Hackers can hack pictures from WhatsApp in India
By MYBRANDBOOK
A sophisticated mobile malware campaign is gaining access to iPhones by tricking users into downloading an open-source mobile device management (MDM) software package. To enrol an iOS device into MDM, a user has to manually install a certificate, which is obtained through the Apple Developer Enterprise Program.
The hackers used social engineering techniques to get the MDM installed on the targets' devices. Once it was installed, the attackers used the MDM service to remotely install modified versions of legitimate apps such as WhatsApp and Telegram onto the devices. The hackers injected malicious features into these legitimate apps in order to secretly spy on users and steal their real-time location, contacts, photos, SMS and private messages from chat applications.
It is true that software is written with software, and hardware runs on software. MDM is an open-source tool developed for mobile device management; hackers use the same open-source platform to decrypt it and rewrite the application. With the control this gives them, the unidentified hackers can steal various forms of sensitive information from infected devices, including the phone number, serial number, location, contact details, user's photos, SMS and WhatsApp chat messages. Attackers are using this protocol to install malicious applications and spy on devices remotely.
The fact remains debatable. We have very sophisticated developers in India too, so we can't simply blame Russia: the hackers are said to be from India and are posing as being from Russia. As technology evolves, you can do and show anything remotely. The question arises of who is to be blamed for the innovation: the technology or the humans?
Cisco Talos has identified a highly targeted campaign against 13 iPhones which appears to be focused on India. The attacker deployed an open-source mobile device management (MDM) system to control enrolled devices. In social engineering attacks the victim is tricked into clicking accept or giving the attacker physical access to a device. This campaign is of note since the malware goes to great lengths to replace specific mobile apps for data interception. Talos has worked closely with Apple on countering this threat. Apple had already actioned 3 certificates associated with this actor when Talos reached out, and quickly moved to action the two others once Talos tied them to the threat.
The attacker used the BOptions sideloading technique to add features to legitimate apps, including the messaging apps WhatsApp and Telegram, that were then deployed by the MDM onto the 13 targeted devices in India. The purpose of the BOptions sideloading technique is to inject a dynamic library into the application. The malicious code inserted into these apps is capable of collecting and exfiltrating information from the device, such as the phone number, serial number, location, contacts, user's photos, SMS and Telegram and WhatsApp chat messages. Such information can be used to manipulate a victim, or even for blackmail or bribery.
As part of the attacker's development and testing it appears that they compromised their device: we observed a device named "test" or "mdmdev." The log files we identified contain the phone number of the device. The number originates from India and uses the "Vodafone India" network with roaming capability disabled. With all of this information in mind, we assume with high confidence that the malware author works out of India. MDM is becoming more popular throughout large enterprises, and users should be aware that installing additional certificates on their device to allow remote management can result in potential malicious activity. By installing a certificate outside of the Apple iOS trusted certificate chain, you may open yourself up to possible third-party attacks like this.
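As a way to see what an enrolment profile asks for before anyone taps "Install", here is an added example (not from the article or from Talos) that audits a configuration profile for MDM and certificate payloads. It assumes an unsigned XML `.mobileconfig`; the sample profile, its hostnames and its identifiers are constructed for illustration.

```python
import plistlib

# Payload types that add certificates or identities to the device.
CERT_PAYLOADS = {
    "com.apple.security.root": "installs a root CA certificate",
    "com.apple.security.pkcs1": "installs a certificate",
    "com.apple.security.pem": "installs a PEM certificate",
    "com.apple.security.pkcs12": "installs an identity (certificate + key)",
}

# Constructed sample profile: every name and URL below is made up.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.enroll</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadDisplayName</key><string>Example CA</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>ServerURL</key><string>https://mdm.example.invalid/server</string>
      <key>CheckInURL</key><string>http://mdm.example.invalid/checkin</string>
      <key>AccessRights</key><integer>8191</integer>
    </dict>
  </array>
</dict></plist>"""

def audit_profile(data: bytes) -> list[str]:
    """Return findings for an unsigned .mobileconfig (XML plist)."""
    payloads = plistlib.loads(data).get("PayloadContent", [])
    if isinstance(payloads, dict):  # tolerate a single payload dict
        payloads = [payloads]
    findings = []
    for payload in payloads:
        ptype = payload.get("PayloadType", "")
        if ptype == "com.apple.mdm":
            findings.append(f"MDM enrolment: managed by {payload.get('ServerURL')}")
            for key in ("ServerURL", "CheckInURL"):
                url = payload.get(key, "")
                if url and not url.lower().startswith("https://"):
                    findings.append(f"{key} is not HTTPS: {url}")
            findings.append(f"AccessRights bitmask requested: {payload.get('AccessRights')}")
        elif ptype in CERT_PAYLOADS:
            findings.append(f"{ptype} {CERT_PAYLOADS[ptype]}: {payload.get('PayloadDisplayName')}")
    return findings

if __name__ == "__main__":
    for line in audit_profile(SAMPLE_PROFILE):
        print("[!]", line)
```

Profiles delivered in signed form are wrapped in a CMS envelope and must be unwrapped before this parser can read them.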
Users must be aware that accepting an MDM certificate is equivalent to allowing someone administrator access to their device, passwords, etc. This must be done with great care in order to avoid security issues and should not be something the average home user does. The following information warns the security community and users of how this attack works. The likely use of social engineering to recruit devices serves as a reminder that users need to be wary of clicking on unsolicited links and verify identities and legitimacy of requests to access devices. The overall workflow of the deployment method and capabilities is pictured below.