Novel malware attack used mobile device management

Security researchers have made public a malware campaign that used enterprise mobile device management servers to gain total control of Apple iPhones in order to intercept and steal data from users.

Cisco's Talos security division discovered the novel attack which it said was highly targeted, striking only 13 iPhones in India.

The attacker had somehow managed to enroll the iPhones with two open source iOS MDM servers, which provided full control of the devices.

Once the devices were enrolled with the MDM server, a dynamic link library was injected into apps such as WhatsApp and Telegram on the iPhones.

Five malicious applications deployed by the attacker were used to test the functionality of the device, stealing SMS contents, exfiltrating data and sending location information.

The security researchers were not able to ascertain how the attacker had enrolled the devices onto the MDM server, a multi-stage process that requires user interaction to install digital certificates.

Enrollment could be achieved with physical device access, but Talos suspect it took place through social engineering, where users are tricked to accept malicious code being installed on their iPhones and click through prompts.

Installing certificates of unknown provenance could be very dangerous for users, Talos warned.

"By installing a certificate outside of the Apple iOS trusted certificate chain, you may open up to possible third-party attacks like this.

Users must be aware that accepting an MDM certificate is equivalent to allowing someone administrator access to their device and passwords, Talos stressed.

This must be done with great care in order to avoid security issues and should not be something the average home user does," the researchers wrote.

Talso notified Apple which has revoked the five digital certificates used by the attacker, whom the researchers believe is India-based despite using Russian email addresses.