Posted on April 9, 2019 at 4:53 PM
SwB and Lookout find Android and iOS malware that was originally created for governments, arousing suspicions that it could be a targeted intelligence attack.
Researchers from Security without Borders first found the malware and gave it the name “Exodus”. The installer package was bundled with Android Package (APK) files on well-known phishing sites. That wasn’t the worst of it, as Exodus was later found in a number of apps that were on the Google Play Store. Meanwhile, mobile security firm Lookout found that there were iOS versions of Exodus in the wild as well.
Italian Spyware catching on
Exodus was programmed by an Italian company called eSurv, according to both Security without Borders and Lookout. The Italian security company is known to the public for its video surveillance software and optical recognition systems. According to Security without Borders though, the Italian company has been developing Exodus since 2016 at least.
The Italian company is seen to be an amply financed operation. Lookout says that this funding is for surveillance software that is used by law enforcement and similar entities for offensive purposes. The malware carries several small signs that it is built for such use. One of these signs, they note, is certificate pinning. Another is the use of public key encryption for command-and-control (CNC) traffic. There are also geo-restrictions that only enable the software to work in jurisdictions where the law enforcement agency has the right to operate it.
There has been another Italian firm in the news in the last 18 months. Kaspersky rang the bell on Skygofree. Skygofree is an extremely complex spying tool for use on Android phones. The firm was found to be using spoofed webpages to distribute the spyware. Skygofree steals data and has over 48 different remote commands that it can execute. The software can be controlled via text messages as well as HTTP and Firebase cloud messaging. It was similar to Exodus, as it had code that let it keep running even when other apps were suspended. It would continue running despite the phone being in low power mode.
How Exodus works
Exodus works in three phases. The first phase is data collection from within the infected app. It would take your phone number, IMEI number and other relevant details. In the second phase, this data was sent to a CNC server, which would then push various binary packages to the phone and track the phone's location.
The third phase of the attack would be to use a Linux exploit called DirtyCOW. This exploit grants the attacker root access. Once an attacker has root access, they can basically do anything they want with your device. However, this vulnerability was patched by Google in the Android ecosystem. The exploit has not worked on patched Android phones since 2016, which gives a timeline of how old this software is and how long it has been in use. The flaw has been part of the Linux ecosystem since 2007.
Numbers are suspicious
The number of people that are supposedly infected ranges from hundreds to maybe just one thousand. Software like this would be able to infect far more devices if it were used as a broad-based tool. This has led the two security firms, SwB and Lookout, to believe that it was a targeted attack aimed only at selected people. The program was found on very specific websites and would not be found by the average viewer.
It is the numbers, the sites where the software was distributed and the manner of the attack that lead industry insiders to believe that this was a covert intelligence gathering operation.