SAN FRANCISCO — Apple rushed out a new security update for iPhones Thursday after it was revealed that an Israeli company had been selling and exploiting security vulnerabilities to Apple products.
The Israeli NSO Group, a company so secretive it has repeatedly changed its name to avoid notice, was selling software to state governments that was then used to infiltrate iPhones, gaining access to text messages, emails, contacts, and calls, according to a new report released Thursday by researchers at Citizen Lab, an interdisciplinary group at the University of Toronto, and Lookout, a San Francisco mobile security company.
The vulnerabilities, known as “zero days” because they were previously unknown to Apple, grant total access to an iPhone through a spear-phishing text message. Those text messages were designed to mimic the types of message a user might receive from a legitimate site, said the report. Among those impersonated to get users to click on the links: the Red Cross, Facebook, Google, and even the Pokémon Company. Once clicked, the message downloaded malware, which gave the attackers total access to the phone.
"We were made aware of this vulnerability and immediately fixed it with iOS 9.3.5," Apple said in a statement provided to BuzzFeed News. "We advise all of our customers to always download the latest version of iOS to protect themselves against potential security exploits."
Lookout’s vice president of research, Mike Murray, told Motherboard that NSO was “basically a cyber arms dealer,” and that the type of malware used by NSO had never been seen before.
“We realized that we were looking at something that no one had ever seen in the wild before. Literally a click on a link to jailbreak an iPhone in one step,” Murray told Motherboard. “One of the most sophisticated pieces of cyber espionage software we’ve ever seen.”
An NSO Group spokesperson did not answer a request for comment by BuzzFeed News. An NSO Group spokesman told the New York Times in an email, “The company sells only to authorized governmental agencies, and fully complies with strict export control laws and regulations.”
The malware used by NSO was discovered when Ahmed Mansoor, a 46-year-old human rights activist from the United Arab Emirates, noticed a strange text message on the morning of Aug. 10. Mansoor, who had previously been a victim of government cyber-espionage with tools purchased for FinFisher and Hacking Team — companies that compete with NSO — was suspicious of the message and forwarded it to Citizen Lab.
The report found that other NSO targets included activists and journalists in Yemen, Turkey, Mozambique, Mexico, Kenya, and the UAE.
Zero days are often sold to private companies and governments eager to break into devices in backroom deals that can net millions of dollars. Flaws in Apple’s iOS system are rare; in one public sale last year, the cybersecurity company Zerodium bought a zero-day exploit for an iPhone for $1 million.
Sheera Frenkel is a cybersecurity correspondent for BuzzFeed News based in San Francisco. She has reported from Israel, Egypt, Jordan and across the Middle East. Her secure PGP fingerprint is 4A53 A35C 06BE 5339 E9B6 D54E 73A6 0F6A E252 A50F
Contact Sheera Frenkel at firstname.lastname@example.org.
Got a confidential tip? Submit it here.