Security researchers at Google have taken a deep dive into an NSO Group zero-click iMessage exploit, revealing the sinister sophistication of the company's attacks.
NSO Group's spyware rivals that of nation states
According to Google's Project Zero, the ForcedEntry zero-click exploit -- which has been used to target activists and journalists -- is "one of the most technically sophisticated exploits we've ever seen." It also illustrates that NSO Group's capabilities rival those of nation-state actors.
Apple patched the zero-click exploit, designated CVE-2021-30860, in mid-September 2021 in iOS 14.8.
The exploit went beyond so-called one-clicks, which rely on a target tapping a link. Project Zero notes that the initial entry point for the Pegasus software developed by NSO Group is iMessage, Apple's encrypted messaging platform. "This means that a victim can be targeted just using their phone number or AppleID username," the researchers wrote.
Once a message was sent to a target, the exploit relied on the way iMessage accepted and decoded GIF attachments: the image library identified the file format from its contents rather than from the .gif extension, so an attachment named as a GIF but actually containing a PDF was passed to the PDF parser and rendered without any interaction from the user.
More specifically, the vulnerability was in a legacy JBIG2 decoder inside Apple's CoreGraphics PDF parser. JBIG2 is an image-compression codec for scanned documents that de-duplicates repeated glyph shapes through symbol dictionaries; the bug was an integer overflow in the decoder's symbol-dictionary handling, which let a crafted image corrupt memory. Once exploited, it allowed NSO Group customers to completely take over an iPhone.
Signs of the attack's sophistication went beyond the initial memory corruption. According to Project Zero, ForcedEntry used the JBIG2 decoder's bit-level logical operators (AND, OR, XOR, XNOR), applied tens of thousands of times in a single decompression pass, to build a small virtual computer with registers, a 64-bit adder and a comparator, and ran the bootstrap for its sandbox escape on that emulated machine. Nothing in that stage is a conventional script or native payload, which made it even harder to detect.
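To make the bug class concrete, here is an added example, written for this page and not taken from Project Zero, Apple or the Xpdf code base. It models the pattern described above: a symbol count is accumulated in an unsigned 32-bit integer across several referred-to dictionaries, the only overflow check guards the final addition, and the wrapped total is then used to size an allocation that a later copy loop overruns. The `symdict_header` type, the field names and the forged sizes are hypothetical; the hardened variant checks every addition instead of only the last one.

```c
/* Added example: a simplified model of the unsigned-integer-overflow pattern
 * described for the JBIG2 symbol dictionary. This is NOT the Xpdf or
 * CoreGraphics code; the types and field names are invented for illustration. */
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical header of a symbol dictionary segment. */
typedef struct {
    const uint32_t *referred_sizes; /* symbols exported by each referred-to dictionary */
    size_t          n_referred;     /* how many dictionaries this segment refers to */
    uint32_t        num_new_syms;   /* new symbols this dictionary defines itself */
} symdict_header;

/* Constructed attacker-controlled input: two referred dictionaries whose
 * sizes sum past 2^32, plus four new symbols. */
static const uint32_t forged_sizes[] = { 0xFFFFFFF0u, 0x20u };
static const symdict_header forged = { forged_sizes, 2, 4 };

/* Vulnerable accumulation: the running sum wraps modulo 2^32, and the one
 * overflow check only covers the final addition of num_new_syms.
 * Returns the count the parser would allocate for (0 signals an error). */
uint32_t vulnerable_symbol_count(const symdict_header *h) {
    uint32_t num_input_syms = 0;
    for (size_t i = 0; i < h->n_referred; i++)
        num_input_syms += h->referred_sizes[i];          /* unchecked, wraps */
    if (num_input_syms > UINT32_MAX - h->num_new_syms)   /* too late */
        return 0;
    return num_input_syms + h->num_new_syms;
}

/* Number of input symbols the copy loop would actually try to write, computed
 * in 64 bits so it cannot wrap. */
uint64_t true_input_symbols(const symdict_header *h) {
    uint64_t total = 0;
    for (size_t i = 0; i < h->n_referred; i++)
        total += h->referred_sizes[i];
    return total;
}

/* True when the copy loop would write past the allocation the vulnerable
 * count produced, i.e. the out-of-bounds write the exploit relies on. */
bool copy_overruns_allocation(const symdict_header *h) {
    uint32_t allocated = vulnerable_symbol_count(h);
    return allocated != 0 && true_input_symbols(h) > allocated;
}

/* Hardened accumulation: reject the segment on the first addition that would
 * overflow, so the allocation count always matches what gets copied. */
bool hardened_symbol_count(const symdict_header *h, uint32_t *out) {
    uint32_t acc = 0;
    for (size_t i = 0; i < h->n_referred; i++) {
        if (h->referred_sizes[i] > UINT32_MAX - acc)
            return false;                                /* overflow: reject */
        acc += h->referred_sizes[i];
    }
    if (h->num_new_syms > UINT32_MAX - acc)
        return false;
    *out = acc + h->num_new_syms;
    return true;
}

int main(void) {
    uint32_t safe = 0;
    printf("vulnerable parser allocates for %u symbols\n",
           vulnerable_symbol_count(&forged));
    printf("copy loop would write %llu symbols\n",
           (unsigned long long)true_input_symbols(&forged));
    printf("overrun: %s\n", copy_overruns_allocation(&forged) ? "yes" : "no");
    printf("hardened parser accepts segment: %s\n",
           hardened_symbol_count(&forged, &safe) ? "yes" : "no");
    return 0;
}
```

With the forged sizes the vulnerable path allocates room for only 20 symbols while the copy loop has over four billion to write; the hardened path refuses the segment before any allocation happens. The general lesson is that a guard on the last addition does nothing if earlier additions into the same accumulator are unchecked.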
NSO Group-made attacks like ForcedEntry have been used by governments to target journalists, activists, and political dissidents on multiple occasions. In at least one case, NSO Group spyware was used in a targeted attack on U.S. State Department officials.
Apple sued NSO Group back in November, seeking to hold the group accountable for its surveillance of iPhone users. In December, reports indicated that NSO Group was considering killing its Pegasus spyware under the pressure of lawsuits and criticism.