SecureMac, Inc.

Facebook Finds New iOS Spyware Phenakite

April 26, 2021

The iOS spyware threat Phenakite was discovered by Facebook. In this article: What it is | How it works | What iOS users should know.


Discovery underscores risks of iOS configuration profiles

Facebook security researchers have discovered a new iOS spyware threat which they’re calling “Phenakite”. They believe that the malware was developed by an Advanced Persistent Threat (APT) group in the Middle East. 

Facebook has put a stop to the immediate danger, but Phenakite is still worth discussing for a couple of reasons. For one thing, iOS malware is so rare that it’s always noteworthy when a new variant is discovered! But as we’ll see, Phenakite is significant for another reason as well. It highlights an iOS infection vector that every iPhone user should be aware of.

In this article, we’ll talk about what Phenakite is, how it works, and what iOS users should know.

What is Phenakite iOS spyware?

Phenakite is a spyware suite for iOS. Facebook security teams found it hidden in a trojanized chat app called Magic Smile. They believe that the spyware is the work of Arid Viper, an APT linked to the Palestinian militant organization Hamas.

Here are some of the things that Phenakite can do when fully active:

  • Access photos from the camera roll
  • Take photos with the device’s camera
  • View the user’s contacts
  • Access text messages and WhatsApp media data
  • Record audio with the iPhone’s microphone
  • Access database records and specific files
  • Locate documents and app data
  • View device metadata
  • Direct users to malicious iCloud and Facebook phishing sites

Phenakite is thus able to gather extensive data from a compromised iOS device, and then send it on to servers controlled by the attackers.

How does Phenakite spread?

Facebook’s security teams say that Phenakite used a two-stage approach to installation. (For the technically inclined, the complete threat report is interesting and well worth reading in full.)

The attackers abused iOS configuration profiles for the initial compromise: getting Phenakite onto an iPhone. Configuration profiles are used in enterprise environments to set up employees’ devices; IT departments often use them to provision company-issued devices with custom settings. Configuration profiles can also be used for testing new apps before they reach the App Store.

Arid Viper first targeted specific individuals from rival political groups, the military, and other organizations. Using social engineering tactics, they then tricked their targets into visiting websites that hosted Phenakite. They used third-party development sites as well as their own infrastructure. Victims who went to the sites were shown a prompt to install an iOS configuration profile. If they accepted, this allowed “a device-specific signed version of the [Magic Smile] iOS app to be installed on the device”.

Interestingly, because Arid Viper was using valid Apple Developer certificates, they didn’t have to use a jailbreak to get their custom app onto the targets’ iPhones. As Facebook notes, “This general installation flow is expected and intended for use by developers and enterprises”. 

How Phenakite extends its access

Once on an iPhone, a malicious app is still subject to normal iOS sandboxing restrictions. For this reason, Arid Viper also bundled the Osiris jailbreak and the Sock Port exploit along with Phenakite. This is the second stage of the installation process; the iOS jailbreak and exploit are what give Phenakite such extensive access to a user’s device.

Phenakite, then, can only affect devices that are vulnerable to the aforementioned jailbreak and exploit. To quote Facebook:

Phenakite is capable of using Osiris to jailbreak all 64 bit devices on iOS 11.2 to 11.3.1 and Sock Port to extend this to devices running iOS 10.0 to 12.2 (and potentially 12.4 and greater).

Configuration profiles and iOS security

As we mentioned at the outset, Facebook has already taken action to disrupt the activities of Arid Viper. They’ve taken down the associated social media accounts, blocked access to the domains that were being used to spread the spyware, and tried to alert anyone who they believe was affected by the surveillance campaign.

However, the incident is a great opportunity to review some iOS security fundamentals — especially around the issue of configuration profiles and app safety. Here are four key takeaways that all iPhone users should be aware of:

  1. Bad actors can get developer certificates

    We’ve been conditioned to think of the App Store as a safe place: a “walled garden”. But the fact is that there are millions of people with Apple Developer credentials. These credentials can be bought for a few dollars a month — and they can be stolen. Malicious actors can and do use valid developer accounts to do bad things. While Apple does what it can to revoke the credentials of people who misuse them, they can’t catch everything (concerned iOS developers, for example, have been warning about the proliferation of scam apps in the App Store). In short, don’t assume that a configuration profile or an app is safe just because it’s coming from someone with an Apple Developer ID.

  2. Updates keep you safe

    We’ve said it before, but we can’t overemphasize the importance of regularly updating your software. The case of Phenakite is a perfect example of why this is so essential. True, the bad guys used social engineering to get their spyware onto the targets’ iPhones. But if the victims had been running patched, up-to-date versions of iOS, the Osiris jailbreak and the Sock Port exploit wouldn’t have worked, and Phenakite would have been dead in the water! In other words, the only reason the second stage of the spyware infection went forward was because of out-of-date software. This is why turning on automatic updates is such a crucial step when you’re setting up a new iPhone.

  3. Jailbreaks carry risks

    The debate over iOS jailbreaking is something we’ve discussed before, and it certainly elicits strong opinions. But while Apple has taken steps to stop the phenomenon, iOS jailbreaks still exist, and people still jailbreak their iPhones. We won’t go as far as to say that no one should ever jailbreak an iPhone. But all iOS users should be aware that jailbreaks carry risks. While the jailbreak community itself is interested in research and device customization, public jailbreaks (as in the case of Phenakite) can also be used by bad actors to gain elevated privileges on vulnerable devices. So unless you know exactly what you’re doing, and are comfortable with the risks involved, your best bet is to keep your software up to date … and to steer clear of jailbreaks.

  4. Configuration profiles can be abused

    As Phenakite shows, iOS configuration profiles can be abused by bad actors — and the results can be severe. Keep this in mind. If someone tries to get you to install one on your device, be very, very careful. Of course, there are perfectly legitimate uses for configuration profiles. If your workplace IT group wants you to install one on a company-provided device, that’s totally normal. If your developer friend wants you to install one to help her test a new app, you can be reasonably sure that there’s no ill intent. But you definitely shouldn’t be installing a configuration profile that comes from a link sent to you by an unknown party, or that you just found on some random website! To see if you have a configuration profile installed on your iOS device, go to Settings > General > Profiles & Device Management. If you don’t see anything there, there are no profiles installed on your device. If you do see one, you can delete the profile to remove all settings, apps, and data associated with it.
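To put takeaway 4 into practice on a profile someone has asked you to install, the following added example (not from this article or from Facebook’s report) parses an unsigned .mobileconfig with Python’s standard plistlib and flags payload types that deserve scrutiny before you tap Install. The sample profile, its identifier and its URL are constructed; the payload type names are Apple’s documented ones. Signed profiles are CMS-wrapped and must be unwrapped first (for example with openssl smime), which this example assumes has already been done.

```python
import plistlib

# Payload types worth a second look. A "Profile Service" payload posts device
# attributes such as the UDID to a URL, which is what lets a developer account
# produce a device-specific signed build; root certificates and MDM enrolment
# hand over broad control of the device.
RISKY_PAYLOAD_TYPES = {
    "Profile Service": "collects device attributes (e.g. UDID) and posts them to a URL",
    "com.apple.security.root": "installs a trusted root certificate",
    "com.apple.mdm": "enrols the device in mobile device management",
    "com.apple.webClip.managed": "adds a home-screen web clip pointing at a URL",
}

# Constructed sample: a device-attribute collection profile (not a real campaign file).
SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Profile Service</string>
  <key>PayloadIdentifier</key><string>example.invalid.enroll</string>
  <key>PayloadDisplayName</key><string>Sample Enrollment</string>
  <key>PayloadContent</key>
  <dict>
    <key>URL</key><string>https://example.invalid/enroll</string>
    <key>DeviceAttributes</key>
    <array><string>UDID</string><string>VERSION</string><string>PRODUCT</string></array>
  </dict>
</dict>
</plist>
"""


def audit_profile(data: bytes) -> list:
    """Return one (payload_type, identifier, reason, urls) tuple per risky payload."""
    findings = []

    def walk(payload: dict) -> None:
        ptype = payload.get("PayloadType", "")
        content = payload.get("PayloadContent")
        if ptype in RISKY_PAYLOAD_TYPES:
            urls = [content["URL"]] if isinstance(content, dict) and "URL" in content else []
            findings.append((ptype, payload.get("PayloadIdentifier", "?"),
                             RISKY_PAYLOAD_TYPES[ptype], urls))
        # A top-level "Configuration" profile carries its payloads as an array.
        if isinstance(content, list):
            for sub in content:
                if isinstance(sub, dict):
                    walk(sub)

    walk(plistlib.loads(data))
    return findings


if __name__ == "__main__":
    for ptype, ident, reason, urls in audit_profile(SAMPLE_MOBILECONFIG):
        print(f"{ptype} ({ident}): {reason} {urls}")
```

An empty result means only payload types outside the watch list were found; it does not prove the profile is benign, so the source of the profile still matters.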
