Malware Companies Are Finding New Ways to Spy on iPhones

Thanks to a combination of tight controls and innovative security features, Apple has made the iPhone perhaps the most secure consumer device in the world. But nothing is unhackable, and iOS malware isn’t as rare as many may think.

Earlier this year, Russian cybersecurity firm Kaspersky Lab found evidence that a small government spyware maker called Negg developed a “custom iOS malware that allows GPS tracking and performs audio surveillance activity,” according to a private report the company sent to subscribers. The discovery of Negg’s iOS malware has never been reported outside of Kaspersky.

“We have uncovered an iOS implant,” Kaspersky Lab researcher Alexey Firsh told Motherboard in an email. “We assume that at the moment of discovery it was in a development stage and was not fully adapted to infect potential victims.”

Malware on iOS has always been rare, thanks to the increasing difficulty of jailbreaking iPhones and Apple’s continuous focus on locking down its devices. This has driven prices for iOS bugs and exploits through the roof. Nowadays, companies are willing to pay around $3 million for software that jailbreaks and hacks iPhones—and researchers are reluctant to report bugs to Apple simply because others pay better.

Governments around the world have been willing to spend a fortune on iOS malware. Saudi Arabia paid $55 million to purchase iPhone malware made by NSO Group, according to a recent report by Israeli newspaper Haaretz. There are several companies specializing in iOS malware, such as Azimuth, NSO Group, and others. But despite appearances, iOS malware isn’t only in the hands of big companies and their government customers.

Security researcher Zuk Avraham recently wrote on Twitter that iOS jailbreaks, the basis of any kind of malware for iOS, aren’t as rare as people think, and estimated that there are more than 50 groups who have iOS exploits. While most people believe that only powerful government adversaries have access to iPhone exploits, more discoveries are being made that suggest that lesser-known groups have exploits as well.

Now, even relatively smaller companies have iOS malware.

Earlier this year, Kaspersky Lab reported having found a sophisticated spyware for Android dubbed Skygofree. Sources told Forbes at the time that the spyware was made by Italian government surveillance contractor Negg, a small upstart that isn’t as well known as NSO or Azimuth. While investigating Negg’s Android malware, Kaspersky Lab found that one of its command and control servers pointed to a “rogue Apple [Mobile Device Management] server,” according to the company’s private report.

A source who received the report shared details contained in it with Motherboard on condition of staying anonymous since they were not authorized to share the information.

Mobile Device Management, or MDM, is a feature in iOS that allows companies to manage and monitor devices given to their employees. By installing an MDM profile or certificate on an iPhone, a user gives the MDM owner some control over the device. This mechanism can be used by malware creators. In July, security firm Talos found that a hacking group used MDM to target a few iPhones in India. (Mobile Device Management can be turned on for every iPhone.)
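Added example, not from the original article or from Kaspersky's report: a defender-side check that parses a configuration profile (`.mobileconfig`) and flags any MDM enrollment payload whose server is not on an organization's allowlist. The sample profile, hostnames, allowlist and `AccessRights` value are constructed; the payload type and key names are those of Apple's configuration profile format.

```python
import plistlib
from urllib.parse import urlparse

MDM_PAYLOAD_TYPE = "com.apple.mdm"  # payload type Apple uses for MDM enrollment

def load_profile(raw: bytes) -> dict:
    """Parse a .mobileconfig; signed profiles wrap the XML plist in a CMS
    envelope, so on failure carve the XML out of the surrounding bytes."""
    try:
        return plistlib.loads(raw)
    except Exception:
        start, end = raw.find(b"<?xml"), raw.rfind(b"</plist>")
        if start == -1 or end == -1:
            raise ValueError("no plist found in profile")
        return plistlib.loads(raw[start:end + len(b"</plist>")])

def find_mdm_enrollments(raw: bytes, trusted_hosts: set) -> list:
    """Return one finding per MDM payload, marking unknown servers untrusted."""
    profile = load_profile(raw)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if not isinstance(payload, dict) or payload.get("PayloadType") != MDM_PAYLOAD_TYPE:
            continue  # Wi-Fi, mail, VPN and other payloads are not enrollments
        hosts = {urlparse(payload.get(k, "")).hostname for k in ("ServerURL", "CheckInURL")}
        hosts.discard(None)
        findings.append({
            "profile": profile.get("PayloadDisplayName", "<unnamed>"),
            "hosts": sorted(hosts),
            "access_rights": payload.get("AccessRights"),
            "trusted": bool(hosts) and hosts <= trusted_hosts,
        })
    return findings

def build_sample_profile() -> bytes:
    """Constructed sample: a profile that carries an MDM enrollment payload."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadDisplayName": "Example Profile",  # constructed name
        "PayloadContent": [
            {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "guest"},
            {"PayloadType": MDM_PAYLOAD_TYPE,
             "ServerURL": "https://mdm.example.net/server",    # constructed host
             "CheckInURL": "https://mdm.example.net/checkin",
             "AccessRights": 8191},                            # constructed value
        ],
    })

if __name__ == "__main__":
    for finding in find_mdm_enrollments(build_sample_profile(), {"mdm.corp.example.com"}):
        print(finding)
```
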

Costin Raiu, the head of Kaspersky Lab’s research team, said that Negg’s MDM server is still active. In its private report, Kaspersky Lab researchers wrote that “the code contains many mentions that let us presume that the developer is a small Italian company named Negg.”

Negg did not respond to a message sent to its official information email address. When Motherboard called its office, an employee said she’d refer questions to the company owner, who was not available at the time. Apple did not respond to a request for comment.

It’s unclear how government hackers get the malware on targets’ iPhones. Kaspersky Lab researchers speculated it may be via social engineering “using fake mobile operators sites.” In other words, this malware does not leverage any bugs or exploits in iOS, but instead takes advantage of MDM, which is a specific design feature in the operating system. In this way, it relies on a tried-and-tested social hacking technique: tricking users into installing something. For many years, the average user could essentially click on any link, download any app, and otherwise use their iPhone without worrying about targeted surveillance. That may soon no longer be the case.

In May, Motherboard revealed that Italian cell phone providers were helping cops install malware on suspected criminals’ phones.

According to Ryan Duff, a former Cyber Command hacker who is now director of cyber solutions at Point3, this discovery should not be seen as too worrisome a sign.

“As far as MDM as an injection method for malware, it’s pretty lame,” Duff told Motherboard in an online chat. “As far as risk goes, it’s pretty low. You can’t just force an iPhone to connect to an MDM server. You would have to get them to install a device profile onto their phone. You’d need to social engineer them in some way to installing the profile.”

Raiu said that Kaspersky is not sure how Negg—or its customers—get the malware on the target iPhones. It could either be social engineering, Raiu said, or “even physical access.” Kaspersky is unsure if Negg has any zero days or specific iOS exploits.

Even if MDM-based malware is not as sophisticated as malware that gets injected with expensive and unknown vulnerabilities (or zero-days), once it’s on the phone the result is the same: the hackers, be they criminals or government-sponsored, have access to everything on the phone.

“You’re basically turning over administrative control of your phone to the attacker,” Duff told me. “So of course they can install malware from there.”
