APPLE has been forced to issue a global update of its mobile operating system after an established private cyberarms dealer found a way to hack every iPhone in the world.
The hackers from NSO Group developed a sophisticated piece of malware that exploited three previously unknown vulnerabilities in Apple’s iOS.
“We were made aware of this vulnerability and immediately fixed it with iOS 9.3.5. We advise all of our customers to always download the latest version of iOS to protect themselves against potential security exploits,” a spokesman told AP.
New joint reports from Citizen Lab and mobile security company Lookout said this was a world first for an attack of this kind in the wild.
Lookout vice president of research Mike Murray said the hack was essentially a remote jailbreak — the process of removing software restrictions imposed by iOS.
“We realised that we were looking at something that no one had ever seen in the wild before,” he told Motherboard.
“Literally a click on a link to jailbreak an iPhone in one step. [It is] one of the most sophisticated pieces of cyberespionage software we’ve ever seen.”
Mr Murray said the malware, codenamed Pegasus, gave attackers full control of the smartphone.
“It basically steals all the information on your phone, it intercepts every call, it intercepts every text message, it steals all the emails, the contacts, the FaceTime calls,” he said.
“It also basically back doors every communications mechanism you have on the phone.”
“It steals all the information in the Gmail app, all the Facebook messages, all the Facebook information, your Facebook contacts, everything from Skype, WhatsApp, Viber, WeChat, Telegram — you name it.”
Since being established in 2010, NSO has become notorious for selling its sophisticated malware to governments.
However, the group largely works in stealth, operating without any web presence other than a LinkedIn profile, which says the company has between 201 and 500 employees.
Citizen Lab researcher Bill Marczak compared breaking down the malicious program to “defusing a bomb”.
“It is amazing the level they’ve gone through to avoid detection,” he said. “They have a hair-trigger self-destruct.”
“This is the first time any security researchers, as far as any of us are aware, have ever gotten a copy of NSO Group’s spyware and been able to reverse-engineer it,” he told Wired.
“They are a really sophisticated threat actor and the software they have reflects that. They are incredibly committed to stealth.”
The threat was initially found after a human rights activist from the United Arab Emirates, Ahmed Mansoor, received a text message from an unknown number offering “new secrets about torture of Emiratis in state prisons” with a link.
Having previously fallen victim to government hackers using commercial spyware products, Mr Mansoor flagged the message with Citizen Lab.
“As a human rights defender in a country that considers such a thing as a threat, an enemy or traitor, I have to be more careful than the average person,” he told Wired.
“Such content was enough to trigger all the red flags with me.”
While NSO Group won’t be able to use this particular attack anymore on updated iPhones, it’s likely another won’t be far behind.
To update your iPhone, go to Settings > General > Software Update.