NSO Group used iOS exploits to spy on human rights advocates: Citizen Lab

The controversial Israeli spyware tool Pegasus exploited vulnerabilities in Apple's operating system to carry out at least three attacks on iPhone users last year, according to newly released research.

Citizen Lab, a watchdog group based at the University of Toronto, revealed that last year NSO Group customers deployed at least three iOS 15 and iOS 16 zero-click exploits to infect the devices of human rights activists around the world, including two in Mexico from an organization representing victims of military abuses in the country.

The spyware developed by the company NSO Group can surreptitiously access calls, messages and photos, turn on a device's camera and microphone, and track its location.

Pegasus is typically installed through a "zero-click" attack, meaning the user does not need to click on any link or download any file to be infected. Instead, the spyware exploits vulnerabilities in the device's operating system to gain access.

After an investigation into the spyware intrusions, Apple released several security improvements to its HomeKit software in iOS 16.3.1 in October 2022.

Jorge Santiago Aguirre Espinosa, the director of Centro Prodh, which advocates for victims of military abuse, was previously infected with Pegasus in 2017, and the spyware was also active on his device in June and July last year. Another Centro Prodh advocate, María Luisa Aguilar Rodríguez, was infected twice last September.

Mexico’s government and military have a long history of human rights abuses, extrajudicial killings, and disappearances. The New York Times released an investigation this week revealing that Mexico's military is reportedly the longest-standing client of Pegasus, and has used the spyware to target more cell phones than any other government agency in the world.

The Mexican military is reportedly the sole operator of Pegasus in the country. The Mexican government has spent more than $60 million on the Israeli spyware, according to the investigation. A previous Citizen Lab investigation, alongside the nonprofit R3D, found that Pegasus was deployed against local journalists and human rights activists in the country.

In its report released on Tuesday, Citizen Lab did not disclose the third victim of the spyware infection. However, the day after the report was released, the Israeli news outlet Haaretz published an article describing how Pegasus had been used to target an Israeli citizen who was involved in the country's protest movement. Citizen Lab analyzed his iPhone and confirmed that it had been infected with Pegasus since last November. It is currently unclear who was responsible for carrying out the attack.

Zero-click exploits

Citizen Lab identified three zero-click exploits targeting various apps and features on iPhone.

The first, dubbed LATENTIMAGE, was deployed in January 2022. It appears to leave very few traces on the device, making it hard to detect. This exploit launches the Pegasus spyware via SpringBoard — the iOS home screen that allows users to customize their devices by arranging their apps, creating folders, and adding widgets.

The second zero-day and zero-click exploit, FINDMYPWN, was deployed against iOS 15 beginning in June 2022. It first targets the iPhone’s Find My feature, and then iMessage.

The third exploit, PWNYOURHOME, was deployed against Apple Home and iMessage starting in October 2022. Targets who activated iOS 16's Lockdown Mode feature were warned in real-time if someone tried to exploit their devices with PWNYOURHOME.

“While NSO Group may have found a way to bypass this warning, we have not seen any successful PWNYOURHOME attacks on devices that have Lockdown Mode enabled,” Citizen Lab said.

The researchers said that NSO Group is improving its spyware to evade detection. For example, in contrast to previous versions of Pegasus, the versions deployed in 2022 appear to more thoroughly remove data from various iPhone log files, in an attempt to thwart researchers from understanding the nature of the vulnerabilities exploited to compromise phones, Citizen Lab said.

At the time of publication, NSO Group had not responded to the request for comment from The Record.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.