By Brooke Crothers
Published April 13, 2019
Early last year, mobile security firm Lookout discovered Android and iOS malware that can steal “contacts, audio recordings, photos, location, and more from devices,” according to a blog post from the company.
The malware was originally found on the Italian-language Google Play Store for Android, disguised as “service applications” from mobile operators, according to Security Without Borders, which also documented the malware.
Versions of the Android malware, dubbed Exodus, were unwittingly installed dozens of times, “with one case reaching over 350,” Security Without Borders said.
A Google spokesperson told Fox News that it "removed the apps from Google Play earlier this year" and warned the users who had installed the malware. "We invest heavily in keeping users safe from bad apps, malicious developers, and new abuse trends," the spokesperson added.
Lookout's research on the Android version of the malware led to the discovery of an iOS version.
Unlike the Android version, the malware isn’t distributed through the App Store but via the Apple Developer Enterprise program, which allows organizations to distribute proprietary, in-house apps to their employees and bypass the App Store, Lookout said.
However, some malicious groups have exploited this program, Domingo Guerra, Senior Director of Modern OS Security at Symantec, told Fox News. These groups “misused the enterprise app certificate ‘loop-hole’ to circumvent the App Store review process and get their apps ‘sideloaded’ onto target devices,” he said.
This is a new twist and potentially a sign of things to come. “The fact that it uses this ‘backdoor’ of the Apple Enterprise Developer Program is fairly novel and likely a new avenue other actors might try to take when targeting iOS users,” Adam Kujawa, Director of Malwarebytes Labs, told Fox News.
Since the App Store is secure, malware purveyors were forced to take an alternative route, Kujawa said. “Apple has a more locked down app store, trying to slip it into the legitimate application repository is pretty much impossible.”
Instead, attackers are setting up phishing sites, pretending to be mobile carriers, Kujawa added. “From these pages, there are links to install what the user believes to be useful applications from their mobile carrier…[but] these links will navigate the user to download the app on their iOS device.”
“They are able to do this by having a legitimate enterprise certificate assigned to this app, notably from the company Connexxa S.R.L.,” Kujawa continued.
The iOS version is more limited than the Android variant but can still scrape personal data and listen in through an iPhone’s microphone, Kujawa said. Once Apple was made aware of this, it blacklisted the certificate used by the app.
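The distribution trick described above leaves a trace on the device: an app installed outside the App Store carries an embedded provisioning profile whose `ProvisionsAllDevices` flag marks it as enterprise-signed. The following Python is an added example, not code from the article or from any of the firms quoted; it parses the plist payload of such a profile (a constructed sample with placeholder team and bundle names, not Exodus's real profile) and flags apps that never went through App Store review.

```python
import plistlib
import re
from datetime import datetime, timezone

# Constructed sample of the XML plist an embedded.mobileprovision carries
# inside its CMS signature. The keys (ProvisionsAllDevices, TeamName,
# ExpirationDate, Entitlements) are the ones real profiles contain; the
# team and bundle names below are placeholders.
SAMPLE_ENTERPRISE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>AppIDName</key><string>Carrier Helper</string>
<key>TeamName</key><string>EXAMPLE ENTERPRISE TEAM (placeholder)</string>
<key>ProvisionsAllDevices</key><true/>
<key>ExpirationDate</key><date>2020-01-01T00:00:00Z</date>
<key>Entitlements</key><dict>
<key>application-identifier</key><string>TEAMID12.com.example.helper</string>
<key>get-task-allow</key><false/>
</dict></dict></plist>"""

# The XML sits as plain bytes inside the DER wrapper, so a byte regex
# recovers it without verifying the CMS signature first.
PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)

def extract_plist(raw):
    """Pull the XML plist out of a (possibly DER-wrapped) .mobileprovision."""
    m = PLIST_RE.search(raw)
    if not m:
        raise ValueError("no plist payload found in profile")
    return plistlib.loads(m.group(0))

def classify_profile(profile):
    """Return 'enterprise', 'development', 'adhoc' or 'appstore'."""
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"          # in-house distribution, no App Store review
    if "ProvisionedDevices" in profile:
        ents = profile.get("Entitlements", {})
        return "development" if ents.get("get-task-allow") else "adhoc"
    return "appstore"

def review_profile(raw, now=None):
    """Summarise what a defender wants to know about a sideloaded app."""
    profile = extract_plist(raw)
    now = now or datetime.now(timezone.utc)
    exp = profile.get("ExpirationDate")   # plistlib yields a naive UTC datetime
    expired = exp is not None and exp.replace(tzinfo=timezone.utc) <= now
    kind = classify_profile(profile)
    return {
        "kind": kind,
        "team": profile.get("TeamName"),
        "app_id": profile.get("Entitlements", {}).get("application-identifier"),
        "expired": expired,
        "bypasses_app_store_review": kind == "enterprise",
    }
```

On a jailbroken device or an extracted IPA the same function can be pointed at `Payload/<App>.app/embedded.mobileprovision`; a revoked certificate, as in the Apple response described above, shows up at launch time rather than in the profile itself.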