Mysterious malware campaign targets just 13 iPhones in India

An application-warping malware campaign in India is aimed at just 13 iPhones in what Cisco's researchers are calling a “highly targeted” operation.
Cisco researchers exposed a malware campaign in India (photo courtesy of Cisco Talos).

An application-warping malware campaign in India is aimed at just 13 iPhones in what researchers are calling a “highly targeted” operation.

The attackers are using an open-source mobile device management (MDM) server to distribute the malware through popular apps like Telegram and WhatsApp, researchers from Talos, Cisco’s threat intelligence unit, revealed Thursday. The use of MDM, a popular enterprise tool for administering mobile apps, allows hackers to control how their malware is interacting with the target phones.

“This campaign is of note since the malware goes to great lengths to replace specific mobile apps for data interception,” researchers Warren Mercer, Paul Rascagneres, and Andrew Williams wrote in a blog post.

The researchers don’t know who was targeted in the campaign, who carried out the attack, or why. While the hackers apparently tried to plant a “false flag” by posing as Russian, evidence suggests they were operating in India, according to Talos.


The malicious code injected into the apps can collect and exfiltrate phone and serial numbers, location, contacts, and Telegram and WhatsApp messages. The iPhone users are likely lured into enrolling in the MDM service through a social engineering campaign, according to the researchers. Each step of the enrollment process requires interacting with the user, such as installing a certificate authority on the iPhone.

Apple has revoked 5 certificates linked with the campaign, according to the researchers.

“The likely use of social engineering to recruit devices serves as a reminder that users need to be wary of clicking on unsolicited links and verify identities and legitimacy of requests to access devices,” they wrote.

The growing use of MDM at large organizations means users need to understand that installing additional certificates on devices can expose them to malicious activity, the researchers advised. “By installing a certificate outside of the Apple iOS trusted certificate chain, you may open up to possible third-party attacks like this,” they added.

It’s an open question as to why the malware, which the researchers say has been in use since August 2015, has gone after just 13 iPhones. Asked about this, a Talos spokesperson said that, for now, the researchers won’t be offering additional information beyond the blog post.


“Over a three-year period, the attackers remained under the radar — likely due to the low number of compromised devices,” the blog post states.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts