Malware is rampant on the Google Play store and is something that Google is trying to get a handle on. Apple has much less of an issue with malware on its App Store because it forces a review process for every app that wants to be distributed on the app store. That doesn't mean that malware and nefarious apps can't make their way through.
Mobile security firm Lookout says that a developer has been able to abuse Apple-issued security certificates to bypass the App Store and target Apple devices.
The app hid as a carrier assistance app, and once it was installed, it has wide-ranging permissions that allow it to silently capture the compromised device contacts, audio recordings, photos, videos, and other information about the user. Most distressingly is that the nefarious app could be triggered remotely and listen in on conversations. The app was served via fake websites that claimed to be known cellular carriers in Italy and Turkmenistan, the maker of the app has been linked to the same people behind the Android app called Exodus developed by Connexxa. That app has been in use by Italian authorities according to reports.
The Exodus Android app had a larger feature set and expanded spying capability once an additional exploit was downloaded that gave root access to the device. At that point, the Android app had nearly complete access to device data, emails, cellular data, WiFi passwords and more. The fear is that the iOS app might be able to gain additional permissions in the same way.
According to Lookout, both the iOS and Android apps use the same backend infrastructure with the iOS app taking advantage of techniques like certificate pinning to make it hard to analyze the network traffic. One key difference between the two nefarious apps is that the Android version was downloadable via Google Play; the iOS version isn't widely distributed. However, since Connexxa signed the app with an enterprise certificate issued by Apple; the app can bypass Apple's security checks.