New malware campaign using malicious MDM targeting 13 specific iPhone users in India

• Campaign specifically targeted 13 iPhone users in India.
• Malware steals contacts, users, location, phone serial number, Telegram and WhatsApp chat messages and more.

A new malware campaign targeting 13 specific iPhone users in India has been discovered that involves attackers deploying an open-source mobile device management (MDM) system to hijack devices.

The attacker behind this malicious campaign seems to have taken great pains to replace certain mobile apps for data interception.

MDM can allow hackers the ability to hijack operating system (OS) level control of multiple devices from one location. Hackers could also exploit MDM to install and remove apps, install and remove certificates, lock devices, change passwords and more.

“An MDM is designed to deploy applications on enrolled devices. In this campaign we identified five applications that have been distributed by this system to the 13 targeted devices in India,” security researchers at Cisco Talos, who discovered the new malware campaign, wrote in a blog. “Two of them appear to test the functionality of the device, one steals SMS message contents, and the remaining two report the location of the device and can exfiltrate various data.”

Malware’s capabilities

The malware used in the campaign is capable of stealing phone numbers, serial numbers, contacts, location, photos, as well as SMS, Telegram and WhatsApp chat messages. This stolen data could be leveraged by hackers to manipulate or blackmail victims.

Researchers said the hacker used the BOptions sideloading technique to add features to legitimate apps such as Telegram and WhatsApp that werethen deployed by the MDM onto the 13 targeted devices.

According to Cisco Talos researchers, the malware has been active from 2015. In other words, the attacker managed to successfully remain under the radar for three years, likely due to the low infection rate.

The hacker also happened to leave behind identifiable data such as usernames and emails on the server, allowing researchers to discover that the attacker’s phone number originated from India and that his device used the Vodafone India network.

Modus Operandi

In the case of iOS malware, malicious code is generally executed after the malware author modifies the app's code at runtime to execute it.

However, the malware in this campaign is almost entirely independent of the app and functions by creating a timer that eventually executes the malicious code in the background.

“From there, it schedules tasks to be executed asynchronously in the background by leveraging the apps' background task queue. Ultimately, this means that the malicious code is invisible to the user of the app, and can be easily reused alongside any real application,” Cisco Talos researchers added.

Researchers are still unclear about the identity and motive of the attackers. The hackers’ targets are also still unknown. However, they noted that the attackers did attempt to mimic Russian hackers by using mail.ru email.

“Once a user has lost physical access to their phone, it's really a case of the attacker having a much easier playing field for malicious activity,” Cisco Talos researchers said. “The fact that the attacker was also able to get devices onto his own malicious MDM shows that the attacker was indeed motivated to obtain initial access but also to maintain persistence across the devices.”