Researchers Identify iOS Espionage App

Smartphones, Feb 4, 2015

While researching Operation Pawn Storm, Trend Micro found one interesting poisoned pawn: spyware specifically designed for espionage on iOS devices. While spyware targeting Apple users is highly notable by itself, this particular spyware is also involved in a targeted attack.

Operation Pawn Storm is an active economic and political cyber-espionage operation that targets a wide range of entities, like the military, governments, defense industries, and the media.

The actors behind Pawn Storm tend to first move a lot of pawns in the hope that they come close to their actual, high-profile targets. When they finally succeed in infecting a high-profile target, they might decide to move their next pawn forward: advanced espionage malware.

The iOS malware Trend Micro found is one such piece of advanced malware. The security intelligence firm believes the iOS malware gets installed on already compromised systems, and it is very similar to the next-stage SEDNIT malware that had been found for Microsoft Windows systems.

Trend Micro found two malicious iOS applications in Operation Pawn Storm. One is called XAgent (detected as IOS_XAGENT.A) and the other uses the name of a legitimate iOS game, MadCap (detected as IOS_XAGENT.B). After analysis, the firm concluded that both applications are related to SEDNIT.

The obvious goal of the SEDNIT-related spyware is to steal personal data, record audio, take screenshots, and send them to a remote command-and-control (C&C) server. As of this publishing, the C&C server contacted by the iOS malware is live.

After being installed on iOS 7, the XAgent app's icon is hidden and the app immediately runs in the background. If the process is killed in an attempt to terminate the app, it restarts almost immediately.

Installing the malware on an iOS 8 device yields different results. The icon is not hidden, and the app cannot restart automatically. This suggests that the malware was designed prior to the release of iOS 8 in September 2014.

The app is designed to collect all kinds of information on an iOS device. It is able to perform the following routines:

  • Collect text messages
  • Get contact lists
  • Get pictures
  • Collect geo-location data
  • Start voice recording
  • Get a list of installed apps
  • Get a list of processes
  • Get the Wi-Fi status

Besides collecting information from the iOS device, the app sends the information out via HTTP. It uses POST requests to send messages and GET requests to receive commands.

Trend Micro has not identified the exact methods of installing the malware. However, the iOS device doesn't have to be jailbroken per se. Researchers have seen one instance wherein a lure involving XAgent simply says "Tap Here to Install the Application." The app uses Apple's ad hoc provisioning, which is a standard Apple distribution method for iOS app developers. Through ad hoc provisioning, the malware can be installed simply by clicking on a link.
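For defenders triaging a suspicious IPA, the provisioning profile embedded in the app bundle shows how the build was meant to be distributed. The following is an added example, not code from Trend Micro or from the original article; the sample profile is constructed, the function names are hypothetical, and the classification relies on the standard profile keys `ProvisionedDevices`, `ProvisionsAllDevices` and the `get-task-allow` entitlement.

```python
import io
import plistlib
import zipfile

def extract_profile_plist(raw: bytes) -> dict:
    # A .mobileprovision is a CMS (PKCS#7) envelope around an XML plist.
    # Triage only: the signature is not verified here.
    start, end = raw.find(b"<?xml"), raw.rfind(b"</plist>")
    if start == -1 or end < start:
        raise ValueError("no embedded plist found")
    return plistlib.loads(raw[start:end + len(b"</plist>")])

def classify_profile(profile: dict) -> str:
    if profile.get("ProvisionsAllDevices") is True:
        return "enterprise"          # in-house profile: any device
    if profile.get("ProvisionedDevices"):
        ents = profile.get("Entitlements", {})
        # get-task-allow=true marks a debuggable development build
        return "development" if ents.get("get-task-allow") else "ad-hoc"
    return "unknown"

def triage_ipa(ipa: bytes) -> dict:
    with zipfile.ZipFile(io.BytesIO(ipa)) as z:
        names = [n for n in z.namelist()
                 if n.startswith("Payload/")
                 and n.endswith(".app/embedded.mobileprovision")]
        if not names:
            return {"distribution": "no embedded profile"}
        profile = extract_profile_plist(z.read(names[0]))
    return {
        "distribution": classify_profile(profile),
        "team": profile.get("TeamName"),
        "devices": len(profile.get("ProvisionedDevices", [])),
    }

def constructed_ipa(profile: dict) -> bytes:
    # Constructed sample: placeholder CMS bytes around a generated plist.
    blob = b"\x30\x82\x0b\x1f" + plistlib.dumps(profile) + b"\x00sig"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Sample.app/embedded.mobileprovision", blob)
    return buf.getvalue()

SAMPLE = constructed_ipa({
    "TeamName": "Example Team (constructed)",
    "ProvisionedDevices": ["0" * 40, "1" * 40],  # constructed UDIDs
    "Entitlements": {"get-task-allow": False},
})

if __name__ == "__main__":
    print(triage_ipa(SAMPLE))
```

An ad hoc profile installs only on the device identifiers it lists, so the `ProvisionedDevices` entries in a recovered sample help scope which devices the build was prepared for.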

There may be other methods of infection that are used to install this particular malware. One possible scenario is infecting an iPhone after connecting it to a compromised or infected Windows laptop via a USB cable.
