How iPhones Are Being Turned Into Nasty Spyphones

Over the past two years, numerous reports have streamed out of security vendors warning about threats affecting Android devices, with almost no attention paid to iOS attacks. It has been assumed attackers are focusing on Android due to its more open nature, avoiding iOS because of Apple’s locked down security model.

But various security researchers and fresh data, exclusively revealed to TechWeekEurope, may challenge that assumption. Whilst Apple has its App Store well secured from malware, from a targeted attack perspective, iOS is far from invulnerable and iPhone wielding business execs appear to be attracting mobile-focused hackers.

Spyphones hitting iOS hard?

One firm has seen iOS being targeted heavily by hackers using spyphones – surreptitious software designed to watch over personal and business data, letting the attackers view all the victim’s emails, text messages and geo-location information, according to Lacoon Security, an Israeli mobile security company.

Spyphones are not typical mobile malware, nor are they rogue applications, which have become a growing problem for Android. Earlier this month, F-Secure found a startling 51,447 unique malware samples aimed at Google’s OS in the third quarter, up from 5,033 in Q2.

In contrast to rogue apps, where the user has a “visual indication of the installed application”, spyphones are tied to the OS, meaning they can hide from the victim, Lacoon explained. That makes them far more effective at carrying out surveillance or nefarious data slurping operations.

Lacoon provides mobile security by looking at activity across a network as well as on the device itself, rather than using the old anti-virus method of tracking signatures. That’s why it was able to gather information on actual installations of spy software, as it looked at cellular traffic to three known and active C&C servers, all based in the US.

The vendor focused on three kinds of spyphone, all of which are openly marketed on the Internet as useful for spying on families and employees: SpyEra, SpyBubble and StealthGenie. They all appear to be legitimate services, but require someone to hack into the target’s phone first, circumventing Apple’s protections.

In their disclaimers, the spyphone creators warn users that they need to get permission from the legal owners of the devices on which they wish to plant the software. Regardless of their legality, Lacoon believes they are being used widely by “malicious operators”.

TechWeekEurope reached out to the companies, asking about use of their software. SpyEra said it had never heard of its products being used by cyber criminals, nor would it ever promote it in that way or support illegal use of its software. It said its customers included families wanting to watch over their children and companies wanting to keep tabs on employees.  “Our software is not a virus, or trojan. It has to be [installed] by human action,” the company noted. It did not provide any figures on customers when asked, however.

At the time of publication, the other spyphone creators had not responded to a request for comment.

Lacoon found that this type of software was far more prevalent on iOS than on any other mobile operating system. A sampling in March this year showed an overwhelming 74 percent of the 48 infected devices it found ran iOS.

The second sampling from October showed 52 percent of the 175 compromised devices were running iOS. That was compared to 35 percent for Android.

These samplings gave a “small, yet significant, taste of what’s out there”, according to Lacoon. Spyphone rates globally will be far higher.

The results are even more surprising given hackers have to jailbreak the iOS machine before the surveillance software can be uploaded. Jailbreaking an iPhone requires an action on the device, such as opening a PDF or visiting a specific website. The most common method, however, is to physically jailbreak the device via the USB connection. Fortunately for the person planting the software, the spyphone kit hides the fact that the phone has been jailbroken, thereby avoiding jailbreak detection offered by various vendors.

All this indicates iPhones are being turned into spyphones in highly targeted campaigns, possibly where attackers are accessing the phones physically. According to Ohad Bobrov, CTO and co-founder of Lacoon Security, a trained individual can jailbreak a device and upload malware to an iPhone in “about the time the device’s owner leaves their phone on the table to grab a cup of coffee”.

Bobrov said businessmen and women were the main targets of the spyphone campaigns. “Content sent to the C&C servers revealed that the attackers were very much interested in business data,” he told TechWeekEurope. “Since iOS devices hold a high reputation amongst corporate individuals – such as CEOs, CFOs, sales directors, and the likes – they are frequently targeted.”

Attackers would only continue to come up with innovative ways to crack iPhones, to make it easier to install malware on Apple devices, Bobrov added.

Busting the myth of flawless iOS security

Other surveillance software has also been seen running on iOS. FinSpy, produced by British firm Gamma International, was spotted earlier this year with iOS compatibility. FinSpy Mobile forms part of the FinFisher lineup of spy products from Gamma, some of which had allegedly found their way into the hands of repressive regimes in Syria and elsewhere to target activists.

In September, security firm CrowdStrike warned that, following a leak of one million Apple Universal Device IDs (UDIDs), there were over one million targets which could have been targeted using the FinSpy “Ad-Hoc distribution mechanism”, which requires attackers to know UDIDs, “coupled with an existing or new exploit/jailbreak”.

Many attackers have sought to exploit the numerous vulnerabilities found in iOS, which, historically, have been plentiful. When iOS 6 was released, it addressed 197 vulnerabilities resident in the previous version of the OS.

“The recent spate of iOS fixes (and improvements in security measures) is partly attributable to the increased interest in exploiting the platform, but is also a result of Apple’s increased vigilance when it comes to security on the iOS / OSX platforms,” director and founder of Azimuth Security, Mark Dowd, told TechWeekEurope.

“The cases of iOS hacks that I’ve seen are all from jailbreaks (and public presentations), but I’m sure there is sufficient interest from criminal enterprises that they’d make attempts to find flaws in the platform.”

Dowd said there had been vulnerabilities in almost all layers of Apple’s mobile devices – kernel weaknesses, boot loader weaknesses, remotely exposed vectors, such as the browser and SMS stack, and local applications present on the default system. “These are all pretty serious.”

The general message coming from the community is that users should not carry their iPhones around with such a false sense of security. And maybe think twice before jailbreaking their phones too.

How well do you know Internet security? Try our quiz and find out!

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

View Comments

  • The operative piece in this quite slanted article is “The cases of iOS hacks that I’ve seen are all from jailbreaks (and public presentations), but I’m sure there is sufficient interest from criminal enterprises that they’d make attempts to find flaws in the platform.”

    It was never Apple's intention to permit jailbreaking as a option on iOS. Other than the usual anti-Apple innuendo, the author offers no hard evidence of this happening to a non-jailbroken iPhone.

    • Dave - true, but the real risk is if the bad guys can get their hands on the phone (probably fairly easily!) for a short while, they jailbreak and install the spywear.

      Making it worse is that one suppliers spywear hides the jailbreak. In a way this makes security on iPhone worse than Android as people presume its secure - Android you don't!

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

3 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

3 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago