On March 29, 2019, Security Without Borders described the discovery of Android spyware it termed Exodus. The story linked the spyware to a company called eSurv with links to Italian government agencies.
Now mobile security firm Lookout has discovered and described iOS versions of the malware. They “were available outside the app store, through phishing sites, and abused the Apple Developer Enterprise program.” Lookout had apparently discovered and analyzed Exodus independently of Security Without Borders. In a new report published April 8, 2019, it adds a few details to the Security Without Borders report, but specifically describes an iOS version of the spyware.
Lookout’s analysis of the Android version led to the discovery of an infrastructure containing several samples of an iOS port. This iOS version was deployed to users outside of the Apple store by abusing Apple’s enterprise provisioning system — which is designed to allow organizations to distribute proprietary, in-house apps to employees without reference to the App Store. Although not a common method of distributing Apple malware, it is not unique.
This method requires a mobile provisioning profile with an enterprise certificate. All the iOS versions used profiles and the certificate of Connexxa SRL, an Italian firm with strong connections to eSurv.
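One practical triage step that follows from this is to look at the provisioning profile bundled with a sideloaded iOS app and ask who signed it and how widely it can install. The following is an added example (not code from Lookout, Security Without Borders, or the page) that extracts the XML plist from a `.mobileprovision` blob and classifies it as enterprise, ad-hoc/development or App Store distribution based on the `ProvisionsAllDevices` flag and `ProvisionedDevices` list; the profile contents, team name and team identifier are constructed placeholders, not Connexxa's real certificate data.

```python
import plistlib
from datetime import datetime, timezone
from urllib.parse import urlparse  # noqa: F401  (kept for symmetry with other triage scripts)

# Constructed sample of a .mobileprovision file. A real profile is a CMS/PKCS#7
# signed blob wrapping an XML plist; this stand-in surrounds the plist with a few
# filler bytes so extract_plist() has something realistic to cut through.
ENTERPRISE_PROFILE = (
    b"\x30\x82\x07\x01filler-cms-header"
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
    b'"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
    b'<plist version="1.0"><dict>\n'
    b"<key>AppIDName</key><string>Constructed Enterprise App</string>\n"
    b"<key>ProvisionsAllDevices</key><true/>\n"
    b"<key>TeamName</key><string>CONSTRUCTED TEAM NAME</string>\n"
    b"<key>TeamIdentifier</key><array><string>ABCDE12345</string></array>\n"
    b"<key>CreationDate</key><date>2019-01-15T10:00:00Z</date>\n"
    b"<key>ExpirationDate</key><date>2020-01-15T10:00:00Z</date>\n"
    b"<key>Entitlements</key><dict>\n"
    b"<key>application-identifier</key><string>ABCDE12345.com.example.app</string>\n"
    b"<key>get-task-allow</key><false/>\n"
    b"</dict></dict></plist>"
    b"\x00\x00filler-signature-bytes"
)

# Constructed ad-hoc profile for contrast: it names specific device UDIDs instead
# of carrying ProvisionsAllDevices.
ADHOC_PROFILE = plistlib.dumps({
    "AppIDName": "Constructed Ad Hoc App",
    "TeamName": "CONSTRUCTED TEAM NAME",
    "TeamIdentifier": ["ABCDE12345"],
    "ProvisionedDevices": ["00008020-00000000000000A0", "00008020-00000000000000B0"],
    "CreationDate": datetime(2019, 1, 15, 10, 0, 0),
    "ExpirationDate": datetime(2020, 1, 15, 10, 0, 0),
    "Entitlements": {"application-identifier": "ABCDE12345.com.example.app"},
})


def extract_plist(raw: bytes) -> bytes:
    """Cut the XML plist out of a signed .mobileprovision blob."""
    start = raw.find(b"<?xml")
    end = raw.find(b"</plist>")
    if start == -1 or end == -1 or end < start:
        raise ValueError("no XML plist found in profile")
    return raw[start:end + len(b"</plist>")]


def classify_profile(raw: bytes, now=None) -> dict:
    """Summarise who signed the profile and how widely it can install apps.

    An enterprise (in-house distribution) profile carries ProvisionsAllDevices=true
    and no device list, so any device that trusts the profile can run the app.
    `now` may be a naive UTC datetime or an ISO-8601 string; plistlib returns
    naive UTC datetimes, so the comparison is done in that form.
    """
    profile = plistlib.loads(extract_plist(raw))
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    if now is None:
        now = datetime.now(timezone.utc).replace(tzinfo=None)

    devices = profile.get("ProvisionedDevices", [])
    if profile.get("ProvisionsAllDevices", False):
        distribution = "enterprise"
    elif devices:
        distribution = "ad-hoc/development"
    else:
        distribution = "app-store"

    entitlements = profile.get("Entitlements", {})
    return {
        "app_name": profile.get("AppIDName"),
        "app_id": entitlements.get("application-identifier"),
        "team_name": profile.get("TeamName"),
        "team_ids": list(profile.get("TeamIdentifier", [])),
        "distribution": distribution,
        "device_count": len(devices),
        "expired": profile.get("ExpirationDate", now) < now,
    }


if __name__ == "__main__":
    for label, blob in (("enterprise", ENTERPRISE_PROFILE), ("ad-hoc", ADHOC_PROFILE)):
        print(label, classify_profile(blob, now="2019-06-01"))
```

On a device or in an IPA the profile lives at `embedded.mobileprovision` inside the app bundle. A result of `"enterprise"` for an app that was not pushed by your own MDM, signed by a team you do not recognise, is exactly the pattern described above and is worth escalating; note that an unexpired profile says nothing about revocation, which is only visible when the device checks the certificate online.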
The iOS version is not as sophisticated as the Android version, but is still able to exfiltrate contacts, audio recordings, photos, videos, GPS location and device information. The malicious code was initialized at application launch without the user’s knowledge. Timers were set up to gather and upload data periodically. The stolen data was queued via HTTP PUT requests to an endpoint on the C2 server, using the same infrastructure as that used by the Android version.
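The timer-driven, periodic HTTP PUT uploads described above are the kind of behaviour a proxy or egress log can surface without any knowledge of the specific sample. The following is an added example (not from Lookout's analysis or the page) that groups upload requests by client, method and host, and flags any group whose inter-request intervals are both numerous and nearly constant; the log lines and the `uploads.example.invalid` host are constructed placeholders, not the real Exodus C2 infrastructure.

```python
import statistics
from datetime import datetime
from urllib.parse import urlparse

# Constructed proxy log: timestamp, client IP, method, URL, status, bytes sent.
# One client uploads a queued batch about every five minutes; the rest is noise.
SAMPLE_LOG = """\
2019-04-01T10:00:00Z 10.0.0.5 PUT https://uploads.example.invalid/api/v1/data 200 48213
2019-04-01T10:00:41Z 10.0.0.5 GET https://www.example.org/ 200 1204
2019-04-01T10:02:10Z 10.0.0.9 POST https://mail.example.org/send 200 3300
2019-04-01T10:04:58Z 10.0.0.5 PUT https://uploads.example.invalid/api/v1/data 200 51002
2019-04-01T10:07:30Z 10.0.0.9 GET https://news.example.org/story 200 22011
2019-04-01T10:10:00Z 10.0.0.5 PUT https://uploads.example.invalid/api/v1/data 200 47750
2019-04-01T10:12:05Z 10.0.0.9 POST https://mail.example.org/send 200 2900
2019-04-01T10:15:00Z 10.0.0.5 PUT https://uploads.example.invalid/api/v1/data 200 49980
2019-04-01T10:19:59Z 10.0.0.5 PUT https://uploads.example.invalid/api/v1/data 200 50144
2019-04-01T10:25:00Z 10.0.0.5 PUT https://uploads.example.invalid/api/v1/data 200 48900
"""


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields."""
    ts, src, method, url, status, size = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src,
        "method": method,
        "host": urlparse(url).hostname,
        "status": int(status),
        "bytes": int(size),
    }


def find_periodic_uploads(log_text: str, min_requests: int = 4,
                          max_cv: float = 0.1, methods=("PUT", "POST")) -> list:
    """Return upload groups whose timing looks timer-driven.

    A group is (client, method, host). It is flagged when it has at least
    `min_requests` requests and the coefficient of variation (stdev / mean)
    of the gaps between them is at or below `max_cv`; human-driven traffic
    rarely keeps that tight a cadence.
    """
    groups = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["method"] not in methods:
            continue
        groups.setdefault((rec["src"], rec["method"], rec["host"]), []).append(rec)

    findings = []
    for (src, method, host), recs in groups.items():
        if len(recs) < min_requests:
            continue  # too few samples to call anything periodic
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        mean_gap = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
        if cv <= max_cv:
            findings.append({
                "src": src,
                "method": method,
                "host": host,
                "count": len(recs),
                "mean_interval_s": mean_gap,
                "cv": cv,
                "bytes_total": sum(r["bytes"] for r in recs),
            })
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for f in find_periodic_uploads(SAMPLE_LOG):
        print(f"{f['src']} {f['method']} {f['host']}: {f['count']} requests, "
              f"every {f['mean_interval_s']:.0f}s, {f['bytes_total']} bytes")
```

The thresholds are deliberately loose starting points; on real traffic you would also want to exclude known sync services and weight by bytes sent, since the upload volume of photos, audio and video is itself a signal. The two-request POST group from the second client falls below `min_requests` and is not reported, which is the intended behaviour.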
Lookout shared its research with Apple, who revoked the affected certificates. As a result, no new instances of this version can be installed on iOS devices, and existing installations will no longer function.
Meanwhile, Claudio Guarnieri (who founded Security Without Borders in December 2016) provided more information on what he describes as ‘a spy scandal in Italy’. In a personal blog post under the name ‘Nex’ on April 4, 2019, Guarnieri explains that the authorities had already started an investigation before Security Without Borders published its expose.
“The prosecutor of Napoli informed the press that an investigation was active on the company and that a few days prior to our publication a judge issued a seizure warrant for eSurv and its assets, as well as another company, STM s.r.l.” This would explain why the eSurv website was inaccessible at the time of SecurityWeek’s first posting on this story. At the time of writing, both the eSurv and Connexxa websites have disappeared.
Guarnieri explains that Exodus had been supplied to numerous public prosecutor’s offices across Italy — but that it didn’t always function correctly. “The prosecutor’s office of Benevento,” he writes, “recently realized, during yet another apparent malfunction, that the Exodus spyware in their use wasn’t exfiltrating and storing data on the local server in the premises of the office (as mandated by Italian law), but on Amazon cloud instances instead.”
The local server supplied to store the intercepts appears to have been fake. “As a matter of fact,” comments Guarnieri, “the press reports, the server provided to the public prosecutor’s office wasn’t even equipped with an Operating System, and contained no data at all. Essentially it was an empty box.”
The Rome Chronicle (in Italian; translation by Google) reports, “They had created a private archive using an Amazon server in Oregon and there they downloaded thousands of photos, videos, private conversations via WhatsApp and other message applications, interview recordings.”
It appears that Exodus is software designed for government agencies to undertake lawful intercepts, but that flaws in the software and possible abuse by its developers meant that it engaged in illegal ‘lawful’ intercepts under Italian law, and then exported personal information from users — potentially innocent users — outside of Europe (in contravention of GDPR).
This appears to be developing into a full-blown Italian scandal. “This software,” comments Guarnieri, “was in use by law enforcement all over Italy.” He adds, “More recent [press] reports are now suggesting that the story might go deeper and darker than originally anticipated. The press is currently suggesting that illegal spying might have been operated on behalf of unknown entities and that this investigation is crossing with separate investigations dealing with corruption in Calabria.”