Security News

Millions of iOS Devices at Risk from ‘Operation Pawn Storm’ Spyware

February 06, 2015

iOS devices are the new poisoned pawns in the targeted attack campaign dubbed “Operation Pawn Storm,” an organized economic and political espionage effort meant to target United States military, embassy, and defense contractor personnel. Trend Micro researchers have discovered two spyware apps that are designed to work on iOS 7, which a quarter of iOS devices still use. Given that Apple sold 130 million iOS devices in the last year alone, millions of devices are potentially included in the pool of Pawn Storm targets.

[Read: An In-depth Look at Pawn Storm Espionage Attacks]

The two spyware apps discovered by Trend Micro researchers snoop on iOS devices and behave similar to the SEDNIT malware—an unmistakable signature of Operation Pawn Storm. Looking back, SEDNIT or the Sofacy malware was found present across all the stages of the Pawn Storm operation and was also found in the attachments inside spear phishing emails that the operation used as an attack vector.

Both apps discovered are of the Xagent spyware strain, but only one of them hides under the name of the legitimate gaming app MadCap. Moreover, the bogus MadCap app reportedly works only on jailbroken devices.

These Xagent apps can gather text messages, contact lists, pictures, geo-location data, installed app list, process list, and Wi-Fi status found on the device. Most importantly, the Xagent apps can start voice recordings in the background without the device owners knowing. This makes any infected iOS device an ideal tool for listening to offline conversations, making it an especially useful spying method given that most bring their devices when going to meetings or talks.

[Read: Detailed technical analysis of the iOS apps for researchers]

Apart from the iOS app and spear phishing emails, Operation Pawn Storm was also big on using exploits and phishing sites as attack vectors.

How Xagent Spyware Apps Get on iOS Devices

The iOS platform is renowned for its walled garden approach to security, causing a misplaced consumer belief that these devices are untouchable by threats. Even so, threats like Masque and Wirelurker have established that iOS devices, both jailbroken and non-jailbroken ones, are not free from threats. 

[Read: Before Masque and WireLurker: iOS Threats That Cracked the Walled Garden]

XAgent spyware apps add another dimension to iOS threats yet again. The exact methods used to install this malware is still under investigation, but the following factors contribute to it:

  1. You are part of an organization that's being targeted

Threat actors tend to zoom into lucrative targets. In the case of Pawn Storm, those who work inside or with the US military, embassy, and defense contractors that are likely at risk.

  1. You still have iOS 7 installed.

Note that both these apps run perfectly on iOS devices that still have the iOS 7 version installed. They don’t run as well and can't load automatically on the new iOS 8 version. As such, it’s a problem that one-in-four iPhones and iPads still run on iOS 7. Often, the size requirement of the upgrade itself is a major deterrent that prevents users from upgrading to the latest OS version. Looking at the Android fragmentation problem, we have seen how this may not bode well for users.

  1. You might have clicked on a malware link sent on your mobile via ad-hoc or enterprise provisioning.

Ad-hoc provisioning is how app developers can send their apps to devices without going through the app store, and is used by iOS app developers to send out apps for testing to select users. Enterprises are also allowed to send out apps to their employees’ devices via enterprise provisioning.

Threat actors may use these as iOS-focused spamming mechanisms for spreading Xagent spyware apps. If you tend to click on social engineering lures, such as the one which downloads Xagent apps via the poisoned link that says, “Tap Here to Install the Application,” you’re likely to get infected. In this case, the Xagent apps have been found to be self-signed, and not enterprise- or developer-signed, and will only infect jailbroken devices. 

Evidence of Operation Pawn Storm has been traced as far back as 2007. These threat actors are adept at choosing the right mix of methods to get to what they want.

“Apart from effective phishing tactics, the threat actors used a combination of proven targeted attack staples to compromise systems and get into target networks—exploits and data-stealing malware. SEDNIT variants particularly proved useful, as these allowed the threat actors to steal all manners of sensitive information from the victims’ computers while effectively evading detection,” as noted in a detailed Operation Pawn Storm paper by forward-looking threat researchers.

Attacking iOS devices, which are known for their safety and are often used by high-income groups, is a development in the campaign that we will continue to watch out for.

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.

Connect with us on