DATAINSIDER

Digital Guardian's Blog

Mobile Attack Campaign Used MDM to Intercept Traffic

by Dennis Fisher on Wednesday July 18, 2018


Researchers recently discovered a narrowly focused attack that targets iPhone users with data-stealing, location tracking malware.

Security researchers have uncovered a narrowly targeted attack campaign that used a malicious mobile device management (MDM) system to sideload compromised versions of messaging apps and intercept traffic flowing through the targeted devices.

The campaign includes a number of different components, most importantly several untrusted digital certificates, the MDM server itself, and the replacement versions of popular apps such as Telegram and WhatsApp. Researchers from Cisco’s Talos team discovered the campaign recently and found that it affected 13 users in India. The researchers are unclear how the attacker managed to enroll the devices in the MDM system, but speculate that it likely involved some combination of physical access to the devices and social engineering.

MDM systems are used in enterprises and other organizations to manage some of the functionality of phones and tablets. Organizations often restrict which apps users can install on managed devices and may require devices to run the latest operating system version before they can access corporate resources. In the campaign the Talos researchers discovered, the attackers got the targeted users to install the attackers' untrusted certificates on their devices and then enroll in the malicious MDM service, a process that required several separate user interactions. Once that was done, the attackers used a special method to sideload their own malicious versions of Telegram, WhatsApp, and other apps onto the devices, replacing the legitimate versions that were already installed.

This gave the attackers access to the messages going in and out of the apps, which normally are encrypted.
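The enrollment described above leaves a recognizable artifact on the device: an iOS configuration profile carrying an MDM payload that points at a server the organization does not own, usually bundled with a root-certificate payload. The following is an added defensive example, not code from the post or from Talos, that audits such a profile. It assumes a hypothetical allowlist of the organization's own MDM hosts and a constructed sample profile; the host names in it are placeholders, not indicators from the campaign.

```python
import plistlib
from urllib.parse import urlparse

# Constructed sample, shaped like an iOS .mobileconfig enrollment profile:
# one MDM payload pointing at a look-alike host plus one root-CA payload.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.enroll</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>ServerURL</key><string>https://ios-certificate-update.example/mdm</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadDisplayName</key><string>Support CA</string>
    </dict>
  </array>
</dict></plist>"""

# Hypothetical allowlist: the organization's own MDM server(s).
TRUSTED_MDM_HOSTS = {"mdm.corp.example"}
# Tokens an attacker may use to make an enrollment host look official.
LOOKALIKE_TOKENS = ("ios", "apple", "icloud")


def audit_profile(profile_bytes, trusted_hosts=TRUSTED_MDM_HOSTS):
    """Return findings for a plain-XML configuration profile.
    Assumes a CMS-signed profile has already been unwrapped to its plist."""
    findings = []
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype == "com.apple.mdm":
            host = (urlparse(payload.get("ServerURL", "")).hostname or "").lower()
            if host not in trusted_hosts:
                findings.append(f"mdm-unknown-server:{host}")
                if any(tok in host for tok in LOOKALIKE_TOKENS):
                    findings.append(f"mdm-lookalike-host:{host}")
        elif ptype == "com.apple.security.root":
            # A root CA bundled with enrollment lets the server's traffic be trusted.
            findings.append("root-ca-install:" + payload.get("PayloadDisplayName", "?"))
    return findings


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print(finding)
```

Run against profiles pulled from a device backup or an MDM enrollment request, the check separates an expected corporate enrollment (allowlisted host, no surprise root CA) from the pattern seen in this campaign.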


“The purpose of the BOptions sideloading technique is to inject a dynamic library in the application. The malicious code inserted into these apps is capable of collecting and exfiltrating information from the device, such as the phone number, serial number, location, contacts, user's photos, SMS and Telegram and WhatsApp chat messages. Such information can be used to manipulate a victim or even use it for blackmail or bribery,” Talos researchers Warren Mercer, Paul Rascagneres, and Andrew Williams wrote in a post on the operation.

“This gives the attacker a significant level of control over the victim device(s). This process is used similarly to a large-scale enterprise using MDM solutions. It is likely that the user is advised that the certificate must be installed to allow enrollment. This is most likely performed via a social engineering mechanism, i.e. a fake tech support-style call.”

The attackers used a domain that looked somewhat legitimate and included iOS in the domain name, a way to give victims a level of comfort. The certificates used in the attack include email addresses in Russia, which the Talos team theorized is likely a feint, as all of the victims in this operation are in India. Once the attackers had a device enrolled in the MDM system, they installed several different apps, one of which was basically a benign app to test the sideloading injection technique.

“The compromised versions of the Telegram and WhatsApp applications used in this campaign are more interesting and relevant. They first contain the same malicious code. The purpose is to send collected data to a C2 server located at hxxp[:]//techwach[.]com,” the Talos team said.

Although this campaign hit only a small number of victims, it had been running for several years: the C2 server used in the operation has been online since August 2015.

Tags: Mobile Security, Malware

Dennis Fisher

Dennis Fisher is editor-in-chief at Duo Security. He is an award-winning technology journalist who has specialized in covering information security and privacy for the last 15 years. Prior to joining Duo, he was one of the founding editors of On the Wire, Threatpost and previously covered security for TechTarget and eWeek.