Hackers Used Malicious MDM Solution to Spy On 'Highly Targeted' iPhone Users


Security researchers have uncovered a "highly targeted" mobile malware campaign that has been operating since August 2015 and was found spying on 13 selected iPhones in India. The attackers, who are also believed to be operating from India, abused mobile device management (MDM), the mechanism large enterprises use to control devices and enforce policies on the phones their employees carry, to remotely deploy and control malicious applications.

Enrolling an iOS device in an MDM service requires the user to manually install an enterprise certificate, which enterprises obtain through the Apple Developer Enterprise Program, together with the MDM configuration profile. Companies can deliver that configuration profile by email or through a web page for over-the-air enrollment, or with Apple Configurator.

Once the user installs it, the service lets company administrators remotely control the device: install and remove apps, install and revoke certificates, lock the device, change password requirements, and so on.
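Those administrative powers are spelled out inside the profile itself: the `com.apple.mdm` payload names the server the device will check in with and carries an `AccessRights` bitmask of what that server may do. The script below is an added example for triaging a suspect `.mobileconfig` pulled from a device; it is not Talos's tooling and not a profile from this campaign. The profile embedded in it is constructed (the host `mdm.example.invalid` and the UUIDs are placeholders), the allow-list of trusted MDM hosts is a hypothetical input, and the bit meanings follow Apple's MDM protocol reference.

```python
"""Triage a .mobileconfig enrollment profile: who is the MDM server and what rights does it ask for?"""
import plistlib
from urllib.parse import urlparse

# AccessRights bit meanings as documented in Apple's MDM protocol reference.
ACCESS_RIGHTS = {
    1: "inspect installed configuration profiles",
    2: "install and remove configuration profiles",
    4: "lock device and remove passcode",
    8: "erase device",
    16: "query device information",
    32: "query network information",
    64: "inspect installed provisioning profiles",
    128: "install and remove provisioning profiles",
    256: "inspect installed applications",
    512: "restriction-related queries",
    1024: "security-related queries",
    2048: "manipulate settings",
    4096: "manage apps",
}
FULL_CONTROL = sum(ACCESS_RIGHTS)  # 8191: every bit set

# Constructed sample profile (not the campaign's): an MDM payload pointing at a
# non-corporate host and requesting every access right. Hostnames/UUIDs are placeholders.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.enroll</string>
  <key>PayloadUUID</key><string>11111111-2222-3333-4444-555555555555</string>
  <key>PayloadDisplayName</key><string>Tech Support Profile</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>PayloadIdentifier</key><string>com.example.enroll.mdm</string>
      <key>PayloadUUID</key><string>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</string>
      <key>ServerURL</key><string>https://mdm.example.invalid/mdm</string>
      <key>CheckInURL</key><string>https://mdm.example.invalid/checkin</string>
      <key>Topic</key><string>com.apple.mgmt.External.example</string>
      <key>AccessRights</key><integer>8191</integer>
      <key>IdentityCertificateUUID</key><string>ffffffff-0000-1111-2222-333333333333</string>
    </dict>
  </array>
</dict>
</plist>
"""


def decode_access_rights(mask):
    """Return the human-readable rights whose bits are set in an AccessRights mask."""
    return [desc for bit, desc in ACCESS_RIGHTS.items() if mask & bit]


def inspect_profile(data, trusted_hosts=()):
    """Parse a .mobileconfig and summarise every com.apple.mdm payload in it.

    Returns one finding per MDM payload: the server host, whether it is on the
    caller's allow-list (hypothetical input), and the decoded rights. A profile
    with no MDM payload yields an empty list. Signed profiles are CMS-wrapped;
    strip the signature first (e.g. `openssl smime -verify -noverify -inform DER`)
    and pass the inner plist bytes here.
    """
    plist = plistlib.loads(data)
    findings = []
    for payload in plist.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.mdm":
            continue
        host = urlparse(payload.get("ServerURL", "")).hostname or ""
        rights = int(payload.get("AccessRights", 0))
        findings.append({
            "server_host": host,
            "trusted": host in trusted_hosts,
            "access_rights": rights,
            "rights": decode_access_rights(rights),
            "full_control": rights == FULL_CONTROL,
            "topic": payload.get("Topic", ""),
        })
    return findings


if __name__ == "__main__":
    for f in inspect_profile(SAMPLE_PROFILE, trusted_hosts={"mdm.corp.example"}):
        flag = "" if f["trusted"] else "  <-- not a known corporate MDM host"
        print(f"MDM server: {f['server_host']}{flag}")
        print(f"AccessRights {f['access_rights']} (full control: {f['full_control']})")
        for r in f["rights"]:
            print("  -", r)
```

An `AccessRights` of 8191 is common for legitimate MDM vendors too, so the value alone proves nothing; the signal is the combination of full rights with a server host and push topic that the organisation does not recognise, which is exactly what a "tech support" enrollment would produce.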

Since each step of the enrollment process requires user interaction, such as installing a certificate authority on the iPhone, it is not yet clear how the attackers managed to enroll the 13 targeted iPhones in their MDM service. However, researchers at Cisco's Talos threat intelligence unit, who discovered the campaign, believe the attackers most likely used either social engineering, such as a fake tech-support call, or physical access to the targeted devices.

According to the researchers, the attackers used the MDM service to remotely install modified versions of legitimate apps on the targeted iPhones. The modified apps were designed to secretly spy on users and steal their real-time location, contacts, photos, SMS messages and private messages from chat applications. To add malicious features to secure messaging apps such as Telegram and WhatsApp, the attackers used the "BOptions sideloading technique," which let them inject a dynamic library into the legitimate apps, so the user keeps a working copy of the familiar app while the injected code runs inside it.
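Injecting a dynamic library this way leaves a trace in the app's main executable: an extra dylib load command pointing at a library that ships inside the app bundle rather than the OS. The script below is an added example of that check, not part of the Talos report or its tooling. It parses the load commands of a Mach-O binary (thin or fat) and lists libraries outside `/usr/lib` and `/System/Library`; that prefix allow-list is a heuristic, the parser assumes little-endian Mach-O as used on all current Apple platforms, and the binary it inspects is a minimal Mach-O constructed in-script, with `libinjected.dylib` as a placeholder name.

```python
"""List the dynamic libraries a Mach-O executable loads and flag ones not shipped by the OS.

An injected library is normally added as one more LC_LOAD_DYLIB whose path is
bundle-relative (@executable_path, @rpath, @loader_path), so it stands out
against the /usr/lib and /System/Library entries a stock app links against.
"""
import struct

MH_MAGIC_64 = 0xFEEDFACF
MH_MAGIC = 0xFEEDFACE
FAT_MAGIC = 0xCAFEBABE          # fat header and arch table are big-endian
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x80000018
LC_REEXPORT_DYLIB = 0x8000001F
LC_LOAD_UPWARD_DYLIB = 0x80000023
DYLIB_CMDS = {LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB, LC_LOAD_UPWARD_DYLIB}
OS_PREFIXES = ("/usr/lib/", "/System/Library/")   # heuristic allow-list, not exhaustive
CPU_TYPE_ARM64 = 0x0100000C


def _dylib_command(cmd, path):
    """Build one dylib load command: cmd, cmdsize, dylib struct, NUL-padded path."""
    name = path.encode() + b"\0"
    name += b"\0" * (-len(name) % 8)              # keep cmdsize 8-byte aligned
    # dylib struct: name offset (24 = after this struct), timestamp, current, compat version
    return struct.pack("<IIIIII", cmd, 24 + len(name), 24, 0, 0x10000, 0x10000) + name


def build_macho(dylibs):
    """Constructed minimal arm64 Mach-O executable whose only load commands are dylib loads."""
    cmds = b"".join(_dylib_command(LC_LOAD_DYLIB, p) for p in dylibs)
    # mach_header_64: magic, cputype, cpusubtype, filetype (2 = MH_EXECUTE), ncmds, sizeofcmds, flags, reserved
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, len(dylibs), len(cmds), 0, 0)
    return header + cmds


def build_fat(slices):
    """Constructed fat wrapper around thin Mach-O slices (big-endian header, no page alignment)."""
    offset = 8 + 20 * len(slices)
    archs, body = b"", b""
    for s in slices:
        archs += struct.pack(">iiIII", CPU_TYPE_ARM64, 0, offset, len(s), 0)
        body += s
        offset += len(s)
    return struct.pack(">II", FAT_MAGIC, len(slices)) + archs + body


def linked_dylibs(data):
    """Return the paths from all LC_LOAD_DYLIB-family commands, merging every slice of a fat file."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        paths = []
        for i in range(nfat):
            _, _, offset, size, _ = struct.unpack_from(">iiIII", data, 8 + 20 * i)
            paths.extend(linked_dylibs(data[offset:offset + size]))
        return paths
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC_64:
        hdr_size = 32
    elif magic == MH_MAGIC:
        hdr_size = 28
    else:
        raise ValueError("not a Mach-O file: magic 0x%08x" % magic)
    ncmds, _sizeofcmds = struct.unpack_from("<II", data, 16)
    paths, off = [], hdr_size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("malformed load command at offset %d" % off)
        if cmd in DYLIB_CMDS:
            name_off = struct.unpack_from("<I", data, off + 8)[0]
            raw = data[off + name_off:off + cmdsize]
            paths.append(raw.split(b"\0", 1)[0].decode(errors="replace"))
        off += cmdsize
    return paths


def suspicious_dylibs(data):
    """Library paths that are not OS-provided: bundle-relative or outside the allow-listed prefixes."""
    return [p for p in linked_dylibs(data) if not p.startswith(OS_PREFIXES)]


if __name__ == "__main__":
    # Constructed sample: a stock-looking app plus one bundle-relative library (placeholder name).
    sample = build_macho([
        "/usr/lib/libSystem.B.dylib",
        "/System/Library/Frameworks/UIKit.framework/UIKit",
        "@executable_path/Frameworks/libinjected.dylib",
    ])
    for path in suspicious_dylibs(sample):
        print("non-OS dylib:", path)
```

On a real device image, point `linked_dylibs` at the main executable inside `Payload/<App>.app/`; the load commands sit before the region covered by App Store encryption, so the listing works without decrypting the app. Compare the result with the same version of the app from the App Store: a genuine build embeds its own frameworks too, so the question is whether a path appears that the vendor's build does not have.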

The malware injected into the modified Telegram and WhatsApp builds was designed to send contacts, location and images from the compromised device to a remote server at hxxp[:]//techwach[.]com.

At this time it is not known who is behind the campaign, who exactly was targeted, or what the motive was, but the researchers found evidence suggesting the attackers were operating from India and had planted a "false flag" by posing as Russian.

At the time of reporting, Apple had already revoked three certificates linked to this campaign; after being informed by the Talos team, the company revoked the remaining two as well.