A new malware has been uncovered by Trend Micro as part of an ongoing investigation into Operation Pawn Storm, a cyber-espionage campaign with political and economic targets. It is designed to steal personal information from devices running iOS 7 and iOS 8, versions that together run on 97 percent of iDevices around the globe. The malware infects iOS devices to collect images, text messages, contact lists, geolocation data, and more.
“We believe the iOS malware gets installed on already compromised systems, and it is very similar to next stage SEDNIT malware we have found for Microsoft Windows’ systems,” the source stated in a blog post.
The firm discovered two malicious iOS applications in the ongoing campaign. It dubbed one XAgent; the other was named after a legitimate iOS game, MadCap. After detailed analysis, it concluded that both apps are associated with SEDNIT.
XAgent can also record audio, obtain the user's Wi-Fi status, and list the installed apps and processes. What is worrying about this malware is that it works on non-jailbroken iDevices. MadCap only performs audio recording and requires a jailbroken iDevice.
XAgent is also thought to have been created before the release of iOS 8, as it works better on devices running iOS 7. Once installed on an iOS 7 device, the app hides its icon and immediately starts running in the background. When a user tries to terminate it by killing its process, it restarts immediately.
On iOS 8 devices, however, the malware behaves differently: the app cannot restart automatically and its icon is not hidden. The malware is installed by tricking iOS users into tapping a link labelled 'tap here to install the app'. From there, ad-hoc provisioning, a mechanism designed to let developers beta-test their apps, comes into play.
The malware can also be installed over a USB cable from a compromised Windows PC.
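The ad-hoc provisioning route described above leaves a trace a defender can check for: an app's embedded provisioning profile records whether the app is limited to specific devices (ad-hoc or development), permitted on any device of one organisation (enterprise), or unrestricted. The Python script below is an added example, not code from the original article or from Trend Micro. It carves the XML plist out of a `.mobileprovision` file (a CMS-signed blob containing the plist), classifies it by the standard `ProvisionedDevices`, `ProvisionsAllDevices` and `get-task-allow` keys, and includes a constructed sample profile so it runs offline. The `Payload/*.app/embedded.mobileprovision` path inside an IPA is standard; treating a profile with neither device key as an App Store distribution profile is an assumption, and the script does not verify the CMS signature (that is the OS's job), so use it for triage only.

```python
"""Triage how an iOS app was provisioned by reading its embedded.mobileprovision.

Added example for the article above; not the original author's or Trend Micro's code.
"""
import plistlib
import re
import sys
import zipfile

# A .mobileprovision is CMS/PKCS#7 DER wrapping an XML plist. For triage we only
# carve the plist out; the signature itself is NOT verified here.
_PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)
_PROFILE_IN_IPA = re.compile(r"Payload/[^/]+\.app/embedded\.mobileprovision")


def extract_plist(profile_bytes: bytes) -> dict:
    """Return the plist dictionary embedded in a raw .mobileprovision blob."""
    match = _PLIST_RE.search(profile_bytes)
    if match is None:
        raise ValueError("no XML plist found inside provisioning profile")
    return plistlib.loads(match.group(0))


def classify_profile(profile: dict) -> str:
    """Classify a provisioning profile plist as enterprise, development, ad-hoc or app-store."""
    entitlements = profile.get("Entitlements", {})
    if profile.get("ProvisionsAllDevices"):
        # In-house (enterprise) distribution: valid on any device, no UDID list.
        return "enterprise"
    if "ProvisionedDevices" in profile:
        # Device-limited profile. get-task-allow permits a debugger to attach,
        # which marks a development build; otherwise it is ad-hoc beta distribution.
        return "development" if entitlements.get("get-task-allow") else "ad-hoc"
    # Assumption: no device restriction at all means an App Store distribution profile.
    return "app-store"


def classify_ipa(path: str) -> str:
    """Open an IPA (a zip) and classify its embedded provisioning profile, if any."""
    with zipfile.ZipFile(path) as ipa:
        profiles = [n for n in ipa.namelist() if _PROFILE_IN_IPA.fullmatch(n)]
        if not profiles:
            # Apps delivered by the App Store carry no embedded profile (assumption).
            return "app-store"
        return classify_profile(extract_plist(ipa.read(profiles[0])))


def constructed_adhoc_profile() -> bytes:
    """Constructed sample: fake DER bytes around an ad-hoc style plist (not a real profile)."""
    plist = plistlib.dumps({
        "Name": "Constructed Ad Hoc Profile",                     # constructed value
        "TeamIdentifier": ["TEAMID_PLACEHOLDER"],                 # placeholder, not a real team
        "ProvisionedDevices": ["00000000-000000000000000A"],      # constructed UDID
        "Entitlements": {
            "application-identifier": "TEAMID_PLACEHOLDER.example.app",
            "get-task-allow": False,
        },
    })
    return b"\x30\x82\x00\x00" + plist + b"\x00\x00"  # not valid CMS, just padding


if __name__ == "__main__":
    if len(sys.argv) == 2:
        print(sys.argv[1], "->", classify_ipa(sys.argv[1]))
    else:
        sample = extract_plist(constructed_adhoc_profile())
        print("constructed sample ->", classify_profile(sample))
```

Run it with the path of an IPA to classify that app, or with no arguments to classify the constructed sample; an "ad-hoc" or "enterprise" result for an app that was supposedly installed from the App Store is the kind of mismatch worth investigating further.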
What can you do as an iOS user?
iOS users will see multiple notifications when the phone tries to install an app, so you have a chance to notice the XAgent app before it causes any damage. Now that you know the application's adverse capabilities, simply avoid installing it on your iDevice.
iOS 7 users have a harder time spotting the download, as the app installs itself and hides its icon while running in the background. Their best defense against the attack is to avoid clicking on any suspicious link that prompts an app download. It is also best to avoid installing an app from a third-party pop-up web page; some pop-ups display attractive app titles crafted by adversaries.
Reading an app's description and user reviews may also help prevent malware installation. iOS may show an 'untrusted app developer' alert for suspicious apps.
Lastly, both iOS 7 and iOS 8 users should install an anti-malware solution on their devices. Such a solution can scan your firmware to detect malicious processes running in the background and back up your critical data to cloud servers. The latter matters in case the malware evades detection and starts deleting files after collecting data.