iOS spyware used by Pawn Storm cyber spies

Trend Micro researchers have unearthed two variants of a spyware specially designed for targeting devices running iOS, and at least one of them can be installed on non-jailbroken devices.

The malware is used by the attackers behind Pawn Storm, a recently discovered but long-standing cyber-espionage operation that has in the past targeted media companies, military attachés, staff at the Ministry of Defense in France and Hungary, a multinational company based in Germany, staff of the US State Department, personnel of US defense contractor ACADEMI (formerly Blackwater), Polish government employees, and many more military and government targets.

“We believe the iOS malware gets installed on already compromised systems, and it is very similar to next stage SEDNIT malware we have found for Microsoft Windows’ systems,” they shared in a blog post.

“We found two malicious iOS applications in Operation Pawn Storm. One is called XAgent (detected as IOS_XAGENT.A) and the other one uses the name of a legitimate iOS game, MadCap (detected as IOS_ XAGENT.B). After analysis, we concluded that both are applications related to SEDNIT.”

While XAgent is aimed at collecting text messages, the contents of the contact list, pictures, geo-location data, a list of installed apps and processes, information about the Wi-Fi status and can perform voice recording, MadCap is focused on audio recording. Another difference is that MadCap can only be installed on jailbroken devices.

It’s also interesting to note that XAgent works flawlessly on iOS7, and easily achieves stealth and persistence, while on iOS8 its presence can be detected by the visible icon, and the malicious app can’t restart automatically once it has been closed. The researchers believe that this shows that the spyware was created before iOS8 was released in September 2014.

“The exact methods of installing these malware is unknown,” they shared. “We have seen one instance wherein a lure involving XAgent simply says ‘Tap Here to Install the Application.’ The app uses Apple’s ad hoc provisioning, which is a standard distribution method of Apple for iOS App developers.”

It’s also possible that the malware gets installed through other means, for example via USB cable connected to a compromised Windows machine.

iOS spyware is still a rarely encountered bird. We know that Gamma Group International’s FinFisher commercial spyware toolkit has a mobile component capable of spying on owners of iOS devices. Also, that someone – likely the Chinese government – has been using a mobile RAT to target Hong Kong protesters last year.