Apple announced last month that it had filed a lawsuit against NSO Group, the company behind the advanced “Pegasus” spyware that targets iPhone and Android devices. Now, researchers at Google’s Project Zero have gone an in-depth on Pegasus, calling it “one of the most technically sophisticated exploits we’ve ever seen.”
Pegasus spyware is capable of allowing hackers to access the microphone, camera, and other sensitive data from iPhone users. While earlier versions of the spyware required users to click on a link sent via iMessage, that newest version is a zero-click exploit. This means that targeted users do not have to click or interact with the attack at all in order for it to be effective.
In an interview with Wired, Project Zeros’s Ian Beer and Samuel Gross explained:
We haven’t seen an in-the-wild exploit build an equivalent capability from such a limited starting point, no interaction with the attacker’s server possible, no JavaScript or similar scripting engine loaded, etc. There are many within the security community who consider this type of exploitation — single-shot remote code execution — a solved problem. They believe that the sheer weight of mitigations provided by mobile devices is too high for a reliable single-shot exploit to be built. This demonstrates that not only is it possible, it’s being used in the wild reliably against people.
The Project Zero researchers say that this represents one of the most sophisticated exploits ever seen:
Based on our research and findings, we assess this to be one of the most technically sophisticated exploits we’ve ever seen, further demonstrating that the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation states.
You can read more from the Project Zero team in a blog post on the Google Project Zero website as well as in this interview with Wired.
FTC: We use income earning auto affiliate links. More.
Comments