At Lacoon Security we sleep, breathe and live mobile security. But one question we keep receiving is whether iPhones are in fact hack-proof.

After all, when you hear about malicious apps, such as those that send text messages to premium-rate numbers, you most likely hear about them in the context of Android’s marketplace. Apple’s tight app-approval process, in this case, seems to act as a safety net.

We looked at it differently. What about more focused attacks, those in which surveillance software is planted on the victim’s device without their knowledge, namely spyphones?

Our findings were startling. Not only are iOS devices targeted, but of all the mobile operating systems we observed, they are the most targeted.

A Short Primer on Spyphones

A spyphone is a device infected with mobile-specific surveillance malware whose main purpose is to stealthily gather information such as text messages (SMS), geo-location data, emails and even calendar events. In contrast to rogue applications, where the user at least has a visual indication that an application is installed, spyphone software is tied into the OS and runs without any visible trace. As such, spyphones evade detection by their owners.

Environment

We monitored the cellular traffic to three known and active C&C servers. We performed this activity during two separate monitoring phases: the first sampling was conducted in March 2012, the second in late October 2012. All three C&Cs were located in the US.

While some C&Cs communicate only with devices running a specific OS, the servers we monitored are capable of communicating with most of the popular mobile operating systems: iOS, Android and Nokia Symbian. Monitoring them allowed us to gain real-time insight into the infection rates of the different platforms. In addition, we were able to inspect the content of these communications and see what data the attackers gathered from users’ mobile devices.

All in all, we witnessed traffic originating from more than 200 different infected mobile devices.

Our Findings

1. iOS Infection Rates:

Contrary to common belief, iOS devices are not hack-proof. In fact, most of the communications sent to the monitored C&C servers were attributed to iOS devices, namely iPhones and iPods.

In our first sampling, in which we witnessed 48 compromised devices, an overwhelming 74% of the infected devices were running iOS.

The second sampling showed that 52% of the 175 compromised devices were iOS devices.
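The per-platform figures above are derived by attributing each device that beacons to a C&C server to an operating system and then counting distinct devices per platform. The following script, added here as an illustration rather than Lacoon’s own tooling, shows that attribution and counting over a constructed traffic sample. The record format, the device identifiers and the hostnames (c2-a.example and so on) are hypothetical placeholders, not the real C&C servers; the User-Agent strings are representative of the three platforms the post discusses. Beacons are deduplicated by device identifier, because a chatty device would otherwise inflate its platform’s share.

```python
import re
from collections import defaultdict

# Constructed sample of the kind of record a cellular-traffic tap would yield:
# timestamp, device identifier, destination host, User-Agent string.
# Hostnames and device ids are hypothetical placeholders, not real C&C servers.
SAMPLE_LOG = """\
2012-10-22T08:01:12Z dev-0001 c2-a.example Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X)
2012-10-22T08:01:40Z dev-0002 c2-b.example Dalvik/1.6.0 (Linux; U; Android 4.0.4; GT-I9300 Build/IMM76D)
2012-10-22T08:02:05Z dev-0001 c2-a.example Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X)
2012-10-22T08:03:17Z dev-0003 c2-c.example Mozilla/5.0 (SymbianOS/9.4; Series60/5.0 NokiaN97-1/20.0.019)
2012-10-22T08:04:00Z dev-0004 c2-a.example Mozilla/5.0 (iPod; CPU iPhone OS 6_0 like Mac OS X)
2012-10-22T08:05:33Z dev-0005 c2-b.example Mozilla/5.0 (Linux; U; Android 2.3.6; GT-S5830 Build/GINGERBREAD)
2012-10-22T08:06:48Z dev-0006 c2-b.example Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X)
2012-10-22T08:07:10Z dev-0007 c2-c.example CustomAgent/1.0
"""

# Ordered so that the most specific platform markers are tried first.
OS_PATTERNS = [
    ("iOS", re.compile(r"\b(iPhone|iPod|iPad)\b")),
    ("Android", re.compile(r"\bAndroid\b")),
    ("Symbian", re.compile(r"Symbian|Series60")),
]


def classify_os(user_agent):
    """Map a User-Agent string to one of the three platforms, else 'unknown'."""
    for name, pattern in OS_PATTERNS:
        if pattern.search(user_agent):
            return name
    return "unknown"


def parse_records(text):
    """Yield (timestamp, device_id, host, user_agent) tuples from the log text."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(" ", 3)
        if len(parts) != 4:
            continue  # malformed record: skip rather than mis-attribute it
        yield tuple(parts)


def infection_by_os(text):
    """Count distinct infected devices per OS (beacons deduplicated by device id)."""
    devices_by_os = defaultdict(set)
    for _ts, device_id, _host, ua in parse_records(text):
        devices_by_os[classify_os(ua)].add(device_id)
    return {os_name: len(devs) for os_name, devs in devices_by_os.items()}


def os_share(text):
    """Percentage of the observed infected devices attributed to each OS."""
    counts = infection_by_os(text)
    total = sum(counts.values())
    if total == 0:
        return {}
    return {os_name: round(100.0 * n / total, 1) for os_name, n in counts.items()}


def devices_per_c2(text):
    """Distinct infected devices seen talking to each monitored C&C host."""
    per_host = defaultdict(set)
    for _ts, device_id, host, _ua in parse_records(text):
        per_host[host].add(device_id)
    return {host: len(devs) for host, devs in per_host.items()}


if __name__ == "__main__":
    print("devices per OS:", infection_by_os(SAMPLE_LOG))
    print("share per OS (%):", os_share(SAMPLE_LOG))
    print("devices per C&C:", devices_per_c2(SAMPLE_LOG))
```

On the constructed sample the seven distinct devices split into three iOS, two Android, one Symbian and one that no pattern recognises; dev-0001 beacons twice but is counted once. The "unknown" bucket is worth keeping visible in real data, since a custom agent string is exactly what a surveillance tool that wants to avoid fingerprinting would use.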

The following figure shows the OS distribution among the compromised mobile devices we witnessed during our second sampling:

SpyPhone infection across mobile platforms: iOS, Android and Symbian

2. iOS SpyPhone Varieties:

Our traffic monitoring focused on three C&Cs belonging to the SpyEra, StealthGenie and SpyBubble products. These C&C servers communicated with the infected mobile devices to gather users’ personal and business data such as emails, text messages and geo-location data.

It is interesting to note that although these spyphones ran surreptitiously, gathering and sending out private information, their vendors do not define them as malware. Moreover, downloads and installations are accompanied by disclaimers regarding the permitted usage of the software.

The following screenshots are demos taken from the actual sites which market the spyphone tools:

SpyEra iOS SpyPhone Screen

StealthGenie Control Panel Demo

Why is iOS a Popular Target?

Our findings clearly show a higher proportion of infected iOS devices as opposed to other mobile operating systems. Note that these figures are shares of the infected devices we observed, not rates normalized to each platform’s installed base. The result is seemingly surprising given that, according to IDC’s August 2012 report, Android tops the smartphone market. However, several reasons contribute to the higher number of compromised iOS devices:

1. iOS started the smartphone popularity contest, and it still holds its ground:

As iOS devices were the first to gain smartphone popularity, spyphones targeting this operating system were quick to develop, and they continue to provide their operators with data. With such large amounts of data and increasing numbers of infected iOS devices, attackers feel no pressure to abandon iOS and switch gears towards the other OSes.

2. High-profiled individuals prefer iOS devices:

Content sent to the C&C servers revealed that the attackers were very much interested in business data. Since iOS devices enjoy a high reputation among corporate individuals, such as CEOs, CFOs, sales directors and the like, they are frequently targeted.

3. Users have a false sense of iOS-security:

As previously mentioned, iOS mobile devices are considered more secure than other common platforms. Consequently, owners of these devices are more relaxed about mobile security best practices, and attackers are quick to exploit this false sense of security.

What does the future hold in terms of spyphones? We can only assume that attacks on iOS will increase. As usual in the game of security versus attackers, we have no doubt that attackers are already testing, checking and exploiting new attack vectors. And given that the recent iOS 6 platform update contained 197 security fixes, both sides are clearly working hard at this game.