Malware + Security News

Hackers Target iOS-Using Government Officials and Journalists in Pawn Storm Malware Attack

Posted on February 4th, 2015 by Graham Cluley

Last October, security researchers released detailed reports about how a criminal hacking gang, possibly backed by a foreign state, was targeting Western governments, military and the media in an operation called "Pawn Storm."

The hackers' aim, it was claimed, was to steal information and compromise the Windows computers of their targets. And, when you consider the strong speculation that the attack is sponsored by the Russian authorities, the list of targets begins to make sense.

The hackers compromised victims through booby-trapped websites, which silently exploited vulnerabilities and installed malware. Rather than attacking every visitor, they fingerprinted each visiting computer (operating system version, language settings, time zone, etc.) and attempted infection only when the details matched a likely target.

These infections, you will note, were against Windows computers. So, why are we talking about it on the Intego Mac Security blog?

Well, further research has revealed that the Pawn Storm spyware campaign is now also targeting iPhones and iPads.

According to researchers, once a high profile target's Windows computer has been successfully infected, the attackers "move their next pawn forward" and attempt to install iOS malware.

The important thing to note at this point is that targeted iPhones and iPads do not have to be jailbroken to be at risk of having the malware installed onto them.

Instead, social engineering is used to trick the user into installing a malicious app onto their iOS device through the ad hoc provisioning feature that Apple provides for developers who want to get beta software to testers. (One caveat worth bearing in mind when assessing your own exposure: an ad hoc provisioning profile only runs on devices whose UDIDs were registered with the developer account when the profile was built, whereas an enterprise distribution certificate carries no such limit. Either way, the over-the-air install link looks the same to the user.)

We have seen one instance wherein a lure involving XAgent simply says "Tap Here to Install the Application." The app uses Apple’s ad hoc provisioning, which is a standard distribution method of Apple for iOS App developers. Through ad hoc provisioning, the malware can be installed simply by clicking on a link, such as in the picture below. The link will lead to https://www.{BLOCKED}/adhoc/XAgent.plist, a service that installs applications wirelessly.

[Image: the "Tap Here to Install the Application" lure]
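The quoted lure works because iOS treats a link of the form itms-services://?action=download-manifest&url=https://.../something.plist as an over-the-air app install request: the device fetches the manifest plist, reads the package URL and bundle identifier from it, and prompts the user to install. The following is an added example (not code from the article or from the Pawn Storm researchers) showing how a defender can pull such links out of a captured e-mail or web page and inspect the manifest they point at. The host www.example.invalid, the bundle identifier com.example.xagent, the manifest contents and the lure snippet are all constructed for illustration; only the itms-services URL scheme and the manifest plist layout are Apple's real, documented format.

```python
"""Extract iOS over-the-air (OTA) install links and inspect their manifests.

Added example for the article above, not code from the page or the
researchers it quotes. Assumptions: the lure uses Apple's standard
itms-services:// scheme and the manifest follows Apple's OTA plist layout.
All sample data below is constructed; the real XAgent manifest is not
reproduced anywhere on the page.
"""
import html
import plistlib
import re
from urllib.parse import parse_qs, urlparse

# Constructed lure fragment in the style of the "Tap Here" page described above.
SAMPLE_LURE = """
<p>Your session has expired. Please update the application.</p>
<a href="itms-services://?action=download-manifest&amp;url=https://www.example.invalid/adhoc/XAgent.plist">
Tap Here to Install the Application</a>
"""

# Constructed manifest in Apple's OTA format: one item, one software-package asset.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>items</key>
  <array>
    <dict>
      <key>assets</key>
      <array>
        <dict>
          <key>kind</key><string>software-package</string>
          <key>url</key><string>https://www.example.invalid/adhoc/XAgent.ipa</string>
        </dict>
      </array>
      <key>metadata</key>
      <dict>
        <key>bundle-identifier</key><string>com.example.xagent</string>
        <key>bundle-version</key><string>1.0</string>
        <key>kind</key><string>software</string>
        <key>title</key><string>Application</string>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""

# An itms-services link runs from the scheme to the next whitespace or HTML delimiter.
ITMS_LINK = re.compile(r"itms-services://\?[^\s\"'<>]+")


def extract_manifest_urls(text):
    """Return the manifest URLs named by download-manifest links in text.

    HTML entities (&amp;) are unescaped first so query parsing sees raw '&'.
    """
    urls = []
    for match in ITMS_LINK.finditer(html.unescape(text)):
        query = parse_qs(urlparse(match.group(0)).query)
        if query.get("action") == ["download-manifest"]:
            urls.extend(query.get("url", []))
    return urls


def summarise_manifest(manifest_bytes):
    """Parse an OTA manifest plist and list what it would install.

    Returns one dict per item with the bundle identifier, the title shown
    to the user at the install prompt, and the .ipa package URL(s).
    """
    plist = plistlib.loads(manifest_bytes)
    summary = []
    for item in plist.get("items", []):
        meta = item.get("metadata", {})
        packages = [
            asset.get("url")
            for asset in item.get("assets", [])
            if asset.get("kind") == "software-package"
        ]
        summary.append({
            "bundle_id": meta.get("bundle-identifier"),
            "title": meta.get("title"),
            "packages": packages,
        })
    return summary


def untrusted_manifest_urls(text, trusted_hosts):
    """Manifest URLs whose host is not one of the organisation's own
    distribution servers (a hypothetical allowlist supplied by the caller)."""
    return [
        url for url in extract_manifest_urls(text)
        if urlparse(url).hostname not in trusted_hosts
    ]


if __name__ == "__main__":
    for url in untrusted_manifest_urls(SAMPLE_LURE, {"beta.corp.example"}):
        print("untrusted OTA manifest:", url)
    for entry in summarise_manifest(SAMPLE_MANIFEST):
        print(entry)
```

Run against real mail or proxy captures, the first function gives you the manifest URLs to fetch (from a sandbox, not a production device); the second tells you which bundle identifier and package the prompt would install, which is what you hand to your incident responders and, if the host is not one you recognise, to your web proxy blocklist.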

It is also possible that malware could be installed onto iOS devices after they have been connected to a compromised Windows computer via a USB cable.

Like Sednit, the malware found on Windows computers, the attacks against iOS devices appear to be designed to steal personal information: accessing files, listening to conversations, taking screenshots, reading text messages, collecting information on which Wi-Fi networks the device connects to, and so on, then exfiltrating the data to a command-and-control server.

Security researchers report that after being installed on iOS 7, the XAgent malware completely hides itself and runs in the background. If its process is killed, it restarts almost immediately.

On iOS 8, however, its icon is not correctly hidden and it fails to restart properly. One has to wonder if this is because the malware seen so far was created before the release of iOS 8 in September 2014, and whether newer, more compatible versions are now being used in attacks.

As always, if you feel that your organisation may be at risk, be sure to remind your users to be on their guard against unusual communications, and to be extremely wary of any messages encouraging them to install apps onto their devices.

Ensure that you are running up-to-date software on your gateways, and on your desktops and laptops, to reduce the chances of a hack being successful. Where iOS devices are managed through MDM, consider restricting app installation to the App Store, which closes off the over-the-air install route altogether.

About Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Follow him on Twitter at @gcluley.
  • SoSibOcestBon

    This answers my query. I have long suspected that OSX was more secure than Windows because it was a smaller target and only partly its less familiar security structure: in fact it's the same thing. Had the Macintosh opened its architecture in the generic franchise as had the 86 or IBM had done it seems highly unlikely to be associated with the epithet of a 'secure' system. In a reversal of fortunes expensive PCs with 2% of the market would revel in the prized epithet as Apple's past and present product do now. I agree with Mr Cluley that after a long cat and mouse game involving Microsoft and hackers dragging on the challenge for hackers seeking more than the humdrum war against a large and ungainly enemy was to turn their destructive talents to a more eloquent OS. With a more marriageable CPU architecture than existed with original Apple hardware and software new exploits were no longer so daunting (if they ever deserved to be!). All Apple devices are now fully in range of attack. Yet there is a bright spot of logic: if Apple has been keeping a close watch over the last two decades it can mount a defense Microsoft can only dream of. This does depend on the wisdom of its security advisors and implementers. Arrogance and a narrow minded (nay dishonest) array of marketing ploys would be bad for us all.