Well-funded surveillance operation infected both iOS and Android devices

Enlarge (credit: Maurizio Pesce Follow)

Researchers recently discovered a well-funded mobile phone surveillance operation that was capable of surreptitiously stealing a variety of data from phones running both the iOS and Android operating systems. Researchers believe the malware is so-called “lawful intercept” software sold to law-enforcement and governments.

Exodus, as the malware for Android phones has been dubbed, was under development for at least five years. It was spread in apps disguised as service applications from Italian mobile operators. Exodus was hidden inside apps available on phishing websites and nearly 25 apps available in Google Play. In a report published two weeks ago, researchers at Security without Borders said Exodus infected phones estimated to be in the “several hundreds if not a thousand or more.”

Exodus consisted of three distinct stages. The first was a small dropper that collected basic identifying information about the device, such as the IMEI and phone number, and sent it to a command-and-control server. A second stage was installed almost immediately after the researchers’ test phone was infected with the first stage and also reported to a control server. That led researchers to believe all phones infected with stage one are indiscriminately infected with later stages.