A malware campaign targeting European defense organizations, governments, and media organizations first detected on Windows computers late last year has now spread to iOS devices, according to a report by security researchers at TrendLabs. The spyware campaign, called “Operation Pawn Storm,” has been linked by some researchers to the Russian government, beginning as tensions between Europe and Russia rose over the crisis in Ukraine.
Pawn Storm began with “spear phishing” attacks and targeted Web attacks from fake Outlook webmail pages and “typo-squatting” websites that used site names close to those of legitimate sites. Now, the attack has spread to Apple iOS devices—without having to jailbreak them. “We have seen one instance wherein a lure involving XAgent”—one of the two malware components discovered so far—“simply says ‘Tap Here to Install the Application,’” the researchers reported. The “lure” website then delivers the malware via Apple’s ad-hoc provisioning feature for developers. A .plist file on the remote server will install the application over broadband or Wi-Fi. The user would have to click through a dialog to approve the installation, requiring a higher level of social engineering than most phishing attacks.
Once installed, the XAgent malware connects to a command and control (C&C) server and uploads data from the device, including text messages, contact lists, pictures, Wi-Fi status and Wi-Fi networks connected to, installed apps, and running processes. The malware can also take photos, capture screen grabs, start voice recording, and collect location data on the device. However, it appears the malware was written for iOS 7, and it is unable to hide itself or automatically restart itself on iOS 8 devices. The second malware agent, which is disguised as a game called “MadCap,” is focused on recording audio and only works on jailbroken devices.