iOS users in India linked to a highly targeted mobile malware campaign.
About a week ago, this campaign against iOS users in India was found to be part of a broader operation targeting multiple platforms, including Windows devices and possibly Android as well.
As reported in our previous article, earlier this month researchers at the Talos threat intelligence unit discovered a group of Indian hackers abusing a mobile device management (MDM) service to hijack and spy on a few targeted iPhone users in India.
Operating since August 2015, the attackers have been found abusing the MDM service to remotely install malicious versions of legitimate apps, including Telegram, WhatsApp, and PrayTime, onto targeted iPhones.
These modified apps have been designed to secretly spy on iOS users, and steal their real-time location, SMS, contacts, photos and private messages from third-party chatting applications.
During their ongoing investigation, Talos researchers identified a new MDM infrastructure and several malicious binaries designed to target victims running Microsoft Windows, hosted on the same infrastructure used in the previous campaigns.
- Ios-update-whatsapp[.]com (new)
Possible Connections with “Bahamut Hacking Group”
Besides this, researchers also found some potential similarities linking this campaign to an older hacking group, dubbed “Bahamut”. Bahamut is an advanced threat actor that previously targeted Android devices using an MDM technique similar to the one used in the latest iOS malware campaign.
The newly identified MDM infrastructure targeted two devices in India and one located in Qatar with a British phone number. The infrastructure was created in January 2018 and used from January to March of this year.
According to the researchers, Bahamut also targeted similar Qatar-based individuals during their Android malware campaign, as detailed by Bellingcat.
Apart from distributing modified Telegram and WhatsApp apps with malicious functionalities, the newly-identified server also distributes modified versions of Safari browser and IMO video chatting app to steal more personal information on victims.
Attackers Using Malicious Safari Browser to Steal Login Credentials
According to the researchers, the malicious Safari browser comes pre-configured to automatically exfiltrate users' usernames and passwords for a variety of web services, including Yahoo, Rediff, Amazon, Google, Reddit, Baidu, ProtonMail, Zoho, Tutanota and more.
The malicious browser contains three malicious plugins (Add Bookmark, Add To Favourites, and Add to Reading List) which, just like the other modified apps, send stolen data to a remote attacker-controlled server.
At this time, it’s unclear who is behind the campaign, who was targeted, and what the motives behind the attack were, but the technical elements suggest the attackers are operating from India and are well-funded.
Researchers said that those infected with this kind of malware need to enroll their devices, which means “they should be on the lookout at all times to avoid accidental enrollment.”
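Because the whole campaign hinges on the victim accepting an MDM enrollment profile, one practical defensive check is to inspect a configuration profile (a `.mobileconfig` XML plist) before it is installed, or during incident triage, and flag MDM payloads that point at an unapproved server, that reference the domain named in the Talos report, that cannot be removed by the user, or that grant the right to install and remove apps. The following is an added example written for this article, not code from Talos or from the original report; the profile contents and the hostname `mdm.corp.example` are constructed placeholders, and the `AccessRights` bit values are taken from Apple's MDM protocol documentation.

```python
import plistlib
from urllib.parse import urlparse

# Domain named in the Talos report (shown defanged on the page as Ios-update-whatsapp[.]com).
KNOWN_BAD_HOSTS = {"ios-update-whatsapp.com"}

# AccessRights bit for "allow app management" in Apple's MDM protocol; 8191 sets
# every defined bit.  Both values come from Apple's MDM documentation.
RIGHT_APP_MANAGEMENT = 4096
ALL_RIGHTS = 8191


def make_profile(server_host, removal_disallowed=False, access_rights=ALL_RIGHTS):
    """Build a minimal constructed .mobileconfig (XML plist) with one MDM payload.
    Used here only to generate sample input; identifiers and hosts are placeholders."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.constructed.profile",
        "PayloadRemovalDisallowed": removal_disallowed,
        "PayloadContent": [{
            "PayloadType": "com.apple.mdm",
            "PayloadIdentifier": "com.example.constructed.mdm",
            "ServerURL": f"https://{server_host}/mdm/server",
            "CheckInURL": f"https://{server_host}/mdm/checkin",
            "AccessRights": access_rights,
        }],
    }
    return plistlib.dumps(profile)


def extract_mdm_payloads(profile_bytes):
    """Parse a .mobileconfig and return only its com.apple.mdm payload dicts."""
    profile = plistlib.loads(profile_bytes)
    return [p for p in profile.get("PayloadContent", [])
            if isinstance(p, dict) and p.get("PayloadType") == "com.apple.mdm"]


def audit_profile(profile_bytes, allowed_hosts):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    # A profile the user cannot remove is a red flag on a personally owned device.
    if profile.get("PayloadRemovalDisallowed"):
        findings.append("profile cannot be removed by the user")
    for payload in extract_mdm_payloads(profile_bytes):
        # Both the command server and the check-in server must be approved hosts.
        for key in ("ServerURL", "CheckInURL"):
            url = payload.get(key)
            if not url:
                continue
            host = (urlparse(url).hostname or "").lower()
            if host in KNOWN_BAD_HOSTS:
                findings.append(f"{key} points at reported campaign domain {host}")
            elif host not in allowed_hosts:
                findings.append(f"{key} points at unapproved MDM server {host}")
        # App management is the capability used to push the trojanised apps.
        rights = payload.get("AccessRights", 0)
        if rights & RIGHT_APP_MANAGEMENT:
            findings.append(f"MDM payload may install and remove apps (AccessRights={rights})")
    return findings


if __name__ == "__main__":
    approved = {"mdm.corp.example"}  # placeholder allowlist for an organisation's own MDM
    suspicious = make_profile("ios-update-whatsapp.com", removal_disallowed=True)
    for finding in audit_profile(suspicious, approved):
        print("FINDING:", finding)
    print("clean profile findings:",
          audit_profile(make_profile("mdm.corp.example", access_rights=0), approved))
```

On a real device the profile to inspect is the one presented at enrollment time (or exported from Settings > General > Profiles during triage); the parser only needs the XML plist bytes, so it works equally on a profile pulled from a phishing page or from MDM server logs.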
The best way to avoid being a victim of such attacks is to always download apps from the official app store.