iPhone spy tool
Keleis Andre 5 months ago

Hackers from the government were caught using an unprecedented iPhone spy tool

On the morning of August 10, Ahmed Mansoor, a 46-year-old human rights activist from the United Arab Emirates, received a strange text message on his iPhone from a number he did not recognize. 


"New secrets about the torture of Emiratis in state prisons," read the enticing message, which was sent along with a link to further investigate. 


Mansoor, who had previously been targeted by government hackers using commercial spyware from FinFisher and Hacking Team, was suspicious and did not click the link. Instead, he forwarded the message to Bill Marczak, a researcher at Citizen Lab, a digital rights watchdog at the University of Toronto's Munk School of Global Affairs. 


As it turned out, the message wasn't exactly what it appeared to be at first glance. According to new joint reports released on Thursday by Citizen Lab and mobile security company Lookout, the link did not lead to any secrets, but rather to a sophisticated piece of malware that exploited three different unknown vulnerabilities in Apple's iOS operating system, which would have allowed the attackers to take complete control of Mansoor's iPhone. 

The researchers said it's one of the most sophisticated pieces of cyberespionage software they've ever seen. 

This is the first time such an attack has been discovered in the wild. Until this month, no one had ever seen an attempt to infect an iPhone with spyware by exploiting three unknown bugs, also known as zero-days. An attack of this nature, which is essentially a remote jailbreak of the iPhone, can be worth as much as a million dollars on the exploit market. After the researchers notified Apple, the company worked quickly to fix the bugs, which were patched in an update released on Thursday. 


The question now is, who was behind the attack and what tools were used to carry it out successfully? 

NSO Group, which Lookout's vice president of research, Mike Murray, described as "basically a cyber arms dealer," appears to have supplied the spyware and zero-day exploits to the hackers who targeted Mansoor. 

The researchers at Citizen Lab and Lookout were impressed by this brand-new type of malware that had never been seen before. 


"We quickly realized that we were staring at something that had never been seen in the wild by anyone else before. To jailbreak an iPhone in a single step, all it takes is a click on a link," Murray told Motherboard. 

Although its tools had never before been caught in use, NSO has built a reputation since its founding in 2010 for providing sophisticated malware to governments that need to target cellphones in their investigations. The company asserts that its products are completely undetectable, like a "ghost," when used. NSO has been so secretive that it has never had a website and has rarely given interviews or otherwise commented to the press. Some information has leaked out, however, including a $120 million investment by a venture capital firm based in the United States in 2014 and a subsequent reported valuation of $1 billion. 

The malware developed by NSO, which the company has codenamed "Pegasus," is designed to infiltrate an iPhone invisibly and then steal and intercept all data contained within it, as well as any communication passing through it, according to the company. 


"This app basically takes over your phone, intercepting every call and text message as well as stealing all of your emails, contacts, and FaceTime calls. It also essentially backdoors every communication mechanism you have on your phone, including voicemail," Murray went into detail. "It steals everything from the Gmail app, including all of the Facebook messages, all of the Facebook information, your Facebook contacts, and everything from Skype, WhatsApp, Viber, WeChat, Telegram, and any other messaging app you can think of." 

Image: the types of data Pegasus is capable of capturing, according to leaked NSO marketing materials.

Murray and his colleagues at Lookout worked with Marczak and John Scott-Railton of Citizen Lab, who were the first to detect the malware, to decipher it and analyze it. As a result, the researchers infected their own iPhone with Pegasus after clicking on the link Mansoor provided. This allowed the researchers to see exactly what the malware was intended to do. 

This attack on Mansoor, and a similar one that Citizen Lab traced to an unnamed journalist in Mexico, show that the well-known Hacking Team and FinFisher are not the only players in a growing industry of private companies that sell hacking tools to governments, according to Citizen Lab. It also demonstrates that those companies' customers, frequently authoritarian regimes with a documented history of human rights abuses and of targeting dissidents and activists, are not afraid to use them, whatever the consequences. 

According to Scott-Railton, "this demonstrates the incredible power of the voices of journalists and activists who draw attention to this type of extremely expensive spyware." 



At the end of the day, this could be a portent of things to come. 


Marczak explained that the people who are being targeted by these texts today—dissidents and activists—are "sort of on the frontlines of what is going to happen to all of us tomorrow," and that they "are sort of the canaries in the coal mine." "The threats that they are currently facing are threats that, in all likelihood, ordinary users will face in the future." 

According to a prepared statement, a spokesperson for NSO declined to respond to any specific questions about the report, stating that "the company has no knowledge of and cannot confirm the specific cases mentioned in your inquiry."



How did NSO get caught? 


In May of this year, Citizen Lab revealed the existence of a new, sophisticated hacking group that they named Stealth Falcon. However, although the researchers were unable to confirm it, they speculated that Stealth Falcon had a connection to the UAE government and had targeted dissidents both inside and outside of the country. 

As part of its investigation into Stealth Falcon, Citizen Lab was able to map large portions of the group's infrastructure, including the servers and domains that Stealth Falcon used to steal data and siphon it away from its victims during its hacking campaigns, according to the organization. However, the researchers were unable to locate any actual samples of the malware that the hackers were employing. That all changed on August 10, when Mansoor sent Marczak the suspicious text message that he had received earlier. 

Mansoor received two suspicious text messages, both of which contained links to the NSO Group's spyware, which he investigated. (Photo courtesy of Ahmed Mansoor) 


Marczak and Scott-Railton followed a convoluted online trail that led them to conclude that the spyware communicated with a server and an IP address they had previously identified as part of Stealth Falcon's infrastructure. When they investigated further, they discovered that a server registered to an NSO employee pointed to the same IP address. 

Furthermore, the malware's developers left a revealing string inside the code itself: "PegasusProtocol," an apparent reference to NSO's spyware codename, Pegasus. The researchers also discovered more domains associated with NSO or its customers' infrastructure, and noted that some of them appeared to be designed to impersonate humanitarian organizations such as the Red Cross and news media organizations, something they called "alarming." 
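The pivot described above, from one known server or IP address to the domains that share it and then to the other addresses those domains use, is a standard threat-intelligence technique. The script below is an added illustration of it, not code from Citizen Lab or Lookout: it works over a constructed set of passive-DNS style records (all names are `.example` and all addresses come from the RFC 5737 documentation ranges, so none of them are indicators from the report), expands a seed IP set hop by hop, and then applies a simple keyword heuristic for domains that impersonate humanitarian or news organizations, as the article says some NSO-linked domains did. The keyword list, the records and the seed address are all assumptions made for the example.

```python
"""Infrastructure pivoting on shared hosting, added as an illustration.

All records, addresses and keywords below are constructed for the example.
"""
from collections import defaultdict

# Constructed sample: (domain, IP it has resolved to). Hypothetical data.
PASSIVE_DNS = [
    ("news-update.example", "203.0.113.10"),
    ("news-update.example", "203.0.113.11"),
    ("sms-portal.example", "203.0.113.10"),
    ("redcross-aid.example", "198.51.100.7"),
    ("redcross-aid.example", "203.0.113.11"),
    ("unrelated-shop.example", "192.0.2.50"),
    ("press-desk.example", "198.51.100.7"),
]

# Constructed seed: one address already attributed to an earlier campaign.
SEED_IPS = {"203.0.113.10"}

# Constructed keyword list for the impersonation heuristic.
IMPERSONATION_KEYWORDS = ("redcross", "news", "press")


def build_indexes(records):
    """Index the records both ways: domain -> IPs and IP -> domains."""
    domain_to_ips = defaultdict(set)
    ip_to_domains = defaultdict(set)
    for domain, ip in records:
        domain_to_ips[domain].add(ip)
        ip_to_domains[ip].add(domain)
    return domain_to_ips, ip_to_domains


def pivot(records, seed_ips, max_hops=3, max_fanout=50):
    """Expand seed IPs into the domains sharing them, then into the other IPs
    those domains use, and so on, for at most max_hops rounds.

    IPs serving more than max_fanout domains (shared hosting, CDNs) are
    skipped, because pivoting through them links unrelated sites together.
    Returns (domains, ips, hop_of_domain).
    """
    domain_to_ips, ip_to_domains = build_indexes(records)
    ips = set(seed_ips)
    domains = set()
    hop_of = {}
    frontier_ips = set(seed_ips)
    for hop in range(1, max_hops + 1):
        new_domains = set()
        for ip in frontier_ips:
            hosted = ip_to_domains.get(ip, set())
            if len(hosted) > max_fanout:
                continue  # too noisy to pivot through
            for d in hosted:
                if d not in domains:
                    new_domains.add(d)
                    hop_of[d] = hop
        if not new_domains:
            break
        domains |= new_domains
        frontier_ips = set()
        for d in new_domains:
            for ip in domain_to_ips[d]:
                if ip not in ips:
                    frontier_ips.add(ip)
        ips |= frontier_ips
    return domains, ips, hop_of


def flag_impersonation(domains, keywords=IMPERSONATION_KEYWORDS):
    """Domains whose labels contain a brand keyword: a crude lookalike check."""
    flagged = set()
    for d in domains:
        labels = d.lower().split(".")
        if any(k in label for k in keywords for label in labels):
            flagged.add(d)
    return flagged


if __name__ == "__main__":
    found, addrs, hops = pivot(PASSIVE_DNS, SEED_IPS)
    for d in sorted(found, key=lambda x: (hops[x], x)):
        print(f"hop {hops[d]}: {d}")
    print("impersonation candidates:", sorted(flag_impersonation(found)))
```

The `max_hops` and `max_fanout` limits are the practical caveat: every extra hop multiplies false positives, and a single shared-hosting address can drag in thousands of innocent domains, so each pivot result still needs corroboration (registrant data, TLS certificates, the "PegasusProtocol"-style strings in samples) before it is treated as attribution.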


For the first time, the researchers were able to get a clear picture of the characteristics of the malware used by the company in question. Because of the almost legendary aura surrounding NSO since its founding in 2010, as well as unconfirmed rumors about its powers, the organization has remained largely unknown to the general public. Despite the fact that the company's executives have rarely spoken to the press, the few articles that have been written about it are full of vague descriptions and unconfirmed rumors. 


In 2013, NSO co-founder Omri Lavie told Defense News, a military trade publication, that the organization was "a complete ghost." 


According to a brief profile published in The Wall Street Journal in 2014, NSO had sold its product to the Mexican government and even piqued the interest of the Central Intelligence Agency (CIA). According to the article, the company's spyware was sold all around the world. 

Now that its spyware has been discovered and its zero-days have been patched, NSO may no longer be able to claim to be a ghost, though the company may well have other zero-days and tools up its sleeve. The researchers therefore do not expect their reports, combined with Apple's patch, to put a significant dent in NSO's activities for long. 

"We are not going to put NSO out of business" by patching these vulnerabilities, Murray said. 

Furthermore, the malware is programmed with settings that date back to iOS 7, indicating that NSO has most likely been able to hack iPhone devices since the iPhone 5 was released. 

The spokesperson for NSO, Zamir Dahbash, stated in a statement that the company's "mission is to contribute to making the world a safer place by providing authorized governments with technology that assists them in combating terrorism and criminal activity." 


"The company sells only to authorized governmental agencies and adheres strictly to export control laws and regulations, which it fully complies with. More significantly still, the company does not operate any of its systems; rather, it is a technology company," the statement went on to say. "The agreements that the company has signed with its customers stipulate that the products of the company may only be used in a legal manner. To be more specific, the products may only be used for the purposes of crime prevention and investigation."



A Response from Apple

As soon as they learned about the zero-day vulnerabilities, the researchers at Citizen Lab and Lookout contacted Apple to inform them of their findings, which they named Trident. Apple took approximately ten days to develop and release a patch for the problem. The patch is now available as part of the iOS 9.3.5 update, which should be downloaded and installed by all iPhone users as soon as possible. 
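Checking that a fleet has actually taken the fixing release is a routine follow-up to an advisory like this one. The script below is an added example, not from the article or from Apple: it compares reported iOS version strings against 9.3.5 numerically, because comparing them as plain strings puts "9.10.0" before "9.3.5" and would wrongly mark a patched device as vulnerable. The inventory, device names and the build-tag format are constructed for the example.

```python
"""Fleet check for the iOS 9.3.5 fix, added as an illustration.

The inventory below is constructed sample data, not real devices.
"""
import re

TRIDENT_FIX = "9.3.5"  # the update the article says closes the three bugs

# Constructed sample inventory: device name -> reported iOS version string.
INVENTORY = {
    "phone-a": "9.3.4",
    "phone-b": "9.3.5",
    "phone-c": "9.3.5 (build-tag)",  # hypothetical "version (build)" format
    "phone-d": "9.10.0",             # hypothetical; exposes the string-compare trap
    "phone-e": "8.4.1",
    "phone-f": "10.0",
}

# Leading dotted-integer run; anything after it (build tag, spaces) is ignored.
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)")


def parse_version(text):
    """Turn '9.3.5 (build-tag)' into (9, 3, 5); raise on unparseable input."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_patched(version, fixed=TRIDENT_FIX):
    """True when the device runs the fixing release or anything newer.

    Tuple comparison is element-wise and numeric, so (9, 10, 0) > (9, 3, 5)
    and a short tuple like (9, 3) sorts below (9, 3, 5).
    """
    return parse_version(version) >= parse_version(fixed)


def unpatched_devices(inventory, fixed=TRIDENT_FIX):
    """Names of devices still below the fixing release, sorted for reporting."""
    return sorted(name for name, ver in inventory.items()
                  if not is_patched(ver, fixed))


if __name__ == "__main__":
    for name in unpatched_devices(INVENTORY):
        print(f"{name}: iOS {INVENTORY[name]} -> update to {TRIDENT_FIX}")
```

With the sample inventory only `phone-a` and `phone-e` are reported; `phone-d` on the hypothetical "9.10.0" is correctly treated as newer than 9.3.5, which a naive string comparison would get wrong.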

An Apple spokesperson said in a statement that the company was made aware of the vulnerability and that it was immediately fixed with iOS 9.3.5. She declined to provide any additional information. 

Trail of Bits CEO Dan Guido, who works extensively with Apple systems and has seen a number of these attacks in the wild, says that these types of attacks are to be expected, despite the fact that they are rarely seen in public. In the end, despite the three zero-days that have been discovered in the wild, Guido still believes that the iPhone is a much safer choice than, for example, Android. 


"Apple has raised the cost of exploiting their devices to a level that is higher than that of any other vendor on the market today. Nonetheless, this highlights the need for improved compromise detection for iOS," Guido said, adding that, in any case, "iOS remains the most secure consumer device available, despite the recent developments." 

It takes a paranoid mentality, as well as the assistance of friends at Citizen Lab, to determine whether or not you are infected with malware, he continued. 



Other people who have been victimized

The researchers have not been able to locate any additional Pegasus spyware samples at this time. However, while searching for links and domains that were similar to those associated with the attack on Mansoor and the infrastructure of a hacking group they dubbed Stealth Falcon, they came across a tweet that appeared to be directed at unidentified Kenyan victims, as well as an attack on Mexican investigative journalist Rafael Cabrera, which they investigated further. 

Earlier this year, Cabrera was the target of NSO malware for the first time, and he was targeted again as recently as May of this year. In the most recent round of attacks, hackers attempted to entice him to click on a series of messages that included promises of government corruption revelations, a $500 phone bill charge, and even a link to an adult video that would prove his wife had cheated on him. He claimed that he did not click on any of the links sent to him by the hackers. 

Cabrera told Motherboard that the goal was clear: "They wanted me to click on it. It's fair to say they were in a state of desperation." 


According to Cabrera, he did not want to speculate on who the hackers were, saying that it could have been the government or someone else. Although Mexico is among the suspected customers of NSO, it is unclear whether the country's police or intelligence agencies are actually using the company's malware. Mexico was also Hacking Team's largest customer in the world, and some of its agencies were accused of using that spyware to target journalists and dissidents rather than criminals. 

Cabrera and Mansoor were not hacked in the end because they were well-versed in computer security and did not fall prey to the hackers' traps. In a way, they were fortunate. Because they had previously been the target of government hacking attempts, they were more vigilant than usual. 


However, as Marczak pointed out, their experiences could serve as yet another foreboding sign of things to come. Companies such as Hacking Team and NSO will continue to provide hacking tools as long as governments demand them and have the money to pay for them. In the past, Citizen Lab has documented a number of attacks against dissidents, journalists, and human rights workers by governments around the world, using spyware similar to NSO's. Even after publicizing and warning about these attacks, the malware hunters at Citizen Lab continue to uncover new ones, some carried out by the same governments and even aimed at the same individuals or organizations. 

In Marczak's opinion, "the incentives simply aren't there for these companies like NSO to prevent these tools from falling into the hands of serial abusers like the UAE." 


This development also heralds the emergence of a new spyware superpower. With FinFisher and Hacking Team, still the best-known and most notorious spy technology vendors in the world, weakened by damaging but not fatal hacks, NSO has room to grow. 

And had Mansoor simply clicked on the link he received on August 10, rather than passing it on to researchers, all of these revelations would have remained in the shadows. 

Update: this story has been updated with a statement from NSO Group.
