New iOS spyware targets non-jailbroken devices but requires user intervention to install

A phishing page used to spread XAgent malware. Source: Trend Micro

A malware campaign known in the security industry as "Operation Pawn Storm" has begun to target Apple's iOS devices with a new malicious application that can steal photos, text messages, contacts, and other data from non-jailbroken iPhones, but which cannot be installed without users' consent.

Dubbed XAgent by security firm Trend Micro, the new spyware has been observed using Apple's ad-hoc provisioning system as an infection vector. This functionality is intended for enterprises and developers who wish to distribute apps to a small group of individuals and allows users to bypass the App Store.

This is a cumbersome process which presents multiple notifications to the user that an app will be installed. As a result, Operation Pawn Storm is thought to target specific individuals by infecting those around them in the hope that installation instructions received from their circle of friends or colleagues will be more readily followed.

"The good thing for users is that this isn't something that can be automatically done," Trend Micro executive Jon Clay told Macworld. "There are steps you have to do as a user to install this."

Once installed on devices running iOS 7, XAgent runs without an app icon and is capable of automatically restarting itself. This is not the case on iOS 8 — users would be forced to manually open the app if it closed or the device was restarted, which leads Trend Micro to believe the spyware was designed before iOS 8 was released.

XAgent is designed to collect text messages, contact lists, pictures, geolocation data, information on installed apps and running processes, as well as Wi-Fi status. Additionally, it can be configured to begin recording audio using the device's built-in microphone and transfer those recordings to a command and control server.

As usual, users can mitigate their risk by not clicking on suspicious links, even if they appear to come from a trusted source.

23 Comments

nagromme 22 Years · 2831 comments

They may as well just include "Jailbreak your iPhone" as step one of a malware campaign.

ecats 11 Years · 274 comments

I'm sure if security researchers did some actual work they could probably find exploits more interesting than this. Running to the uninformed press about misusing a built in feature is not an exploit. You might as well provide the instructions: Step 1. Pick up hammer Step 2. Slam hammer down on phone repeatedly OMG, HAMMER is an exploit.

beltsbear 15 Years · 315 comments

What kind of prompt does this bring up?

phone-ui-guy 18 Years · 1018 comments

Quoting BeltsBear: "What kind of prompt does this bring up?" It is a prompt for accepting installation of the application. I think Apple can revoke the certificate of anyone doing this. Not sure how it could be a real threat given that.

thewhitefalcon 10 Years · 4444 comments

Something that needs to be fixed before this becomes an issue is the automatic redirects that websites have now, where it kicks you to the App Store for some garbage freemium game.