Emergency iOS Update Patches Zero Days Used by Government Spyware

Apple rushed an emergency iOS update that patches three zero days being exploited in spyware sold to oppressive governments to monitor human rights activists and journalists.

Apple rushed an emergency iOS update today after the discovery of three zero-day vulnerabilities used by governments to spy on the activities of human rights activists and journalists.

The zero days, called Trident, allow an attacker to take complete control of an iPhone or iPad with just one click. Trident’s three separate zero-days create an attack chain that can compromise even Apple’s latest model iOS devices.

The zero days were privately disclosed to Apple by Citizen Lab, which is based at the Munk School of Global Affairs at the University of Toronto, and by mobile security company Lookout. Users are urged to update iOS devices to version 9.3.5.

“This is a serious vulnerability. It is designed to work silently and remotely so that all a user has to do is click a link and the exploits happen, and the device becomes jailbroken and the malware is installed,” said Andrew Blaich a security researcher at Lookout. “The user has no indication that anything has gone wrong on their device.”

The zero-days were sold by a controversial software company in Israel called the NSO Group, according to Citizen Lab. That company brands its surveillance mobile spyware as Pegasus, and sells it to governments and third parties who use it to spy on what they consider high-value targets, Citizen Lab said.

Citizen Lab was notified of Pegasus on Aug. 10 by Ahmed Mansoor, a human rights activist from the United Arab Emirates, who contacted the organization about a strange text message sent to his iPhone from an unrecognized phone number.

The message contained a link to an unknown website and was accompanied by a message that urged him to click a link to learn “new secrets” about detainees tortured in UAE jails. Instead of clicking the link, Mansoor forwarded the link to Citizen Lab. Bill Marczak and John Scott-Railton, senior researchers at Citizen Lab, recognized the link as connected to a network of domains that were believed to be part of an exploit infrastructure provided by the NSO Group.

“We immediately recognized this domain as part of a network of previous attacks we had looked at,” said Scott-Railton. “Hoping the network was still live and ready to serve and exploit, we visited it on an iPhone and we were able to get a successful infection.”

Citizen Lab was not able to determine the extent of past or present infections with Pegasus. However, it was able to determine that Mansoor was not the only one infected; Mexican journalist Rafael Cabrera had also been targeted. Citizen Lab published a report on Thursday outlining its discovery.

“This shows that some governments are willing to spend huge amounts of money to get into the minds and private communications of people who are in this sort of position,” said Scott-Railton in an interview with Threatpost. “This research shows the power of independent organizations like Citizen Lab doing work with dissidents and other groups that don’t have the resources and money to pay for enterprise-grade security. Just because they can’t defend themselves against it, doesn’t mean they won’t be targets of sophisticated malware. Going forward we expect so see more attacks of this type,” he said.

Lookout said Pegasus is the most sophisticated attack it has seen on any endpoint. According to a Lookout report:

“Pegasus is professionally developed and highly advanced in its use of zero-day vulnerabilities, code obfuscation, and encryption. It uses sophisticated function hooking to subvert OS- and application-layer security in voice/audio calls and apps including Gmail, Facebook, WhatsApp, Facetime, Viber, WeChat, Telegram, Apple’s built-in messaging and email apps, and others. It steals the victim’s contact list and GPS location, as well as personal, Wi-Fi, and router passwords stored on the device.”

According to a technical analysis of the malware by Lookout, the first zero day (CVE-2016-4655), was a memory corruption vulnerability in Apple’s mobile web browser WebKit.

Courtesy of Lookout

Image: Courtesy Lookout

The second (CVE-2016-4656) is a kernel base mapping vulnerability that leaks information to the attacker that allows him to calculate the kernel memory, according to Lookout. The third (CVE-2016-4657) is a kernel memory corruption that leads to the jailbreaking of the device. Lookout said these are 32- and 64-bit iOS kernel-level vulnerabilities that allow the attacker to silently jailbreak the device and, in this case, install surveillance software.

“The attack sequence begins with a simple phishing scheme: send a text (or Twitter or other type of) message with a benign-looking URL, user clicks on link, open web browser, load page, exploit a browser or operating system vulnerability, install software to gather information and to ensure that the software stays installed on the device (persistence),” wrote Lookout.

The Pegasus spyware can spy on phone calls, call logs, SMS messages and can turn on the phone’s microphone, speaker and camera. “Access to this content could be used to gain further access into other accounts owned by the target, such as banking, email, and other services he/she may use on or off the device,” Lookout wrote.

Lookout’s Blaich said he believes variants of Trident have been in use for years going back to iOS 7 released in 2013.

“NSO Group reportedly has hundreds of employees and makes millions of dollars in annual revenue, effectively as a cyber arms dealer, from the sale of its sophisticated mobile attack software. NSO is only one example of this type of cyber mercenary: we know that it is not the only one,” wrote Lookout.

Suggested articles