Cybercriminals often cast a wide net in their attacks, hoping to capture the largest number of people and, consequently, the greatest paycheck. But this is not always the case: In a recent campaign, hackers used a mobile device management (MDM) system to run a highly targeted attack against just 13 iPhones located in India, according to researchers from Cisco Talos.
The attack, detailed in a Thursday Cisco Talos blog post, took advantage of an open-source MDM system to control the devices, the researchers found. It remains unknown how the attacker was able to enroll the targeted devices: the two possibilities are physical access to the devices or, more likely, social engineering that tricked each victim into granting the attacker access.
The attacker then infected the devices with malware that replaces specific mobile apps in order to intercept data, according to the post. They used the BOptions sideloading technique to add features to legitimate apps, including WhatsApp and Telegram, which were then deployed to the targeted phones. By injecting malicious code into these apps, the hacker could collect information from the device, such as the phone number, serial number, location, contacts, photos, SMS messages, and chat messages.
Five specific applications had been distributed through the MDM to 13 targeted devices in India, the researchers found. Two of the apps appeared to test device functionality, one steals SMS message content, and the final two report the device's location and can gather more data.
The malware has been in use since August 2015, the researchers found. It appears to have originated in India as well, though the identity of the targets and the perpetrator remains unclear.
Apple had already actioned three certificates associated with the campaign when Talos alerted the company to the issue, and actioned two others once the researchers identified them as part of the same threat, the post said.
As MDM becomes more popular in large enterprises, IT leaders and users should be aware that installing certificates on devices to allow remote management can sometimes result in malicious activity, the post noted. If you install a certificate outside of a trusted operating system certificate chain, you may be more likely to get hit by a third-party attack like this. The case is also a reminder to educate employees on how to recognize spear phishing attacks, and to be wary of clicking on suspicious links.
“Users must be aware that accepting an MDM certificate is equivalent to allowing someone administrator access to their device, passwords, etc.,” the post said. “This must be done with great care in order to avoid security issues and should not be something the average home user does.”
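The advice above (treat an MDM profile as administrator access; distrust certificates installed outside the operating system's own trust chain) can be turned into a pre-installation check. The following is an added example, not code from Cisco Talos or from the article, that inspects an Apple configuration profile (`.mobileconfig`, a property list) and reports the payloads that matter for this risk: an MDM enrollment payload, any certificate payloads, and a profile that the user is not allowed to remove. It assumes the profile is a plaintext plist (a signed profile is CMS-wrapped and would need to be unwrapped first), and the sample profile it audits is constructed inline with placeholder server and certificate values.

```python
import plistlib

# Payload types Apple defines for configuration profiles.
MDM_PAYLOAD_TYPE = "com.apple.mdm"
CERT_PAYLOAD_TYPES = {
    "com.apple.security.root",    # installs a trusted root CA
    "com.apple.security.pkcs12",  # installs an identity (certificate + private key)
    "com.apple.security.pkcs1",   # installs a plain certificate
}


def audit_profile(profile_bytes):
    """Return a list of findings for a plaintext .mobileconfig blob.

    Each finding is a dict with 'kind' and 'detail'. The caller decides
    whether any finding is acceptable; an MDM enrollment in a profile that
    arrived by e-mail or a web link should be treated as a red flag.
    """
    profile = plistlib.loads(profile_bytes)
    findings = []

    # A profile the user cannot remove keeps the enrollment in place silently.
    if profile.get("PayloadRemovalDisallowed"):
        findings.append({"kind": "removal-locked",
                         "detail": profile.get("PayloadDisplayName", "")})

    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype == MDM_PAYLOAD_TYPE:
            # The ServerURL is who gets administrator-level control of the device.
            findings.append({"kind": "mdm-enrollment",
                             "detail": payload.get("ServerURL", "")})
        elif ptype in CERT_PAYLOAD_TYPES:
            findings.append({"kind": "certificate",
                             "detail": payload.get("PayloadDisplayName", "")})
    return findings


# Constructed sample (placeholder hostname and certificate bytes): a profile
# labelled as Wi-Fi settings that actually locks itself in, adds a root CA and
# enrolls the device with an MDM server.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "example.profile",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadDisplayName": "Company Wi-Fi",
    "PayloadRemovalDisallowed": True,
    "PayloadContent": [
        {
            "PayloadType": "com.apple.security.root",
            "PayloadVersion": 1,
            "PayloadIdentifier": "example.profile.ca",
            "PayloadUUID": "00000000-0000-0000-0000-000000000002",
            "PayloadDisplayName": "Example Root CA",
            "PayloadContent": b"<der-encoded-certificate-placeholder>",
        },
        {
            "PayloadType": "com.apple.mdm",
            "PayloadVersion": 1,
            "PayloadIdentifier": "example.profile.mdm",
            "PayloadUUID": "00000000-0000-0000-0000-000000000003",
            "ServerURL": "https://mdm.example.invalid/mdm",
            "Topic": "com.apple.mgmt.placeholder",
            "IdentityCertificateUUID": "00000000-0000-0000-0000-000000000002",
        },
    ],
})


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print(f"{finding['kind']:16} {finding['detail']}")
```

Run against a real profile with `audit_profile(open("profile.mobileconfig", "rb").read())`. The check is deliberately about what the profile asks for, not who signed it: a profile that enrolls the device with an MDM server the organisation does not operate is the thing to stop, regardless of how trustworthy its signer looks, and a display name such as "Company Wi-Fi" says nothing about what the payloads actually do.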
The big takeaways for tech leaders:
- Hackers used an MDM system to run a highly targeted attack against 13 iPhones located in India, according to Cisco Talos research.
- Enterprise MDM users should not install remote management certificates outside of trusted operating system options, and should be wary of spear phishing attacks.