Hacking Team

Hacking Team is a company that "sells offensive intrusion and surveillance capabilities to governments and law enforcement agencies", including iOS spyware tools. The iOS spyware tools appear designed for targeting/attacking specific people, not for broad surveillance of the public.

Remote Control System tool (requires jailbreak)
In June 2014, security researchers published details about Hacking Team's iOS spyware tool, discovered via reverse engineering it. This research got confirmed in July 2015 by a data breach that revealed Hacking Team's internal documentation and pricing for this tool and related tools. (This was big news because the documents also had evidence that Hacking Team sold these tools to repressive governments.)

The revealed "Remote Control System" documentation includes on page 7 a description of the iOS tool: it requires a jailbreak, it's compatible with iOS 4-8.1, and it provides monitoring of chat (Skype, WhatsApp, and Viber), location, contacts, and list of calls. It costs about $55,000, purchased in conjunction with supporting tools and services.

Context for that tool is that other spyware tools for jailbroken iOS also exist - for example, there is a MSpy spyware tool distributed via the BigBoss repository, which consumers can buy for $10-15 dollars a month. With MSpy and other consumer-level spyware tools (there are several for iOS), you have to physically arrange for your target's phone to be jailbroken and then somebody has to manually install the tool.

Hacking Team tools for jailbreaking devices
Hacking Team's spyware tool also relies on a device being jailbroken with a publicly-available jailbreak tool (or perhaps a custom tool built on top of a publicly-available jailbreak). Using public tools means that they have some of the same limitations as consumers: jailbreaking iOS 6-8 requires that the device passcode is disabled during the jailbreaking process, and recent jailbreaks also require that Find My iPhone is turned off.

Hacking Team has other pieces of malware for OS X and iOS that they may be able to combine to ease the process of jailbreaking the device and installing the spyware, probably with the help of their expertise in spearphishing attacks and other kinds of social engineering attacks. This Wired article about last year's security research explains a way that could happen:

"'The iOS spy module works only on jailbroken iPhones, but agents can simply run a jailbreaking tool and then install the spyware. The only thing protecting a user from a surreptitious jailbreak is enabling a password on the device. But if the device is connected to a computer infected with Da Vinci or Galileo software and the user unlocks the device with a password, the malware on the computer can surreptitiously jailbreak the phone to install the spy tool.'"

Will Strafach (User:ChronicDev) said on Twitter that there is no evidence for Hacking Team being able to jailbreak without physical access:
 * "condensed summary of avoiding HackingTeam malware: 1. always use latest iOS version 2. if you jailbreak, don't use AFC2, set strong SSH pw"
 * "the funny part is, jailbreaking neuters other aspects of security that someone like HackingTeam could take advantage of. but they do not."
 * "reason HT does not take advantage of smarter tricks is that they do not target jailbreakers, rather, they use jailbreaks on vuln devices"
 * "this is all quite easy to find in their docs, it baffles me to see "don't jailbreak" as the solution. it is not _at all_ the solution."
 * "they are very clear that their client is meant to jailbreak the device of the victim. meaning they need physical access to your iOS device."
 * "some say HackingTeam could use malware to infect your computer to silently deploy the jailbreak, but there is zero proof of that in dump."

i0n1c also said on Twitter that physical access seems required:
 * "Every time a HT / FF leak is in the press people "re-discover" that their iOS implants require physical access to apply a jailbreak first."
 * "yes it is long known that public jailbreaks get used to infect iOS devices instead of 0-day jailbreaks by HT and friends."
 * "it seems iOS 0-day is too expensive (or unreachable) so they repurpose public JB. e.g. patch to install other packages."

Newsstand keylogger tool (doesn't require jailbreak)
This MacWorld article reports that Hacking Team also has spyware that doesn't require a jailbreak, via misuse of developer certificates:

"'Researchers have also found so far that Hacking Team has a legitimate Apple enterprise signing certificate, which is used to create software that can be installed by employees of a company who also accept or have installed a profile that allows use of apps signed by the certificate. It was shown last November that an enterprise certificate combined with a jailbroken iOS device could be used to bypass iOS protections on installing apps. Further, Hacking Team had developed a malicious Newsstand app that could capture keystrokes and install its monitoring software.'"

Discussion
More commentary from Will Strafach (User:ChronicDev):
 * "the HackingTeam iOS malware is far more lame than it could have been. they don't even seem to know they could bypass Location permissions."
 * "I am not sure why people are laughing at HackingTeam statement of bad actors now being able to use their spy malware. they are not wrong."
 * infecting an already jail broken device silently is apparently worth $18mm. wow. https://wikileaks.org/hackingteam/emails/emailid/21089"
 * "apparently HackingTeam brought up using greenpois0n to infect devices when we open sourced it. looks like they couldn't even implement it."