Spyware Exodus, there is also a variant for iOS
Unearthed by security researchers Lookout, spyware was distributed outside the App Store by abusing enterprise certificates issued by Apple.
Security researchers at Lookout have discovered that a version of the Exodus spyware, originally written for Android devices, has also targeted iOS devices. Its developers, apparently the Italian company eSurv/Connexxa, abused the certificates that Apple issues to companies for the in-house distribution of iOS apps.
The app is disguised as a telephone assistance utility. Once installed, it indiscriminately collects contacts, audio recordings, photos, videos and other information, including real-time geographical coordinates, and it can be remotely activated to listen in on telephone conversations.
Exodus has hit hundreds of users with its extensive spying capabilities and its ability to download an additional exploit that obtains root privileges on the device, giving almost complete access to all the information stored on it.
According to the researchers, both apps use the same backend infrastructure, but the iOS version employs some techniques that make its network traffic harder to analyze. The researchers consider this a clue that a group of professionals is behind the operation.
The Android version was freely available on the Google Play Store, while the iOS version was distributed without going through the App Store, where it would have been subject to Apple's review. So how was it possible to distribute a working iOS app without using the traditional channel?
The researchers explain that, as mentioned above, the spyware developers exploited the enterprise certificates that Apple issues to developers, whose use is strictly limited to internal apps and not to apps distributed to the public.
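As an added illustration (not code from Lookout's report or from this article), here is a defender-side triage of the provisioning profile embedded in an iOS app: a profile that provisions all devices is an enterprise (in-house) profile, and one whose team identifier is not on an organization's allowlist is the kind of sideloaded distribution described above. The sample profile, its team identifier and the allowlist are constructed for the example.

```python
import plistlib
import re

# Constructed sample: the XML plist body of an iOS .mobileprovision file.
# Real profiles wrap this plist in a CMS (PKCS#7) signature; the triage below
# locates the plist by its XML markers and does not verify the signature.
SAMPLE_PROFILE = b"<cms-header-bytes>" + b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Name</key><string>Phone Support Utility</string>
  <key>TeamName</key><string>Constructed Enterprise Team</string>
  <key>TeamIdentifier</key><array><string>ZZZZZZZZZZ</string></array>
  <key>ProvisionsAllDevices</key><true/>
</dict>
</plist>""" + b"<cms-trailer-bytes>"

PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)


def extract_plist(blob: bytes) -> dict:
    """Pull the embedded XML plist out of a CMS-wrapped provisioning profile."""
    match = PLIST_RE.search(blob)
    if not match:
        raise ValueError("no embedded plist found in profile")
    return plistlib.loads(match.group(0))


def classify_profile(profile: dict, trusted_teams: set) -> dict:
    """Classify a profile and flag enterprise profiles from unknown teams."""
    team_ids = set(profile.get("TeamIdentifier", []))
    if profile.get("ProvisionsAllDevices", False):
        kind = "enterprise"          # in-house distribution, any device
    elif "ProvisionedDevices" in profile:
        kind = "ad-hoc/development"  # pinned to listed device UDIDs
    else:
        kind = "app-store"
    # An enterprise profile signed by a team the organization does not know
    # is the signal for sideloaded apps delivered outside the App Store.
    suspicious = kind == "enterprise" and not (team_ids & trusted_teams)
    return {"name": profile.get("Name"), "kind": kind,
            "team_ids": sorted(team_ids), "suspicious": suspicious}


if __name__ == "__main__":
    print(classify_profile(extract_plist(SAMPLE_PROFILE), {"ABCDE12345"}))
```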
After the researchers disclosed their findings, Apple revoked the certificates, putting the eSurv/Connexxa apps distributed with this trick out of action. Since the app was not distributed via the App Store but only through websites disguised as those of mobile phone operators, the extent of the problem is not clear, though it can be assumed to be relatively limited.