Operation Triangulation Targets iOS Devices with Novel Malware

While monitoring the network traffic of their dedicated corporate Wi-Fi network for mobile devices, researchers at Securelist detected suspicious activity originating from multiple iOS-based phones. Due to the inherent limitations of inspecting modern iOS devices internally, researchers opted to create offline backups of the devices in question and analyzed them using the Mobile Verification Toolkit's mvt-ios tool. Through this analysis, they uncovered evidence of compromise, leading to the identification of a campaign referred to as "Operation Triangulation."

By examining the mobile device backups, which encompass a partial replica of the filesystem, including user data and service databases, the researchers were able to utilize file and folder timestamps, as well as database records, to reconstruct a rough timeline of events on the compromised devices. The mvt-ios utility facilitated the creation of a sorted timeline file called "timeline.csv," akin to the super-timelines utilized in traditional digital forensic tools.

By leveraging this timeline, researchers successfully pinpointed specific artifacts that indicated the compromise. This discovery propelled their research forward, allowing them to outline the general sequence of infection as follows:

  • The targeted iOS device receives an iMessage containing an exploit-laden attachment.
  • The message triggers a vulnerability within the device, leading to code execution without any user interaction.
  • The exploit proceeds to download several subsequent stages from the command and control (C&C) server, including privilege escalation exploits.
  • Following successful exploitation, a fully-featured advanced persistent threat (APT) platform, serving as the final payload, is downloaded from the C&C server.
  • The initial message and exploit attachment are deleted to cover tracks.

Due to operating system limitations, the malicious toolset lacks persistence; accordingly, the timelines of several devices suggest that they were reinfected after a reboot. The earliest identified traces of infection date back to 2019. As of June 2023, the attack remains ongoing, targeting devices running iOS 15.7, the latest version at the time of writing.

The analysis of the final payload is still ongoing. Running with root privileges, the code implements a range of commands to collect system and user information and can execute arbitrary code obtained as plugin modules from the C&C server.

It is crucial to note that despite the malware incorporating specific code segments dedicated to erasing traces of compromise, it is still possible to reliably determine if a device has been compromised. Additionally, if a new device is set up by migrating user data from an older device, the iTunes backup of both devices will contain traces of compromise with accurate timestamps.

Why Is iOS Phone Malware Difficult to Dissect?

iOS phone malware is generally considered more difficult to dissect compared to malware targeting other operating systems, such as Android. There are several reasons for this:

Closed Ecosystem: iOS is a closed ecosystem, meaning Apple tightly controls the hardware, software, and app distribution on their devices. This closed nature makes it more challenging for malware to gain a foothold and spread within the system.

App Store Review Process: The App Store has a strict review process where each app is screened before it is made available for download. This process helps in preventing malicious apps from being distributed widely. While this does not completely eliminate the possibility of malware slipping through, it does provide an additional layer of protection.

Sandboxing: iOS apps are sandboxed, which means they operate in their own restricted environment and have limited access to the underlying system resources and data. This isolation prevents malware from easily spreading across different parts of the system.

Code Signing and Encryption: iOS apps are required to be signed by a developer certificate issued by Apple. This code signing ensures that only authorized developers can create and distribute apps. Additionally, iOS utilizes strong encryption measures, making it difficult to analyze and tamper with the app's code.

Limited User Privileges: iOS restricts user privileges, preventing apps from accessing sensitive areas of the device without explicit user permission. This limitation reduces the potential impact of malware.

While iOS offers several security features, it is important to note that no system is completely immune to malware. There have been instances of iOS malware, but due to the factors mentioned above, it tends to be less prevalent compared to other platforms. However, as technology advances, malware creators continuously adapt and find new ways to exploit vulnerabilities, necessitating ongoing security measures and vigilance.

June 23, 2023