
Hackers Target iOS-Using Government Officials and Journalists in Pawn Storm Malware Attack


Last October, security researchers released detailed reports about how a criminal hacking gang, possibly backed by a foreign state, was targeting Western governments, military organisations and the media in an operation called “Pawn Storm.”

The hackers’ aim, it was claimed, was to steal information and compromise the Windows computers of their targets. And when you consider the strong speculation that the attack is being sponsored by the Russian authorities, the list of targets begins to make sense.

Through booby-trapped website attacks, which would silently exploit vulnerabilities and install malware, the hackers ingeniously attacked only likely targets, fingerprinting the visiting computer (operating system version, language settings, time zone, etc.) before attempting infection.

These infections, you will note, were against Windows computers. So, why are we talking about it on the Intego Mac Security blog?

Well, further research has revealed that the Pawn Storm spyware campaign is now also targeting iPhones and iPads.

According to researchers, once a high profile target’s Windows computer has been successfully infected, the attackers “move their next pawn forward” and attempt to install iOS malware.

The important thing to note at this point is that targeted iPhones and iPads do not have to be jailbroken to be at risk of having the malware installed on them.

Instead, social engineering is used to trick the user into installing a malicious app onto their iOS device using the ad hoc provisioning feature that Apple provides for developers who wish to distribute beta software to testers. The device still shows an install prompt, so the attack depends on the user tapping through it:

We have seen one instance wherein a lure involving XAgent simply says “Tap Here to Install the Application.” The app uses Apple’s ad hoc provisioning, which is a standard distribution method of Apple for iOS App developers. Through ad hoc provisioning, the malware can be installed simply by clicking on a link, such as in the picture below. The link will lead to https://www.{BLOCKED}/adhoc/XAgent.plist, a service that installs applications wirelessly.

Tap to install
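The wireless install described in the quote above has two observable artifacts: the itms-services:// link the victim taps, and the manifest .plist it points at, which in turn names the .ipa to download. Both are plain text, so a web proxy or mail gateway can pick them out. The script below is an added example written for this post, not code from the article, from Intego or from the Trend Micro researchers, and it contains nothing from XAgent: the manifest is a constructed one in Apple's documented OTA format, the hostnames (updates.example.invalid, mdm.corp.example) are hypothetical, and the log lines are constructed. It parses a manifest to show what an attacker's link actually installs, and flags OTA install links in proxy logs whose manifest is not hosted by the organisation's own MDM.

```python
"""Inspect iOS over-the-air (OTA) install links and manifests.

An ad hoc / enterprise OTA install works in two steps: the user taps an
itms-services:// link that names a manifest .plist, and iOS fetches that
manifest to learn where the .ipa lives. Both are plain text.
"""
from __future__ import annotations

import plistlib
from urllib.parse import parse_qs, urlparse

# Constructed example manifest in Apple's OTA manifest format.
# The hostname and bundle identifier are hypothetical.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>items</key>
  <array>
    <dict>
      <key>assets</key>
      <array>
        <dict>
          <key>kind</key><string>software-package</string>
          <key>url</key><string>https://updates.example.invalid/adhoc/payload.ipa</string>
        </dict>
      </array>
      <key>metadata</key>
      <dict>
        <key>bundle-identifier</key><string>com.example.fieldnotes</string>
        <key>bundle-version</key><string>1.0</string>
        <key>kind</key><string>software</string>
        <key>title</key><string>Field Notes</string>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""


def parse_manifest(data: bytes) -> list[dict]:
    """Return one record per app the manifest would install."""
    plist = plistlib.loads(data)
    apps = []
    for item in plist.get("items", []):
        meta = item.get("metadata", {})
        package_urls = [a.get("url") for a in item.get("assets", [])
                        if a.get("kind") == "software-package"]
        apps.append({
            "title": meta.get("title"),
            "bundle_id": meta.get("bundle-identifier"),
            "version": meta.get("bundle-version"),
            "package_urls": package_urls,
        })
    return apps


def manifest_url_from_link(link: str) -> str | None:
    """Pull the manifest URL out of an itms-services:// link; None if it is not one."""
    parsed = urlparse(link)
    if parsed.scheme != "itms-services":
        return None
    query = parse_qs(parsed.query)
    if query.get("action") != ["download-manifest"]:
        return None
    urls = query.get("url")
    return urls[0] if urls else None


def flag_ota_links(log_lines, trusted_hosts):
    """Return (manifest_url, host) for each OTA install link whose manifest
    is not served from a trusted host (e.g. the organisation's own MDM)."""
    flagged = []
    for line in log_lines:
        for token in line.split():
            manifest = manifest_url_from_link(token)
            if manifest is None:
                continue
            host = (urlparse(manifest).hostname or "").lower()
            if host not in trusted_hosts:
                flagged.append((manifest, host))
    return flagged


# Constructed proxy log lines; all hostnames are hypothetical.
SAMPLE_LOG = [
    "2015-02-04T10:12:03Z 10.1.2.3 GET itms-services://?action=download-manifest&url=https://mdm.corp.example/apps/expenses.plist",
    "2015-02-04T10:15:47Z 10.1.2.9 GET itms-services://?action=download-manifest&url=https://updates.example.invalid/adhoc/payload.plist",
    "2015-02-04T10:16:02Z 10.1.2.9 GET https://updates.example.invalid/adhoc/payload.ipa",
]
TRUSTED_MDM_HOSTS = {"mdm.corp.example"}

if __name__ == "__main__":
    for app in parse_manifest(SAMPLE_MANIFEST):
        print(f"manifest installs {app['bundle_id']} ({app['title']}) from {app['package_urls']}")
    for manifest, host in flag_ota_links(SAMPLE_LOG, TRUSTED_MDM_HOSTS):
        print(f"untrusted OTA manifest host {host}: {manifest}")
```

The allowlist is the whole point: legitimate OTA installs in a managed fleet come from a small, known set of MDM or internal distribution hosts, so any itms-services:// manifest elsewhere is worth a look, and the manifest itself tells you which bundle identifier and .ipa the user was being asked to trust.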

It is also possible that malware could be installed onto iOS devices after they have been connected to a compromised Windows computer via a USB cable.

Like Sednit, the malware found on Windows computers, the attacks against iOS devices appear to be designed to steal personal information: accessing files, listening to conversations, taking screenshots, reading text messages, collecting information on which WiFi networks the device connects to, etc., and exfiltrating the data back to a command & control server.

Security researchers report that after being installed on iOS 7, the XAgent malware completely hides itself and runs in the background. If its process is killed, it restarts almost immediately.

On iOS 8, however, its icon is not correctly hidden and it fails to restart properly. One has to wonder if this is because the malware seen so far was created before the release of iOS 8 in September 2014, and whether newer, more compatible versions are now being used in attacks.

As always, if you feel that your organization may be at risk, be sure to remind your users to be on their guard against unusual communications, and to be extremely wary of any messages encouraging them to install apps onto their devices.

Ensure that you are running up-to-date software on your gateways, and on your desktops and laptops, to reduce the chances of a hack being successful.


About Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Follow him on Twitter at @gcluley.