Instead of clicking, he sent it to Toronto-based rights group Citizen Lab for inspection.
The ensuing investigation, in collaboration with Lookout Security, revealed a highly sophisticated exploit chain designed to deliver Pegasus – what Citizen Lab described as “a government-exclusive ‘lawful intercept’ spyware product designed by Israeli-based ‘cyber warfare’ research firm, NSO Group.”
The three zero-days patched by Apple are: CVE-2016-4655, a kernel base mapping vulnerability that leaks information, allowing an attacker to calculate the kernel’s location in memory; CVE-2016-4656, a kernel-level flaw enabling an attacker to jailbreak the device and install spyware; and CVE-2016-4657, a Safari WebKit bug that allows an attacker to compromise a device if the user clicks on a link.
Together, the three flaws – collectively called Trident – deliver the Pegasus spyware, which Lookout said in a post has been out “for a significant amount of time” and “is also being used to attack high-value targets for multiple purposes, including high-level corporate espionage on iOS, Android, and Blackberry.”
“Pegasus is the most sophisticated attack we’ve seen on any endpoint because it takes advantage of how integrated mobile devices are in our lives and the combination of features only available on mobile — always connected (WiFi, 3G/4G), voice communications, camera, email, messaging, GPS, passwords, and contact lists,” Lookout researchers said. “It is modular to allow for customization and uses strong encryption to evade detection.”
The malware allows a remote attacker to monitor emails, texts, location, browsing history, device settings, instant messages, the microphone, phone calls and calendar records – effectively anything the victim does on their device.
CVE-2016-4655 is an information leak in the kernel that discloses data to the attacker, allowing them to calculate the kernel’s location in memory and thereby bypass the kernel’s address-space randomization. To address the issue, Apple improved input sanitization so that the kernel’s memory layout cannot be disclosed this way.
CVE-2016-4656 is a memory corruption bug that could lead to a jailbreak. The kernel-level vulnerability affects both 32-bit and 64-bit iOS and can be triggered silently, allowing an attacker to jailbreak the device and install surveillance software without the user’s knowledge. Apple addressed this bug through improved memory handling.
CVE-2016-4657 is a memory corruption bug in Safari’s WebKit engine that allows an attacker to compromise the device when a user clicks on a link. By crafting a malicious website and tricking the user into visiting it, an attacker could execute arbitrary code on the device; in the Trident chain this is the entry point that leads to the two kernel bugs above. This security issue was also addressed through improved memory handling.