“Legal” Spyware: How Pegasus Uses “Zero-Click” iOS Exploits to Spy on Targets
A new report released yesterday gave us an alarming look into how the spyware sold by the Israeli surveillance company NSO Group was involved in targeted attacks against lawyers, journalists, opposition politicians, and activists across the world by different authoritarian governments. While NSO Group has been at the center of many similar reports in the past, the extent to which its Pegasus spyware enables unlawful surveillance and human rights abuses wasn't fully known.
The firm continues to claim Pegasus is only used to "investigate terrorism and crime" without leaving a trace behind. However, the Forensic Methodology Report released over the weekend by over 17 media organizations in 10 countries, with the technical support of Amnesty International's Security Lab, proves otherwise: the Security Lab carried out an in-depth forensic analysis of several devices belonging to human rights defenders and journalists worldwide.
Pegasus malware enables attackers (paying governments in most cases) to infect iPhones and Android devices and extract messages, photos and emails, read the contents of encrypted communication apps like Signal, and even record calls and secretly activate microphones. A leaked list of at least 50,000 phone numbers, selected as "people of interest" by NSO's clients since 2016, has been identified.
The list includes "hundreds of business executives, religious figures, academics, NGO employees, union officials and government officials, including cabinet ministers, presidents and prime ministers," the Guardian's report added. The list also includes the numbers of over 180 journalists, including that of a freelance Mexican reporter, Cecilio Pineda Birto, who was murdered after his killers were able to locate him at a carwash. His phone was never recovered, so forensic analysis cannot fully confirm whether it was infected with Pegasus.
Forensic analysis of a small number of phones whose numbers appeared on the leaked list showed that more than half had traces of Pegasus.
iPhone 12 Pro Max running iOS 14.6 hacked with "zero-click" iMessage exploit to run Pegasus spyware
Focusing on Android and iOS smartphones, the forensic records revealed zero-click attacks that require no interaction from the target. One of the most alarming findings of this report is that even the latest iPhones running the latest iOS versions were successfully exploited.
"Most recently, a successful 'zero-click' attack has been observed exploiting multiple zero-days to attack a fully patched iPhone 12 running iOS 14.6 in July 2021," says the Forensic Methodology Report from Paris-based Forbidden Stories and Amnesty International, which was peer-reviewed by the Citizen Lab.
The forensic analysis found evidence that NSO has been exploiting iMessage vulnerabilities to penetrate even the latest devices running the latest version of iOS. While Apple continues to say that the iPhone is the most secure consumer smartphone on the market, zero-click exploits aren't helping consumer confidence in the product.
While in most cases records are purged by the malware or cleaned after a reboot, one of the traces left behind by Pegasus in one particular case was a set of suspicious redirects recorded in Safari's browsing history, including a redirection to the free247downloads[.]com domain. These redirections don't only happen while the target is using the browser; they also occur when other apps load links.
In one case, when the target was previewing a link shared in his Twitter timeline, the service com.apple.SafariViewService was invoked to load a Safari WebView, and a redirect occurred.
However, browsing redirections aren't the only indicators of compromise, as the report describes various ways to detect possible traces left behind by Pegasus.
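As an added example (not code from the report or from Amnesty's toolkit), the following Python scans constructed Safari-history-style records for the pattern just described: a load triggered from outside Safari itself that is redirected to an indicator domain. The only indicator used is the domain quoted above; the record layout, the second (placeholder) indicator and the Safari bundle id are assumptions.

```python
import re
from typing import Iterable, List, Optional

# Indicator quoted in the report above, written defanged ("[.]"). The second
# entry is a constructed placeholder, not a real Pegasus indicator.
IOC_DOMAINS_DEFANGED = ["free247downloads[.]com", "placeholder-ioc[.]invalid"]

def refang(indicator: str) -> str:
    """Convert a defanged domain ('a[.]b') into a lowercase hostname."""
    return indicator.replace("[.]", ".").strip().lower()

IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

def host_of(url: str) -> str:
    """Extract the hostname from a URL; returns '' if none is present."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", url.strip().lower())
    return m.group(1) if m else ""

def matching_ioc(host: str) -> Optional[str]:
    """Match the host itself or any subdomain of it against the IOC set."""
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None

def scan_history(records: Iterable[dict]) -> List[dict]:
    """Flag visits whose host matches an indicator. Each record is a constructed
    dict: ts, url, redirect_from (URL or None), process (bundle id that loaded
    the page). Redirects and loads from outside Safari proper (e.g. a WebView
    via SafariViewService, as in the case above) are annotated on the alert."""
    alerts = []
    for r in records:
        ioc = matching_ioc(host_of(r["url"]))
        if ioc is None:
            continue
        alerts.append({
            "ts": r["ts"], "url": r["url"], "ioc": ioc,
            "via_redirect": r.get("redirect_from") is not None,
            # assumption: com.apple.mobilesafari is the Safari app's bundle id
            "outside_safari": r.get("process") != "com.apple.mobilesafari",
        })
    return alerts

# Constructed sample history: a previewed link opens in SafariViewService
# and is immediately redirected to the indicator domain.
SAMPLE_HISTORY = [
    {"ts": "2021-06-14T09:12:01Z", "url": "https://www.apple.com/", "redirect_from": None, "process": "com.apple.mobilesafari"},
    {"ts": "2021-06-14T09:15:40Z", "url": "https://news.example/article", "redirect_from": None, "process": "com.apple.SafariViewService"},
    {"ts": "2021-06-14T09:15:41Z", "url": "https://cdn.free247downloads.com/x/", "redirect_from": "https://news.example/article", "process": "com.apple.SafariViewService"},
]

if __name__ == "__main__":
    for alert in scan_history(SAMPLE_HISTORY):
        print(alert)
```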
Malicious links are no longer the attack du jour - evidence of multiple successful zero-click infections in 2021
SMS messages delivering malicious links were NSO Group's tactic of choice for delivering its spyware a few years back. However, that seems to have changed to network injection as an "effective and cost-efficient attack vector for domestic use especially in countries with leverage over mobile operators."
As for non-local targets, iOS vulnerabilities in iMessage and FaceTime are being exploited to attack foreign clients. In one case, Apple Music was also leveraged to deliver Pegasus.
As of right now, Amnesty International believes that "Pegasus is currently being delivered through zero-click exploits which remain functional through the latest available version of iOS at the time of writing (July 2021)." Amnesty has also seen a compromised iPhone XR (June 16, 2021) of an Indian journalist running iOS 14.6, which is the latest version, and an iPhone X (June 14, 2021) of an activist, also running iOS 14.6.
Pegasus has started to hide its traces by avoiding persistence on iOS
Forensic analysis also showed that the spyware has now started to manipulate system databases to hide its traces and impede any research that may look into potential links between a victim and NSO's spyware. As part of this effort, the Pegasus spyware no longer maintains persistence on iOS devices.
While that means it is removed by a reboot, it also shows the confidence NSO has in its attack capabilities to repeatedly and successfully re-target the same client.
Because the 0-clicks they're using appear to be quite reliable, the lack of traditional "persistence" is a feature, not a drawback of the spyware. It makes the spyware more nimble, and prevents recovery of the "good stuff" (i.e., the spyware and exploits) from forensic analysis.
— Bill Marczak (@billmarczak) July 18, 2021
Apple has today released iOS 14.7, likely fixing some of the vulnerabilities in iMessage, FaceTime, WebKit, and other corners of the OS. However, there are fundamental flaws in how user security is currently being discounted by the world's biggest tech companies.
One former Apple employee told the Washington Post that "it was difficult to communicate with security researchers who reported bugs in Apple products because the company's marketing department got in the way."
“Marketing could veto everything,” the person said. “We had a whole bunch of canned replies we would use over and over again. It was incredibly annoying and slowed everything down."
Outside researchers have also been outspoken about the lack of support from Apple as the company restricts access to iOS, making any investigations even more difficult. They have also complained about Apple's lack of communication and smaller bug bounty rewards when compared to other companies.
The company has also significantly lagged in tracking the work of sophisticated attackers like NSO Group, who always seem to be ahead of even the newest iPhones and software versions introduced by Apple.
"For over a decade, Apple has led the industry in security innovation and, as a result, security researchers agree iPhone is the safest, most secure consumer mobile device on the market," Apple said today in response to these revelations. "Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals." The company insists, however, that it's "tirelessly" working to defend all of its customers.
- Amnesty International has published its extensive technical research along with the "Mobile Verification Toolkit" to help identify potential traces of compromise. All indicators of compromise are available on its GitHub. Further reporting by the Guardian.