MDM Hack Targeted 13 iPhones With Malicious Apps

A highly-targeted attack via MDM (mobile device management) software installed malicious apps onto 13 iPhones. Cisco’s Talos Intelligence Group discovered the MDM hack.

[Apple is Making iPhone Hacking A Lot More Difficult for Law Enforcement with iOS 11.4]

MDM Hack

The attack appears to be in India, and involved the attackers getting 13 iPhones registered with rogue MDM servers. It then pushed out malicious apps that let the attackers track the location of the phones and read SMS messages.

Flowchart of the MDM hack.
MDM hack flowchart. Image credit: Talos

It used a “BOptions” sideloading technique to modify versions of apps like WhatsApp and Telegram. Talos researchers Warren Mercer, Paul Rascagneres, and Andrew Williams wrote a blog post:

The malicious code inserted into these apps is capable of collecting and exfiltrating information from the device, such as the phone number, serial number, location, contacts, user’s photos, SMS, and Telegram and WhatsApp chat messages. Such information can be used to manipulate a victim or even use it for blackmail or bribery.

Two servers identified were:

  • hxxp://ios-certificate-update[.]com
  • hxxp://www[.]wpitcher[.]com

MDM software lets an administrator manage multiple iDevices to install/remove apps, install/revoke certificates, lock devices, change password requirements, etc. The servers were registered with mail.ru addresses.

[MDM Archives – The Mac Observer]

2 thoughts on “MDM Hack Targeted 13 iPhones With Malicious Apps

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.