| Researchers August 25, 2016


August 25, 2016

Sophisticated, persistent mobile attack against high-value targets on iOS

By Citizen Lab, Lookout

Lookout PegasusPersistent, enterprise-class spyware is an underestimated problem on mobile devices. However, targeted attack scenarios against high-value mobile users are a real threat.
Citizen Lab (Munk School of Global Affairs, University of Toronto) and Lookout have uncovered an active threat using three critical iOS zero-day vulnerabilities that, when exploited, form an attack chain that subverts even Apple’s strong security environment. We call these vulnerabilities “Trident.” Our two organizations have worked directly with Apple’s security team, which was very responsive and immediately fixed all three Trident iOS vulnerabilities in its 9.3.5 patch.
All individuals should update to the latest version of iOS immediately. If you’re unsure what version you’re running, you can check Settings > General > About > Version. Lookout will send an alert to a customer’s phone any time a new update is available. Lookout’s products also detect and alert customers to this threat.
Trident is used in a spyware product called Pegasus, which according to an investigation by Citizen Lab, is developed by an organization called NSO Group. NSO Group is an Israeli-based organization that was acquired by U.S. company Francisco Partners Management in 2010, and according to news reports specializes in “cyber war.” Pegasus is highly advanced in its use of zero-days, obfuscation, encryption, and kernel-level exploitation.
We have created two reports that discuss the use of this targeted attack against political dissidents and provide a detailed analysis of the malicious code itself. In its report, Citizen Lab details how attackers targeted a human rights defender with mobile spyware, providing evidence that governments digitally harass perceived enemies, including activists, journalists, and human rights workers. In its report, Lookout provides an in-depth technical look at the targeted espionage attack that is actively being used against iOS users throughout the world.
The overview
Ahmed Mansoor is an internationally recognized human rights defender and a Martin Ennals Award Laureate (sometimes referred to as a “Nobel prize for human rights”), based in the United Arab Emirates (UAE). On August 10th and 11th, he received text messages promising “secrets” about detainees tortured in UAE jails if he clicked on an included link. Instead of clicking, Mansoor sent the messages to Citizen Lab researchers. Recognizing the links as belonging to an exploit infrastructure connected to NSO group, Citizen Lab collaborated with Lookout to determine that the links led to a chain of zero-day exploits that would have jailbroken Mansoor’s iPhone and installed sophisticated malware.
This marks the third time Mansoor has been targeted with “lawful intercept” malware. Previous Citizen Lab research found that in 2011 he was targeted with FinFisher spyware, and in 2012 with Hacking Team spyware. The use of such expensive tools against Mansoor shows the lengths that governments are willing to go to target activists.
Citizen Lab also found evidence that state-sponsored actors used NSO’s exploit infrastructure against a Mexican journalist who reported on corruption by Mexico’s head of state, and an unknown target or targets in Kenya.
The NSO group used fake domains, impersonating sites such as the International Committee for the Red Cross, the U.K. government’s visa application processing website, and a wide range of news organizations and major technology companies. This nods toward the targeted nature of this software.
The Pegasus spyware
Pegasus is the most sophisticated attack we’ve seen on any endpoint because it takes advantage of how integrated mobile devices are in our lives and the combination of features only available on mobile — always connected (WiFi, 3G/4G), voice communications, camera, email, messaging, GPS, passwords, and contact lists. It is modular to allow for customization and uses strong encryption to evade detection. Lookout’s analysis determined that the malware exploits three zero-day vulnerabilities, or Trident, in Apple iOS:
  1. CVE-2016-4655: Information leak in Kernel - A kernel base mapping vulnerability that leaks information to the attacker allowing him to calculate the kernel’s location in memory.
  2. CVE-2016-4656: Kernel Memory corruption leads to Jailbreak - 32 and 64 bit iOS kernel-level vulnerabilities that allow the attacker to silently jailbreak the device and install surveillance software.
  3. CVE-2016-4657: Memory Corruption in Webkit - A vulnerability in the Safari WebKit that allows the attacker to compromise the device when the user clicks on a link.
The attack sequence, boiled down, is a classic phishing scheme: send text message, open web browser, load page, exploit vulnerabilities, install persistent software to gather information. This, however, happens invisibly and silently, such that victims do not know they’ve been compromised.
In this case, the software is highly configurable: depending on the country of use and feature sets purchased by the user, the spyware capabilities include accessing messages, calls, emails, logs, and more from apps including Gmail, Facebook, Skype, WhatsApp, Viber, FaceTime, Calendar, Line, Mail.Ru, WeChat, SS, Tango, and others. The kit appears to persist even when the device software is updated and can update itself to easily replace exploits if they become obsolete.
We believe that this spyware has been in the wild for a significant amount of time based on some of the indicators within the code (e.g., a kernel mapping table that has values all the way back to iOS 7). It is also being used to attack high-value targets for multiple purposes, including high-level corporate espionage on iOS, Android, and Blackberry.   
To learn more
Our reports provide in-depth information about the threat actor as well as their software and the vulnerabilities exploited — Citizen Lab has tracked the actor’s political exploits around the world, while Lookout has focused on the technical details of the malware from the beginning of the exploit chain to its use. Our reports include detailed analysis of the Trident iOS vulnerabilities that are patched in the 9.3.5 release from Apple, as well as the various components of the espionage software.  
Lookout customers: Read this document on how to tell if you’re impacted by this attack.
Think you've encountered a suspicious link such as the ones described above? Email support@lookout.com.
Research teams:
Citizen Lab: Bill Marczak and John Scott-Railton, Senior Fellows 
Lookout: Max Bazaliy, Andrew Blaich, Kristy Edwards, Michael Flossman, Seth Hardy, Staff Security Researchers, Mike Murray, VP of Security Research

Author

Citizen Lab,
Citizen Lab


Author

Lookout

Leave a comment

Submit


5 comments


Josie Smith says:

January 02, 2017 at 12:51 pm

I have persistent apps running. I can't update my phone, as it is grayed out..I can't click on it to disable or enable or update


Radar says:

September 10, 2016 at 12:49 pm

How is one to find out if they have been infected? Is there an anti-malware that can detect it and remove it completely?


Meghan Kelly says:

September 15, 2016 at 3:53 pm

Hi there, Lookout will detect the threat and alert you if you are impacted. If you have any further questions, feel free to reach out to our support team: support [at] lookout [dot] com


Gery says:

September 05, 2016 at 8:34 pm

Are these issues applicable to all previous versions of iOS? The 9.3.5 update is not available for older versions of iOS.. it's only available for iPhone 4S and above and iPad 2 and above. Does this mean older devices are still vulnerable?


Meghan Kelly says:

September 08, 2016 at 1:09 pm

Hi Gery, yes, previous versions of iOS are impacted by the Trident vulnerabilities, unfortunately. The sample Lookout acquired attacks 9.3.3 and works against 9.3.4. The code also contains attacks on all iOS versions from iOS 7 up to 9.3.4. If you have questions about patching older devices, please reach out directly to Apple's support team. Hope this helps!


Ramesh Chandran A says:

August 31, 2016 at 1:20 am

How this spyware get inside the smartphone ?


Meghan Kelly says:

September 02, 2016 at 1:24 pm

Hi Ramesh. The attacker uses a classic phishing technique. He or she sends a message, in Mansoor's case it was a text message, to the target victim's device. The message includes a malicious link, that when clicked, sets the attack in motion.


Paul jackson says:

August 28, 2016 at 2:23 am

Thank a lot lookout