Spyware attack forces Apple’s hand, iOS patch rushed out

26 Aug 2016

A ‘Trident’ attack on Apple’s iOS mobile platform has been discovered after an Arab human rights activist was targeted. As a result, iOS 9.3.5 has been released to patch the problems.

It’s rare to hear of major security breaches in iOS products. That is not because they are rare in themselves, but because the Android market is so big that it’s an easier target for hackers.

That has all changed in recent months, though, with a growing number of cyber-criminals targeting Apple’s platform. On occasion, they get through. And, on occasion, the story is so Jason Bourne, it’s scary.


Earlier this month, Ahmed Mansoor, a 46-year-old human rights activist from the UAE, received a couple of odd text messages asking him to click through a link to gain more information about abuse in prisons in the Arab world.

Mansoor thought the messages were odd and sent them on to cybersecurity researchers at Citizen Lab and, by extension, Lookout. What they found, explained in minute detail here, were three vulnerabilities in iOS never seen before.

In short, clicking the link compromised Safari, opening a window. It compromised the kernel of the phone. And it installed a replacement kernel. The latter stage effectively hands the phone, and all of its controls and contents, over to the hackers.

“I’m a regular target for the authorities here,” said Ahmed in The Washington Post. “Every time they get new spyware, they seem to try it out on me.”

Citizen Lab and Lookout claim to have traced the malware to an Israeli organisation called the NSO Group and its commercial Pegasus product, with Citizen Lab hinting at links between the NSO Group and attacks in Mexico, Panama and the US in the past.

“Apple was very responsive and patched Trident in its 9.3.5 update,” said Lookout’s Mike Murray. “All iOS users should update to this version immediately.”

This is apparently the third time Mansoor was attacked with what’s called a “lawful intercept” spyware suite. According to Citizen Lab, in 2011, he was targeted with FinFisher’s FinSpy spyware, and in 2012 he was targeted with Hacking Team’s Remote Control System.

“The high cost of iPhone zero-days, the apparent use of NSO Group’s government-exclusive Pegasus product, and prior known targeting of Mansoor by the UAE government provide indicators that point to the UAE government as the likely operator behind the targeting,” the company claims.

Apple’s patch is available right now, with the details in a post by the company here. “For our customers’ protection, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available,” it said.


Gordon Hunt was a journalist with Silicon Republic
