An attacker has used an open-source mobile device management (MDM) system to target iPhones in India.
Although the number of devices compromised so far is small (13), the highly targeted campaign is unusual in that it uses MDM to enroll and control the victims' devices.
MDM is typically used by enterprises as a trusted tool to manage employee smartphones and ensure the devices are properly secured (e.g., hardened with passcodes, not jailbroken, OS up to date, etc.).
Cisco’s Talos security group describes the malicious MDM threat:
“The attacker used the BOptions sideloading technique to add features to legitimate apps, including the messaging apps WhatsApp and Telegram, that were then deployed by the MDM onto the 13 targeted devices in India. The purpose of the BOptions sideloading technique is to inject a dynamic library in the application. The malicious code inserted into these apps is capable of collecting and exfiltrating information from the device, such as the phone number, serial number, location, contacts, user’s photos, SMS and Telegram and WhatsApp chat messages. Such information can be used to manipulate a victim or even use it for blackmail or bribery.”
It is not known how the attacker gained access to the phones, but Talos surmised that social engineering was the likely cause.
Talos also has been working closely with Apple to address the threat. Apple actioned five certificates associated with the bad actor, two of them shortly after being contacted by Talos.
The malicious MDM was used to distribute five malicious apps — two that test the functionality of the device, one that steals SMS message contents, and two that exfiltrate data and report the device's location.
Talos reminds users not to install untrusted apps or certificates:
“By installing a certificate outside of the Apple iOS trusted certificate chain, you may open up to possible third-party attacks like this. Users must be aware that accepting an MDM certificate is equivalent to allowing someone administrator access to their device, passwords, etc.”
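A defender-side check for the advice above, added here as an example and not code from the Talos report or this page: it parses an iOS configuration profile (.mobileconfig) with Python's plistlib and flags MDM enrollment to a server outside an allow-list, an MDM payload that asks for every access right, and any payload that installs a certificate. The sample profile, its hostnames and the allow-list are constructed assumptions.

```python
"""Audit a .mobileconfig before accepting it. Accepting an MDM payload or a
root certificate hands the profile author control of the device, so both are
reported. Example code; the profile below is constructed, not a real sample."""
import plistlib
from urllib.parse import urlparse

MDM_PAYLOAD = "com.apple.mdm"
# Payload types that install certificate material (trust anchors or identities).
CERT_PAYLOADS = {"com.apple.security.root", "com.apple.security.pkcs1",
                 "com.apple.security.pkcs12"}
# AccessRights is a bit mask of 13 right bits; 8191 (2**13 - 1) sets all of them.
ALL_ACCESS_RIGHTS = 8191


def audit_profile(profile_bytes: bytes, trusted_mdm_hosts: set) -> list:
    """Return a list of findings; an empty list means nothing was flagged."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype == MDM_PAYLOAD:
            host = urlparse(payload.get("ServerURL", "")).hostname or "<none>"
            if host not in trusted_mdm_hosts:
                findings.append(f"MDM enrollment to untrusted server {host}")
            if payload.get("AccessRights", 0) >= ALL_ACCESS_RIGHTS:
                findings.append("MDM payload requests all access rights")
        elif ptype in CERT_PAYLOADS:
            name = payload.get("PayloadDisplayName", "unnamed")
            findings.append(f"profile installs a certificate ({ptype}): {name}")
    return findings


# Constructed profile: a root certificate plus full-rights MDM enrollment.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array>
    <dict><key>PayloadType</key><string>com.apple.security.root</string>
          <key>PayloadDisplayName</key><string>Example CA</string></dict>
    <dict><key>PayloadType</key><string>com.apple.mdm</string>
          <key>ServerURL</key><string>https://mdm.example.invalid/mdm</string>
          <key>AccessRights</key><integer>8191</integer></dict>
  </array>
</dict></plist>"""

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE, {"mdm.corp.example"}):
        print("FLAG:", finding)
```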
Users should also think twice before clicking on suspicious links or messages asking them to confirm credentials.