An iPhone malware campaign has been tricking users into installing a mobile device management (MDM) enrollment package. The campaign has been active since August 2015 and has infected 13 users in India. Once a device is enrolled, the attackers can steal sensitive information such as the user's phone number, location, serial number, SMS messages, photos, and WhatsApp and Telegram chat messages. The malware has successfully infected a range of iPhone models running iOS versions 10.2.1 to 11.2.6. The attackers gain control by enrolling the device in their MDM, which, if successful, gives them full control of the device. It is unclear exactly how the attackers obtain such extensive permissions; since iOS will not install a configuration profile or complete MDM enrollment without the user accepting the prompts, a great deal of social engineering is believed to be required for the attack to succeed. Two different MDM services have been observed in the attack, both of which enable system-level control of multiple devices from a single location; the second additionally allows the attacker to install and remove apps and to exfiltrate data from them. Researchers claim, "one method of stealing data comes via malicious versions of messaging services like Telegram and WhatsApp being pushed onto the compromised device via fake updates." These malicious apps are side-loaded onto the device, which allows the attacker to execute code, request further permissions, and steal information from the legitimate apps. A false flag was also seen: a Russian email address used in September 2017, believed to be an effort to divert attention away from the real attackers. It is unclear who the attackers are, but users are urged to always be cautious when granting permissions on their mobile device, and in particular to treat any request to install a profile or enroll in device management from an unknown party as hostile.
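The practical check a defender wants from the above is a way to see what an MDM profile would grant before it is installed. The Python script below is an added example written for this page (it is not code from the researchers or from the campaign). It parses a .mobileconfig configuration profile, finds any com.apple.mdm payload, decodes its AccessRights bitmask using the bit values from Apple's Configuration Profile Reference, and flags profiles that grant full control or cannot be removed by the user. The sample profile, its server URLs and identifiers are constructed for the example and do not refer to any real server.

```python
import plistlib

# AccessRights bit values for the com.apple.mdm payload, per Apple's
# Configuration Profile Reference. 8191 (all bits set) means full control.
ACCESS_RIGHTS = {
    1: "inspect installed configuration profiles",
    2: "install and remove configuration profiles",
    4: "device lock and passcode removal",
    8: "device erase",
    16: "query device information (capacity, serial number)",
    32: "query network information (phone/SIM numbers, MAC addresses)",
    64: "inspect installed provisioning profiles",
    128: "install and remove provisioning profiles",
    256: "inspect installed applications",
    512: "restriction-related queries",
    1024: "security-related queries",
    2048: "manipulate settings",
    4096: "app management (install and remove apps)",
}
ALL_RIGHTS = sum(ACCESS_RIGHTS)  # 8191

# Rights that let a remote operator push apps, read identifiers and wipe the
# device: the kind of control an attacker-run MDM relies on (selection is ours).
HIGH_RISK = {2, 8, 16, 32, 4096}


def audit_profile(profile_bytes):
    """Return one finding per MDM payload in an (unsigned) .mobileconfig."""
    profile = plistlib.loads(profile_bytes)
    user_can_remove = profile.get("PayloadRemovalDisallowed") is not True
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.mdm":
            continue
        rights = int(payload.get("AccessRights", 0))
        granted = [name for bit, name in ACCESS_RIGHTS.items() if rights & bit]
        findings.append({
            "server_url": payload.get("ServerURL"),
            "check_in_url": payload.get("CheckInURL"),
            "access_rights": rights,
            "granted": granted,
            "high_risk": any(rights & bit for bit in HIGH_RISK),
            "full_control": rights == ALL_RIGHTS,
            "user_can_remove": user_can_remove,
        })
    return findings


# Constructed sample: an unsigned profile that enrolls the device in a
# hypothetical MDM with every access right and blocks user removal.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.device-update</string>
  <key>PayloadUUID</key><string>6F1E2D3C-0000-4000-8000-000000000001</string>
  <key>PayloadDisplayName</key><string>Device Update</string>
  <key>PayloadRemovalDisallowed</key><true/>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.device-update.mdm</string>
      <key>PayloadUUID</key><string>6F1E2D3C-0000-4000-8000-000000000002</string>
      <key>ServerURL</key><string>https://mdm.example.invalid/mdm</string>
      <key>CheckInURL</key><string>https://mdm.example.invalid/checkin</string>
      <key>Topic</key><string>com.apple.mgmt.External.example</string>
      <key>IdentityCertificateUUID</key><string>6F1E2D3C-0000-4000-8000-000000000003</string>
      <key>AccessRights</key><integer>8191</integer>
      <key>CheckOutWhenRemoved</key><true/>
    </dict>
  </array>
</dict>
</plist>
"""

# Constructed benign comparison: a Wi-Fi-only profile with no MDM payload.
BENIGN_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration", "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.wifi",
    "PayloadUUID": "6F1E2D3C-0000-4000-8000-000000000010",
    "PayloadContent": [{
        "PayloadType": "com.apple.wifi.managed", "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.wifi.guest",
        "PayloadUUID": "6F1E2D3C-0000-4000-8000-000000000011",
        "SSID_STR": "guest", "EncryptionType": "None",
    }],
})


if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_PROFILE), ("benign", BENIGN_PROFILE)):
        for f in audit_profile(blob) or [None]:
            if f is None:
                print(f"{name}: no MDM payload")
                continue
            print(f"{name}: MDM server {f['server_url']} rights={f['access_rights']} "
                  f"full_control={f['full_control']} user_can_remove={f['user_can_remove']}")
            for g in f["granted"]:
                print("   -", g)
```

Signed profiles are CMS-wrapped and must be unwrapped (for example with `openssl smime -verify -noverify -inform DER`) before the plist can be parsed; on an already-enrolled device, Settings > General > VPN & Device Management shows the same server and the "Allow remote management" scope in prose. Any profile that enrolls in an unknown server with the full 8191 mask and removal disallowed should be refused outright.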
By Akshay Rohatgi and Randy Pargman
About this Student Research Project
Binary Defense's mission is