❤ REPORT : active zero-click iMessage exploit in the wild targeting iPhones running the latest software, used against activists and journalists
An explosive report from Amnesty International interpreted device logs to reveal the scope of targeted malware attacks in active use targeting Android and iPhone devices, since July 2014 and as recently as July 2021. Exploited devices can secretly transmit messages and photos stored on the phone, as well as record phone calls and secretly record from the microphone. The attack is sold by Israeli firm NSO Group as ‘Pegasus’.
Whilst the company claims to only sell the spyware software for legit counterterrorism purposes, the report indicates it has actually been used to target human rights activists, lawyers and journalists around the world (as many have long suspected).
Perhaps most alarming for iPhone users, the findings show that there are active exploits against iPhones running the latest iOS 14.6 software, including ones that take advantage of a zero-click vulnerability in iMessage that can install the spyware without any user interaction.
Over the last few years, the Pegasus software has adapted as Apple fixed security bugs with iOS. However, each time, NSO Group has been able to find alternative security bugs to use instead. The lengthy report details several different variants of Pegasus that have been used in the wild.
The records indicate that, in 2019, a bug in Apple Photos allowed malicious actors to gain control of an iPhone perhaps via the iCloud Photo Stream service. After the exploit installs itself, crash reporting is disabled likely to prevent Apple from discovering the exploit too quickly by looking at submitted crash report logs.
Also in 2019, Amnesty says that an iMessage zero-click 0-day was widely used. It appears the hackers create special iCloud accounts to help deliver the infections. In 2020, Amnesty found evidence to suggest that the Apple Music app was now being used as an attack vector.
And fast forwarding to the present day, Amnesty believes Pegasus spyware is currently being delivered using a zero-click iMessage exploit that works against iPhone and iPad devices running iOS 14.6. The exploit also appeared to successfully work against iPhones running iOS 14.3 and iOS 14.4.
Apple significantly rewrote the internal framework that handles iMessage payloads as part of iOS 14, with a new BlastDoor subsystem, however clearly that has not fazed the intruders. It remains unknown whether iOS 14.7 — which will be released to the public this week — or iOS 15 — currently in developer beta — are susceptible to the same zero-click exploit. Perhaps what’s more scary is the fact that NSO Group seems more than able to find and deploy new exploits as soon as Apple patches the current holes, as shown by the five year history of evolving attack vectors reported by Amnesty.
Check out the Amnesty International post for a full detailed breakdown of all the evidence they have published.