According to researchers at the mobile security firm Lookout, the surveillance app known as Exodus has now been found on iOS as well. Exodus made headlines earlier this year when it was discovered infecting Android phones through apps hosted on Google Play.
The malware has been in development for at least five years and is built as so-called 'lawful intercept' software, the kind normally sold to and used by governments and law enforcement agencies. The researchers found that the iOS version bypassed the App Store entirely: it was distributed through phishing websites that imitated Italian and Turkmenistani mobile carriers, and the apps were signed with Apple enterprise developer certificates, which allow an organisation to install apps on devices without App Store review.
Though the iOS variant is less sophisticated than the Android malware (it relies on documented APIs rather than exploits), it can still steal data from targeted iPhones, including contacts, audio recordings, photos, videos, GPS location and device information. Stolen data was then transmitted to the operators' command and control server.
Lookout identified an Italian company, Connexxa, as the developer of the malware. Connexxa provides surveillance tools and software to Italian security agencies. Exodus first came to light after researchers from the non-profit Security Without Borders discovered roughly 25 variants of the Android version disguised as carrier service apps on the Google Play Store.
Lookout said that several technical details pointed to Exodus being 'likely the product of a well-funded development effort' aimed primarily at the government and law enforcement sectors.
On Android, researchers found that the infection proceeded in three distinct stages. First, a small dropper collects basic identifying data such as the IMEI and phone number and reports it to the operators.
In the second stage the malware fetches and deploys a full suite of surveillance functions. In the final stage it attempts to gain root control over the infected phone using the well-known Dirty COW exploit.
Dirty COW (Dirty copy-on-write, CVE-2016-5195) was a race condition in the Linux kernel's handling of copy-on-write memory mappings that let a local, unprivileged process write to read-only memory, including setuid binaries, and so escalate to root. It affected every Linux-based operating system including Android, since the bug had been present in the kernel since 2007. It was disclosed and patched in the mainline kernel in October 2016, with Android devices receiving the fix in the December 2016 security update; phones running older, unpatched kernels remained vulnerable, which is what Exodus relied on.
Once Apple was informed of the malware, it revoked Connexxa's enterprise certificates. Because iOS refuses to run apps whose signing certificate has been revoked, this not only prevented new installations but also stopped already-installed copies of the app from launching.
This is not the first time in the past year that an Italian software company has been linked to spyware. In early 2018 an unnamed Italian firm was found to be distributing a malware family called 'Skygofree', a powerful spying tool that gave its operators extensive control over infected Android devices.