Exodus iOS Surveillance Software Masqueraded as Legit Apps

Italian firm appears to have developed spyware for lawful intercept purposes, Lookout says.

Researchers at mobile security firm Lookout have discovered iOS versions of a spyware tool that an Italian video surveillance company appears to have designed for so-called lawful intercept purposes by governments.
Non-profit white hat hacker collective Security Without Borders last month had reported discovering several Android versions of the same malware uploaded to Play Store, Googles official mobile app store.
Google removed those apps—which were disguised as service apps from Italian mobile operators—after the company was notified of the problem. Security Without Borders has estimated the total number of infections to be in the high hundreds to potentially one thousand or more.
The iOS version of Exodus, as the malware is called, can steal a range of data from infected systems. Examples include contact information, audio recordings, photos, videos, GPS location information and any other data that can be accessed via an infected devices iOS APIs, says Christoph Hebeisen, senior manager of security intelligence at Lookout. The malware is also capable of doing remote audio recording.
Even so, the iOS versions are not as sophisticated as the Android malware he says. The iOS version can only exfiltrate a limited set of data as it is limited to data it can access via iOS APIs, Hebeisen says. In contrast, the Android version has full root access to the device. So it is capable of accessing and exfiltrating screen shots, text messages, browser histories, call logs, data from third-party messaging apps such as WhatsApp and Telegram and other data as well. Exodus for Android is also designed to keep running even when the screen is switched off.
Both
Security Without Borders
and Lookout believe the software is the work of eSurv, an Italian firm ostensibly focused on video surveillance software and image recognition systems. According to Security Without Borders, eSurv has been developing the spyware since at least 2016.
Several aspects of eSurvs operations suggest the company is well funded and has designed the software for use by law enforcement and other entities to conduct offensive surveillance on people, according to Lookout. Tell-tale signs include the use of certificate pinning and public key encryption for command-and-control purposes and the use of geo-restrictions to ensure the malware is used only in specific geographies.
This is the second instance in the past 18 months where an Italian software firm has been caught quietly distributing surveillance software.
In January 2018, security vendor Kaspersky Lab
reported
on another Italian firm using spoofed web pages to distribute Skygofree, an extremely sophisticated Android spying tool. Kasperksy Lab described the malware as a data-stealer capable of supporting up to 48 different remote commands and controllable via SMS messages, HTTP, and FireBaseCloudMessaging Services. Like Exodus, Skygofree too had a feature that allowed the app to keep running even when other apps are suspended—or put into battery-saving mode.
The iOS version of Exodus is being distributed via phishing sites. To make that possible, the operators of the spyware appear to have abused Apples Developer Enterprise Program, a provisioning mechanism that allows enterprises to distribute proprietary in-house iOS apps to employees without having to use Apples mobile app store.
Apple’s Enterprise Developer program is not involved in the download, Hebeisen notes. eSurv was approved for the Apple Developer Enterprise program, which allowed them to sign the apps with a legitimate-looking enterprise certificate, he notes. Apple has since revoked the certificates that eSurv was using to digitally sign its software.
There is no indication that eSurv ever attempted to upload the signed iOS malware to Apples app store. Instead they hosted the spyware on phishing sites that were designed to appear as mobile carrier sites. Hebeisen says Lookout is presently unsure what lures eSurv is using to direct victims to the phishing websites.
Exodus for iOS executes when a user downloads and launches the app. The malware sets up multiple timers for gathering and uploading specific data on a periodic basis. The data is then queued and transferred to the command-and-control server. The C2 infrastructure that eSurv is using for the iOS version of Exodus is the same as the one being used for the Android version.
Lookout says it does not know potentially how many iOS users might have downloaded Exodus on their systems. All of the telemetry that Lookout has gathered shows the attacks are focused purely on Italian IP addresses. So, the risk to US users is negligible, Hebeisen says.
Its unclear whether eSurv was collecting, or planning to collect mobile data, on any entitys behalf. But there are several companies vying for market share in what some say is a growing market for lawful intercept tools. A recent report from
Allied Market Research
estimated demand for such tools from governments and law enforcement agencies to top $3.3 billion by 2022. New rules and standards by governments seeking to fight technology-enabled crime are driving a lot of the demand, Allied Market Research said.
Related Content:
Kaspersky Lab Warns of Extremely Sophisticated Android Spyware Tool
What Can We Learn from Counterterrorism and National Security Efforts
?
Whose Line Is It? When Voice Phishing Attacks Get Sneaky
2019 Attacker Playbook

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industrys most knowledgeable IT security experts. Check out the
Interop agenda
here.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Exodus iOS Surveillance Software Masqueraded as Legit Apps