The Exodus spyware now also exists in the iOS ecosystem. The package can take and deliver audio recordings, pictures, contacts, and location data. The spyware researchers note that the iOS version of the spyware delivers itself via phishing sites that imitate mobile carriers from Italy and Turkmenistan. According to research by both Lookout and Security without Boarders, the spyware appears to have developed over the span of 5 years.
The spyware works in three stages: first it lands on the victim’s machine with a lightweight dropper, then it fetches a larger second stage payload which contains several binaries, finally, the third stage typically uses the Dirty COW exploit (CVE20165195) to obtain root privileges on the infected device. Technical details suggest that it may have started life as a legitimate package for government or law-enforcement use. Details indicate that the software was very likely a well-funded project intended for the lawful intercept market. The software makes use of valid certificate-pinning and public key encryption for command-and-control communications, and geo-restrictions, along with a comprehensive well-implemented suite of surveillance features.
The Android samples led researchers to samples of an iOS variant. The attackers spoofed both Wind Tre SpA, and TMCell sites. An Italian mobile and a Turkmenistan state owned carrier respectively. In order to spread the iOS version outside of the App Store, the cybercriminals abused Apple’s enterprise provisioning system. Allowing them to sign the apps with legitimate Apple certificates. The Apple Developer Enterprise program is intended to allow organizations to distribute proprietary/in-house apps to their employees without the use of the iOS App Store. The apps themselves dovetail with the phishing sites, recommending that user keep the apps installed and under WiFi coverage to be contacted by operators for assistance. While the iOS version of the app seems to be more crude than the android counterpart. It might not have the ability to leverage known vulnerabilities, but it was still able to utilize well known API’s to exfiltrate contacts, photos, videos and audio recordings using a required push notification setting.
Exodus is thought to be linked to eSurv, an Italian software developer based in Catanzaro in Calabria who is well known for software specializing in CCTV management, surveillance drone, and facial and license-plate recognition software. eSurv is currently under investigation by Italian authorities per local news reports. Each of the phishing sites contain links to metadata such as the application name, version, icon, and an URL for the IPA file. An IPA package must contain a mobile provisioning profile with an enterprise’s certificate to be distributed outside the app store. All these packages used provisioning profiles with distribution certificates associated with the company Connexxa S.R.L.