Advanced Israeli malware: no interaction, no trace

Israeli spyware was used to hack the phones of dozens of Al-Jazeera staff (Osama Bhutta - Flickr)

Tamara Nassar

The Electronic Intifada  /  December 29, 2020

There is advanced Israeli malware that can hack into your device without requiring you to interact with it or leaving a visible trace.

In earlier versions, the malware produced by Israeli spy firm NSO Group required a target to click a link or open a document.

In more recent versions, the targeted person may still receive a message or phone call containing the malware, but their device can be infected without them having to click on anything.

In the newest versions, not even a visible message or call is required.

The phones of dozens of media personnel have been infected with the advanced spyware, the Canadian cybersecurity organization Citizen Lab has revealed.

Suspected government agents used malware produced by NSO Group to hack into the phones of 36 journalists, producers, anchors and executives at Al Jazeera, and the phone of a journalist at the London-based Al Araby between July and August.

Citizen Lab named Palestinian investigative journalist Tamer Almisshal and Moscow correspondent Ranya Dridi as two of the Al Jazeera journalists whose phones were breached.

Dridi’s phone was hacked at least six times within nine months, according to Citizen Lab.

Citizen Lab concludes with “medium confidence” that the United Arab Emirates was behind hacking 15 of the phones, while Saudi Arabia was behind another 18 intrusions. Four other phones were breached by two other operators.

One of the phones targeted by the operator linked with the UAE used the same internet domain name that was used to hack Emirati human rights advocate Ahmed Mansoor with NSO Group software in 2016.

The UAE has also previously used NSO Group malware in attempts to spy on Qatar’s Emir Tamim bin Hamad Al Thani, Lebanese Prime Minister Saad Hariri and a Saudi prince, The New York Times reported in 2018.

No interaction, no trace

Earlier versions of NSO Group’s Pegasus software required the targeted person to interact with the malware by clicking on a link or opening a document sent by those doing the spying.

That would then allow for the installation of sophisticated malware on the device that can go undetected and send the user’s personal data to the spies.

This can include locations, recordings, screenshots, emails, text messages, passwords and pictures.

Since at least 2016, newer versions did not require the recipient to interact with the malware.

More recently, it appears that NSO Group’s software has advanced to the point that not only does it require no interaction with the malware, but it also leaves no visible trace on the infected device.

Spies appear to have used iMessage, the messaging application on all Apple computers, phones and tablets, to infect targeted devices.

One reason the Apple devices were vulnerable, according to Citizen Lab, is that iMessage has historically not been “sandboxed.” Sandboxing is a programming technique that isolates an app from the rest of the system, so that a flaw in one app cannot be used to reach into other apps or the operating system.
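To make the sandboxing idea concrete, here is an added example that is not code from Citizen Lab, Apple or NSO Group. A toy message parser contains a simulated bug (the `os.abort()` call stands in for the crash a real memory-corruption flaw would cause). Run inside the main application, that crash would take the whole application down with it; run in a separate process with a CPU limit, the crash ends only the child, and the parent simply records what happened. The message format, the field names and `toy_parser` are all constructed for this illustration.

```python
import json
import multiprocessing as mp
import os

try:
    import resource  # POSIX only; used to cap the child's CPU time
except ImportError:  # e.g. Windows
    resource = None

# Constructed sample messages (not real iMessage traffic).
BENIGN = b'{"from": "alice", "body": "hello", "attachment": "", "attachment_len": 0}'
# The declared attachment length does not match the payload: the kind of
# inconsistency a buggy parser trusts without checking.
MALFORMED = b'{"from": "mallory", "body": "", "attachment": "ab", "attachment_len": 4096}'


def toy_parser(raw: bytes) -> dict:
    """Stand-in for a message parser with a memory-safety bug.

    A real bug would corrupt memory; here os.abort() simulates the resulting
    crash so the containment logic can be exercised safely.
    """
    msg = json.loads(raw.decode("utf-8"))
    if msg.get("attachment_len", 0) > len(msg.get("attachment", "")):
        os.abort()  # simulated crash inside the untrusted-input parser
    return msg


def _sandboxed_child(raw: bytes, conn) -> None:
    """Runs in the isolated child: cap CPU time, parse, report back over the pipe."""
    if resource is not None:
        resource.setrlimit(resource.RLIMIT_CPU, (2, 2))  # kill the child if it spins
    try:
        conn.send(("ok", toy_parser(raw)))
    except Exception as exc:  # malformed JSON etc. is reported, not propagated
        conn.send(("error", type(exc).__name__))
    finally:
        conn.close()


def parse_message(raw: bytes, timeout: float = 5.0) -> tuple:
    """Parse untrusted bytes in a separate process.

    Returns ("ok", msg), ("error", name), ("crashed", exitcode) or ("timeout", None).
    The parent never parses the raw bytes itself, so a crash in the parser
    ends only the child process.
    """
    parent_end, child_end = mp.Pipe(duplex=False)
    proc = mp.Process(target=_sandboxed_child, args=(raw, child_end))
    proc.start()
    child_end.close()  # the parent keeps only the read end
    verdict = None
    try:
        if parent_end.poll(timeout):
            verdict = parent_end.recv()
    except EOFError:  # the child died before sending anything
        verdict = None
    proc.join(1.0)
    if proc.is_alive():
        proc.kill()
        proc.join()
        return ("timeout", None)
    if verdict is None:
        return ("crashed", proc.exitcode)  # negative exitcode: killed by a signal
    return verdict


if __name__ == "__main__":
    for sample in (BENIGN, MALFORMED, b"not json"):
        print(parse_message(sample))
```

The benign message comes back parsed, the malformed one is reported as a crash of the child (on Linux the exit code is the negative signal number), and syntactically bad input is reported as an error. In every case the parent keeps running, which is the property a sandbox is meant to provide.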

Such infections have also been previously done through WhatsApp, the popular messaging app owned by Facebook.

Citizen Lab said the devices it inspected are likely “a minuscule fraction of the total attacks leveraging this exploit.”

The organization said it has contacted Apple with its findings.

Citizen Lab also warned of the “apparent vulnerability of almost all iPhone devices prior to the iOS 14” – the latest software update for Apple mobile devices.

While the group found “no evidence” that the latest version of iOS is vulnerable, it advised users to always perform system updates on their devices. It also warned that “NSO Group is constantly working to develop new vectors of infection.”

Lawsuit

These advances hint at a frightening terrain in the global surveillance industry.

Citizen Lab said such innovations are “part of a broader industry-wide shift towards more sophisticated, less detectable means of surveillance.”

They make it “increasingly difficult” to trace such attacks, while making it easier for governments to “facilitate the continued abuse of human rights while evading public accountability.”

Facebook is suing the Israeli firm for exploiting a flaw in its WhatsApp messaging service to spy on hundreds of people, including American citizens’ phones.

Now, several Silicon Valley giants are supporting the legal fight against NSO Group.

Microsoft, Google, LinkedIn, Cisco, GitHub, VMware and the Internet Association filed an amicus brief last week backing Facebook’s lawsuit.

The firms call the spying tools NSO Group makes “powerful and dangerous.”

In a blog post from a senior executive, Microsoft warned that “companies like the NSO Group threaten human rights whether they seek to or not” and conduct their “dangerous business without legal rules, responsibilities or repercussions.”

Legal “cloak”

While NSO Group claims only to sell its spyware to governments for legitimate purposes such as law enforcement, that has not stopped the technology from being abused.

Microsoft however accuses the firm of “attempting to cloak itself in the legal immunity afforded its government customers” so that it can shield itself from accountability “when its weapons inflict harm on innocent people and businesses.”

NSO Group has been embroiled in various scandals in recent years involving its software being used to target the phones of reporters, human rights workers and government officials.

Despite the firm’s notorious role in what Citizen Lab calls “surveillance abuses,” several European countries, including the Netherlands and Sweden, have been cozying up to Israel’s tech industry – which is intricately tied to its military and espionage apparatuses.

NSO Group’s board of directors and management are studded with former Israeli government officials, cyberwarfare army veterans and intelligence officials.

Tamara Nassar is an assistant editor at The Electronic Intifada