A fake version of WhatsApp for iPhone users was reportedly used to gather information from targeted users. The users were tricked into installing configuration files or Mobile Device Management (MDM) profiles, which were then used to push potential malware.
According to a report by Citizen Lab, a cybersecurity research lab at the University of Toronto that worked in collaboration with Motherboard, a specific domain, config5-dati[.]com, and an IP address related to the attacks were registered to an Italian company called Cy4Gate.
A Cy4Gate spokesperson, however, said in a statement to Motherboard that the config domains are not attributable to the company. The check3[.]it domain that Motherboard discovered did belong to Cy4Gate, the spokesperson said.
“We strongly oppose abuse from spyware companies, regardless of their clientele. Modifying WhatsApp to harm others violates our terms of service. We have and will continue to take action against such abuse, including in court,” a WhatsApp spokesperson told Motherboard.
The page for the fake iOS WhatsApp version, which is unavailable as of now, was made to look like an official WhatsApp site, complete with logos and branding matching that of the messaging app. It also listed steps to install the app. Users had to install a configuration file via the system settings menu on their iPhone, which is itself a warning sign, since apps are meant to be installed directly from the App Store.
Security company ZecOps revealed in a tweet last week that Apple patched two vulnerabilities in iOS that may have been exploited, including one that a malicious application may be able to use to elevate privileges.
And in iOS world: iOS 14.4 patched two vulnerabilities that may have been exploited in the wild: Including both WebKit, and Kernel: hinting that they might have been used in 1-click attacks. To protect yourself: we advise to update to the latest iOS version. pic.twitter.com/4gFl63FdUK
— ZecOps (@ZecOps) January 26, 2021
“To help keep chats safe, we recommend that people download WhatsApp from the app store for their phone’s platform. In addition, we may temporarily ban people using modified WhatsApp clients we detect to help encourage people to download WhatsApp from an authoritative source,” the WhatsApp spokesperson added.
For users who did install the fake version of the messaging app, it was used to send information back to the attackers, such as the Unique Device Identifier (UDID), the unique ID Apple assigns to each iOS device, and the International Mobile Equipment Identity (IMEI). Citizen Lab researcher Bill Marczak suggests that the attack was targeted and did not look like an attempt by the hackers to spread it widely. However, it remains unclear who was being targeted with the spyware.
“Citizen Lab researchers said they could not gather data on the next stage of the attack, meaning it is unclear exactly what other data the hackers would have been able to exfiltrate from a target device,” Motherboard reported.