
Dangerous, targeted iPhone attack nullified by Apple with iOS 9.3.5 patch

More details have emerged about the need for the iOS 9.3.5 patch, which looks to have terminated a trio of exploits capable of a remote jailbreak and mass exfiltration of data from a target's iPhone, including device and account passwords.

A chain of events that started with a targeted attack on an activist's phone has led to the discovery of the assault package, delivered through a link embedded in an SMS message. According to Motherboard, unwary recipients who clicked on the link would be subject to a silent, three-pronged attack that would result in all of the target's communication data being pilfered by the attackers.

The company blamed for the spyware and iOS malware delivery vector appears to be Israeli company NSO. The package, named "Pegasus," was crafted solely to infect an iPhone and exfiltrate all of the target's communications to a remote monitor.

The target of the attack was suspicious, and forwarded the information to digital rights monitor Citizen Lab, as well as mobile security company Lookout.

"It basically steals all the information on your phone, it intercepts every call, it intercepts every text message, it steals all the emails, the contacts, the FaceTime calls," said Lookout's Vice President of Research Mike Murray. "It steals all the information in the Gmail app, all the Facebook messages, all the Facebook information, your Facebook contacts, everything from Skype, WhatsApp, Viber, WeChat, Telegram— you name it."

The malware performs multiple tasks remotely with a single click. After the target clicks on the link with the "Pegasus" package, the iPhone is jailbroken, and the monitoring and data theft suites are installed.

Three zero-day vulnerabilities were discovered as a result of the misfired attack. The first is a vulnerability in Safari's WebKit engine that allows the attacker to compromise the device if a user clicks on a link.

The WebKit flaw, coupled with a kernel information leak and a kernel memory corruption issue that could lead to a jailbreak, allowed the entire attack chain to be carried out against the discoverer and one additional activist in Mexico.

Lookout claims that the payload delivered by "Pegasus" allows the attackers to access passwords, messages, calls, emails, and logs from apps including Gmail, Facebook, Skype, WhatsApp, Viber, FaceTime, Calendar, Line, Mail.Ru, WeChat, SS, Tango, amongst others.

Leaked NSO materials demonstrate what material can be stolen from a compromised phone.

Besides stealing stored data, the malware also continuously updates GPS location and sends it to the command and control server, loads the iOS Keychain and dumps all of the victim's data from it, steals credentials for every Wi-Fi network the user has connected to, grabs stored Apple router passwords, intercepts phone calls in real time, and intercepts WhatsApp messages and calls before they are encrypted.

A compromised phone can also be used as a remotely actuated audio and video recorder.

The overall "Pegasus" package is not iOS exclusive, and can exploit flaws in Android and BlackBerry as well. It appears that the attacker must know which platform the targeted user is running in order to aim the attack, and must develop a server-side payload delivery and data receptacle suited to that device.

Based on indicators in the code, the spyware's iOS variant is capable of infecting devices running iOS 7 or later. Subsequent iOS updates on devices already afflicted by the malware appear to have no effect on existing installations.

Citizen Lab and Lookout informed Apple of the vulnerabilities on August 15. Today's iOS 9.3.5 patch blocks the attack. Despite the severity of the attack, Lookout believes the vast majority of users will not be impacted by Pegasus at all given the "sophisticated, targeted nature" of the attack.

"Dissidents, activists — these are kind of the people on the front-lines of what is to come for all of us tomorrow, these guys are sort of the canaries in the coal mine," Citizen Lab researcher Bill Marczak said. "The threats that they are facing today are threats that perhaps ordinary users will face tomorrow."
36 Comments

Soli 9 Years · 9981 comments

I'm reading that this is the first time this sort of access has been done on an iPhone, but I recall JailbreakMe from 2011 allowing for a jailbreak by simply going to a webpage. What am I missing?

  • https://en.wikipedia.org/wiki/JailbreakMe

Mike Wuerthele 8 Years · 6906 comments

JailbreakMe was just a jailbreak, had to be executed willingly by the user, and wasn't silent.

It didn't take two more steps and compromise all your passwords and data on the phone at the same time.

jdgarvin50 13 Years · 51 comments

Soli said:
I'm reading that this is the first time this sort of access has been done on an iPhone, but I recall JailbreakMe from 2011 allowing for a jailbreak by simply going to a webpage. What am I missing?

  • https://en.wikipedia.org/wiki/JailbreakMe

Well, it's a bit different than me wanting to jailbreak my own device and going to what I think is a legitimate site to accomplish that. I'm a partner to the resulting crime if it's not a legitimate host of JailbreakMe, or if the app has been compromised. This is different in that people are not asking to have their device jailbroken at all.

Soli 9 Years · 9981 comments

JailbreakMe was just a jailbreak, had to be executed willingly by the user, and wasn't silent.

I don't understand what point you're trying to make.

It worked by exploiting flaws down to the kernel, right? And it could have been used by the creator for nefarious purposes if they had chosen that route, like sending it as an SMS for someone to open, right? And the Cydia store that was installed had an installation that would fix the PDF exploit, to protect that user from any nefarious access with their exploit, right? So if you could access iOS 1.x–4.x, well before the device was encrypted, why are you suggesting it was impossible for JailbreakMe to steal data?

Soli 9 Years · 9981 comments

Soli said:
I'm reading that this is the first time this sort of access has been done on an iPhone, but I recall JailbreakMe from 2011 allowing for a jailbreak by simply going to a webpage. What am I missing?

  • https://en.wikipedia.org/wiki/JailbreakMe
Well, it's a bit different than me wanting to jailbreak my own device and going to what I think is a legitimate site to accomplish that. I'm a partner to the resulting crime if it's not a legitimate host of JailbreakMe, or if the app has been compromised. This is different in that people are not asking to have their device jailbroken at all.

You're comparing the intent of the hacker, which is irrelevant. I'm wondering what the technical difference is that makes The Verge state, "It's the iPhone's first remote jailbreak exploit."