Pawn Storm Spyware Hits Non-Jailbroken iOS Devices


Security researchers have discovered two new malicious iOS apps which can infect even non-jailbroken devices and are being used to spy on targets as part of an ongoing cyber-espionage campaign.

The spyware in question is related to the SEDNIT malware family and has been designed to steal texts, contact lists, pictures and geo-location data; record audio; make screenshots; and send it all to a remote C&C server which is still live, according to Trend Micro.

The security vendor discovered the two malicious apps as part of its ongoing research into Operation Pawn Storm – an APT-style campaign linked to the Russian government targeted at European defense, government and media organizations.

“We found two malicious iOS applications in Operation Pawn Storm,” wrote a trio of Trend Micro researchers in a blog post. “One is called XAgent (detected as IOS_XAGENT.A) and the other one uses the name of a legitimate iOS game, MadCap (detected as IOS_XAGENT.B).”

XAgent is described as “fully functional malware” which hides itself once downloaded to an iOS 7 device and restarts immediately if the user tries to terminate the process. However, it’s not able to do either on iOS 8 devices, Trend Micro said.

The code structure of the malware is described as “very organized, carefully maintained and consistently updated.”

The researchers added:

“The exact methods of installing this malware are unknown. However, we do know that the iOS device doesn’t have to be jailbroken per se. We have seen one instance wherein a lure involving XAgent simply says ‘Tap Here to Install the Application.’ The app uses Apple’s ad hoc provisioning, which is a standard distribution method of Apple for iOS App developers. Through ad hoc provisioning, the malware can be installed simply by clicking on a link, such as in the picture below. The link will lead to https://www.{BLOCKED}/adhoc/XAgent.plist, a service that installs applications wirelessly.”
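The wireless install the researchers describe goes through Apple’s over-the-air (OTA) distribution: an `itms-services://` link points iOS at a manifest `.plist`, and the manifest names the `.ipa` package to install. A defender triaging web proxy logs can therefore flag manifest requests and, for any manifest retrieved, see which bundle it would have installed. The following script is an added example for this article, not code from Trend Micro; the log lines, the manifest and the `example.invalid` hostnames are constructed placeholders, not the campaign’s real infrastructure.

```python
import plistlib
import re
from urllib.parse import parse_qs, urlparse

# Matches the itms-services URL scheme iOS uses to fetch an OTA install manifest.
ITMS_RE = re.compile(r"itms-services://\?[^\s\"'<>]+", re.IGNORECASE)


def find_manifest_urls(log_lines):
    """Return the manifest (.plist) URLs referenced by itms-services links in log lines."""
    urls = []
    for line in log_lines:
        for match in ITMS_RE.finditer(line):
            query = parse_qs(urlparse(match.group(0)).query)
            if query.get("action") == ["download-manifest"]:
                urls.extend(query.get("url", []))
    return urls


def summarize_manifest(manifest_bytes):
    """Parse an OTA manifest and list what it would install: bundle id, title, IPA URL."""
    manifest = plistlib.loads(manifest_bytes)
    summary = []
    for item in manifest.get("items", []):
        package = next((a.get("url") for a in item.get("assets", [])
                        if a.get("kind") == "software-package"), None)
        meta = item.get("metadata", {})
        summary.append({"bundle_id": meta.get("bundle-identifier"),
                        "title": meta.get("title"),
                        "package_url": package})
    return summary


# Constructed sample proxy log lines (hostnames are placeholders, not the real C&C).
SAMPLE_LOG = [
    "10.0.0.5 GET https://news.example.invalid/story.html 200",
    "10.0.0.7 GET itms-services://?action=download-manifest&url=https%3A%2F%2Fadhoc.example.invalid%2Fadhoc%2FXAgent.plist 302",
    "10.0.0.9 GET https://cdn.example.invalid/app.js 200",
]

# Constructed manifest in the shape iOS expects (no real package behind this URL).
SAMPLE_MANIFEST = plistlib.dumps({
    "items": [{
        "assets": [{"kind": "software-package",
                    "url": "https://adhoc.example.invalid/adhoc/XAgent.ipa"}],
        "metadata": {"bundle-identifier": "com.example.madcap",
                     "kind": "software", "title": "MadCap"},
    }]
})

if __name__ == "__main__":
    for url in find_manifest_urls(SAMPLE_LOG):
        print("OTA install manifest requested:", url)
    for app in summarize_manifest(SAMPLE_MANIFEST):
        print("manifest would install", app["bundle_id"], "from", app["package_url"])
```

Manifest requests from devices outside an organisation’s own enterprise or ad hoc distribution flow are worth reviewing, since a legitimate App Store install never uses this path.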

The malware could also be spread via USB after connecting an iOS device to an infected Windows machine, the researchers speculate.

Operation Pawn Storm was first revealed last October and is suspected of being connected in some way to the Russia-Ukraine conflict.
