
Don’t Jailbreak Your iPhone if You Want to Avoid the Cloud Atlas Malware

Posted on December 15th, 2014 by

Cloud Atlas
Cloud Atlas is the latest purported example of sophisticated state-sponsored malware, said to have snooped on diplomats, oil industry workers and the financial industry, intercepting communications and recording phone calls.

And iPhone and iPad users don't escape entirely unscathed.

According to detailed reports published by Blue Coat and Kaspersky, victims in Russia and other countries around the globe would be duped into opening documents and clicking on links—believing they were going to read an advert for an old diplomatic car or click on a link to an upgraded version of WhatsApp.

The devices most likely to have been affected by the attack, which exploited vulnerabilities in Word's Rich Text Format (RTF) handling, were regular Windows computers, which might find themselves on the receiving end of decoy documents claiming to come from "Mrs World" (seemingly with words taken from a Russian news site), adverts for diesel engine parts, or files called "Diplomatic Car for Sale.doc."

Diplomatic car ad

But the good news is that if you haven't jailbroken your iOS device, Cloud Atlas isn't likely to give you much cause for concern.

The simple truth can't be ignored that there is much much more malware for Windows and Android than there is for Macs and iPhones.

That doesn't mean, of course, that you can afford to be glib when it comes to protecting your Apple devices—but the majority of malware that is created is written for operating systems that weren't developed in Cupertino.

And the sophisticated Cloud Atlas malware (also called "Inception" by some security vendors, but detected by Intego products as iOS/CloudAtlas), which infects Windows computers, BlackBerrys and Android devices, appears to be no different.

It can only exploit Apple's iOS iPhones and iPads if they have been jailbroken.

And, I have to wonder, is jailbreaking as popular today with iPhones and iPads as it was in the past? The addition of new features into iOS 8 (such as share extensions and custom keyboards) has surely chipped away at the attraction of cracking open the operating system and allowing apps from beyond the walled garden of the App Store to be installed.

None of this, of course, makes it any less attractive for a determined hacker (or a foreign government interested in spying on the secrets of others) to attempt to infect whatever brand of mobile phone their target might choose to carry. And that probably explains why security researchers found the iOS malware on the same server that was hosting the Android and BlackBerry trojans.

Blue Coat researchers observed that links to the mobile versions of the Cloud Atlas spyware would be distributed by bogus mailshots, such as this one claiming to be a new version of WhatsApp sent to a Paraguayan government email address:

Malicious email, pretending to be from WhatsApp

Once installed on a jailbroken iOS device, the malware can collect a wide variety of information and transmit it to an FTP account under the attackers' control.

None of this, though, will be successful if you left your iPhone or iPad in its factory state, and declined to jailbreak it to allow unvetted third-party apps to have free rein over your device.

The message is simple: You may have lots of reasons why you want to jailbreak your iPhone, but you are putting yourself at greater risk of compromise via government spyware.

About Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Follow him on Twitter at @gcluley.
  • David A. Woodbury

    What precisely constitutes “jailbreaking”? An example, for instance.

    • Coyote

      Privilege escalation. I.e., breaking from its ‘jail’ (is a Unix concept). Basically rooting it (also Unix terminology). In other words, removing limitations and in this case what you’re able to install (etc.). root access is, all things considered, complete access (of course there could be further protections but that’s another issue entirely).

  • Jason Yeaman

    What are the mechanics behind this malware being installed on a jailbroken handset vs one that has not been jailbroken?

    The author seems to have skipped over that part.

    • Coyote

      Jailbreak is how you install software that isn’t directly from Apple’s app repository, right? I mean isn’t there that limitation? If so, that would answer it. The idea is while you have more power (obviously given you escape the jail) you also have more risks. I’m using a computer analogy because I only have an interest in phones that use copper (or otherwise not mobile) but the idea is similar (the idea does not necessarily imply malware but rather if you loosen the chains on something then whatever could be stopped by the chains, is now not stopped): if you’re logged in as, say, ‘jason’, then if some program (whatever it is, doesn’t have to be malware) or even you make a mistake, it can only affect what you (as jason) have the ability to do. I guess (and this is only a guess – I don’t know for sure) that there isn’t a concept of users in phones. If that is the case, then imagine it: when you have the restrictions removed, that means your entire device is not restricted (in whichever ways the jail restricts).

      This bit: “None of this, though, will be successful if you left your iPhone or iPad in its factory state, and declined to jailbreak it to allow unvetted third-party apps to have free reign over your device.” makes me think that indeed this is the case. There’s other bits of information in it too, that hint at (and I would argue directly state it except that if I don’t know for 100% then I will make that known, not try to claim possibilities as supposed facts).

    • Rich S.

      If jailbroken you can install programs from other than the Apple Store.

      This protection can be disabled in OSX and I believe in IOS without jailbreaking.

      Android has a similar setting in Settings-Security-Unknown Sources so apps from other than Google Play and other “known” sources can be installed.

      • Frank Lazar

        Wrong. That’s the big difference in IOS, you can not install software except from the App Store unless you use a program on a desktop computer to jailbreak the phone. There is no option to allow software to be installed from other sources unless you smash Apple’s barrier first.

  • Rich S.

    Cloud Atlas can only get on a device by “social engineering” or in other words by exploiting the curiosity, stupidity and obliviousness of people. Needs some of all 3.

    What’s interesting (to me) is that unlike IOS rooting/jailbreaking your Android device and using a custom ROM allows you MORE privacy and freedom from adverts.

    If IOS devices were open source I think it would be the same for them.

    Supposedly Android can’t get a virus but is susceptible to other malware. Give it time.
    I bet we’ll see that change.

    For now I use Pac-Man Rom 4.4.4 with the Privacy Guard activated and AdAway installed and no Google apps except Translate, Search/Voice and TTS.

    Privacy Guard blocks all apps, unless specifically allowed, from accessing various data in a granular choice interface.
    So even if Cloud Atlas got on my Android device it would not get any personal data and because of Android’s memory management and install system could be quickly eliminated.
    On a different topic. Feel free to skip to the bottom.

    Yes, I know Search/Voice and Translate sends my queries to its servers.
    I accept that for the added performance.
    Perfect privacy?
    Nope, but probably as good as possible in these days of government and corporate spying.

    I can always use my VPN, Tor, proxies and a couple of other techniques stacked multiple times to make searches if I really care, but since I’m not doing anything immoral or which is illegal in my country it’s not worth the bother.
    Back to Apple and Cloud Atlas.
    Apple has done a pretty good job of protecting people against themselves in IOS8 and as I have said for years Apple is for people with more dollars than cents.
    (Say it out loud substituting money for dollars).
    Actually people who know nothing about computers and are willing to give up liberty for the false sense of security are probably better off paying the inflated prices demanded by Apple.

    “No one ever went broke underestimating the intelligence of the American public”
    Corrupted over time and attributed to H.L. Mencken.

    Actually written: “No one in this world, so far as I know — and I have searched the records for years, and employed agents to help me —
    has ever lost money by underestimating the intelligence of the great masses of the plain people.
    Nor has anyone ever lost public office

    “The mistake that is made always runs the other way.
    Because the plain people are able to speak and understand, and even, in many cases, to read and write, it is assumed that they have ideas in their heads, and an appetite for more.
    This assumption is a folly.”

    H.L. Mencken was a contemporary and to some extent a competitor of Samuel Clemens AKA Mark Twain.

    Unfortunately it’s truer than ever today.

  • Coyote

    You’re right: I would agree. Understand this part of my post:
    I guess (and this is only a guess – I don’t know for sure)
    … means exactly as such: the last time I truly cared about phones (that weren’t at home like rotary or even touch-tone) were the COCOT (customer-owned coin-operated telephones i.e. payphones). I was getting at the concept: that if you don’t have individual users and now your device is free of any restrictions, if the less restrictions also includes installing software, then it applies across the phone. But as for how this specific malware infects? I don’t know – I would have to look into the malware itself. There exist two thoughts in my mind, one being multiple attack vectors and the other being indirectly (which might indeed be the case here):

    Microsoft has been in trouble more than once because they allowed images to hold executable code. This means that a malicious image could run instructions that do any number of things. I seem to think (I don’t have access to Windows without booting a VM) that RTF also allows this and certainly it allows embedding images (or otherwise resources). So that is one possibility. The other is that RTF is only part of it – that it attacks that way as well as others (I think more likely the former would be the case – guessing without looking at it – but even the latter is something to consider (because indeed attacks are not bound to one vector but many (which is why some can attack multiple systems))).