New evidence uncovered by Amnesty International and Forbidden Stories has revealed a massive wave of attacks by cyber surveillance company NSO Group’s customers on iPhones, potentially affecting thousands of Apple users worldwide. 

Deputy Director of Amnesty Tech Danna Ingleton says, "Apple prides itself on its security and privacy features, but NSO Group has ripped these apart. Our forensic analysis has uncovered irrefutable evidence that through iMessage zero-click attacks, NSO’s spyware has successfully infected iPhone 11 and iPhone 12 models. Thousands of iPhones have potentially been compromised."

According to Lookout Threat Lab, NSO develops Pegasus, a highly advanced mobile malware that infects iOS and Android devices and enables operators to extract specific GPS coordinates, messages, encrypted chats from apps like WhatsApp and Signal, photos and emails, record calls, and secretly turn on the microphone and camera. 

Amnesty International reports that NSO Group's spyware has been used to facilitate human rights violations around the world on a massive scale, as revealed by a major investigation into the leak of 50,000 phone numbers of potential surveillance targets. These include heads of state, activists and journalists.

The investigation also revealed that Pegasus zero-click attacks have been used to install spyware on iPhones. Amnesty International was able to confirm that thousands of iPhones were listed as potential targets for Pegasus spyware, though it was not possible to confirm how many were successfully hacked.   

Thousands of Google Android phones were also selected for targeting, but unlike iPhones their operating systems do not keep accessible logs useful for detecting Pegasus spyware infection. Among the Apple products successfully infected were iPhone 11 and iPhone 12 models equipped with the latest updates, which were believed to have high levels of security. These attacks exposed activists, journalists and politicians around the world to the risk of having their location and activity monitored and their personal information used against them, Ingleton says.

Since its initial discovery by Lookout and Citizen Lab in 2016, Pegasus has continued to evolve, says Aaron Cockerill, Chief Strategy Officer at Lookout, a San Francisco, Calif.-based endpoint-to-cloud security company. "It has advanced to the point of executing on the target’s mobile device without requiring any interaction by the user, which means the operator only has to send the malware to the device. Considering the number of apps iOS and Android devices have with messaging functionality, this could be done through SMS, email, social media, third-party messaging, gaming or dating apps."

Cockerill explains that every day, the research teams at Lookout observe advanced techniques used by the likes of the NSO Group. "There has been a trend where these techniques are being adopted more frequently by consumer-grade surveillanceware and spyware vendors. This could put very powerful surveillance tools in almost anyone's hands." Lookout has also observed a similar trend in the ransomware market, where ransomware-as-a-service has made it possible for threat actors without much experience to execute these campaigns.

As mobile devices continue to be a primary attack vector for cybercriminals and continue to be an integral part of life, "these mobile devices need to be secured with as much, if not more, priority than any other device. As smartphones continue to evolve, security continues to improve. However, so does the breadth and complexity of the existing software codebase, with millions of lines of code which need to be secured," Cockerill explains.

This is a time for us to get behind Apple and others (including Google) as they up the ante against what was originally intended to be "spyware" for societal good, says Setu Kulkarni, Vice President, Strategy at NTT Application Security, a San Jose, Calif.-based provider of application security. "The line between acceptable surveillance (if any) and privacy intrusion is very thin. In this case, Pegasus being used to target political opponents is well in the realm of crime and should be dealt with as such. For Apple and other manufacturers, this is a moment of reckoning to get further entrenched with the governments to create more checks and balances while they make their platform more impenetrable for bad actors. For lawmakers, this is a moment of reckoning as well to create consequences for misuse of such utilities," Kulkarni says. "I hope this does not end up in a situation where the measures taken end up taking away an otherwise legitimate tool (NSO claims that it provides cyber intelligence for global security and stability) that lawmakers have to keep society safe. Ultimately, for NSO, Apple and law agencies – the lesson is that with great power comes great responsibility. It is time to step it up and find a way forward where NSO, Apple and law agencies can further improve their collaboration rather than take a step back."

Cockerill provides the following recommendations for Security and IT Admins:

"The number and variety of individuals targeted by Pegasus shows that advanced spyware and surveillanceware isn't just the concern of governments. Security and IT teams need to be able to detect surveillanceware and device exploitation across all employee smartphones and tablets. If this malware is detected on a device, they should be able to block the device from accessing corporate resources until the issue is resolved. Protection against mobile phishing attacks is also a key part of securing the entire organization against surveillanceware campaigns. These attacks frequently start with a phishing attack that delivers the malicious payload to the device. Considering the number of apps iOS and Android devices have with messaging functionality, this could be done through SMS, email, social media, third-party messaging, gaming or dating apps. Implementing mobile phishing protection will secure both managed and BYOD devices from compromise before the connection can be made and the payload is executed.

"Most other vendors in a similar position, such as Google and Microsoft, actively engage with third parties to identify vulnerabilities and protect against malware and other attacks. For example, the underlying mechanics of the Android operating system are fully available via open source. Google submits all apps that developers seek to publish on its Play store to Lookout and other third parties for review before they are published.

"Apple relies on its own internal security reviews as well as responsible disclosure from third parties to be made aware of security flaws in its software. As a closed ecosystem, Apple's code is not publicly available for review. This means vulnerabilities may remain undiscovered by attackers for longer, but they may also not be so readily discovered and reported by security researchers and other responsible parties. On top of ensuring the security and integrity of its own software, Apple faces the additional challenge of doing the same for millions of apps developed by third parties and submitted to the App Store. The Apple App Store review process takes advantage of automated and human-driven analysis to identify and remove malicious software, or software not adhering to Apple's development guidelines (see https://www.apple.com/privacy/docs/Building_a_Trusted_Ecosystem_for_Millions_of_Apps.pdf).

"So, is Apple at risk of losing its prized reputation for privacy and security?

"Apple aims its statements about security and privacy at consumers. However, the majority of the individuals targeted by the NSO Group are not categorized as typical consumers, and Apple needs to recognize that securing these individuals may require help from third parties."