‘Operation Pawn Storm’ espionage campaign infecting iOS devices

“Operation Pawn Storm,” an espionage campaign initially profiled in October, has a new tactic for spying on targets' communications - installing spyware on acquaintances' iOS devices.

This new dimension of the campaign particularly focuses on infecting the devices of immediate connections of military, government, defense industry, and media professionals, Trend Micro researchers found. These intimate acquaintances serve as “pawns” in the campaign that allow the attackers to eavesdrop on their actual targets.

The logic behind this, explained Jon Clay, senior manager of global threat communications at Trend Micro, in an interview, is that these personal connections will eventually be in the same room as the intended targets, or will exchange text messages with them, giving the attackers the intelligence they are after.

“What we are suspicious of is that they (the attackers) are looking to start recording conversations because these people have sidebar conversations regularly,” Clay said. “(They're having) off-the-record conversations, and the attackers are probably looking for intelligence in those conversations.”

An infection begins with a phishing email, typically built around an event the recipient might be interested in attending. A link in the email directs the victim to a webpage with instructions to install an app. If the link is followed and the app installed, the malicious app runs silently in the background, capturing text messages, contact lists, pictures and geolocation data.

The phishing email and code are both written in English, indicating a clear preference for English-speaking targets, Clay said.

Trend Micro identified two different apps, “XAgent” and “MadCap.” On iOS 7 devices, XAgent's app icon remains hidden and the app restarts immediately if it is terminated by killing its process. On iOS 8, however, the app's icon is visible and it does not restart automatically. MadCap is similar to XAgent but differs in that it can only be installed on jailbroken devices.

The attackers haven't been identified yet, although Clay said Trend Micro was continuing to collect intelligence.

“Certainly we're going to see this group be active in this particular campaign,” Clay said. “It seems to be pretty effective for them.”

Until the attackers have been identified and stopped, Clay suggested installing security apps on phones to ensure hidden apps are not running in the background.
