
NSO Group’s ‘zero-click’ exploit among most technically sophisticated ever – Google

Gelo Gonzales


In a zero-click exploit, 'the attacker doesn’t need to send phishing messages; the exploit just works silently in the background,' Google Project Zero security researchers say

Google Project Zero security researchers, a team formed in 2014 to study vulnerabilities, said in a blog post that the NSO Group’s iMessage-based “zero-click” exploit is “one of the most technically sophisticated exploits we’ve ever seen” with capabilities that rival those “previously thought to be accessible to only a handful of nation states.”

The NSO Group is an Israel-based firm that made headlines earlier in 2021 for the Pegasus spyware responsible for the said exploits. It was found to have been deployed against activists and journalists, among other targets, in a Project Pegasus exposé by the University of Toronto’s Citizen Lab and Amnesty International in July 2021.

A zero-click exploit is a hacking technique in which no user interaction is required, said the researchers Ian Beer and Samuel Groß. This means that “the attacker doesn’t need to send phishing messages; the exploit just works silently in the background.” 

“Short of not using a device, there is no way to prevent exploitation by a zero-click exploit; it’s a weapon against which there is no defense.” 

In this particular case, Apple patched the vulnerability on September 13, 2021, in iOS 14.8. 

The researchers also said that they only had samples of the Apple malware but called out for potential samples from Android devices. “We are aware that NSO sells similar zero-click capabilities which target Android devices; Project Zero does not have samples of these exploits but if you do, please reach out,” the researchers said. 

Providing context, the researchers noted that before zero-click exploits there were one-click exploits. In the 2016 “Million Dollar Dissident” case, targets were sent links in SMS messages and were hacked when they clicked a link. Google shared images of the SMS-based one-click exploits.

A technically savvy individual may know enough to not click on strange links. But in the case of zero-click exploits, even the tech-savvy may be unaware that they’re being targeted. Once the exploit succeeds, the spyware can eventually secure access to the device’s data and functions. 

The researchers offered a detailed analysis of how NSO Group’s exploit works, but in a nutshell, it infects iPhones through a GIF sent over iMessage. Attackers only need to know the target’s mobile number or Apple ID to launch an attack. The hack works by exploiting a vulnerability in how iMessage processes GIFs: a GIF containing a malicious PDF is sent over iMessage, and the PDF is processed without any action from the user.

As Wired noted in its report: “The attack exploited a vulnerability in a legacy compression tool used to process text in images from a physical scanner, enabling NSO Group customers to take over an iPhone completely. Essentially, 1990s algorithms used in photocopying and scanning compression are still lurking in modern communication software, with all of the flaws and baggage that come with them.”
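The article describes the delivery file as a GIF that carries a PDF, which means the type the file name declares and the format its bytes actually contain disagree. The following is an added example, not code from the article, Project Zero, Apple or NSO Group, of the kind of declared-type-versus-content check a defender can run over incoming attachments: it compares the extension with the file's magic bytes, looks for a PDF header buried after the start of a GIF, and checks that a GIF actually ends with its trailer byte. The sample inputs are constructed; the internal layout of the real exploit file is not described on this page, and the check only illustrates the general mismatch the article points at.

```python
"""Flag attachments whose contents do not match the type their name claims.

Added example. The sample inputs at the bottom are constructed and do not
reproduce any real exploit file; the checks are generic format sanity tests.
"""

GIF_MAGICS = (b"GIF87a", b"GIF89a")   # valid GIF signatures
PDF_MAGIC = b"%PDF-"                  # PDF header
GIF_TRAILER = b"\x3b"                 # a well-formed GIF ends with ';'


def declared_type(filename: str) -> str:
    """Type the file name claims, taken from its extension (lower-cased)."""
    if "." not in filename:
        return ""
    return filename.rsplit(".", 1)[1].lower()


def sniff_type(data: bytes) -> str:
    """Type implied by the bytes themselves.

    PDF readers tolerate the header anywhere in the first 1024 bytes, so
    the PDF check scans that window rather than only offset 0.
    """
    if data.startswith(GIF_MAGICS):
        return "gif"
    if PDF_MAGIC in data[:1024]:
        return "pdf"
    return "unknown"


def check_attachment(filename: str, data: bytes) -> dict:
    """Return the declared type, the sniffed type and a list of findings.

    Findings:
      type_mismatch - the name says one format, the bytes say another
      embedded_pdf  - a PDF header appears after the start of a non-PDF file
      bad_trailer   - a GIF does not end with its 0x3B trailer byte
    """
    declared = declared_type(filename)
    sniffed = sniff_type(data)
    findings = []

    # Only compare when the extension claims a format this checker knows.
    if declared in ("gif", "pdf") and declared != sniffed:
        findings.append("type_mismatch")

    # A PDF header sitting somewhere inside a file that did not sniff as PDF.
    pdf_at = data.find(PDF_MAGIC)
    if pdf_at > 0 and sniffed != "pdf":
        findings.append("embedded_pdf")

    # A GIF with anything after (or instead of) its trailer is suspicious.
    if sniffed == "gif" and not data.endswith(GIF_TRAILER):
        findings.append("bad_trailer")

    return {"declared": declared, "sniffed": sniffed, "findings": findings}


# Constructed samples (not real files). SAMPLE_GIF is a minimal GIF-shaped
# byte string: header, 1x1 logical screen, image descriptor, a tiny data
# block and the trailer. It is only meant to exercise the checks above.
SAMPLE_GIF = (
    b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00"
    + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"
    + b"\x02\x02\x44\x01\x00" + GIF_TRAILER
)
SAMPLE_PDF = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"


if __name__ == "__main__":
    for name, blob in [
        ("cat.gif", SAMPLE_GIF),               # consistent GIF
        ("cat.gif", SAMPLE_PDF),               # PDF wearing a .gif name
        ("cat.gif", SAMPLE_GIF + SAMPLE_PDF),  # GIF with a PDF appended
        ("scan.pdf", SAMPLE_PDF),              # consistent PDF
    ]:
        print(name, check_attachment(name, blob))
```

The three findings are deliberately independent so a triage rule can weight them separately: a bare extension mismatch is often benign (renamed files), whereas a GIF that sniffs correctly but carries a PDF header and a missing trailer is the combination worth escalating.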

John Scott-Railton, Citizen Lab senior researcher, told Wired: “It’s really sophisticated stuff, and when it’s wielded by an all-gas, no-brakes autocrat, it’s totally terrifying. And it just makes you wonder what else is out there being used right now that is just waiting to be discovered. If this is the kind of threat civil society is facing, it is truly an emergency.” – Rappler.com


Gelo Gonzales

Gelo Gonzales is Rappler’s technology editor. He covers consumer electronics, social media, emerging tech, and video games.