Malware & Threats

Cyber Espionage Group Adds iOS Spyware to Its Arsenal: Trend Micro

The threat actors behind the political and economic cyber espionage campaign known as Operation Pawn Storm have started using iOS malware to steal sensitive information from their targets, Trend Micro reported on Wednesday.

The group behind Operation Pawn Storm (also known as APT28, Tsar Team, Sednit and Fancy Bear) has been around since at least 2007. The threat actor, which is believed to be linked to the Russian government, has targeted military, defense industry, government and media organizations from across the world.

Once they infiltrate their targets’ networks, the attackers use sophisticated espionage malware to steal valuable data. These advanced espionage tools now include at least a couple of malicious iOS applications related to the Sednit malware.

One of the iOS spy apps is called XAgent (IOS_XAGENT.A). Once it’s installed on an iOS device, the malware starts harvesting text messages, contact lists, pictures, details on installed apps and processes, Wi-Fi statuses, and geo-location data. The threat is also capable of recording audio, Trend Micro said.

XAgent communicates with its command and control (C&C) server via HTTP. However, experts have determined that the app is also capable of uploading files to a server by using the file transfer protocol (FTP).

The spyware runs in the background and hides its icon to avoid raising suspicion. When its process is terminated, the malware restarts almost immediately. However, according to researchers, these features only work on iOS 7. On iOS 8, the icon is not hidden and the malware doesn’t restart automatically after its process is terminated.

The second iOS spyware identified by Trend Micro is called MadCap (IOS_XAGENT.B). MadCap is similar to XAgent, but the malware only works on jailbroken devices and it’s designed mainly for audio recording.

While they haven’t been able to precisely determine how these pieces of malware are distributed, researchers believe one method could involve infecting iOS devices once they are connected to a compromised Windows computer through a USB cable. Another method relies on ad hoc provisioning, a process used by iOS developers to distribute their applications.

Trend Micro spotted an instance in which XAgent was installed through this method. Victims were presented with a link that said “Tap Here to Install the Application.” The link pointed to a .plist file that installed the spyware wirelessly.
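The wireless install described above relies on the standard iOS over-the-air distribution mechanism: an itms-services:// link whose url parameter points at a manifest .plist naming the bundle identifier and the .ipa to fetch. The following is an added example (not code from Trend Micro or from the article) that parses such a link and manifest from proxy or MDM log review and flags packages that do not come from an allowlisted host; the manifest contents, host names and the allowlist are constructed.

```python
"""Flag unexpected ad hoc (over-the-air) iOS app installs from a manifest .plist."""
import plistlib
from urllib.parse import urlparse, parse_qs

# Hosts the organisation really distributes internal apps from (constructed).
ALLOWED_HOSTS = {"apps.corp.example"}

# Constructed manifest in the standard itms-services manifest layout.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
 <key>items</key><array><dict>
  <key>assets</key><array><dict>
   <key>kind</key><string>software-package</string>
   <key>url</key><string>https://updates.example.invalid/app.ipa</string>
  </dict></array>
  <key>metadata</key><dict>
   <key>bundle-identifier</key><string>com.example.installer</string>
   <key>bundle-version</key><string>1.0</string>
   <key>kind</key><string>software</string>
   <key>title</key><string>Tap Here to Install the Application</string>
  </dict>
 </dict></array>
</dict></plist>"""


def manifest_url_from_link(link):
    """Return the manifest URL carried by an itms-services:// link, or None.

    Only download-manifest actions trigger an install prompt, so anything
    else (including ordinary https links) is ignored.
    """
    parsed = urlparse(link)
    if parsed.scheme != "itms-services":
        return None
    qs = parse_qs(parsed.query)          # parse_qs already percent-decodes
    if qs.get("action") != ["download-manifest"]:
        return None
    return qs.get("url", [""])[0] or None


def inspect_manifest(data, allowed_hosts=ALLOWED_HOSTS):
    """Return [(bundle_id, package_url, suspicious)] for each item in a manifest.

    An item is suspicious when its .ipa is not served over https from an
    allowlisted host; that is the signal to review on a proxy or MDM log.
    """
    findings = []
    for item in plistlib.loads(data).get("items", []):
        meta = item.get("metadata", {})
        pkg = next((a.get("url", "") for a in item.get("assets", [])
                    if a.get("kind") == "software-package"), "")
        loc = urlparse(pkg)
        suspicious = loc.scheme != "https" or (loc.hostname or "") not in allowed_hosts
        findings.append((meta.get("bundle-identifier", "?"), pkg, suspicious))
    return findings
```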

The C&C server used by the iOS threats was still live as of February 4.

In November, ESET reported that the Pawn Storm cyber espionage group had been using a clever piece of malware, Win32/USBStealer, to steal valuable information from air-gapped networks.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.