
Listen up, iOS users! Apple has fixed three vulnerabilities in its mobile operating system that were exploited by a commercially sold spyware kit.

On 25 August 2016, Apple released iOS 9.3.5. The update plugs three security holes affecting iPhone 4s and later, iPad 2 and later, and iPod touch (5th generation) and later:

  • CVE-2016-4655 (Kernel): A validation issue that let an application disclose kernel memory. Fixed through improved input sanitization.
  • CVE-2016-4656 (Kernel): A memory corruption issue that let an application execute arbitrary code with kernel privileges. Fixed through improved memory handling.
  • CVE-2016-4657 (WebKit): A memory corruption issue where visiting a maliciously crafted website could lead to arbitrary code execution. Fixed through improved memory handling.
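For anyone who manages a fleet of iPhones and iPads, the practical question is which devices are still below the fixed build. The following is an added example (not code from the article, Apple, Lookout or Citizen Lab) that parses iOS version strings from a device inventory and flags every device that has not yet reached 9.3.5. The inventory records, serial numbers and the record field names are constructed for the example; the versions are compared numerically per component, because a plain string comparison would wrongly rank "9.10" below "9.3.5".

```python
"""Fleet check for the iOS 9.3.5 patch level.

Added example; not code from the article, Apple, Lookout or Citizen Lab.
Given inventory records (constructed sample below), flag every iOS device
still below 9.3.5, the release that fixes CVE-2016-4655, CVE-2016-4656 and
CVE-2016-4657. Versions are compared component by component as integers,
since a plain string comparison gets "9.10" < "9.3.5" wrong.
"""
from typing import List, Tuple

# First iOS release containing all three fixes (Apple, 25 August 2016).
FIXED_VERSION = "9.3.5"
TRIDENT_CVES = ("CVE-2016-4655", "CVE-2016-4656", "CVE-2016-4657")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "9.3.5" into (9, 3, 5); reject anything that is not dotted integers."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed iOS version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is at least `fixed`.

    Missing trailing components count as 0, so "9.3" is treated as 9.3.0
    and "10" as 10.0.0.
    """
    a, b = parse_version(version), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def vulnerable_devices(inventory: List[dict]) -> List[dict]:
    """Return the inventory records that still need the update, with the CVEs attached."""
    findings = []
    for device in inventory:
        # The advisory covers iOS only; other platforms in the same inventory are skipped.
        if device.get("os") != "iOS":
            continue
        if not is_patched(device["version"]):
            findings.append({**device, "missing": TRIDENT_CVES, "fix": FIXED_VERSION})
    return findings


# Constructed sample inventory: serial numbers, models and versions are made up.
# The field names ("serial", "os", "model", "version") are an assumption of this example.
SAMPLE_INVENTORY = [
    {"serial": "EXAMPLE-0001", "os": "iOS", "model": "iPhone 6s", "version": "9.3.5"},
    {"serial": "EXAMPLE-0002", "os": "iOS", "model": "iPhone 5", "version": "9.3.4"},
    {"serial": "EXAMPLE-0003", "os": "iOS", "model": "iPad 2", "version": "9.3"},
    {"serial": "EXAMPLE-0004", "os": "iOS", "model": "iPhone 6", "version": "10.0"},
    {"serial": "EXAMPLE-0005", "os": "Android", "model": "Nexus 5X", "version": "6.0.1"},
]

if __name__ == "__main__":
    for finding in vulnerable_devices(SAMPLE_INVENTORY):
        print(f'{finding["serial"]} ({finding["model"]}) on iOS {finding["version"]}: '
              f'update to {finding["fix"]} for {", ".join(finding["missing"])}')
```

Run against the constructed inventory, the check reports EXAMPLE-0002 and EXAMPLE-0003; a malformed version string raises rather than silently passing, which is the behaviour you want from a compliance check feeding a ticket queue.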

On their own, the three flaws are bad enough. Chained together they are worse. The chain, dubbed “Trident,” starts with a specially crafted text message that lures the user into tapping a link. The page it opens exploits the WebKit bug (CVE-2016-4657) to run code inside Safari, uses the kernel memory disclosure (CVE-2016-4655) to locate the kernel in memory and defeat its address randomization, and then triggers the kernel memory corruption (CVE-2016-4656) to execute code with kernel privileges. The result is a silent jailbreak that installs the malware payload, all without the user’s knowledge.

Trident’s attack sequence (Source: Lookout)

Not just any payload, however.

Trident is the latest exploit code sold with a spyware product called “Pegasus.” Developed by NSO Group, the kit uses obfuscation, encryption, and exploitation of zero-days at the kernel level to get what it wants: information.

Researchers at Lookout and Citizen Lab elaborate on Pegasus’ capabilities:

“In this case, the software is highly configurable: depending on the country of use and feature sets purchased by the user, the spyware capabilities include accessing messages, calls, emails, logs, and more from apps including Gmail, Facebook, Skype, WhatsApp, Viber, FaceTime, Calendar, Line, Mail.Ru, WeChat, SS, Tango, and others. The kit appears to persist even when the device software is updated and can update itself to easily replace exploits if they become obsolete.”

Pegasus documentation (Source: Citizen Lab)

The joint research team first learned about Trident after they were contacted by Ahmed Mansoor, a UAE-based human rights activist. Mansoor said he had received a suspicious SMS message. Rather than tap the link it contained, he forwarded the message to the researchers for analysis.

Their investigation found evidence that state-sponsored actors may have used the exploit code to target individuals in Kenya, Mexico, and other locations.

In this day and age, you can never be too careful around an unexpected SMS message. Don’t tap links in messages that come across as suspicious. In the meantime, all iOS users should install iOS 9.3.5 as soon as possible (Settings > General > Software Update).

For more information about Trident and Pegasus, please read Citizen Lab’s and Lookout’s separate reports here and here, respectively.

News of these vulnerabilities comes less than a month after Apple announced the creation of a bug bounty program.