First discovered by mobile security company Lookout, researchers said that the app’s developer abused their Apple-issued enterprise certificates to circumvent the App Store and infect unwitting users, adding that it appeared to be a ‘well-funded’ endeavour.
Posing as a carrier assistant app, once installed on the device, the app can quietly nab a victim’s contacts, audio recordings, photos, videos, real-time location data and other phone information.
According to the researchers, the app was served from fake sites pretending to be a cell carrier in Italy and Turkmenistan. They were also able to link the app to Connexx, makers of an Android surveillance app known to be used by the Italian authorities.
Exodus, the Android version of the app, infected hundreds of victims. According to a report published by Security Without Borders, the app had almost complete access to the device’s data, including emails, cellular data, WiFi passwords and more.
Adam Bauer, Lookout’s senior staff security intelligence engineer told TechCrunch that both apps used the same backend infrastructure, while the iOS app used several techniques, such as certificate pinning, to make it hard to analyse the network traffic.
“This is one of the indicators that a professional group was responsible for the software,” he said.
Although the Android app was easily downloadable from Google’s app store, the iOS version was not. Bauer asserted that to bypass Apple’s rigorous app store checks, the developers signed the app with an enterprise certificate issued to the developer by Apple but used it for unauthorised purposes in violation of the company’s policies.
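As an added example (not from the article, Lookout or Apple), the following Python checks the kind of distribution an iOS app bundle's `embedded.mobileprovision` grants, which is how a defender can spot enterprise-signed apps that arrived outside the App Store; the profile bytes below are constructed, and the field names (`ProvisionsAllDevices`, `ProvisionedDevices`, `TeamName`, `ExpirationDate`) are the ones Apple's provisioning profiles carry.

```python
import plistlib
from datetime import datetime, timezone
from typing import Optional

# Constructed sample. A real embedded.mobileprovision is a CMS (PKCS#7) signed
# blob wrapping an XML plist; opaque bytes stand in for the DER wrapper here.
SAMPLE_PROFILE = b"\x30\x82\x01\x00(constructed DER prefix)" + b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>AppIDName</key><string>Carrier Assistant (constructed)</string>
    <key>TeamName</key><string>Example Telecom S.p.A. (constructed)</string>
    <key>ProvisionsAllDevices</key><true/>
    <key>ExpirationDate</key><date>2030-01-01T00:00:00Z</date>
    <key>Entitlements</key>
    <dict>
        <key>application-identifier</key><string>TEAMID0000.com.example.carrier</string>
    </dict>
</dict>
</plist>""" + b"(constructed signature trailer)"


def extract_plist(blob: bytes) -> dict:
    """Pull the XML plist out of the CMS wrapper (no signature verification here)."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist found in provisioning profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def classify_profile(blob: bytes, now: Optional[datetime] = None) -> dict:
    """Report who signed the profile, how it may be distributed, and whether it has expired."""
    p = extract_plist(blob)
    now = now or datetime.now(timezone.utc)
    exp = p.get("ExpirationDate")
    if exp is not None and exp.tzinfo is None:     # plistlib returns naive UTC datetimes
        exp = exp.replace(tzinfo=timezone.utc)
    if p.get("ProvisionsAllDevices"):               # enterprise (in-house) distribution
        distribution = "enterprise"
    elif "ProvisionedDevices" in p:                 # development / ad hoc, device-bound
        distribution = "adhoc-or-development"
    else:
        distribution = "app-store"
    return {
        "app_name": p.get("AppIDName"),
        "team_name": p.get("TeamName"),
        "app_id": p.get("Entitlements", {}).get("application-identifier"),
        "distribution": distribution,
        "expired": exp is not None and now > exp,
        # enterprise profiles are meant for an organisation's own staff; one on an
        # ordinary user's phone, from a team the user does not work for, is a red flag
        "sideloaded_enterprise": distribution == "enterprise",
    }
```

Once Apple revokes the enterprise certificate, the signature on the CMS wrapper no longer validates on the device; this check only reads the profile's claims, it does not verify that signature.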
Because the iOS version of the app depended on Apple-provided APIs, users received some form of alert that their sensitive data was being accessed.
For example, the first time the app tried to access the device’s location data, an infected phone would have displayed a dialogue box asking for permission to do so.
After Lookout reported its findings to Apple, the store revoked the enterprise certificate, which means the apps are prevented from being installed on new devices and the ones already installed can no longer run on infected phones.