Owners of Apple’s mobile devices are advised to upgrade to iOS version 9.3.5 as soon as possible, as it fixes three zero-day vulnerabilities actively exploited in the wild.
The update, released on Thursday, comes in the wake of a discovery made by researchers from University of Toronto’s Citizen Lab and security firm Lookout: someone has attempted to compromise the iPhone of UAE-based human rights activist Ahmed Mansoor through the use of a lawful surveillance kit made by Israel-based firm NSO Group.
The kit is named Pagasus, and has tried to leverage three concatenated iOS zero-day exploits in order to silently jailbreak the target’s phone and install spyware on it, thus allowing the attackers to track a victim’s movements, steal messages from end-to-end encrypted chat clients, activate the phone’s cameras and microphone, listen in on calls, copy the user’s contacts, and so on.
The zero day vulnerabilities (CVE-2016-4657, CVE-2016-4655, and CVE-2016-4656), dubbed collectively Trident, made for a perfect attack, and it all started with a spoofed SMS containing a link to the malicious website that hosted the initial exploit.
Luckily for Mansoor, he was suspicious and didn’t follow the link. Instead, he forwarded the message to Citizen Lab researchers to check it out. Once they realized that they had iOS zero-days on their hands, they contacted Apple, shared their findings, and helped them with the development of the fixes.
The danger to average users is currently minimal.
“Given the high price tag associated with these attacks — Zerodium paid $1 million for an iOS vulnerability last year — we believe this kind of software is very targeted, meaning the purchaser is likely to be both well-funded and specifically motivated,” Mike Murray, Lookout VP of Security Research and Response, noted.
“The going price for Pegasus was roughly $8 million for 300 licenses, so it’s not likely to be used against an average mobile device user, only targets that can be considered of high value.”
Nevertheless, as more details about the zero-day flaws become known, other threat actors might try to create their own exploits and use them indiscriminately, so all who can are advised to update their iOS devices.
“Remarkably, this case marks the third commercial ‘lawful intercept’ spyware suite employed in attempts to compromise Mansoor,” Citizen Lab researchers noted. “In 2011, he was targeted with FinFisher’s FinSpy spyware, and in 2012 he was targeted with Hacking Team’s Remote Control System.”
They believe that the actor behind the latest targeted attack agains the activist is the United Arab Emirates’ intelligence agency, and explain their reasoning in this report, which also contains a technical analysis of the attack, and details about Pegasus, NSO Group, and its mobile attack infrastructure.