Sophisticated spyware targets iPhones and Android — check your phone now

April 9, 2019

By Kim Komando

Apple has long been praised for its dedication to protecting your data, security and privacy on your iPhone. Because of that, everyone seems to be in agreement that iOS is generally much safer than Android.

Why? Well, for one, it’s relatively easier on Android to install apps from third-party sources, either directly from the web, from unauthorized app stores or via locally saved installers (known as “APK” files). On iOS, third-party app sources were traditionally available only on jailbroken iPhones.

However, did you know that there’s a way for developers to install apps on your iPhone without going through Apple’s App Store and its rigorous vetting process? And all this can be done without jailbreaking your gadget!

It’s a growing practice that you really need to watch out for.

This practice obviously leaves you vulnerable to various forms of malicious apps and security exploits. In fact, one such sophisticated spying malware was recently discovered exploiting this loophole.

Read on and see if you’re affected and learn how to protect yourself from this growing security risk on iOS.

Assistenza: The Exodus for iPhones

New findings from cybersecurity firm Lookout revealed that another app was abusing an iOS Enterprise Certificate to bypass Apple’s official App Store in an attempt to infect iPhones with a powerful type of surveillance software.

The app is now known as Assistenza and it is the iOS version of the sophisticated Android spyware app discovered last year called Exodus. Although the Android version was more powerful, allowing complete control of the infected gadget, its iOS counterpart is no slouch either.

It can steal several key pieces of information including:

Where did these apps come from?

Both versions were apparently developed by the same Italian spyware maker, Connexxa (an alleged supplier of surveillance software to Italian authorities), and both pretended to be customer support apps from mobile carriers in Italy and Turkmenistan.

The big difference between the two versions is that while the Android app managed to sneak its way into the official Google Play Store, the iOS app was not distributed via Apple’s App Store.

Instead, the app was signed with a developer’s enterprise certificate, allowing it to be sideloaded without passing Apple’s vetting process.

Note: Security firm Security Without Borders wrote that there were nearly 25 Exodus-infected apps detected in Google’s Play Store in the last two years.

What are these certificates and how can they be abused?

iOS Enterprise Certificates are meant to be used by developers to distribute and test their apps internally via the Apple Developer Enterprise Program. By paying a $300 a year fee, developers can directly deploy apps on iPhones where these certificates are installed, thus bypassing the official App Store and Apple’s review processes.

However, some developers abuse these certificates to distribute questionable apps to the public. From movie and game piracy to porn apps, shady developers use authentic, and oftentimes forged or fake, certificates to let users sideload illegal iOS apps.

You may have seen websites and posts on social media advertising apps that offer free pirated games, videos, music, etc. for your iPhone or iPad, all without jailbreaking your device. Well, stay away. They all do it by abusing these certificates.

Apple explicitly bans public distribution of these certificates since they are meant for the “internal distribution of apps within an organization.”

(Note: Facebook and Google were also accused of abusing these iOS enterprise certificates, prompting Apple to ban their use.)
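The distinction the article draws (an app signed for enterprise, in-house distribution versus one bound to a list of test devices or submitted through the App Store) is recorded in the provisioning profile embedded in the app bundle. The following Python script is an added example written for this page; it is not code from the article, from Lookout or from Apple. It inspects an IPA file the way a security team would when triaging an app pulled from a sideloading site or a managed device: it locates `Payload/*.app/embedded.mobileprovision`, pulls the XML property list out of the CMS wrapper (the plist text is stored uncompressed inside the signed structure, so a byte search is enough for inspection; it does not verify the signature), and reports whether the profile carries the `ProvisionsAllDevices` flag that marks enterprise distribution. The sample IPA and profile are constructed in memory for the demonstration; team name, bundle identifier and device UDID are made-up values.

```python
import datetime
import io
import plistlib
import zipfile


def extract_provisioning_plist(raw: bytes) -> dict:
    """Return the property list embedded in a .mobileprovision blob.

    A provisioning profile is a PKCS#7 SignedData structure whose payload is
    an XML plist. The plist bytes sit uncompressed inside the wrapper, so for
    inspection we locate the <?xml ... </plist> span and parse it. This does
    not check the signature; it only reads what the profile claims.
    """
    start = raw.find(b"<?xml")
    end = raw.find(b"</plist>")
    if start == -1 or end == -1 or end < start:
        raise ValueError("no plist payload found in provisioning profile")
    return plistlib.loads(raw[start:end + len(b"</plist>")])


def classify_profile(profile: dict) -> str:
    """Map provisioning-profile keys to a distribution channel.

    ProvisionsAllDevices=true is the hallmark of an enterprise (in-house)
    profile: it lets the app run on any device that trusts the certificate,
    which is exactly the path the article describes being abused.
    ProvisionedDevices lists specific UDIDs, as in development or ad hoc
    profiles. App Store distribution profiles carry neither key.
    """
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"
    if profile.get("ProvisionedDevices"):
        return "development-or-adhoc"
    return "app-store-or-unknown"


def inspect_ipa(ipa_bytes: bytes) -> dict:
    """Summarise how the app inside an IPA was provisioned."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as zf:
        names = [
            n for n in zf.namelist()
            if n.startswith("Payload/") and n.endswith(".app/embedded.mobileprovision")
        ]
        if not names:
            return {"distribution": "no-embedded-profile"}
        profile = extract_provisioning_plist(zf.read(names[0]))
    return {
        "distribution": classify_profile(profile),
        "team": profile.get("TeamName"),
        "app_id": profile.get("Entitlements", {}).get("application-identifier"),
        "expires": profile.get("ExpirationDate"),
    }


def build_sample_profile(enterprise: bool) -> bytes:
    """Constructed sample: a plist framed by filler bytes standing in for the
    CMS wrapper. All values are made up for the demonstration."""
    payload = {
        "AppIDName": "Example Support App",
        "TeamName": "Example Corp (constructed)",
        "ExpirationDate": datetime.datetime(2030, 1, 1),
        "Entitlements": {"application-identifier": "ABCDE12345.com.example.support"},
    }
    if enterprise:
        payload["ProvisionsAllDevices"] = True
    else:
        payload["ProvisionedDevices"] = ["00008030-constructed-udid"]
    xml = plistlib.dumps(payload)
    return b"\x30\x82\x10\x00" + b"\x00" * 8 + xml + b"\x00" * 8


def build_sample_ipa(profile_bytes: bytes) -> bytes:
    """Constructed sample IPA containing only the files the inspector needs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payload/Support.app/Info.plist",
                    plistlib.dumps({"CFBundleIdentifier": "com.example.support"}))
        zf.writestr("Payload/Support.app/embedded.mobileprovision", profile_bytes)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print(inspect_ipa(build_sample_ipa(build_sample_profile(flag))))
```

On a real file, call `inspect_ipa(open("app.ipa", "rb").read())`; an `enterprise` result for an app offered to the general public is the red flag the article warns about, and the `team` and `expires` fields tell you which certificate holder to report and whether revocation has already taken effect.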

How to stay safe from side-loaded apps

Thankfully, after Lookout shared their findings, Apple has deactivated the app developer’s enterprise certificate, rendering all its installed apps offline and unusable. As of this writing, it’s still unknown how many instances of the spyware app were installed.

Unfortunately, the abuse of iOS enterprise certificates to distribute questionable apps is a growing practice. Entire web storefronts are even being put up solely for this purpose.

For your safety, here are some general rules of thumb to consider before blindly installing an app.

Don’t download apps outside of iTunes, Google Play or Amazon

Both Android and iOS stores have a vetting process and while some malicious apps can slip through the cracks, both stores will work quickly to solve any security issues.

Never install apps from untrusted sources, either directly from the web (Android APKs or via iOS enterprise certificates) or from third party app stores or jailbroken iPhone repositories.

Don’t download an app from an unknown developer

Do a little bit of research with a few clicks. Check out the developer’s website, other apps and the like. If the developer doesn’t seem legitimate, it probably isn’t.

Be cautious with links

Be careful with links and websites you visit. Drive-by malware downloads can happen at any time without you knowing it. Don’t grant any system permissions to prompts coming from unknown sources.

Update your gadget

Make sure that you have downloaded the latest security and operating system updates. These updates usually include patches to help protect your device from the most recent threats.

How to check and uninstall certificates on your iPhone

But how can you tell if you have an enterprise certificate installed on your iOS gadget and how do you remove it?

Here’s how: Open your iPhone or iPad’s “Settings,” tap “General,” then scroll down to “Profiles.” Note: If you don’t see the “Profiles” section, or it’s empty, then you’re good to go; you don’t have any profiles or third-party certificates installed.

Under Profiles, you’ll see various types of configuration profiles, carrier profiles and enterprise developer certificates. If you see anything that you don’t recognize, tap the profile then select “Remove Profile.”


https://www.komando.com/news/devices/hackers-are-now-using-new-techniques-to-install-sophisticated-spyware-on-iphones-are-you-at-risk/