This is How NSO Group’s Spyware Was First Discovered on an iPhone

BY Chandraveer Mathur

Published 18 Feb 2022

Apple dragged Israeli spyware maker NSO Group to court for targeting and surveilling iPhone and Mac users around the world. Interestingly, the case was built on a single residual file that the spyware left on an iPhone belonging to Saudi women’s rights activist Loujain al-Hathloul. Here’s the story of the discovery that turned the tide against NSO Group.

NSO Group’s Pegasus spyware was found targeting journalists, activists, and politicians in various parts of the world. The tool was intended for sale to governments for undetectable domestic surveillance. It was first caught in the wild when al-Hathloul found a mysterious fake image file that the spyware had left on her iPhone. The activist had been imprisoned until February 2021 for “harming national security.” After her release, Google warned her that state-backed entities had attempted to access her Gmail account. Fearing that her iPhone had been compromised as well, she asked the Canadian privacy rights group Citizen Lab to sift through her iPhone’s files for evidence of hacking.

Al-Hathloul told Reuters that after six months, Citizen Lab researcher Bill Marczak made an “unprecedented discovery” in the form of the fake image file. The file contained code that directly linked NSO Group to the espionage tool used to hack al-Hathloul’s iPhone: the spyware was communicating with servers Citizen Lab had previously tied to NSO Group. The report states that Marczak’s analysis was corroborated by Amnesty International researchers and by Apple itself. Marczak likened the discovery to a “shell casing from the crime scene.” It provides unshakeable evidence that cyberespionage tools can access a victim’s device undetected, without any action on the victim’s part.

Zero-click malware, such as the kind used against al-Hathloul, usually deletes itself after infecting the victim’s device, leaving security researchers with no breadcrumbs that could lead back to the spyware developers and the attackers behind them. The method used to compromise the Saudi activist’s iPhone was eventually named “ForcedEntry.” Apple was given samples of the exploit in September 2021, and the iOS 14.8 update patched the vulnerability. Subsequently, another Israeli vendor, QuaDream, was found to be using the same ForcedEntry exploit.

Would Pegasus have been discovered if it hadn’t left any traces on Al-Hathloul’s iPhone? Tell us what you think in the comments section!

[Via Reuters]