Despite reports that iOS devices must be jailbroken before compromise, researchers found other ways to install the spyware.
Despite reports that iOS devices must be jailbroken before compromise, researchers found other ways to install the spyware.

A mobile security firm warned that spyware, sold by Italian company Hacking Team, can be installed on any iOS device, whether jailbroken or not.  

While previous research showed that Hacking Team's surveillance software, called RCS, was designed to work on jailbroken Apple devices, the recent hack and subsequent leak of Hacking Team's proprietary information allowed researchers at Lookout to delve further into the spyware's capabilities.

Of note, Lookout detailed Friday how, as recently as last week, Hacking Team “possessed an Apple enterprise certificate, which allows apps signed with that certificate to be installed on any iOS device,” the blog post said.

Luckily, Apple revoked the certificate, but not before the Hacking Team used it to slip RCS into an iPhone device's pre-installed Newsstand app. The spyware installed itself as a newspaper in Newsstand "with an invisible icon and a blank app name." It then asked for permissions, like accessing the user's contacts, location and calendar, Lookout explained in its blog. While the process required the user to “trust” the app before running it on the device (since it was not from the official App Store), “recent research states that people are getting increasingly conditioned to ignore these security warnings,” Lookout noted.

The firm also explained that apps from outside the official App Store can be downloaded on non-jailbroken devices via "sideloading."

“Through apps signed by enterprise or developer certificates, iOS users can get apps installed on their devices to circumvent the fundamental security measures Apple has built into the App Store,” the blog post said. Therefore, Hacking Team can push spyware to unsuspecting iOS users through an OS X app that “sideloads an iOS app automatically to a device when it's plugged in via USB” – or simply by getting users to click a malicious link on their mobile device which leads them to the spyware.

Of RCS' capabilities, Lookout highlighted that the new insight, “opens up the pool of potential victims way beyond the roughly 8 percent of people globally who have jailbroken their devices.”

Furthermore, security researchers warned users last June that the Galileo variant of Remote Control System (RCS), in particular, was capable of targeting all major mobile platforms: Android, Windows Phone, BlackBerry and iOS – though the spyware was found to work on only jailbroken Apple devices, at the time.

Despite concerns about the company's business practices, including selling its software to Ethiopia and Russia's governments, Hacking Team's Chief Operating Officer David Vincenzetti maintained in a Monday statement published by journalist Matthew Keys, that “the lawful surveillance system that Hacking Team has provided to law enforcement for more than a decade is critical to the work of preventing and investigating crime and terrorism.”

Vincenzetti later added that the company's “top priority," following its breach, has been to update its software RCS so customers can “quickly secure their current surveillance infrastructure.”

“We expect to deliver this update immediately. This update will secure once again the ‘Galileo' version of Remote Control System,” he said.