The iOS 9.3.5 patch was released yesterday by Apple to fix what the company calls “important security issues”. According to reports from Lookout and Citizen Lab, these “issues” are three iOS zero-days used to spy on political dissidents all over the world.
The two security companies believe that the zero-days are part of the Pegasus software suite. The suite was created by the Israel-based firm NSO Group and sold to governments around the world, which used it against targets of interest.
Even though Pegasus is described as surveillance software developed for law enforcement agencies, it is no different from the spyware sold on underground cybercrime markets and used by crooks for malicious purposes.
NSO's Pegasus has been around for many years now, but more popular and powerful rivals have always overshadowed it, for instance Hacking Team, which develops and sells the RCS surveillance package, or Gamma Group with its FinFisher product.
Apple released a fix yesterday to address the Pegasus features that allowed it to spy on iOS users without their knowledge. Powered by three zero-days, these features let attackers take over an iOS device by tricking the user into loading a malicious webpage.
Once the zero-day exploit code executes on the targeted device, the attacker can use the Pegasus software to gain complete control over it. According to Lookout, they could listen in on conversations via the microphone, track the user's location, exfiltrate data, follow IM conversations, and more.
“Pegasus is the most sophisticated attack we’ve seen on any endpoint because it takes advantage of how integrated mobile devices are in our lives and the combination of features only available on mobile,” the Lookout team explains.
Moreover, a deeper analysis of Pegasus produced a concerning discovery: researchers found traces of a kernel mapping table containing values that target earlier iOS versions, going as far back as iOS 7. This means the spyware was active under the radar for years before finally being detected a month ago.
One of Pegasus's main victims was Ahmed Mansoor, a human rights activist from the United Arab Emirates (UAE). He was the one who suspected something was wrong, which led to the discovery of the three zero-days.
Mansoor is considered one of the most spied-on activists in the world. As he had previously been targeted by both RCS spyware and FinFisher, it didn’t take him long to recognize a phishing lure sent to him via SMS, promising new details about torture practices in the UAE.
He immediately informed Citizen Lab, the Canadian interdisciplinary research laboratory that specializes in investigating political cyber-espionage. Citizen Lab brought Lookout into the investigation to analyze the technical side of the attack. Lookout found the three zero-days, and Citizen Lab established the connection between them and NSO Group's Pegasus software.
Citizen Lab also uncovered Pegasus's export licenses for several governments. Pegasus was then linked to other attacks, including one against a Mexican journalist who uncovered corruption by Mexico’s President, and a couple of attacks in Kenya whose targets are unknown.
“While these spyware tools are developed in democracies, they continue to be sold to countries with notorious records of abusive targeting of human rights defenders,” the Citizen Lab team says. “Such sales occur despite the existence of applicable export controls.”