The attackers, who are also believed to be operating from India, were found abusing the mobile device management (MDM) protocol, the enterprise management mechanism that large organizations use to control and enforce policies on their employees' devices, to remotely control the targeted iPhones and deploy malicious applications onto them.
Exploiting Apple MDM Service to Remotely Control Devices
Companies can deliver an MDM configuration profile through email or a web page for over-the-air enrollment, or enroll devices directly using Apple Configurator.
Once a user installs the profile, the service allows the company's administrators to remotely control the device: install or remove apps, install or revoke certificates, lock the device, change passcode requirements, and so on.
“MDM uses the Apple Push Notification Service (APNS) to deliver a wake-up message to a managed device. The device then connects to a predetermined web service to retrieve commands and return results,” Apple explains about MDM.
Since each step of the enrollment process requires user interaction, such as installing the attacker's certificate authority on the iPhone, it is not yet clear how the attackers managed to enroll the 13 targeted iPhones into their MDM service.
However, researchers at Cisco's Talos threat intelligence unit, who discovered the campaign, believe the attackers most likely used either social engineering, such as a fake tech-support call, or physical access to the targeted devices.
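Because the enrollment profile the user is asked to accept is a plist, the permissions it would hand to the MDM server can be inspected before installing it. The following Python script is an added example, not code from the article or from Talos: it parses a constructed, unsigned .mobileconfig (with a hypothetical server at mdm.example.invalid and placeholder UUIDs and certificate bytes) and reports the MDM server URL, the access rights the server requests, any root CA the profile installs, and whether the profile blocks its own removal. The payload type identifiers and the AccessRights bit values are those in Apple's MDM protocol reference; the one-line descriptions are paraphrases.

```python
import plistlib

# AccessRights bitmask of the com.apple.mdm payload. Bit values are from Apple's
# MDM protocol reference; descriptions are paraphrased. 8191 means every right.
ACCESS_RIGHTS = {
    1: "inspect installed configuration profiles",
    2: "install and remove configuration profiles",
    4: "device lock and passcode removal",
    8: "device erase",
    16: "query device information",
    32: "query network information",
    64: "inspect provisioning profiles",
    128: "install and remove provisioning profiles",
    256: "inspect installed applications",
    512: "restriction-related queries",
    1024: "security-related queries",
    2048: "manipulate settings",
    4096: "app management (install and remove apps)",
}
FULL_CONTROL = sum(ACCESS_RIGHTS)


def audit_profile(profile_bytes: bytes) -> dict:
    """Summarize what an MDM enrollment profile would grant if the user accepts it."""
    # A signed .mobileconfig is a CMS/PKCS#7 blob wrapping the plist; plistlib
    # cannot read that directly, so refuse rather than misreport it.
    if not (profile_bytes.lstrip().startswith(b"<?xml") or profile_bytes.startswith(b"bplist")):
        raise ValueError("profile is not a bare plist (probably CMS-signed); unwrap it first")
    profile = plistlib.loads(profile_bytes)
    report = {
        "mdm_server": None,
        "check_in_url": None,
        "rights": [],
        "full_control": False,
        "root_cas": [],
        "removal_disallowed": bool(profile.get("PayloadRemovalDisallowed", False)),
    }
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype == "com.apple.mdm":
            report["mdm_server"] = payload.get("ServerURL")
            report["check_in_url"] = payload.get("CheckInURL")
            mask = int(payload.get("AccessRights", 0))
            report["rights"] = [desc for bit, desc in ACCESS_RIGHTS.items() if mask & bit]
            report["full_control"] = (mask & FULL_CONTROL) == FULL_CONTROL
        elif ptype == "com.apple.security.root":
            # A root CA payload makes the device trust anything that CA signs,
            # including the MDM server's own TLS certificate.
            report["root_cas"].append(payload.get("PayloadDisplayName", "<unnamed>"))
    return report


# Constructed sample of what a malicious enrollment profile could look like.
# Hostname, identifiers, UUIDs and the certificate bytes are placeholders.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Tech Support Enrollment</string>
  <key>PayloadIdentifier</key><string>com.example.mdm.profile</string>
  <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadRemovalDisallowed</key><true/>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadDisplayName</key><string>Example Root CA</string>
      <key>PayloadIdentifier</key><string>com.example.mdm.ca</string>
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadContent</key><data>AAAA</data>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>PayloadIdentifier</key><string>com.example.mdm.enroll</string>
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000003</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>ServerURL</key><string>https://mdm.example.invalid/mdm</string>
      <key>CheckInURL</key><string>https://mdm.example.invalid/checkin</string>
      <key>Topic</key><string>com.apple.mgmt.External.placeholder</string>
      <key>AccessRights</key><integer>8191</integer>
    </dict>
  </array>
</dict>
</plist>
"""

if __name__ == "__main__":
    r = audit_profile(SAMPLE_PROFILE)
    print(f"MDM server: {r['mdm_server']} (check-in {r['check_in_url']})")
    print(f"Full control requested: {r['full_control']}; {len(r['rights'])} rights")
    print(f"Root CAs installed: {r['root_cas']}; removal disallowed: {r['removal_disallowed']}")
```

The three findings that matter for a profile pushed by a stranger are all present in the sample: AccessRights 8191 (every right, including app management, which is what lets the server push apps), a bundled root CA, and PayloadRemovalDisallowed set so the victim cannot simply delete the profile. A profile that is legitimately signed by the organization will arrive as a CMS blob and must be unwrapped (for example with openssl cms -verify) before this parser can read it.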
Spying Through Compromised Telegram and WhatsApp Apps
According to the researchers, the attackers behind the campaign used the MDM service to remotely install modified versions of legitimate apps onto the targeted iPhones. The modified apps were designed to secretly spy on users and steal their real-time location, contacts, photos, SMS messages, and private messages from chat applications.
To add malicious features to secure messaging apps such as Telegram and WhatsApp, the attackers used the "BOptions sideloading technique," which allowed them to inject a dynamic library into the legitimate apps.
“The injection library can ask for additional permissions, execute code and steal information from the original application, among other things,” researchers explain.
The malware injected into the compromised versions of the Telegram and WhatsApp applications was designed to send contacts, location, and images from the compromised device to a remote server at hxxp[:]//techwach[.]com.
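Whatever sideloading tool is used, the result of injecting a dynamic library is that the app's main executable now loads a library the developer never shipped, and that is visible in the binary's load commands. The Python below is an added example, not code from the article or from Talos, and it does not claim to reproduce the internals of the BOptions technique, which the article does not describe: it walks the load commands of a Mach-O executable, lists every LC_LOAD_DYLIB-family dependency, and flags any that is neither an iOS system library nor on an allowlist taken from a known-good copy of the app. The sample binary is constructed in the script (a Mach-O header plus load commands, with no code) and the library and framework names in it are placeholders.

```python
import struct

# Mach-O constants from <mach-o/loader.h>.
MH_MAGIC = 0xFEEDFACE          # 32-bit, little endian
MH_MAGIC_64 = 0xFEEDFACF       # 64-bit, little endian (arm64 iOS apps)
LC_REQ_DYLD = 0x80000000
LC_LOAD_DYLIB = 0xC
LC_LOAD_WEAK_DYLIB = 0x18 | LC_REQ_DYLD
LC_REEXPORT_DYLIB = 0x1F | LC_REQ_DYLD
DYLIB_LOAD_CMDS = {LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB}

# Libraries shipped with iOS itself live under these prefixes.
SYSTEM_PREFIXES = ("/usr/lib/", "/System/Library/")


def linked_dylibs(data: bytes) -> list:
    """Return the install paths of every dylib a thin Mach-O image links against."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC_64:
        header_size = 32
    elif magic == MH_MAGIC:
        header_size = 28
    else:
        raise ValueError("not a thin little-endian Mach-O (fat binaries must be split first)")
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    offset, end = header_size, header_size + sizeofcmds
    paths = []
    for _ in range(ncmds):
        if offset + 8 > end:
            raise ValueError("load commands overrun sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", data, offset)
        if cmdsize < 8 or offset + cmdsize > end:
            raise ValueError("malformed load command size")
        if cmd in DYLIB_LOAD_CMDS:
            # dylib_command: cmd, cmdsize, then struct dylib whose first field is
            # the offset of the NUL-terminated path from the start of the command.
            (name_off,) = struct.unpack_from("<I", data, offset + 8)
            raw = data[offset + name_off : offset + cmdsize]
            paths.append(raw.split(b"\0", 1)[0].decode())
        offset += cmdsize
    return paths


def suspicious_dylibs(data: bytes, expected=()) -> list:
    """Dependencies that are neither iOS system libraries nor in the allowlist
    built from a known-good (App Store) copy of the same app."""
    return [p for p in linked_dylibs(data)
            if not p.startswith(SYSTEM_PREFIXES) and p not in expected]


def dylib_command(path: str, cmd: int = LC_LOAD_DYLIB) -> bytes:
    """Encode one dylib load command (used only to build the constructed sample)."""
    name = path.encode() + b"\0"
    body = struct.pack("<IIII", 24, 2, 0x10000, 0x10000) + name  # name offset, timestamp, versions
    body += b"\0" * ((-(8 + len(body))) % 8)  # cmdsize must be 8-byte aligned on 64-bit
    return struct.pack("<II", cmd, 8 + len(body)) + body


def build_macho(dylib_paths) -> bytes:
    """Constructed sample: an arm64 MH_EXECUTE header followed only by dylib load commands."""
    cmds = b"".join(dylib_command(p) for p in dylib_paths)
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, len(dylib_paths), len(cmds), 0, 0)
    return header + cmds


# Placeholder names: a normal app links the system and its own framework; the
# repackaged copy additionally loads a library dropped into its Frameworks folder.
KNOWN_GOOD = {"@rpath/AppCore.framework/AppCore"}
TAMPERED = build_macho([
    "/usr/lib/libSystem.B.dylib",
    "/System/Library/Frameworks/UIKit.framework/UIKit",
    "@rpath/AppCore.framework/AppCore",
    "@executable_path/Frameworks/libinjected.dylib",
])

if __name__ == "__main__":
    for p in linked_dylibs(TAMPERED):
        print("loads", p)
    print("suspicious:", suspicious_dylibs(TAMPERED, expected=KNOWN_GOOD))
```

In practice the input is the main executable inside Payload/<App>.app/ of the IPA pulled from the device, and the allowlist is the dependency list of the same version from the App Store; any extra entry is worth a look. A repackaged app also has to be re-signed, which is why the article's mention of revoked certificates matters: the injected build carries the attacker's signing identity, not the original developer's.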
“Talos identified another legitimate app executing malicious code during this campaign in India. PrayTime is used to give the user a notification when it’s time to pray,” researchers said.
“The purpose is to download and display specific ads to the user. This app also leverages private frameworks to read the SMS messages on the device it is installed on and uploads these to the C2 server.”
At this time, it is not known who is behind the campaign, who exactly was targeted, or what the motives were, but the researchers found evidence suggesting the attackers were operating from India while planting a "false flag" by posing as Russian.
“Over a three-year period, the attackers remained under the radar — likely due to the low number of compromised devices. We found testing devices enrolled on the MDM with an Indian phone number and registered on an Indian provider,” Talos researchers said.
“All the technical details point to an actor based in the same country as the victims: India.”
At the time of reporting, Apple had already revoked three certificates linked to this campaign, and after being informed by the Talos team, the company revoked the remaining two as well.