Researchers find phishing sites distributing the iOS version of Exodus Android spyware

Exodus is thought to be linked to eSurv, a business unit of Connexxa - currently under investigation by Italian authorities

Researchers from cyber-security firm Lookout have spotted some phishing sites distributing an iOS version of the Exodus Android spyware.

The Android version of this 'surveillanceware' was first discovered a few months back in the official Google Play Store.

According to the researchers, the iOS version of the spyware is less sophisticated than its Android counterpart and has not yet been distributed via the official Apple App Store.


Exodus is thought to be linked to eSurv, a business unit of Italian company Connexxa, which advertises products like surveillance drones and CCTV management systems. It is currently under investigation by Italian authorities.

"Several technical details indicated that the software was likely the product of a well-funded development effort and aimed at the lawful intercept market," Lookout researchers wrote in a post.

"These included the use of certificate pinning and public key encryption for C2 communications, geo-restrictions imposed by the C2 when delivering the second stage, and the comprehensive and well implemented suite of surveillance features."

Once installed on a device, Exodus can secretly extract audio recordings, videos, photographs, contacts, and other confidential information from the smartphone. It can also be remotely triggered to listen to conversations through the microphone.

According to the researchers, the malicious app was distributed through fake sites imitating the websites of mobile carriers in Turkmenistan and Italy (TMCell and Wind Tre SpA, respectively).

The pages on these sites direct victims either to the Google Play Store or to Apple's enterprise-app installation workflow.

Researchers also found that the app was signed with an enterprise distribution certificate issued to Connexxa by Apple. Because such certificates allow an organisation to install apps on devices outside the App Store, the app never had to pass Apple's App Store review.
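The article's point about enterprise certificates suggests a practical defender check: an iOS app installed outside the App Store carries an `embedded.mobileprovision` file, a CMS-signed blob with an XML plist inside, and an in-house enterprise profile sets the `ProvisionsAllDevices` key. The script below is an added example, not code from Lookout or from the article, and it uses a constructed sample profile with fake signature filler and a made-up team name; the key names (`ProvisionsAllDevices`, `ProvisionedDevices`, `TeamName`, `TeamIdentifier`, `Entitlements`) are those used in Apple provisioning profiles. It pulls the plist out of the signed wrapper without verifying the signature, so it is a triage aid for flagging enterprise-distributed apps during an investigation, not a trust decision.

```python
import plistlib
import re

# Constructed sample: the XML plist that sits inside a CMS-signed
# embedded.mobileprovision file. Real files wrap it in a PKCS#7 signature;
# the surrounding bytes here are fake filler standing in for that signature.
SAMPLE_PROFILE = b"\x30\x82\x0c\x41\x06\x09signature-filler" + b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Name</key><string>Constructed In-House Profile</string>
    <key>TeamName</key><string>EXAMPLE ENTERPRISE (constructed)</string>
    <key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
    <key>ProvisionsAllDevices</key><true/>
    <key>Entitlements</key>
    <dict>
        <key>application-identifier</key><string>ABCDE12345.com.example.app</string>
        <key>get-task-allow</key><false/>
    </dict>
</dict>
</plist>""" + b"trailing-signature-filler"

# The plist is plain XML embedded in the signed container, so a non-greedy
# match from the XML declaration to </plist> recovers it without CMS parsing.
PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)


def extract_plist(blob: bytes) -> dict:
    """Return the provisioning profile plist embedded in a signed blob."""
    match = PLIST_RE.search(blob)
    if not match:
        raise ValueError("no XML plist found in provisioning profile")
    return plistlib.loads(match.group(0))


def classify_profile(profile: dict) -> str:
    """Distinguish in-house enterprise profiles from ad-hoc/dev and store ones."""
    if profile.get("ProvisionsAllDevices"):
        # Enterprise in-house distribution: installs on any device, no review.
        return "enterprise-inhouse"
    if "ProvisionedDevices" in profile:
        # Development or ad-hoc profile: limited to an explicit device list.
        return "development-or-adhoc"
    # App Store distribution profiles carry neither key.
    return "app-store-distribution"


def assess(blob: bytes) -> dict:
    """Summarise who signed the profile and whether it warrants a closer look."""
    profile = extract_plist(blob)
    kind = classify_profile(profile)
    entitlements = profile.get("Entitlements", {})
    return {
        "kind": kind,
        "team": profile.get("TeamName"),
        "team_ids": list(profile.get("TeamIdentifier", [])),
        "app_id": entitlements.get("application-identifier"),
        # Enterprise-signed apps bypass App Store review, so flag them for triage.
        "flag": kind == "enterprise-inhouse",
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_PROFILE).items():
        print(f"{key}: {value}")
```

In a real investigation the blob would be read from `Payload/<App>.app/embedded.mobileprovision` inside the unzipped `.ipa`; the `team_ids` value is the field to compare against a list of developer teams the organisation actually expects to see on managed devices.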

On Android, the spyware takes over the victim's device in three phases. First, it establishes a foothold; then it installs a larger second-stage payload containing multiple binaries that set up the surveillance capabilities. Finally, the spyware uses the DirtyCOW exploit to gain root access to the device.

Researchers found that the iOS version of the spyware does not rely on exploits to gain access. Instead, it waits for the user to make a mistake and grant the app the permissions its surveillance tools need.

According to researchers, Google has already removed nearly 25 variants of this spyware from Google Play Store.

The research team will present their findings on the iOS version of Exodus at the Kaspersky Security Analyst Summit in Singapore this week.
