Security news that informs and inspires

Meta: Bitter APT Espionage Attack Leveraged Apple’s TestFlight Service


Meta has cracked down on a cyber espionage operation where attackers convinced victims to download an iOS chat application via Apple’s legitimate TestFlight service, which is meant to help developers beta-test new applications.

The attackers, which Meta attributed to the known Bitter APT, operate out of South Asia and targeted victims in New Zealand, India, Pakistan and the UK with various social engineering tactics on social media platforms like Facebook with the end goal of deploying malware on their devices. Researchers with Meta said that they don’t have any visibility into whether the unnamed chat app sent by attackers contained malicious code, but they did assess that it may have been used for further social engineering on an attacker-controlled chat medium. The use of real Apple services could aid attackers in bypassing detection and helping them to appear more legitimate, they said.

“This meant that hackers didn't need to rely on exploits to deliver custom malware to targets and could utilize official Apple services to distribute the app in an effort to make it appear more legitimate, as long as they convinced people to download Apple TestFlight and tricked them into installing their chat application,” according to Meta in its Quarterly Adversarial Threat Report, released Thursday.

The Bitter APT group, which has been active since 2013, has previously targeted the energy, engineering and government sectors with RATs that were spread via spear-phishing emails or by the exploitation of known flaws. In 2021, for instance, researchers found the group exploiting a zero-day privilege escalation flaw (CVE-2021-1732) in the Windows 10 operating system. In this most recent campaign, the attackers set up social media accounts pretending to be journalists or activists and persuading targets to click on malicious links or download malware. Researchers noted that the group “typically invested time and effort in establishing connections with its targets through various channels, including email.”

TestFlight, currently owned by Apple, is only offered to developers within the iOS Developer Program, who can use it to test iOS, iPadOS, watchOS and tvOS apps before they are released to the App Store. The service has previously been abused by attackers, with Sophos researchers in March highlighting an extension of the CryptoRom campaign where attackers targeted iPhone users by deploying fake apps via TestFlight in order to swindle victims out of bitcoin. According to Sophos researchers, attackers abused the service in order to slip by the App Store’s security screening. Up to 10,000 people can be invited to test apps via email or by sharing a public link, and up to 100 testers can support smaller internal applications; and while TestFlight apps shared via public web links must undergo a review of code builds by the App Store, the smaller email-based distribution approach does not require such a security review by the App Store, they said.

Meta took down the accounts linked to these attacks, blocked their domain infrastructure from being shared on its social media services and notified targeted victims. Meta said it also has notified Apple about attackers leveraging TestFlight, but does not have further insight into any subsequent steps that Apple took after it was notified. Apple did not respond to a request for comment.

The company found Bitter APT also using a variety of other tactics to target victims with malware, leveraging a mix of link-shortening services, compromised websites and third-party hosting providers. In one case, researchers found the APT using a new custom Android malware family, which they called Dracarys. In a technique similar to many other Android malware families, Dracarys abused Android operating system accessibility services - a legitimate feature that grants apps certain permissions in order to help users with disabilities - in order to access sensitive data like text messages.

“Bitter injected Dracarys into trojanized (non-official) versions of YouTube, Signal, Telegram, WhatsApp, and custom chat applications capable of accessing call logs, contacts, files, text messages, geolocation, device information, taking photos, enabling microphone, and installing apps,” according to Meta. “While the malware functionality is fairly standard, as of this writing, malware and its supporting infrastructure has not been detected by existing public anti-virus systems.”

Meta also uncovered a campaign by the Pakistan-linked APT36 targeting military personnel, government officials and human rights organization employees in Afghanistan, India, Pakistan, UAE and Saudi Arabia. The attackers posed as recruiters for both legitimate and fake companies as well as military personnel in order to target victims, and shared malicious links to attacker-controlled sites where they hosted malware. In several cases the malware used was XploitSPY, a commodity Android malware available on GitHub. Researchers said APT36’s campaign points to a broader trend of espionage groups using low-cost, off-the-shelf malicious tooling, rather than investing in developing their own tooling.

“This is notable for two reasons,” Nathaniel Gleicher, head of Security Policy with Meta said on a Thursday press call. “First, it democratizes access to these tools. More bad actors can use them, more bad actors will engage in cyber espionage, the barrier to entry is lower. Second, because these tools are commoditized - there are many, many off-the-shelf malware systems that someone can leverage - it means sophisticated threat actors can hide in the noise, making it harder to tell who is doing what and why.”

Both campaigns were uncovered as part of Meta’s efforts to remove malicious and inauthentic behavior from its platforms, with the company regularly cracking down on disinformation and cyber espionage operations, such as malicious activity by two Iranian threat groups that was disclosed in April.