Watch Out Apple: North Korean Hackers Are Now Developing iPhone Spy Tools

05/14/2018


Probing the bowels of what he believed to be North Korean hacking architecture, American cybersecurity researcher Darien Huss found an outlier: iPhone software. It appeared at first glance to be a fairly mundane program, a mobile device management (MDM) tool. Such apps are typically used by businesses to remotely monitor and control employees' phones. But, according to Huss, it's most likely one of the only examples, if not the only example, of North Korean spyware for Apple's smartphone.


It's unlikely the MDM app was anything other than malicious, said Huss, an employee of cybersecurity company Proofpoint. Tellingly, it was located on a server believed to contain other hacking tools, in particular those for Microsoft Windows, that he'd linked to one of the bigger North Korean hacking groups, the researcher explained to Forbes.


If the iPhone tool is indeed a piece of spyware, Huss hasn't seen it used yet. He believes it's currently in development by that North Korean-linked hacker crew, though Proofpoint declined to provide additional details on his research.


"It's something to keep an eye on. I believe they're a huge group and if you think of them like a company they have development cycles," Huss added. "They assemble things internally and then at some point you need to deploy it... I think that's where we've caught them, in the testing phase."


There's one obvious limitation to the apparent malware: it would require an iPhone to be jailbroken before it could be installed. But once it's on the device, a malicious MDM can do a lot, allowing a remote hacker to pilfer location data, monitor phone calls and harvest call logs, amongst other surreptitious actions. Apple didn't respond to a request for comment on this article.


Huss said it's not entirely clear who developed the tool. "It seems like they may have purchased it from a development company, not developed in house," he added.


The link back to North Korean hackers resides in the other malware sitting on the same server as the Apple-targeting software, Huss said. These included Windows implants with custom code that contained significant similarities to malware used in a previous attack on South Korea, he noted.


"We're fairly certain it's a group that's linked to North Korea because there is some very convincing code overlap. That's one of the only pieces of evidence that we have pointing to them, but it would take very, very insider knowledge of this old implant to be able to recreate this overlap," Huss added.


North Korea attacks Android too

Whilst iPhones might be an attractive target for North Korea, it appears Androids are even more so. Cybersecurity company McAfee has detailed recent attacks on devices running the Google operating system by the so-called Lazarus group, linked to the Sony Pictures mega-breach of 2014, which the U.S. pinned on North Korea. In November, McAfee found an evil app that copied a legitimate one found on Google Play for reading the Bible in Korean. Spread via unknown means, it turned out to have hidden, malicious intent: providing backdoor access to the infected phone.


In January this year, McAfee said it had found Android malware sent via phishing attacks on Facebook and chat app KakaoTalk. Targets including journalists and North Korean defectors were sent links encouraging them to download two separate apps, one called Pray for North Korea, the other dubbed BloodAssistant, a health care app. Both would siphon off information including SMS messages and contacts, amongst other data, before passing them back to a hacker crew. McAfee said it couldn't determine the origin of the hackers, however, and did not link them to any North Korean crew, even if the targets gave some indication.


Attacks not slowing despite Korean deal

It may be that North Korea slows its assault on the outside world, in particular on South Korea and the U.S., following Kim Jong Un's sudden shift to peaceful negotiations in recent weeks.


Whilst Huss said it was too early to tell if there will be any change in North Korea's online behavior, he said there hadn't been any obvious abatement in attacks yet. "I have seen some activity since then so I know they haven’t just abruptly stopped," he added.


Source: Forbes
