Researchers recently discovered a well-funded mobile phone surveillance service capable of stealing a wide range of confidential data from phones running both iOS and Android. The researchers believe the malware is so-called “lawful intercept” software sold to law enforcement agencies and governments.
Exodus, as the Android version of the malware is dubbed, has been under development for at least five years. It has spread through apps disguised as service applications from Italian mobile operators. Exodus was hidden in apps hosted on covert websites and in 25 apps available in Google Play. In a report published two weeks ago, researchers at Security Without Borders estimated the number of Exodus-infected phones to be in the “several hundreds if not a thousand or more.”
Exodus has three distinct stages. The first is a small dropper that collects basic identifying information about the device, such as the IMEI and phone number, and sends it to a command-and-control server. The second stage was installed almost immediately after the researchers’ test phone was infected with the first stage, and it also reported to a control server. That led the researchers to believe that every phone infected with the first stage is indiscriminately infected with the later stages as well.
The second stage consists of several binary packages that implement many advanced surveillance capabilities. Some variants encrypt their communications using self-signed certificates pinned in the apps. The binaries can also take advantage of capabilities available on specific devices. For example, one binary uses “protected apps,” a feature of Huawei phones, to keep Exodus running even when the screen is off, rather than being paused to conserve battery power.
The third stage tries to give Exodus root control of the infected phone, in some cases using an exploit called DirtyCOW. Once fully installed, Exodus is able to perform a wide range of surveillance, including:
- Retrieve a list of installed applications
- Record surroundings using the built-in microphone in 3gp format
- Retrieve browsing history and bookmarks from Chrome and SBrowser (the browser shipped with Samsung phones)
- Extract events from the Calendar application
- Record phone calls in 3gp format
- Take pictures with the built-in camera
- Get information on local cellular towers (BTS)
- Extract the contact list from the Facebook app
- Extract logs from Facebook Messenger conversations
- Take a screenshot of any app in front
- Extract information on images from the Gallery
- Extract information from the Gmail app
- Dump data from the IMO messenger application
- Extract calls, contacts and messages from the Skype app
- Recover all SMS messages
- Extract the messages and encryption key from the Telegram app
- Dump data from the Viber messenger app
- Extract logs from WhatsApp
- Get media exchanged via WhatsApp
- Extract the Wi-Fi network’s password
- Extract data from WeChat app
- Extract the current GPS coordinates of the phone
The missing iOS link is found
In a blog post expected to be published on Monday, researchers from the mobile security provider Lookout said their analysis of Exodus led to the discovery of servers that, in addition to Exodus, hosted an iOS version of the malware. The iPhone surveillance malware is distributed through phishing sites posing as mobile carriers in Italy and Turkmenistan. Screenshots of the two sites are below:
The iOS version is installed through the Apple Developer Enterprise program, which allows organizations to distribute in-house apps to employees or members without going through the iOS App Store. The apps are presented as mobile carrier assistance apps that instruct users to “install the app on your device and stay under Wi-Fi coverage to be contacted by one of our operators.”
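Enterprise-distributed apps carry an embedded provisioning profile (`embedded.mobileprovision`) signed with the organization's Apple-issued certificate. The check below is an added example, not code from the original article or from Lookout: it pulls the plist out of a profile, reports whether the profile is an enterprise one (`ProvisionsAllDevices`), and flags it when the signing team is not on an allowlist. The sample profile and the team identifier `ABCDE12345` are constructed placeholders.

```python
import plistlib
import re
from datetime import datetime, timezone

# A real .mobileprovision is a CMS (PKCS#7) envelope wrapping an XML plist.
# The DER bytes around the plist below are constructed filler, not a real signature.
SAMPLE_PROFILE = (
    b"\x30\x82\x01\x00\x06\x09*\x86H\x86\xf7\r\x01\x07\x02"
    + b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>AppIDName</key><string>Carrier Assistance</string>
  <key>TeamName</key><string>Example Corp (placeholder)</string>
  <key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
  <key>ProvisionsAllDevices</key><true/>
  <key>ExpirationDate</key><date>2030-01-01T00:00:00Z</date>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>ABCDE12345.com.example.assist</string>
  </dict>
</dict>
</plist>"""
    + b"\x00\x00\x31\x82"
)

PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)


def parse_profile(blob: bytes) -> dict:
    """Extract the plist from a CMS-wrapped profile without verifying the signature."""
    match = PLIST_RE.search(blob)
    if not match:
        raise ValueError("no plist found in provisioning profile")
    plist = plistlib.loads(match.group(0))
    expiry = plist["ExpirationDate"].replace(tzinfo=timezone.utc)
    return {
        "app_id": plist.get("Entitlements", {}).get("application-identifier"),
        "team_name": plist.get("TeamName"),
        "team_ids": list(plist.get("TeamIdentifier", [])),
        "enterprise": bool(plist.get("ProvisionsAllDevices", False)),
        "expired": expiry < datetime.now(timezone.utc),
    }


def assess(blob: bytes, trusted_teams: set) -> list:
    """Return reasons an app's profile deserves a closer look (empty list = nothing flagged)."""
    info = parse_profile(blob)
    reasons = []
    if info["enterprise"] and not set(info["team_ids"]) & trusted_teams:
        reasons.append(f"enterprise profile from untrusted team {info['team_ids']}")
    if info["expired"]:
        reasons.append("profile has expired")
    return reasons
```

On a managed fleet the same check can be run over every sideloaded app's profile from an MDM inventory; an unexpected enterprise team is exactly what would have stood out here before Apple revoked the certificate.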
The Apple-issued digital certificate used to distribute the malicious iOS apps is associated with an Italian company called Connexxa SRL. Infected iPhones also communicate with domains and IP addresses that belong to Connexxa. Connexxa is the same Italian company whose domains and IP addresses are used by Exodus. A Connexxa engineer who appears to hold equity in the company also digitally signed some parts of Exodus.
Connexxa’s appearance in the Apple-issued certificate, its role in the server infrastructure used by both Exodus and the iOS apps, and the servers that host both Exodus and the iOS apps give the researchers high confidence that both malware packages are the work of the same developers. The researchers say a company called eSurv SRL was also involved. eSurv was originally a business unit of Connexxa that was spun off as eSurv SRL in 2014. In 2016, the eSurv software and brand were sold by Connexxa to eSurv SRL.
It is not clear how many iPhones were infected by the iOS apps. The iOS version is not as sophisticated as Exodus. Unlike Exodus, the iOS version is not known to use any exploits. Instead, it relies on documented programming interfaces. It is nevertheless able to exfiltrate a great deal of sensitive data, including:
- Sound recordings
- Videos
- GPS location
- Device information
Because the iOS variant relies on Apple-provided APIs, it produces telltale signs that could alert cautious users that their sensitive data is being collected. For example, the first time the malware tries to access location data, the infected phone displays the following dialog asking for permission:
Lookout researchers reported their findings to Apple, and the company revoked the enterprise certificate. The revocation prevents the apps from being installed on new iPhones and stops them from running on already infected devices. The researchers who discovered Exodus reported their findings to Google, and the company removed nearly 25 apps from Google Play.