Businesses and consumers are being urged to update the operating systems on their Apple mobile devices without delay.
When exploited, the three vulnerabilities form an attack chain that subverts even Apple’s strong security, enabling attackers to spy on victims by collecting information from apps including Gmail, Facebook, Skype, WhatsApp, Calendar, FaceTime, Line, Mail.Ru and others.
This is the first active mobile threat that takes complete control of an Apple device with just one click, the researchers said.
“This discovery is further proof that mobile platforms are fertile ground for gathering sensitive information from target victims, and well-resourced threat actors are regularly exploiting that mobile environment,” said Mike Murray, vice-president of security research and response at Lookout.
A key lesson from the Trident attack for enterprise CISOs and CIOs is that “mobile devices and enterprise intellectual property are being targeted by sophisticated corporate espionage,” he wrote in a blog post.
Trident used in Pegasus spyware
According to the researchers, Trident is used by an Israeli security startup called the NSO Group in its mobile spyware product, Pegasus.
The company, which appears to have no website, is thought to rely on exploiting security vulnerabilities in consumer software to help law enforcement and spies, but also claims it can help monitor smartphones of people targeted by government agencies, according to the Wall Street Journal.
The Pegasus spyware is extremely sophisticated and modular to allow for customisation, and uses strong encryption to evade detection.
Citizen Lab recently caught the first in-the-wild sample of the iOS version of Pegasus, describing in a report how a government targeted an internationally recognised human rights defender, Ahmed Mansoor, with Trident.
However, the researchers said they are aware that the NSO Group advertises similar products for Android and Blackberry to spy on victims.
According to the researchers, Pegasus is the most sophisticated attack seen on any endpoint because it takes advantage of how integrated mobile devices are in people’s lives and the combination of features only available on mobile: always connected (Wi-Fi, 3G/4G), voice communications, camera, email, messaging, GPS, passwords and contact lists.
The three vulnerabilities that make up Trident and have been patched by Apple in the 9.3.5 security update to iOS are:
- A kernel base mapping vulnerability that leaks information that enables attackers to calculate the kernel’s location in memory. (CVE-2016-4655)
- A kernel-level vulnerability that allows attackers to jailbreak the device and install surveillance software.
What makes this specific type of attack particularly sophisticated is the number of vulnerabilities that had to be chained to make it a seamless attack requiring very little user interaction, said Guillaume Ross, senior security consultant at Rapid7.
“This attack basically exploits an issue in Safari, exploits the kernel to effectively jailbreak the phone and then persists on to the device,” he said.
“Jailbreak software is regularly released publicly and exploits such vulnerabilities, but with a major difference: this software exploits the iOS device locally, over USB or such an interface, and not simply by clicking a link, though that has also occurred in the past.”
Lookout researchers are urging all iOS users, individuals and businesses to update to the latest version of the mobile operating system as soon as possible.
Apple said in a statement: “We were made aware of this vulnerability and immediately fixed it with iOS 9.3.5. We advise all of our customers to always download the latest version of iOS to protect themselves against potential security exploits.”