Take care, spyware is slipping into your phones through Operation Poisoned News

Wednesday 30 September 17:00 - 17:30, Green room

Nelson William Gamazo Sanchez (Trend Micro)
Lilang Wu (Trend Micro)
Elliot Cao (Trend Micro)
Ecular Xu (Trend Micro)



Around January 2020, we discovered a watering hole attack against iOS users in Hong Kong that our team named "Operation Poisoned News". The name came from the tactics employed for targeting users, consisting of designing web pages with multiple iframes to load an iOS exploit and disguising them as local news pages. Links to the crafted web pages were posted on multiple popular forums in Hong Kong and people accessing those links were infected if they had an unpatched iPhone device.

The iOS exploit was designed to exploit iOS versions between 12.1 and 12.2 on several iPhone models up to iPhone X. Once users have been compromised a full spying malware is installed on their phones.

The iOS malware, which we dubbed lightSpy, is a modular backdoor which allows the attacker to remotely execute shell command and manipulate files on the infected device. It’s also implemented with several functionalities for exfiltrating data from the infected device including:

  • Hardware information
  • Contacts
  • Keychain
  • SMS messages
  • Phone call history
  • GPS location 
  • Connected Wi-Fi history
  • Browser history of Safari and Chrome

As well as reporting the surrounding environment of device by:

  • Scanning local network IP address
  • Scanning available Wi-Fi networks

There are also modules specifically designed to exfiltrate data from popular messenger applications including QQ, WeChat and Telegram.

The lightSpy malware has a modular design with multiple capabilities including: 

  • Modules update
  • Remote command dispatch per module
  • Complete shell command module.

While we were analysing the payload delivered using the iOS exploit, we noticed a decoded configuration file pointing to a URL with the Android name on it. This hints that an Android version of lightSpy related to this campaign probably existed. After further hunting we found that the attackers also targeted Android devices during 2019. We found the campaign posted URL links to a malicious APK file on public Hong Kongese Telegram channels. The message was disguised as promoting a legitimate application to trick people installing the malware on their Android devices. The malware can also exfiltrate device information, contacts and SMS messages. We dubbed the Android malware dmsSpy.

In this presentation we will discuss details of the Operation Poisoned News campaign, and present an analysis of the malware spying on both Android and iOS iPhone devices (lightSpy, dmsSpy).

 

William-Gamazo-Sanchez-web.jpg

Nelson William Gamazo Sanchez

Nelson William Gamazo Sanchez is a security researcher at ZDI Threat Hunting Team. He joined Trend Micro in 2014, since when he has worked in multiple areas as reversing engineer, vulnerability analyst and vulnerability researcher. He has worked in the security field since 2000, working in multiple security-oriented companies, including anti-malware and computer forensics companies. He has spoken at several security conferences.

@willgamz

 

Lilang-Wu-web.jpg

Lilang Wu

Lilang Wu is Security Research Leader at Trend Micro Advance Research Team. He mainly focuses on iOS, MacOS and Android kernel vulnerability discovery and malware hunting, and has disclosed many vulnerabilities. He disclosed the masque attack on iOS named 'IOS_Landmine.A'. He has spoken at serval security conferences including BlackHat USA 2019/2018, BlackHat Europe 2018, CodeBlue, HITB and Virus Bulletin.

 

Elliot-Cao-web.jpg

Elliot Cao

Elliot Cao joined Trend Micro in 2017. A sandbox engine developer and vulnerability/threat/red team researcher, Elliot focuses on browser and Windows kernel vulnerability research. He is a member of SAL team and responsibilities include, hunting 0-days in browsers, reversing and vulnerability research on browsers to deliver RCA for product enhancement.

@elli0tn0phacker

 

Ecular-Xu-web.jpg

Ecular Xu

Ecular Xu is a security researcher at Trend Micro. He has experience in discovering mobile threats, reverse engineering and vulnerability research. He has been involved in revealing many threat campaigns including AnubisSpy, GnatSpy, FakeSpy, Bouncing Golf, and the SideWinder Mobile attack. He has also exposed several vulnerabilities on Android and Linux.



Back to VB2020 Programme page

Other VB2020 papers

TBA

Operation LagTime IT: colourful Panda footprint

Fumio Ozawa (NTT Security)

Shogo Hayashi (NTT Security)

Rintaro Koike (NTT Security)

SilentFade: unveiling Chinese malware abusing Facebook ad platform

Sanchit Karve (Facebook)
Jennifer Urgilez (Facebook)

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.