
New iOS spyware targets non-jailbroken devices but requires user intervention to install

A phishing page used to spread XAgent malware. Source: Trend Micro


A malware campaign known in the security industry as "Operation Pawn Storm" has begun to target Apple's iOS devices with a new malicious application that can steal photos, text messages, contacts, and other data from non-jailbroken iPhones, but which cannot be installed without users' consent.

Dubbed XAgent by security firm Trend Micro, the new spyware has been observed using Apple's ad-hoc provisioning system as an infection vector. This functionality is intended for enterprises and developers who wish to distribute apps to a small group of individuals and allows users to bypass the App Store.

This is a cumbersome process that presents the user with multiple notifications warning that an app will be installed. As a result, Operation Pawn Storm is thought to target specific individuals by first infecting those around them, in the hope that installation instructions received from a circle of friends or colleagues will be more readily followed.

"The good thing for users is that this isn't something that can be automatically done," Trend Micro executive Jon Clay told Macworld. "There are steps you have to do as a user to install this."

Once installed on devices running iOS 7, XAgent runs without an app icon and is capable of automatically restarting itself. This is not the case on iOS 8, where users would be forced to manually reopen the app if it closed or the device was restarted, which leads Trend Micro to believe the spyware was designed before iOS 8 was released.

XAgent is designed to collect text messages, contact lists, pictures, geolocation data, information on installed apps and running processes, as well as Wi-Fi status. Additionally, it can be configured to begin recording audio using the device's built-in microphone and transfer those recordings to a command and control server.

As usual, users can mitigate their risk by not clicking on suspicious links, even if they appear to come from a trusted source.