Massive, sophisticated "Inception - Cloud Atlas" malware infects Windows and Android but can't explo

Posted:
in iPhone edited December 2014
A vast and sophisticated new espionage campaign targeting "military, diplomats, and business execs," discovered by Blue Coat Labs and confirmed by Kaspersky Labs, exploits flaws in Microsoft Windows and seeks to infect Android, Blackberry and iOS devices, but is limited to only infecting iPhones and iPads that are jailbroken.

Android Malware


The newly discovered malware network was covered in detail in a report by Dan Goodin of ArsTechnica, prominently naming "diplomats iPhone's" in the headline, along with "Androids and PCs," as being targeted by the attack.No mention of the fact was made that the malware itself can't be installed on iOS unless the device has been jailbroken first

The malware, targeting diplomats in an "international espionage campaign that's so sophisticated and comprehensive that it could only have been developed with the backing of a well resourced country," was described by the article as targeting "devices running Windows, Android, BlackBerry and iOS," but no mention of the fact was made that the malware itself can't be installed on iOS unless the device has been jailbroken first.

Blue Coat, which coined the name "Inception," based on the stealthy attack's "extremely advanced" layers of obfuscation to hide the identity of the attackers, also addressed iOS as being a target in the campaign in its blog posting without making any mention of the fact that iOS devices need to have their security turned off via jailbreak in order to fall victim to the attack.

Ars iOS malware no mention of jailbreak


The site did advise that to prevent infection, users should "keep software updated, don't jailbreak mobile phones, and don't install apps from unofficial sources," essentially a brutal condemnation of Google's platform goals for Android and a glowing endorsement of the security policies Apple has pursued on behalf of its iOS users.

To infect iOS, sophisticated hackers still require a jailbreak

Only in its separate white paper on the subject (PDF) did Blue Coat note that the Inception malware, which posed as a WhatsApp app update, was packaged as a Debian installer package that "impersonates a Cydia installer, and can only be installed on a jailbroken phone."

The paper also noted that the attack has evolved (from its first appearance in 2013, when it was named "Red October" by Kaspersky Labs), now posing as the increasingly popular WhatsApp rather than Microsoft's Skype.

Inception iOS jailbreak


Once installed by a user, the jailbreak-malware can collect an iOS device's serial and phone number; spy on battery levels, memory use and other status information and settings as well as snoop on address book entries and the names of apps iTunes has installed.

Most iOS malware requires a jailbreak

A series of prior malware tools were similarly revealed to require a jailbreak, making them little real threat to the vast majority of Apple's users, particularly those updated to use the latest iOS. Apple actively works to close security exploits that enable jailbreaking, which turns off system security to allow users to "sideload" the installation of software, bypassing the iTunes App Store.

Side loaded apps are typically pirated, but may also include software Apple does not approve for sale in the App Store. The practice of jailbreaking iOS has become increasingly less interesting to users, particularly in China where the once-high percentage of jailbroken iOS phones has plummeted as legitimate app options have become available to customers in that country.

Umeng China jailbreak


In August, it was revealed that governments and law enforcement groups were using FinFisher spyware by Gamma Group to surveil Android and iOS users, but that malware also required a jailbreak on iOS in order to be installed.

Similarly, in November new WireLurker and Masque Attack malware were detailed, both of which require users to either jailbreak their iOS device or to turn off OS X's Gatekeeper, which similarly limits Macs to only run software signed by a developer verified by Apple.

Google's Android has better malware than iOS

The Inception malware targeting Jailbroken iOS devices appears to be far less useful than the corresponding Android APK package, which also portrayed itself as a WhatsApp update users could install.

Blue Coat detailed that "the apparent main purpose of this malware is to record phone call audio. Recordings are stored as *.mp4 files, and uploaded to the attackers periodically," using the CloudMe internet storage service.

While unrelated to Apple's iCloud, Steve Jobs negotiated the purchase of the iCloud brand name from Sweden's Xcerion in 2011, just months before he debuted new iCloud features alongside iOS 5 and OS X Lion. The company subsequently rebranded itself as CloudMe. The malware appears to simply be using the cloud service for storage of the data it steals from Android users.

In addition to using the CloudMe service to host recordings of phone conversations stolen from infected Android phones, the Inception malware on Android "is able to collect a lot of other information," the security firm detailed, ranging from the user's account data and location to their contacts and calendar, remote and locally-saved files, audio from the microphone, incoming and outgoing calls, the user's browser bookmarks and incoming texts.

"Through the encrypted C&C protocol," the firm added, "the attackers can issue commands and binary updates to the malware."

Inception Android


Kaspersky Lab also detailed the same espionage network, naming it "Cloud Atlas." The firm notes that the Inception/Cloud Atlas malware campaign appears to be a reanimated version of the similar "Red October" attacks it first described in 2012, although the latest version uses new, more sophisticated measures to avoid detection.

While Inception/Cloud Atlas appears to specifically target diplomats and government agents, Android now has so many active vulnerability exploits that Bluebox Labs has developed a software tool for Google Play uses to scan their devices to identify a series of problems.

Last month, Bluebox examined a dozen new Android tablets currently being promoted by major U.S. retailers as holiday specials, finding "shocking" security flaws, malware and active backdoors installed on every one of the low priced devices.
«134

Comments

  • Reply 1 of 75
    The subtitle says Most iOS malware requires a jailbreak
    implying there is iOS malware that infects normal iOS devices.

    Name some.
  • Reply 2 of 75
    robmrobm Posts: 1,068member
    God, imagine you're a hacker and having to analyse all the crap that people to speak to each other to identify something of use.
    Jeez.

    Yet another reason not to Jailbreak.
  • Reply 3 of 75
    jungmarkjungmark Posts: 6,926member
    tommcin wrote: »
    The subtitle says Most iOS malware requires a jailbreak
    implying there is iOS malware that infects normal iOS devices.

    Name some.

    Well if he wrote "All ios malware requires a jailbreak," some fool would find one obscure one and then label him a fanboy Apple MFer.

    Still don't jailbreak your phone.
  • Reply 4 of 75
    sflocalsflocal Posts: 6,092member

    Well, the link to the posted seems to have been taken down.  Me think maybe them prominently including iOS there when it really should never have been might have been a bit too much for them?  I was gonna write the author a blunt email about his click-bait tactics.

  • Reply 5 of 75

    That's the last straw. Time to go back to a feature phone.

     

    ;) 

  • Reply 6 of 75
    sockrolidsockrolid Posts: 2,789member

    Originally Posted by AppleInsider View Post



    ... so sophisticated and comprehensive that it could only have been developed with the backing of a well resourced country," ...

     

    Well that excludes North Korea.  

    Where hackers hold "Will Hack For Rice" signs in the streets.

  • Reply 7 of 75
    malaxmalax Posts: 1,598member

    Those jailbreak percentages seems incredibly high to me.  Over half of all 3GSs??  Who are these jailbreakers?  Is the answer something like "Everyone in India and China because..."?  Because the percentage of iDevice owners who are risk-tolerant teens/college kids and hacker nerds can't be that high.  Most of the people I know with iPhones would have no idea what I was talking about if I said "jailbreak."  (And I'm not that old.)

  • Reply 8 of 75

    Good thing a normal person, whatever platform they are on, doesn't have to worry about this. 

     

    1.) Its narrowly focused at diplomats.  2.) This is a phishing attack so the user has to be an idiot and actively click on a link in their email or text message.

     

    How many diplomats could there possibly be in the world? 38,000?  There are 193 countries in the UN, so lets say there is one diplomat for every other country (there isn't).  That would be 37,249.  So lets round up to 38,000 if every single diplomat on the planet was infected.

     

    38,000 may seem like a lot, but it's not when there are billions and billions of smart phones and Windows machines out there.

     

    So to avoid this it's pretty simple.  1.)  Don't be a diplomat.  And 2.) Don't click on random links in your email and text messages.

  • Reply 9 of 75
    Quote:

    Originally Posted by RobM View Post



    God, imagine you're a hacker and having to analyse all the crap that people to speak to each other to identify something of use.

    Jeez.



    Yet another reason not to Jailbreak.



    I think the government should set aside a few millions for some psychological support for those poor hackers. Sorting through such amounts of stupidity must destroy the human psyche.

  • Reply 10 of 75
    Originally Posted by jungmark View Post

    Well if he wrote "All ios malware requires a jailbreak," some fool would find one obscure one and then label him a fanboy Apple MFer.

     

    Originally Posted by TechLover View Post

    Good thing a normal person, whatever platform they are on, doesn't have to worry about this. Regardless, DED is not going to pass up any opportunity to trash everything not Apple.  Be afraid says Daniel, be verrrrrrry afraid.

     

    Looks like you nailed it, jungmark.

  • Reply 11 of 75
    Quote:

    Originally Posted by TechLover View Post

     

    Good thing a normal person, whatever platform they are on, doesn't have to worry about this. 

     

    1.) Its narrowly focused at diplomats.  2.) This is a phishing attack so the user has to be an idiot and actively click on a link in their email or text message.

     

    How many diplomats could there possibly be in the world? 38,000?  There are 193 countries in the UN, so lets say there is one diplomat for every other country (there isn't).  That would be 37,249.  So lets round up to 38,000 if every single diplomat on the planet was infected.

     

    38,000 may seem like a lot, but it's not when there are billions and billions of smart phones and Windows machines out there.

     

    So to avoid this it's pretty simple.  1.)  Don't be a diplomat.  And 2.) Don't click on random links in your email and text messages.

     

    Regardless, DED is not going to pass up any opportunity to trash everything not Apple.  Be afraid says Daniel, be verrrrrrry afraid.




    You VASTLY underestimate the amount of diplomats. If nothing else, any decent US embassy has dozens of employees holding blue passports. You know, "diplomatic" ones. That's what they say on the cover.

    Don't forget that there also are diplomats to things like the Order of Malta, the European Commission, the European Union, the European Council (three very different entities). Not to mention the fact that you probably would want to also put the families of these diplomats under surveillance, which makes them targets. They hold blue passports themselves, though, so you could count them as "quasi-diplomats". In the specific case of partners of diplomats, they are in effect diplomats themselves anyway. Ever been to a diplomatic cocktail, say, held by the Cultural Attache of Sweden, who happens to have this nice blonde tall wife  (Hello Cliche, how have you been lately?), it's quite likely she organized the details (and that is a full time job).

     

    Source, personal experience ;)

  • Reply 12 of 75
    Quote:

    Originally Posted by Tallest Skil View Post

     

     

     

    Looks like you nailed it, jungmark.




    Well, I wonder how long a troll can be exposed to DED before the sheer amount of mental reeducation material turns him to the Fruity Side.

     

    Hey, I'm just saying.

  • Reply 13 of 75

    Random Question:

     

      First of all, I love my iPhone and the thought that it's pretty solid with the encryption and locking.  Meaning, that if I don't unlock it, no one else will.  It's great that Apple even promotes this and states that they can't unlock it either.  So here's my question - I've installed profiles/certificates from my corporation and downloaded Mobile Iron so that I can receive my corporate email on my personal iPhone.  Does this in any way weaken my device security?  If my corporation was under attack, or Mobile Iron, etc... would that open me up to problems or could those aspects be leveraged to get to the rest of my iPhone?

  • Reply 14 of 75
    Quote:

    Originally Posted by lightknight View Post

     
    Quote:
    Originally Posted by TechLover View Post

     

    Good thing a normal person, whatever platform they are on, doesn't have to worry about this. 

     

    1.) Its narrowly focused at diplomats.  2.) This is a phishing attack so the user has to be an idiot and actively click on a link in their email or text message.

     

    How many diplomats could there possibly be in the world? 38,000?  There are 193 countries in the UN, so lets say there is one diplomat for every other country (there isn't).  That would be 37,249.  So lets round up to 38,000 if every single diplomat on the planet was infected.

     

    38,000 may seem like a lot, but it's not when there are billions and billions of smart phones and Windows machines out there.

     

    So to avoid this it's pretty simple.  1.)  Don't be a diplomat.  And 2.) Don't click on random links in your email and text messages.

     

    Regardless, DED is not going to pass up any opportunity to trash everything not Apple.  Be afraid says Daniel, be verrrrrrry afraid.




    You VASTLY underestimate the amount of diplomats. If nothing else, any decent US embassy has dozens of employees holding blue passports. You know, "diplomatic" ones. That's what they say on the cover.

    Don't forget that there also are diplomats to things like the Order of Malta, the European Commission, the European Union, the European Council (three very different entities). Not to mention the fact that you probably would want to also put the families of these diplomats under surveillance, which makes them targets. They hold blue passports themselves, though, so you could count them as "quasi-diplomats". In the specific case of partners of diplomats, they are in effect diplomats themselves anyway. Ever been to a diplomatic cocktail, say, held by the Cultural Attache of Sweden, who happens to have this nice blonde tall wife  (Hello Cliche, how have you been lately?), it's quite likely she organized the details (and that is a full time job).

     

    Source, personal experience ;)


    Fair enough, I will concede to your personal experience.

     

    Let's increase the number by an order of magnitude and then multiply that by 3 so that is 1,114,000 - not an insignificant number of infections if every single diplomat is infected.  It seems unlikely that every single diplomat would be infected though.  Still its potentially a bigger number then I assumed.

     

    But the most important thing that is going unmentioned is that to avoid this it's pretty simple.  

     

    1.)  Don't be a diplomat.  And 2.) Don't click on random links in your email and text messages.

     

    Seems simple enough to me.

  • Reply 15 of 75
    mjtomlinmjtomlin Posts: 2,673member
    Quote:

    Originally Posted by tlevier View Post

     

    Random Question:

     

      First of all, I love my iPhone and the thought that it's pretty solid with the encryption and locking.  Meaning, that if I don't unlock it, no one else will.  It's great that Apple even promotes this and states that they can't unlock it either.  So here's my question - I've installed profiles/certificates from my corporation and downloaded Mobile Iron so that I can receive my corporate email on my personal iPhone.  Does this in any way weaken my device security?  If my corporation was under attack, or Mobile Iron, etc... would that open me up to problems or could those aspects be leveraged to get to the rest of my iPhone?




    No... whatever app your using is sandboxed from the rest of the system. The security of the communications between that app and its server are completely separated from iOS.

  • Reply 16 of 75
    Quote:
    Originally Posted by TechLover View Post

     

    Good thing a normal person, whatever platform they are on, doesn't have to worry about this. 

     

    1.) Its narrowly focused at diplomats.  2.) This is a phishing attack so the user has to be an idiot and actively click on a link in their email or text message.

     

    How many diplomats could there possibly be in the world? 38,000?  There are 193 countries in the UN, so lets say there is one diplomat for every other country (there isn't).  That would be 37,249.  So lets round up to 38,000 if every single diplomat on the planet was infected.

     

    38,000 may seem like a lot, but it's not when there are billions and billions of smart phones and Windows machines out there.

     

    So to avoid this it's pretty simple.  1.)  Don't be a diplomat.  And 2.) Don't click on random links in your email and text messages.

     

    Regardless, DED is not going to pass up any opportunity to trash everything not Apple.  Be afraid says Daniel, be verrrrrrry afraid.




    Blue Coat actually reported it as a "Malware Attack Targeted at Military, Diplomats, and Business Execs," while Ars simplified things by saying it targeted diplomats. The reality is that this sophisticated attack was designed to automate spying over large numbers of high profile, valuable targets, but like the cheaper packages sold for ~$300, it uses Windows and Android exploits that can be used against anyone.

     

    Saying users should "not click on random links" is a very ignorant response given the history of whom malware has affected over the last couple decades. Also, just because you might not yourself be at risk from Android doesn't mean that you won't be affected when your colleagues, company executives and government workers fall prey to sophisticated spying attacks that will harm you.

     

    The point is that Apple has pursued policies that have greatly reduced risk for its users to nearly zero, while Google has pursued policies that have created a mobile platform that is more dangerous and at risk than Windows was in its malware heyday.

     

    Over the last 6 years, we've been force fed lies by Android apologists in the media who insisted that Apple's approach was wrong and the Google is right and that there should be no efforts to maintain security because open is wonderful. That was as wrong as you are today.

     

    If you don't like a spade being called a spade, maybe you should read "news" that tickles your ears somewhere else.  

  • Reply 17 of 75
    Quote:

    Originally Posted by TechLover View Post

     

     

     

    1.)  Don't be a diplomat.  And 2.) Don't click on random links in your email and text messages.

     

    Seems simple enough to me.


    "Don't be a diplomat" seems like a bizarre piece of advice.

     

    The part about clicking random links, however, I couldn't agree more. After the years of phishing attacks we've endured, why does it still happen?!

    Shouldn't evolution have caused the apparition of a new gene of "doesn't click on random links" in people?

  • Reply 18 of 75
    Quote:

    Originally Posted by Corrections View Post

     

    Saying users should "not click on random links" is a very ignorant response given the history of who malware has affected over the last couple decades. 


    People do click on random links, though, and it is a frightening situation in 2014... soon 2015.

  • Reply 19 of 75
    mjtomlinmjtomlin Posts: 2,673member
    Quote:

    Originally Posted by TechLover View Post

     

    1.) Its narrowly focused at diplomats.  


     

    Huh? Which part of "military, diplomats and executives" did you miss?

     

    Diplomats were used as the example because a few were mentioned in one of the articles relating to this issue.

  • Reply 20 of 75
    mjtomlinmjtomlin Posts: 2,673member
    Quote:

    Originally Posted by malax View Post

     

    Those jailbreak percentages seems incredibly high to me.  Over half of all 3GSs??  Who are these jailbreakers?  Is the answer something like "Everyone in India and China because..."?  Because the percentage of iDevice owners who are risk-tolerant teens/college kids and hacker nerds can't be that high.  Most of the people I know with iPhones would have no idea what I was talking about if I said "jailbreak."  (And I'm not that old.)




    I'm pretty sure are those are devices mainly in China and the stats are from one single analytics platform that is probably popular among developers of jailbroken apps.

Sign In or Register to comment.