{
	"id": "2d5a98e2-3648-42f6-97f5-7f3e7f5da0ba",
	"created_at": "2026-04-06T00:21:22.47259Z",
	"updated_at": "2026-04-10T03:30:32.98636Z",
	"deleted_at": null,
	"sha1_hash": "0586d4c6f20c4b3c90eddb4c54904f6f7d6e5c60",
	"title": "Phishing Sites Distributing IOS \u0026 Android Surveillanceware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 555948,
	"plain_text": "Phishing Sites Distributing IOS \u0026 Android Surveillanceware\r\nBy Lookout\r\nPublished: 2016-07-15 · Archived: 2026-04-05 12:47:39 UTC\r\nFor the past year, Lookout researchers have been tracking Android and iOS surveillanceware that can exfiltrate\r\ncontacts, audio recordings, photos, location, and more from devices. As has been previously reported, some\r\nversions of the Android malware were present in the Google Play Store. The iOS versions were available outside\r\nthe app store, through phishing sites, and abused the Apple Developer Enterprise program.\r\nBackground: Android surveillanceware\r\nEarly last year, Lookout discovered a sophisticated Android surveillanceware agent that appears to have been\r\ncreated for the lawful intercept market. The agent appears to have been under development for at least five years\r\nand consists of three stages. First, there is a small dropper, then a large second stage payload that contains multiple\r\nbinaries (where most of the surveillance functionality is implemented), and finally a third stage which typically\r\nuses the DirtyCOW exploit (CVE-2016-5195) to obtain root. Security Without Borders has recently published an\r\nanalysis of this family, independently, through their blog.\r\nSeveral technical details indicated that the software was likely the product of a well-funded development effort\r\nand aimed at the lawful intercept market. These included the use of certificate pinning and public key encryption\r\nfor C2 communications, geo-restrictions imposed by the C2 when delivering the second stage, and the\r\ncomprehensive and well-implemented suite of surveillance features.\r\nEarly versions of the Android application used infrastructure which belonged to a company named Connexxa\r\nS.R.L. and were signed using the name of an engineer who appears to hold equity in Connexxa.\r\nThis engineer’s name is also associated with a company called eSurv S.R.L. eSurv’s public marketing is centered\r\naround video surveillance software and image recognition systems, but there are a number of individuals claiming\r\nto be mobile security researchers working at the company, including one who has publicly made claims to be\r\ndeveloping a mobile surveillance agent.\r\nMoreover, eSurv was a business unit of Connexxa and was leased to eSurv S.R.L in 2014. This business unit and\r\nthe eSurv software and brand were sold from Connexxa S.R.L. to eSurv S.R.L. on Feb 28, 2016.\r\nLookout notified Google of the potential threat shortly after it was discovered. Together, during the latter half of\r\n2018, we worked to remove the apps from the Play store while they were being deployed in the wild.\r\niOS development\r\nhttps://blog.lookout.com/esurv-research\r\nPage 1 of 5\n\nAnalysis of these Android samples led to the discovery of infrastructure that contained several samples of an iOS\r\nport. So far, this software (along with the Android version) has been made available through phishing sites that\r\nimitated Italian and Turkmenistani mobile carriers.\r\nWind Tre SpA - an Italian telecom operator\r\nTMCell - the state-owned mobile operator in Turkmenistan\r\nDeployment to users outside Apple’s app store was made possible through abuse of Apple’s enterprise\r\nprovisioning system. The Apple Developer Enterprise program is intended to allow organizations to distribute\r\nproprietary, in-house apps to their employees without needing to use the iOS App Store. A business can obtain\r\naccess to this program only if it meets the requirements set out by Apple. It is not common to use this\r\nprogram to distribute malware, although there have been past cases where malware authors have done so.\r\nEach of the phishing sites contained links to a distribution manifest, which contained metadata such as the\r\napplication name, version, icon, and a URL for the IPA file.\r\nTo be distributed outside the app store, an IPA package must contain a mobile provisioning profile with an\r\nenterprise’s certificate. All these packages used provisioning profiles with distribution certificates associated with\r\nthe company Connexxa S.R.L.\r\nCertificate Used\r\nThe apps themselves pretended to be carrier assistance apps which instructed the user to “keep the app installed on\r\nyour device and stay under Wi-Fi coverage to be contacted by one of our operators”.\r\nOne of the packages after initial launch\r\nThe iOS variant is not as sophisticated as the Android version, and contains a subset of the functionality the\r\nAndroid releases offered. In particular, these packages have not been observed to contain or to download exploits\r\nwhich would be required to perform certain types of activities on iOS devices.\r\nEven without capabilities to exploit a device, the packages were able to exfiltrate the following types of data using\r\ndocumented APIs:\r\nContacts\r\nAudio recordings\r\nPhotos\r\nVideos\r\nGPS location\r\nDevice information\r\nIn addition, the packages offered a feature to perform remote audio recording.\r\nThough different versions of the app vary in structure, malicious code was initialized at application launch without\r\nthe user’s knowledge, and a number of timers were set up to gather and upload data periodically.\r\nUpload data was queued and transmitted via HTTP PUT requests to an endpoint on the C2. The iOS apps leverage\r\nthe same C2 infrastructure as the Android version and use similar communications protocols. Push notifications\r\nwere also used to control audio recording.\r\nLookout has shared information about this family with Apple, and they have revoked the affected certificates. As a\r\nresult, no new instances of this app can be installed on iOS devices and existing installations can no longer be run.\r\nLookout customers are also protected from this threat on both Android and iOS.\r\nI will be presenting my findings at the Kaspersky Security Analyst Summit in Singapore this week.\r\nSource: https://blog.lookout.com/esurv-research",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blog.lookout.com/esurv-research"
	],
	"report_names": [
		"esurv-research"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434882,
	"ts_updated_at": 1775791832,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0586d4c6f20c4b3c90eddb4c54904f6f7d6e5c60.pdf",
		"text": "https://archive.orkl.eu/0586d4c6f20c4b3c90eddb4c54904f6f7d6e5c60.txt",
		"img": "https://archive.orkl.eu/0586d4c6f20c4b3c90eddb4c54904f6f7d6e5c60.jpg"
	}
}