Skip to main content

Report: active zero-click iMessage exploit in the wild targeting iPhones running the latest software, used against activists and journalists

An explosive report from Amnesty International interpreted device logs to reveal the scope of targeted malware attacks in active use targeting Android and iPhone devices, since July 2014 and as recently as July 2021. Exploited devices can secretly transmit messages and photos stored on the phone, as well as record phone calls and secretly record from the microphone. The attack is sold by Israeli firm NSO Group as ‘Pegasus’.

Whilst the company claims to only sell the spyware software for legit counterterrorism purposes, the report indicates it has actually been used to target human rights activists, lawyers and journalists around the world (as many have long suspected).

Perhaps most alarming for iPhone users, the findings show that there are active exploits against iPhones running the latest iOS 14.6 software, including ones that take advantage of a zero-click vulnerability in iMessage that can install the spyware without any user interaction.

Over the last few years, the Pegasus software has adapted as Apple fixed security bugs with iOS. However, each time, NSO Group has been able to find alternative security bugs to use instead. The lengthy report details several different variants of Pegasus that have been used in the wild.

The records indicate that, in 2019, a bug in Apple Photos allowed malicious actors to gain control of an iPhone perhaps via the iCloud Photo Stream service. After the exploit installs itself, crash reporting is disabled likely to prevent Apple from discovering the exploit too quickly by looking at submitted crash report logs.

Also in 2019, Amnesty says that an iMessage zero-click 0-day was widely used. It appears the hackers create special iCloud accounts to help deliver the infections. In 2020, Amnesty found evidence to suggest that the Apple Music app was now being used as an attack vector.

And fast forwarding to the present day, Amnesty believes Pegasus spyware is currently being delivered using a zero-click iMessage exploit that works against iPhone and iPad devices running iOS 14.6. The exploit also appeared to successfully work against iPhones running iOS 14.3 and iOS 14.4.

Apple significantly rewrote the internal framework that handles iMessage payloads as part of iOS 14, with a new BlastDoor subsystem, however clearly that has not fazed the intruders. It remains unknown whether iOS 14.7 — which will be released to the public this week — or iOS 15 — currently in developer beta — are susceptible to the same zero-click exploit. Perhaps what’s more scary is the fact that NSO Group seems more than able to find and deploy new exploits as soon as Apple patches the current holes, as shown by the five year history of evolving attack vectors reported by Amnesty.

Check out the Amnesty International post for a full detailed breakdown of all the evidence they have published.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Benjamin Mayo Benjamin Mayo

Benjamin develops iOS apps professionally and covers Apple news and rumors for 9to5Mac. Listen to Benjamin, every week, on the Happy Hour podcast. Check out his personal blog. Message Benjamin over email or Twitter.


Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications