed Exodus, which is targeting Apple iOS users outside of the original version of the App Store. Technology experts ran into such malware while investigating the powerful Android version of this virus.

An interesting fact which occurred during the discovery is that the surveillance application has been marked by legitimate Apple developer certificates as safe, even though the company itself does not provide an opportunity to install applications outside the App Store. However, what helped the criminals to achieve a certificate was misusing the Apple Developer Enterprise Program.

The spyware app has mostly been spread via questionable web pages. Its developers have been seeking to create an imitation of mobile carriers from Italia and Turkmenistan.^[2] However, the true company hiding behind the name of Exodus is known as Connexxa S.R.L and is located in Italia.^[3]

Android version of Exodus is using Dirty COW for taking control of infected mobile devices

Talking about the Exodus malware itself, it is clear that its main aim is to implement cyber attacks. According to research, hackers launched this spyware to infect government and law institutions mostly. However, it first reached the eye of cybersecurity experts from Security Without Borders when the hackers decided to use Exodus to target Android OS users and managed to add 25 malware-laden spyware apps to the Google Play Store.^[4]

Supposedly, the Android Exodus version was under the development mode for three years. Malware is set to carry out three different attack stages:

• Collecting the original identification data;
• Installing malicious packages used for spying;
• Using CVE-2016-5195 vulnerability to take control of the entire device.

To begin with, virus is set to gain more knowledge about the infected device by collecting the original identification data, such as IMEI, and mobile phone number. After that, Exodus installs some malicious packages that carry out a big variety of spyware functions and plants them on the targeted device to begin the main spying activity. However, the worst part is that the Android version of malware in its third stage uses the Dirty COW (CVE-2016-5195) vulnerability^[5] to take control of the entire infected device.^[1]

Once such actions are finished, Exodus malware starts moving towards its main goal – performing the biggest amount of surveillance that it is capable of. What worsens the situation is that the Android variant can continue its malicious actions even when the infected device is shut down.

HTTP PUT requests used to transmit information to cybercriminals

The iOS version of Exodus malware is not as complicated as the Android version. However, this shouldn't make you think that this variant is less dangerous. It seems that it also aims to expose sensitive data from iPhones, including:

• contact lists
• audio files
• videos
• photos
• device-related information
• etc.

After the data is collected, it is further carried via HTTP PUT requests to a C&C server which is under the control of the cybercriminals. Additionally, the same CnC structure is used in iOS and Android malware for transmitting information over the network. Apple has already banned the possibility of installing malware-laden apps on iPhones, however, currently, there is no particular information about the number of devices that have already been affected by Exodus malware.