Hackers Target iOS-Using Government Officials and Journalists in Pawn Storm Malware Attack
Posted on by Graham Cluley
Last October, security researchers released detailed reports about how a criminal hacking gang, possibly backed by a foreign state, was targeting Western governments, military and the media in an operation called “Pawn Storm.”
The hackers’ aim, it was claimed, was to steal information and compromise the Windows computers of targets. And, when you consider that there has been strong speculation that the attack might be being sponsored by the Russian authorities, the list of targets begins to make sense.
Through boobytrapped website attacks—which would silently exploit vulnerabilities and install malware—the hackers ingeniously only hacked likely targets by testing details of the visiting computer (operating system version, language settings, time zone, etc) before attempting infection.
These infections, you will note, were against Windows computers. So, why are we talking about it on the Intego Mac Security blog?
Well, further research has revealed that the Pawn Storm spyware campaign is now also targeting iPhones and iPads.
According to researchers, once a high profile target’s Windows computer has been successfully infected, the attackers “move their next pawn forward” and attempt to install iOS malware.
The important thing to note at this point is that targeted iPhones and iPads do not have to be jailbroken, to be at risk of having the malware installed onto them.
Instead, social engineering is used to trick the user into installing a malicious app onto their iOS device using the ad-hoc provisioning feature that Apple provides for developers who wish to get beta software to testers:
We have seen one instance wherein a lure involving XAgent simply says “Tap Here to Install the Application.” The app uses Apple’s ad hoc provisioning, which is a standard distribution method of Apple for iOS App developers. Through ad hoc provisioning, the malware can be installed simply by clicking on a link, such as in the picture below. The link will lead to https://www.{BLOCKED}/adhoc/XAgent.plist, a service that installs applications wirelessly.
It is also possible that malware could be installed onto iOS devices after they have been connected to a compromised Windows computer via a USB cable.
Like Sednit, the malware found on Windows computers, the attacks against iOS devices appear to be designed to steal personal information—accessing files, listening to conversations, taking screenshots, reading text messages, collecting information on what WiFi networks are connected to, etc, and exfiltrating data back to a command & control server.
Security researchers report that after being installed on iOS 7, the XAgent malware, completely hides itself and runs in the background. If its process is killed, it restarts almost immediately.
On iOS 8, however, its icon is not correctly hidden and it fails to restart properly. One has to wonder if this is because the malware seen so far was created before the release of iOS 8 in September 2014, and whether newer, more compatible versions are now being used in attacks.
As always, if you feel that your organization may be at risk, be sure to remind your users to be on their guard against unusual communications, and to be extremely wary of any messages encouraging them to install apps onto their devices.
Ensure that you are running up-to-date software on your gateways, and on your desktops and laptops, to reduce the chances of a hack being successful.
How can I learn more?
Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.
You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: