In the last weeks, a new Android surveillance malware dubbed Exodus made the headlines, now expert found the iOS version of the government spyware.

Security experts at LookOut have discovered an iOS version of the dreaded surveillance Android app Exodus that was initially found on the official Google Play Store.

Exodus for Android is a three-stage malware, the first is a small dropper that collected basic device information (i.e. IMEI, phone number).

The second stage is composed of multiple binary packages that deploy a well-implemented suite of surveillance functionalities, and the finals stage leverages the DirtyCOW exploit (CVE-2016-5195) to gain root privileges on the device and install the Exodus app.

Lookout first spotted the sophisticated Android surveillance software early last year.

Early versions of Exodus app used infrastructure which belonged to a company named Connexxa S.R.L. and were signed using the name of a developer who seems to hold equity in Connexxa.

The developer is also associated with a company called eSurv S.R.L., and many people claim the guy is working at this company.

“eSurv was a business unit of Connexxa and was leased to eSurv S.R.L in 2014. The business unit and the eSurv software and brand was sold from Connexxa S.R.L. to eSurv S.R.L. on Feb 28, 2016.”

The iOS version of Exodus has not been distributed through the official Apple App store, experts discovered that the surveillance malware was delivered through phishing websites that look like the ones of Italian and Turkmenistani mobile carriers.

“Analysis of these Android samples led to the discovery of infrastructure that contained several samples of an iOS port. So far, this software (along with the Android version) has been made available through phishing sites that imitated Italian and Turkmenistani mobile carriers.” reads the analysis published by Lookout.

Since on Apple devices it is not possible to directly install apps that are not present in the official app store, this new iOS version of Exodus is abusing the Apple Developer Enterprise program, which allows enterprises to distribute their own apps directly to their employees without passing through the App Store.

The phishing sites used to deliver the threat contained links to a distribution manifest, which contained metadata such as the application name, version, icon, and a URL for the IPA file.

According to Lookou, all these packages used provisioning profiles with distribution certificates associated with the company Connexxa.

The iOS version of Exodus is less sophisticated than the Android one, but it is still perfect spyware with the ability to exfiltrate a broad range of information from iPhone devices (i.e. contacts, audio recordings, photos, videos, GPS location, and device information).

The spyware exfiltrates data via HTTP PUT, experts pointed out that iOS and Android versions have the same command and control infrastructure and use similar communications protocols.

“Upload data was queued and transmitted via HTTP PUT requests to an endpoint on the C2. The iOS apps leverage the same C2 infrastructure as the Android version and use similar communications protocols. Push notifications were also used to control audio recording.” continues the analysis.

“Lookout has shared information about this family with Apple, and they have revoked the affected certificates. As a result, no new instances of this app can be installed on iOS devices and existing installations can no longer be run.”

Lookout researchers believe Exodus is a malware developed for governmet and law enforcement agencies, it is the result of a well-funded development effort.

At the time of writing, the experts have no idea of the number of iPhones devices infected by the iOS Exodus variant.

Pierluigi Paganini