First seen on the Google Play Store in over 20 apps, Exodus was able to obtain root-level access and steal device information of infected Android devices. It is believed that Exodus was created by an Italian app developing company by the name of Connexxa, which has ties to the Italian government. The spyware is now targeting Apple users by posing as legitimate applications. Phishing sites that portray themselves as Turkmenistan and Italian mobile carriers contain the sample. Apps that are infected with Exodus use authentic Apple certificates to make them go under the radar. Victims were even able to install the apps from outside the App Store. The iOS variant can steal contacts, photos, videos, audio notes, and GPS information. Additionally, attackers can also enable audio recording at any time on a device that has been infected. Although this version of Exodus is not as intrusive as the variant found infecting Android devices, it does not mean its capabilities can’t change. Apple has since revoked the certificates that were used to legitimize the malicious apps.
Analyst Notes
Users are suggested to always read reviews of apps online to verify the legitimacy of them. Apps that aren’t used regularly or for specific reasons should be deleted off of the device. Relying on Apple as a means of detecting these malicious apps is not advised. Users may want to add app shielding platforms as an extra layer of detecting suspicious apps.
