A malware campaign targeting iOS devices belonging to a wide range of entities, including European defense organizations, governments and media outlets, has been uncovered, a recent report claims. The espionage spyware it delivers can be installed on devices that have not been jailbroken.
The campaign, dubbed “Operation Pawn Storm” by security researchers, was first observed targeting Windows computers late last year but has now been extended to iOS devices, according to a report by security researchers at Trend Micro’s TrendLabs. The researchers linked the campaign to the Russian government.
XAGENT SPYWARE APP
The first of the two pieces of spyware used in the campaign is an iOS application, which the firm dubbed XAgent, that attempts to install and run on the target’s device.
“The XAgent app is fully functional malware,” the researchers noted. “The exact methods of installing this malware are unknown; however, we do know that the iOS device doesn’t have to be jailbroken … We have seen one instance wherein a lure involving XAgent simply says ‘Tap Here to Install the Application’.”
The fake website distributes the spyware through Apple’s ad-hoc provisioning mechanism. That mechanism is intended for enterprises and developers who want to distribute an app to a limited set of devices without going through the App Store: an app signed with a developer or enterprise certificate can be installed directly from a website, bypassing App Store review, so no jailbreak is needed for the lure to work.
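For a practitioner who finds an unexpected app on a non-jailbroken device, the first question is how it got there. The following is an added illustrative example (not code from the article or from Trend Micro) that carves the XML plist out of an app’s embedded.mobileprovision and classifies the profile as App Store, ad-hoc, development or enterprise (in-house) using the standard profile keys ProvisionsAllDevices, ProvisionedDevices and the get-task-allow entitlement. The blobs it parses are constructed for the demo: a fake CMS/DER prefix and trailing signature bytes wrapped around a real plist generated with plistlib. The team names, app identifiers and UDIDs are made up.

```python
"""
Triage how an iOS app was provisioned by reading its embedded.mobileprovision.
Added illustrative example; not code from the article or from Trend Micro.

A real profile is a CMS (PKCS#7) signed blob whose payload is an XML plist.
The blobs built below are constructed for the demo (fake DER prefix and
trailing signature bytes around a real plist) so the carving logic runs offline.
"""
import datetime
import plistlib

PLIST_START = b"<?xml"
PLIST_END = b"</plist>"


def extract_plist(blob: bytes) -> dict:
    """Carve the XML plist out of the CMS wrapper and parse it.

    Quick triage only: this does NOT check Apple's signature over the profile.
    To verify it first, run
        openssl smime -inform der -verify -noverify -in embedded.mobileprovision
    and feed the verified payload into this function.
    """
    start = blob.find(PLIST_START)
    if start < 0:
        raise ValueError("no XML plist payload found in profile blob")
    end = blob.find(PLIST_END, start)
    if end < 0:
        raise ValueError("plist payload is truncated")
    return plistlib.loads(blob[start:end + len(PLIST_END)])


def classify_profile(profile: dict, now=None) -> dict:
    """Decide which distribution channel the profile represents.

    Standard mobileprovision keys used:
      ProvisionsAllDevices -> in-house (enterprise) distribution
      ProvisionedDevices   -> UDID-locked: development or ad-hoc distribution
      neither              -> App Store distribution profile
    `now` may be a naive UTC datetime or an ISO-8601 string.
    """
    if now is None:
        now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    elif isinstance(now, str):
        now = datetime.datetime.fromisoformat(now)
    entitlements = profile.get("Entitlements", {})
    devices = profile.get("ProvisionedDevices", [])
    if profile.get("ProvisionsAllDevices"):
        kind = "enterprise"
    elif devices:
        # get-task-allow lets a debugger attach: set on development profiles,
        # cleared on ad-hoc distribution profiles.
        kind = "development" if entitlements.get("get-task-allow") else "ad-hoc"
    else:
        kind = "app-store"
    expires = profile.get("ExpirationDate")  # plistlib returns a naive datetime
    return {
        "kind": kind,
        "sideloaded": kind != "app-store",
        "team": profile.get("TeamName"),
        "app_id": entitlements.get("application-identifier"),
        "device_count": len(devices),
        "expired": bool(expires is not None and expires < now),
    }


def build_sample_blob(profile: dict) -> bytes:
    """Constructed stand-in for a signed profile: a fake CMS SignedData
    header, the real XML plist payload, then fake signature bytes. Demo only."""
    fake_prefix = bytes.fromhex("308206a806092a864886f70d010702")
    fake_signature = b"\x00" * 32
    return fake_prefix + plistlib.dumps(profile) + fake_signature


def triage(blob: bytes, now=None) -> dict:
    """One-call helper: carve, parse and classify a profile blob."""
    return classify_profile(extract_plist(blob), now)


# Constructed sample profiles; every value is made up for the demo.
ADHOC_LURE = {
    "AppIDName": "Example Lure",
    "Name": "Example Ad Hoc",
    "TeamName": "Example Team",
    "CreationDate": datetime.datetime(2015, 1, 5, 10, 0, 0),
    "ExpirationDate": datetime.datetime(2016, 1, 5, 10, 0, 0),
    "ProvisionedDevices": ["0" * 38 + "aa", "0" * 38 + "bb"],
    "Entitlements": {
        "application-identifier": "ABCDE12345.com.example.lure",
        "get-task-allow": False,
    },
}
ENTERPRISE_LURE = {
    "Name": "Example In-House",
    "TeamName": "Example Corp",
    "ExpirationDate": datetime.datetime(2016, 1, 5, 10, 0, 0),
    "ProvisionsAllDevices": True,
    "Entitlements": {"application-identifier": "FGHIJ67890.com.example.inhouse"},
}


if __name__ == "__main__":
    for label, prof in (("ad-hoc", ADHOC_LURE), ("enterprise", ENTERPRISE_LURE)):
        print(label, triage(build_sample_blob(prof), now="2015-02-04T00:00:00"))
```

On a real device or IPA, point `extract_plist` at the `embedded.mobileprovision` inside the .app bundle; a result of `ad-hoc` or `enterprise` for an app the user never expected to sideload is the signal worth chasing, and `expired` or a `device_count` of one or two on an ad-hoc profile tells you how narrowly the lure was targeted.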
XAGENT COLLECTS ALMOST EVERYTHING
Once installed, XAgent collects text messages, contact lists, pictures, geolocation data, the list of installed apps and the device’s Wi-Fi status, and sends the data to an attacker-controlled server. It can also switch on the phone’s microphone and record everything it hears.
XAgent runs on both iOS 7 and iOS 8, whether or not the device is jailbroken. It is most dangerous on iOS 7, where it hides its icon to evade detection and restarts itself automatically; on iOS 8 it can neither hide its icon nor restart itself.
MADCAP GAME APP
The second piece of malware used in Operation Pawn Storm is disguised as a game called “MadCap”. Its functionality is similar to XAgent’s but is focused on recording audio, and, unlike XAgent, it can only be installed on jailbroken devices.
The researchers said both malicious apps appear to be carefully maintained and consistently updated by the attackers. The attackers have not been identified, although the command-and-control server used in the attacks was still in operation at the time of the research.