Written by Timothy Stover
What can it do:
NSO Group created the Pegasus spyware. The attacks infected targets’ phones with Pegasus, an NSO-made implant for both iOS and Android that has a full range of capabilities, including recording both ambient audio and phone conversations, taking and accessing pictures and video, and accessing passwords and stored credentials.
Over the past few years, NSO exploits have increasingly required no user interaction—such as visiting a malicious website or installing a malicious app—to work. One reason these so-called zero-click attacks are so effective is that they can strike targets even when the victims have considerable training in avoiding such attacks, which gives them a much higher chance of success.
There have been a few instances of something similar in the past:
In November 2019, Google Project Zero security researcher Ian Beer showed how attackers could take complete control of an iPhone in radio proximity without any user interaction. He said his exploit targeted the Apple Wireless Device Link (AWDL), the peer-to-peer wireless connectivity protocol that iOS devices use to talk to each other. Apple patched this when it released iOS 13.3.1, but acknowledged that the flaw was powerful enough to “shut off or reboot systems or to corrupt kernel memory”.
Earlier this year, cybersecurity firm ZecOps claimed that iPhones and iPads had long been vulnerable to attacks requiring some user assistance, especially through the Mail app, and that from iOS 13 onward the flaw could be exploited in zero-click attacks too. “The vulnerability allows remote code execution capabilities and enables an attacker to remotely infect a device by sending emails that consume a significant amount of memory,” said a ZecOps blog post published this April. Apple reportedly patched this in April 2020.
Android is not immune:
On Android phones running version 4.4.4 and later, the vulnerability was in the graphics library. Attackers have also exploited vulnerabilities in WhatsApp, where a phone could be infected even if a malicious incoming call was never answered, and in Wi-Fi chipsets used to stream games and movies. So how did Pegasus get access? Via an email that wasn’t even clicked on, just received. In Claude Mangin’s case, it came from a Gmail user going by the name “linakeller2203.”
Now the normal user shouldn’t be too worried: this is military spyware that is “supposedly used for tracking terrorists and criminals”, but it was found on the phones of journalists, human rights activists, and even some business executives! Hmm... makes you wonder though.
Can zero-click attacks be prevented?
Well, kind of, but mostly no. Zero-click attacks are hard to detect given their nature, and hence even harder to prevent. Detection becomes harder still in encrypted environments where there is no visibility into the data packets being sent or received.
One thing users can do is ensure all operating systems and software are up to date, so that they at least have the patches for vulnerabilities that have already been spotted. It also makes sense not to sideload any apps and to download only via Google Play or Apple’s App Store.