Apple patches against alleged NSO Group zero-click exploit used on activists

Apple released a patch Monday against two security vulnerabilities, one of which the Israeli surveillance company NSO Group has exploited, according to researchers.

The updated iOS software patches against a zero-click exploit that uses iMessage to launch malicious code, which in turn allows NSO Group clients to infiltrate targets — including the phone of a Saudi activist in March, researchers at Citizen Lab said.

The exploit uses a manipulated gif to crash Apple’s image rendering library. It then launches spyware that researchers say shares distinct features with NSO Group’s Pegasus spyware. Researchers have named the exploit “FORCEDENTRY.”

Zero-click exploits prove especially dangerous because they don’t require users to open the malicious message or link for hackers to gain access to your phone.

Researchers are urging Apple Mac, iPhone and Apple Watch users to immediately update their iOS software. The NSO Group exploit was a zero-day, or previously unknown, vulnerability.

It’s just the latest in a number of zero-click exploits against iOS used by NSO Group in recent years. Hackers suspected of working for the governments of Saudi Arabia and the United Arab Emirates breached three dozen devices belonging to Al Jazeera journalists in 2020 using a zero-click iPhone exploit and NSO Group spyware, Citizen Lab reported in December.

While Apple released a security feature in its iOS 14 update to protect against such attacks. researchers at both Citizen Lab and Amnesty Tech found successful zero-click exploits being used to infiltrate phones with iOS 14.6 as recently as July. Citizen Lab reported last month that government hackers used NSO Group zero-click exploits to infiltrate the phones nine Bahraini activists. The Bahrain government denied the claims.

Another vulnerability patched in Monday’s update affected WebKit, the engine Apple uses to display Safari. The vulnerability allowed hackers to use “maliciously crafted web content” to exploit iPhones and iPads that launched the content. Apple attributed the vulnerability to an anonymous researcher. The flaw is the thirteenth vulnerability with WebKit that Apple has addressed this year.

NSO Group declined to comment on the allegations.

“NSO Group will continue to provide intelligence and law enforcement agencies around the world with life saving technologies to fight terror and crime,” a spokesperson wrote in an email to CyberScoop.

Updated 9/13/21: with comment from NSO Group.