A persistent and sophisticated malware targets all unpatched iOS devices

Upgrade your device to iOS 9.3.5, ASAP!


Citizen Lab and Lookout have discovered an active threat using three critical iOS zero-day vulnerabilities:

when exploited, creates an attack chain that subverts even Apple’s strong security environment.


The vulnerabilities

  • CVE-2016–4655: Memory Corruption in Webkit — A vulnerability in the Safari WebKit that allows the attacker to compromise the device when the user clicks on a link.
  • CVE-2016–4656: Information leak in Kernel — A kernel base mapping vulnerability that leaks information to the attacker allowing him to calculate the kernel’s location in memory.
  • CVE-2016–4657: Kernel Memory corruption leads to Jailbreak — 32 and 64 bit iOS kernel-level vulnerabilities that allow the attacker to silently jailbreak the device and install surveillance software.

Pegasus, a spyware from NSO Group


This attack is used in a spyware product called Pegasus, developed by an Israeli-based organization called NSO Group.
Pegasus is highly advanced in its use of zero-days, obfuscation, encryption, and kernel-level exploitation.

The attack sequence is a classic phishing scheme: receive text message, open web browser, load page, run a client script that exploits vulnerabilities and installs persistent software to gather information. 
This happens silently, such that victims do not know they’ve been compromised.

The software is highly configurable: depending on the country of use and feature sets purchased by the user, the spyware capabilities include accessing messages, calls, emails, logs, and more from apps including Gmail, Facebook, Skype, WhatsApp, Viber, FaceTime, Calendar, Line, Mail.Ru, WeChat, SS, Tango, and others.

The kit appears to persist even when the device software is updated and can update itself to easily replace exploits if they become obsolete.

How to prevent?

Update to the latest version of iOS (9.3.5) immediately: you can check your iOS version from Settings > General > About > Version.


Resources

Full report from Lookout

https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf

Comments