{
	"id": "65dd5882-3c80-46fe-9ffe-e2412ca33619",
	"created_at": "2026-04-06T00:06:56.797466Z",
	"updated_at": "2026-04-10T03:21:40.634961Z",
	"deleted_at": null,
	"sha1_hash": "8bf142b0c9b91c69529884cc5600c5e6e513b550",
	"title": "Advanced Mobile Malware Campaign in India uses Malicious MDM",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1150961,
	"plain_text": "Advanced Mobile Malware Campaign in India uses Malicious MDM\r\nBy Paul Rascagneres\r\nPublished: 2018-07-12 · Archived: 2026-04-05 13:59:43 UTC\r\nThursday, July 12, 2018 15:00\r\nSummary\r\nCisco Talos has identified a highly targeted campaign against 13 iPhones which appears to be focused on India. The attacker deployed an open-source mobile device management (MDM) system to control enrolled devices. At this time, we don't know how the attacker managed to enroll the targeted devices. Enrollment could be done through physical access to the devices, or, most likely, by using social engineering to entice a user to register. In social engineering attacks the victim is tricked into clicking accept or into giving the attacker physical access to a device. This campaign is of note since the malware goes to great lengths to replace specific mobile apps for data interception. Talos has worked closely with Apple on countering this threat. Apple had already actioned three certificates associated with this actor when Talos reached out, and quickly moved to action the other two once Talos tied them to the threat.\r\nAn MDM is designed to deploy applications on enrolled devices. In this campaign we identified five applications that have been distributed by this system to the 13 targeted devices in India. Two of them appear to test the functionality of the device, one steals SMS message contents, and the remaining two report the location of the device and can exfiltrate various data.\r\nThe attacker used the BOptions sideloading technique to add features to legitimate apps, including the messaging apps WhatsApp and Telegram, that were then deployed by the MDM onto the 13 targeted devices in India. The purpose of the BOptions sideloading technique is to inject a dynamic library into the application. 
The malicious code inserted into these apps is capable of collecting and exfiltrating information from the device, such as the phone number, serial number, location, contacts, the user's photos, SMS messages, and Telegram and WhatsApp chat messages. Such information can be used to manipulate a victim, or even for blackmail or bribery.\r\nThanks to the logs located on the MDM servers and the malware's command and control (C2) server, we were able to determine that the malware has been in use since August 2015. The campaign targeted only a few select devices (13), all located in India. The attacker left essential data on the servers, such as emails and usernames. As part of the attacker's development and testing it appears that they enrolled their own device: we observed a device named \"test\" or \"mdmdev.\" The log files we identified contain the phone number of that device. The number originates from India and uses the \"Vodafone India\" network with roaming capability disabled. With all of this information in mind, we assess with high confidence that the malware author works out of India.\r\nMDM is becoming more popular throughout large enterprises, and users should be aware that installing additional certificates on their device to allow remote management can result in potential malicious activity. By installing a certificate outside of the Apple iOS trusted certificate chain, you may open the device up to third-party attacks like this one. Users must be aware that accepting an MDM certificate is equivalent to allowing someone administrator access to their device, passwords, etc. This must be done with great care in order to avoid security issues and should not be something the average home user does.\r\nhttps://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html\r\nPage 1 of 14\r\nThe following information warns the security community and users of how this attack works. 
The likely use of social engineering to recruit devices serves as a reminder that users need to be wary of clicking on unsolicited links and should verify the identity and legitimacy of anyone requesting access to their devices.\r\nThe overall workflow of the deployment method and capabilities is pictured below.\r\niOS MDM infrastructure\r\nMy tiny MDM\r\nTalos identified two different MDM servers:\r\nhxxp://ios-certificate-update[.]com\r\nhxxp://www[.]wpitcher[.]com\r\nBoth servers above are based on the open-source project mdm-server, a small iOS MDM server. MDM allows for operating system-level control of multiple devices from a centralized location. A remote administrator can install or remove apps, install or revoke certificates, lock the device, or change password requirements, among other things. The operator is able to uninstall legitimate applications such as Telegram and WhatsApp and install the malicious versions described in the next section.\r\nDevice enrollment\r\nEach step of the enrollment process needs some type of user interaction. That's why Talos assumes the attackers use social engineering to get victims onto the MDM. 
The first step for enrolling a device is to install the certificate authority:\r\nIf the user clicks on \"Allow,\" the following message is displayed:\r\nBy clicking on \"Install,\" the signature will switch to \"Verified:\"\r\nThe device is ready to be enrolled:\r\nWe can control the installed profile:\r\nThe attacker is now able to control the device. A pop-up appears when the attacker pushes a new app to the user's device. Here is an example with the compromised Telegram app mentioned later in the article:\r\nThis gives the attacker a significant level of control over the victim device(s). This is the same process a large enterprise goes through with a commercial MDM solution. It is likely that the user is advised that the certificate must be installed to allow enrollment. This is most likely performed via a social engineering mechanism, i.e. a fake tech support-style call.\r\nThe attacker used a domain which allowed them to try to fool the user. The use of \"ios-certificate-update[.]com\" may make it easier to reassure the user that this is normal. Since we believe this attack is targeting devices in India, this is also something which a non-native English speaker may see as \"normal.\" The certificate and update naming convention is also designed to trick the user.\r\nTechnical information about the MDM\r\nThe attacker left a lot of information behind, which allowed us to analyze the files used by this MDM. 
First, the certificate used by the MDM:\r\nCA.crt:\r\nSerial Number: 13905745817900070731 (0xc0fb222544ceb74b)\r\nIssuer: C=CR, ST=Split, L=Split, O=NA, OU=IT, CN=ios-certificate-update.com/emailAddress=nicholas.vukoja@mail.ru\r\nValidity\r\n Not Before: Sep 6 11:33:09 2017 GMT\r\n Not After : Sep 6 11:33:09 2018 GMT\r\nSubject: C=CR, ST=Split, L=Split, O=NA, OU=IT, CN=ios-certificate-update.com/emailAddress=nicholas.vukoja@mail.r\r\nThe certificate was issued in September 2017 and contains an email address at a Russian provider (mail.ru). Our investigation suggests that the attacker is not based in Russia. We assume this is a false flag to point researchers toward the idea of a \"classical Russian hacker.\" False flags are becoming more common in malware, both sophisticated and simple; they are an attempt to muddy the waters for analysts and researchers and to direct blame elsewhere. Note also that the country field C=CR is the ISO code for Costa Rica, while Split is a city in Croatia (ISO code HR), which is what the CSR below uses.\r\nIdentity.p12:\r\nSerial Number: 14177612590375883362 (0xc4c0ff88e475d262)\r\nIssuer: C=CR, ST=Split, L=Split, O=NA, OU=IT, CN=ios-certificate-update.com/emailAddress=Aleksi.Dushku@mail.ru\r\nValidity\r\n Not Before: Jan 6 04:59:56 2018 GMT\r\n Not After : Jan 6 04:59:56 2019 GMT\r\nSubject: C=CR, ST=Split, L=Split, O=NA, OU=IT, CN=ios-certificate-update.com/emailAddress=Aleksi.Dushku@mail.ru\r\nThis is another certificate, which again points to Russia by using another mail.ru address.\r\nServer.csr:\r\nSubject: C=HR, ST=Hrvatska, L=Split, O=NA, OU=IT, CN=ios-certificate-update.com/emailAddress=nicholas.vukoja@ma\r\nIn this request, the attacker used Hrvatska (\"Croatia\" in Croatian) together with the same Russian email address.\r\nThe certificates are self-signed, or signed by the Comodo certificate authority.\r\nLog analysis\r\nOne of the most interesting pieces of information about the MDM is found in the log file. 
From it, we can confirm the following points:\r\nThere are 13 compromised devices, counted by serial number\r\nAll the devices are located in India (based on the phone numbers and carriers)\r\nPhone models (hardware model identifiers rather than marketing names): iPhone 5.4, iPhone 7.2, iPhone 8.1, iPhone 8.2, iPhone 9.3, iPhone 9.4\r\niOS versions: 10.2.1, 10.3.1, 10.3.2, 10.3.3, 11.0, 11.0.3, 11.2.1, 11.2.5, 11.2.6\r\nAt this time, we don't know how the attacker enrolled the 13 targeted devices into the MDM. It could be through physical access to the phones, or by using social engineering to motivate the user to enroll their device.\r\nWe believe the attackers used their personal phone to test the MDM because they included devices named \"Test\" and \"mdmdev.\" These two devices share the same phone number and carry names that are uncommon for a personal phone.\r\nThe phone number originates from India and is registered on the \"Vodafone India\" network provider. When the device was registered on the MDM server, roaming was disabled. We assess with high confidence that the author is based in India.\r\niOS Applications\r\nMalicious applications using BOptions sideloading\r\nExplanation\r\nThe attacker's purpose appears to be to deploy malicious apps onto the 13 compromised devices. To do so, they decided to use the BOptions sideloading technique. The technique is described here. The purpose is to inject a dynamic library into the legitimate app. The GitHub project was used by the attacker to create the malicious BOptionspro.dylib library held in the iOS package (.ipa file). The injected library can ask for additional permissions, execute code and steal information from the original application, among other things. 
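As an added illustration (written for this page; not code from Talos, from the BOptions project, or from the implant), the following Python walks the load commands of a Mach-O executable and reports every dynamic library that a known-good copy of the same app does not load. It assumes the sideloading tool carries the injected library as an extra LC_LOAD_DYLIB command, which is how insert_dylib-style tools work, and it assumes a thin 64-bit binary (a fat binary would need its arm64 slice extracted first). The two binaries it analyzes are stub images constructed in memory, not real app executables; BOptionspro.dylib is the library name from the page, the other install names are ordinary placeholders.

```python
import struct

MH_MAGIC_64 = 0xfeedfacf             # thin 64-bit little-endian Mach-O
LC_LOAD_DYLIB = 0x0000000c
LC_LOAD_WEAK_DYLIB = 0x80000018
HEADER_64 = '<IiiIIIII'              # magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
DYLIB_CMD = '<IIIIII'                # cmd, cmdsize, name offset, timestamp, current_version, compat_version


def load_dylibs(data):
    # Walk the load commands and return the install name of every dylib the
    # binary asks dyld to load, in load-command order. The header and load
    # commands are readable even when the __TEXT segment is FairPlay-encrypted.
    fields = struct.unpack_from(HEADER_64, data, 0)
    if fields[0] != MH_MAGIC_64:
        raise ValueError('not a thin 64-bit little-endian Mach-O')
    ncmds, sizeofcmds = fields[4], fields[5]
    off = struct.calcsize(HEADER_64)
    end_of_cmds = off + sizeofcmds
    names = []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from('<II', data, off)
        if cmdsize < 8 or off + cmdsize > end_of_cmds:
            raise ValueError('malformed load command')
        if cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            name_off = struct.unpack_from('<I', data, off + 8)[0]
            start = off + name_off
            stop = data.index(bytes(1), start, off + cmdsize)   # NUL-terminated string
            names.append(data[start:stop].decode())
        off += cmdsize
    return names


def injected_dylibs(suspect, known_good):
    # Everything the suspect binary loads that the reference copy does not.
    # Diffing against a trusted copy of the same app version avoids false
    # positives on @rpath entries legitimate apps ship (Swift runtime, embedded frameworks).
    baseline = set(load_dylibs(known_good))
    return [name for name in load_dylibs(suspect) if name not in baseline]


# --- constructed fixtures: stub Mach-O images, not real app binaries ---

def dylib_command(path):
    name = path.encode() + bytes(1)
    pad = (-(24 + len(name))) % 8            # load commands are 8-byte aligned
    cmdsize = 24 + len(name) + pad
    return struct.pack(DYLIB_CMD, LC_LOAD_DYLIB, cmdsize, 24, 2, 0x10000, 0x10000) + name + bytes(pad)


def build_stub_macho(paths):
    cmds = b''.join(dylib_command(p) for p in paths)
    # cputype 0x0100000c = CPU_TYPE_ARM64, filetype 2 = MH_EXECUTE
    header = struct.pack(HEADER_64, MH_MAGIC_64, 0x0100000c, 0, 2, len(paths), len(cmds), 0, 0)
    return header + cmds


CLEAN_DYLIBS = [
    '/System/Library/Frameworks/UIKit.framework/UIKit',
    '/usr/lib/libSystem.B.dylib',
    '@rpath/libswiftCore.dylib',
]
TAMPERED_DYLIBS = CLEAN_DYLIBS + ['@executable_path/BOptionspro.dylib']

if __name__ == '__main__':
    good = build_stub_macho(CLEAN_DYLIBS)
    bad = build_stub_macho(TAMPERED_DYLIBS)
    print('injected:', injected_dylibs(bad, good))
```

To apply this to a real sample, unzip the .ipa, take the main executable under Payload/, and diff it against the same app version obtained from a trusted source; on macOS, otool -L prints the same list that load_dylibs returns. A dylib can also be pulled in through LC_LOAD_WEAK_DYLIB or an added LC_RPATH plus a renamed framework, so treat any difference between the two lists as worth a look, not only entries that name a .dylib.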
Milan-based technology company HackingTeam has previously used this technique.\r\nTelegram, WhatsApp \u0026 AppsSLoader\r\nIn this campaign we identified three compromised versions of apps using this trick hosted on the MDM server.\r\nAppsSLoader is seemingly harmless. The app was created to test the library injection. It simply opens a pop-up to the user confirming the execution of the dynamic library. This was most likely created to test the effectiveness of the library prior to malicious deployment.\r\nThe compromised versions of the Telegram and WhatsApp applications used in this campaign are more interesting and relevant. Both contain the same malicious code, whose purpose is to send collected data to a C2 server located at hxxp[:]//techwach[.]com.\r\nThe malicious code checks permissions and asks for additional permissions if it does not already have them:\r\nPermission to access the user's contact list (PhnNumber::getContAccess)\r\nPermission to access the user's photos (PhnNumber::getPAccess)\r\nOne of the most relevant features of these compromised versions of the applications is the Telegram and WhatsApp message stealing feature. 
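The following Python is an added example (written for this page, not code from the Talos analysis or from the implant) that reproduces the two chat-database reads described in the workflow that follows, on constructed in-memory copies of the Telegram and WhatsApp stores. The SQL is the text quoted on the page; the table layouts are reduced to the columns those queries touch (the real tgdata.db and ChatStorage.sqlite have many more), the rows are made up, and the handling of the WhatsApp %d placeholder as a high-water mark (the highest Z_PK already sent, so each run only pulls the delta) is an assumption about how the implant fills it in. Run against a device backup, the same logic tells a forensic analyst exactly which rows were exposed.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Queries as quoted in the write-up; the WhatsApp one takes the last-sent Z_PK as a parameter.
TELEGRAM_USERS_SQL = 'select users_v29.phone_number, users_v29.uid from users_v29'
TELEGRAM_MESSAGES_SQL = (
    'select messages_v29.from_id AS oid, users_v29.first_name, users_v29.last_name, '
    'users_v29.phone_number, messages_v29.message, messages_v29.mid, messages_v29.to_id '
    'from messages_v29 join users_v29 ON (messages_v29.from_id = users_v29.uid)'
)
WHATSAPP_SQL = (
    'SELECT Z_PK, ZFROMJID, ZTOJID, ZPUSHNAME, ZTEXT, ZMESSAGEDATE '
    'FROM ZWAMESSAGE WHERE Z_PK > ?'
)

CORE_DATA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)   # ZMESSAGEDATE is seconds since this


def collect_telegram(conn):
    # Inner join: a message whose sender is missing from users_v29 is silently
    # dropped, so the implant only sees chats with resolvable senders.
    directory = {uid: phone for phone, uid in conn.execute(TELEGRAM_USERS_SQL)}
    rows = []
    for oid, first, last, phone, text, mid, to_id in conn.execute(TELEGRAM_MESSAGES_SQL):
        rows.append({'mid': mid, 'from_uid': oid, 'from_phone': phone,
                     'from_name': (first + ' ' + last).strip(),
                     'to_uid': to_id, 'to_phone': directory.get(to_id), 'text': text})
    rows.sort(key=lambda r: r['mid'])
    return rows


def collect_whatsapp(conn, last_sent_pk):
    # Only rows newer than the stored checkpoint come back; the caller persists
    # the returned checkpoint so the next run exfiltrates just the delta.
    rows = []
    for pk, from_jid, to_jid, pushname, text, date in conn.execute(WHATSAPP_SQL, (last_sent_pk,)):
        rows.append({'pk': pk, 'from': from_jid, 'to': to_jid, 'pushname': pushname, 'text': text,
                     'sent_at': (CORE_DATA_EPOCH + timedelta(seconds=date)).isoformat()})
    rows.sort(key=lambda r: r['pk'])
    new_checkpoint = max((r['pk'] for r in rows), default=last_sent_pk)
    return rows, new_checkpoint


# --- constructed fixtures: reduced schemas and made-up rows ---

def constructed_telegram_db():
    conn = sqlite3.connect(':memory:')
    conn.executescript('''
        CREATE TABLE users_v29 (uid INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT, phone_number TEXT);
        CREATE TABLE messages_v29 (mid INTEGER PRIMARY KEY, from_id INTEGER, to_id INTEGER, message TEXT);
        INSERT INTO users_v29 VALUES (1, 'Asha', 'K', '+91 55500 00001'), (2, 'Ravi', 'M', '+91 55500 00002');
        INSERT INTO messages_v29 VALUES (10, 1, 2, 'meeting moved to 4pm'),
                                        (11, 2, 1, 'ok, see you there'),
                                        (12, 99, 1, 'sender not in users table');
    ''')
    return conn


def constructed_whatsapp_db():
    conn = sqlite3.connect(':memory:')
    conn.executescript('''
        CREATE TABLE ZWAMESSAGE (Z_PK INTEGER PRIMARY KEY, ZFROMJID TEXT, ZTOJID TEXT,
                                 ZPUSHNAME TEXT, ZTEXT TEXT, ZMESSAGEDATE REAL);
        INSERT INTO ZWAMESSAGE VALUES
            (1, '915550000002@s.whatsapp.net', NULL, 'Ravi', 'hi', 552000000.0),
            (2, NULL, '915550000002@s.whatsapp.net', NULL, 'hello', 552000060.0),
            (3, '915550000002@s.whatsapp.net', NULL, 'Ravi', 'call me', 552000120.0);
    ''')
    return conn


if __name__ == '__main__':
    for row in collect_telegram(constructed_telegram_db()):
        print('telegram', row)
    wa = constructed_whatsapp_db()
    first_batch, checkpoint = collect_whatsapp(wa, 0)            # first run: everything
    second_batch, checkpoint = collect_whatsapp(wa, checkpoint)  # next run: nothing new
    print('whatsapp first run', len(first_batch), 'rows; second run', len(second_batch), 'rows')
```

The page's WhatsApp query embeds the checkpoint as a quoted '%d' literal; a bound parameter is used here instead, which SQLite compares the same way because Z_PK has INTEGER affinity. The Telegram side mirrors the implant's two-step approach: the users query builds a uid-to-phone map, and the join query yields the messages, which the implant then posts to the C2.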
Here is the global workflow of it:\r\nFor Telegram:\r\nOpens 'tgdata.db', an SQLite3 database used by Telegram\r\nChecks for the key 'UPLOADED_CHAT' in the key store\r\nQueries \"select users_v29.phone_number, users_v29.uid from users_v29;\"\r\nQueries \"select messages_v29.from_id AS oid,users_v29.first_name, users_v29.last_name,users_v29.phone_number,messages_v29.message,messages_v29.mid,messages_v29.to_id from messages_v29 join users_v29 ON (messages_v29.from_id = users_v29.uid);\"\r\nParses the results, storing counts, timestamps, and other metadata\r\nSends the data by posting to hxxp[:]//techwach[.]com\r\nQuery screenshot:\r\nFor WhatsApp:\r\nOpens 'ChatStorage.sqlite', the database used for WhatsApp messages\r\nQueries 'SELECT Z_PK,ZFROMJID,ZTOJID,ZPUSHNAME,ZTEXT,ZMESSAGEDATE FROM ZWAMESSAGE WHERE Z_PK \u003e '%d'' (the %d placeholder is presumably filled with the highest Z_PK already uploaded, so each run only fetches new rows)\r\nParses the results, storing counts, timestamps, and other metadata\r\nSends the data by posting to hxxp[:]//techwach[.]com\r\nAdditionally, the malware is designed to be able to send the contacts, location, and images from the compromised device.\r\nHere is the list of the PHP pages available on the techwach C2 server:\r\nall.php\r\ndyrKztORKwVWOGo.php\r\nget.php\r\nhh.php\r\ninfo.php\r\njDRucchWSoWQGpU.php\r\nUfmcRxYDaVVbrBl.php\r\nAnother intriguing aspect of this malware is the way in which the malicious code achieves periodic code execution while the legitimate app bundled with it is running. One technique is to modify the app's code at runtime to execute the malicious code; this has been observed in previously analyzed iOS malware. Instead, this malware remains almost entirely independent of the app and gains execution by creating a timer that eventually executes the malicious code in a background thread. 
From there, it schedules tasks to be executed asynchronously in the background by leveraging the app's background task queue. Ultimately, this means that the malicious code is invisible to the user of the app, and can be easily reused alongside any real application.\r\nPrayTime\r\nTalos identified another legitimate app executing malicious code during this campaign in India. PrayTime is used to give the user a notification when it's time to pray. The malicious code connects to the domain voguextra[.]com in order to download and display specific ads to the user. This app also leverages private frameworks to read the SMS messages on the device it is installed on and uploads them to the C2 server.\r\nMyApp\r\nMyApp is a regular iOS app. However, the application does not do anything. It has almost no code associated with it other than standard iOS app runtime code. This could potentially be another testing app, but we're unable to determine its exact use. This app is non-malicious.\r\nTechwach C2 server\r\nThe malicious code within Telegram and WhatsApp sent collected data to the server techwach[.]com. The server has been active since August 2015. Initially, the username used on the server was arnoldrex. Subsequently, this was changed to chernobog (referencing a Slavic deity).\r\nConclusion\r\nThis investigation shows us that this attack targeted a very limited number (13) of users of iPhone devices in India. At this time, it is unclear who the targets of the campaign were, who the perpetrator was, or what the exact purpose was. It's very likely the vector for this campaign was simply social engineering, in other words asking the user to click \"ok\". This type of vector is very difficult to defend against since users can often be tricked into acting against their best interests. 
This is another important reminder that users must think twice before clicking on unsolicited links or requests, and that users should verify the credentials of anyone making unsolicited calls requesting they take action on their devices.\r\nThe attackers installed an open-source MDM and used it to deploy malicious code into secure chat applications such as Telegram and WhatsApp to surreptitiously retrieve messages/chats, photos and the user's location from the victim's phone. Over a three-year period, the attackers remained under the radar, likely due to the low number of compromised devices. All the technical details point to an actor based in the same country as the victims: India. The attacker tried to mimic Russian hackers by using mail.ru email addresses. However, we found testing devices enrolled on the MDM with an Indian phone number and registered on an Indian provider.\r\nOnce an attacker has physical access to a phone, malicious activity becomes much easier. 
The fact that the attacker was also able to get devices onto their own malicious MDM shows that the attacker was motivated not only to obtain initial access but also to maintain persistence across the devices.\r\nCoverage\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.\r\nIOCs\r\niOS Applications (SHA256):\r\n329e025866bc6e88184af0b633eb3334b2e8b1c0817437c03fcd922987c5cf04 AppsSLoader.ipa\r\naef046b67871076d507019cd87afdaeef602d1d2924b434ec1c165097b781242 MyApp.ipa\r\n4be31095e5f010cc71cf8961f8fe3fc3ed27f8d8788124888a1e90cb90b2bef1 PrayTime.ipa\r\n624689a1fd67891be1399811d6008524a506e7e0b262f549f5aa16a119369aef Telegram.ipa\r\ne3872bb33d8a4629846539eb859340940d14fdcf5b1c002b57c7dfe2adf52f08 Wplus.ipa\r\nMDM Domains:\r\nios-certificate-update[.]com\r\nwww[.]wpitcher[.]com\r\nC2 Domains:\r\nvoguextra[.]com\r\ntechwach[.]com\r\nAdvertising Domain:\r\nvoguextra[.]com\r\nSource: https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html"
	],
	"report_names": [
		"Mobile-Malware-Campaign-uses-Malicious-MDM.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434016,
	"ts_updated_at": 1775791300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8bf142b0c9b91c69529884cc5600c5e6e513b550.pdf",
		"text": "https://archive.orkl.eu/8bf142b0c9b91c69529884cc5600c5e6e513b550.txt",
		"img": "https://archive.orkl.eu/8bf142b0c9b91c69529884cc5600c5e6e513b550.jpg"
	}
}