Cybersecurity researchers have discovered that a sinister new surveillance app first designed for Android users can now target iPhones.
The spyware app, first found by researchers at mobile security company Lookout, abuses an Apple enterprise certificate to bypass Apple’s security checks. Disguised as a carrier assistance app, the malicious software can copy a victim’s contacts, photos, videos, audio recordings and other device data, including their location.
Although there is no evidence as to which devices may have been targeted, researchers found that the app’s servers were hosted on fake sites posing as cell carriers in Italy and Turkmenistan. Experts have linked the software to Connexxa, the developer of the previously discovered Android app called Exodus, which tricked hundreds of victims into installing the spyware. Connexxa, which specializes in surveillance, is also known to have worked with the Italian authorities.
Both the Android and Apple versions of the spyware use the same backend infrastructure to gain access to users’ devices. Although the Android version was available from Google Play, the iOS version is not widely distributed. Instead, Connexxa released the app signed with an enterprise certificate issued by Apple, which allowed the developer to bypass Apple’s strict privacy rules.
However, this loophole is still a violation of Apple’s rules, which specify that enterprise certificates are only for internal use and should not be used to push apps to consumers. After the news broke, Apple revoked the developer’s enterprise certificate, which knocked every app signed with it offline. Researchers are still not sure how many iPhone owners were affected.
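One defender-side check that follows from this, added here as an example and not code from the article, Lookout or Apple: parse an app’s embedded provisioning profile and flag in-house (enterprise) distribution, since an enterprise-signed app on a device outside that organisation’s fleet is exactly the pattern described above. The sample profile is constructed, and its team name and identifier are placeholders.

```python
import plistlib
from datetime import datetime, timezone

# Constructed sample: the XML plist a .mobileprovision carries inside its CMS
# (PKCS#7) signature. Team name and identifier are placeholders, not real values.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Name</key><string>Carrier Assist Distribution</string>
  <key>TeamName</key><string>PLACEHOLDER TEAM NAME</string>
  <key>TeamIdentifier</key><array><string>PLACEHOLDER01</string></array>
  <key>ProvisionsAllDevices</key><true/>
  <key>ExpirationDate</key><date>2030-01-01T00:00:00Z</date>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>PLACEHOLDER01.com.example.carrierassist</string>
    <key>get-task-allow</key><false/>
  </dict>
</dict>
</plist>
"""

def extract_profile(blob: bytes) -> dict:
    """Pull the plist out of a signed .mobileprovision (a bare plist also works)."""
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no XML plist found in provisioning profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def classify_profile(profile: dict, now=None) -> dict:
    """Report the distribution channel a profile allows and flag in-house ones.
    ProvisionsAllDevices=true is an enterprise (in-house) profile: the app runs on any
    device with no App Store review, the loophole abused here; ProvisionedDevices
    instead lists specific UDIDs (ad hoc or development builds)."""
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    entitlements = profile.get("Entitlements", {})
    if profile.get("ProvisionsAllDevices"):
        channel = "enterprise"
    elif "ProvisionedDevices" in profile:
        channel = "development" if entitlements.get("get-task-allow") else "ad-hoc"
    else:
        channel = "app-store"
    return {
        "channel": channel,
        "team": profile.get("TeamIdentifier", [None])[0],
        # Expiry is visible here; certificate revocation (what Apple did) is not.
        "expired": profile.get("ExpirationDate", now) < now,
        # Enterprise-signed apps on devices outside that team's fleet merit review.
        "review": channel == "enterprise",
    }
```

On a real device or IPA the profile is the `embedded.mobileprovision` file inside the app bundle; App Store builds normally carry none at all, which is itself a useful signal.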
This news follows a similar pattern to other privacy scandals that unfolded earlier this year, some of which were perpetrated by America’s tech giants. For example, both Facebook and Google abused their enterprise-only developer certificates to sign invasive apps for consumer download. Apple responded by revoking those certificates, which took the illicit apps offline but also shut down every other internal app signed with the same certificates. This caused a day of chaos in which Facebook was unable to operate at full capacity for an entire working day while Apple issued a new developer certificate.
However, as these reports show, it isn’t only Facebook and Google who are abusing enterprise developer certificates. For example, an investigation conducted by TechCrunch found that numerous illicit porn and gambling apps were signed with enterprise certificates in order to work around Apple’s rules.