Apple advises immediate update to iOS 9.3.5 after discovery of targeted iPhone spyware


Apple released an update to iOS 9 on Thursday, iOS 9.3.5, that patches three critical zero-day vulnerabilities which, according to a report from Citizen Lab and Lookout Security, were already being exploited in the wild, allegedly by governments, to target activists and dissidents. Apple turned the update around within 10 days of receiving Citizen Lab’s initial report. The update is recommended immediately for all iOS 9 devices.

When chained together, the exploits let an attacker hijack an iOS device and control or monitor it remotely. The attacker gains access to the device’s camera and microphone and can capture audio calls even in apps that are otherwise end-to-end encrypted, such as WhatsApp, because the spyware captures the audio on the device itself, before it is encrypted or after it has been decrypted. The attacker can also grab stored images, track the user’s movements, and retrieve files.

Some of the exploits may have been discovered months ago or earlier, so there is no way to know how widely they have been used, but the details suggest that these exploits, which work against earlier releases of iOS 9, were not in wide use and were deployed against individual targets.

“What we have seen from looking at these exploits is that it seems that they have been in the wild a bit longer than the 9.3.3/9.3.4 timeframe,” report co-author Bill Marczak of Citizen Lab said in an interview. iOS 9.3.3 was released on July 18.

An Apple spokesperson said, “We were made aware of this vulnerability and immediately fixed it with iOS 9.3.5. We advise all of our customers to always download the latest version of iOS to protect themselves against potential security exploits.”

Jailbreaks for iOS 9.3.4 have been demonstrated but not yet released, and it’s possible that those jailbreaks relied on one or more of the three flaws now patched.

Zero-day exploits for iOS aren’t uncommon, judging by the efforts of jailbreakers, security researchers, and companies that sell flaws to governments (some of them to anyone who pays) at prices that can reach $500,000 to $1 million. However, this appears to be the first time a complete, actively used iOS exploit chain has been captured in the wild and thoroughly documented. Marczak said his organization had been tracking the infrastructure behind the exploit for some time before an activist forwarded phishing links that matched a domain Citizen Lab was already following.

The odds of any combination of these exploits having been used against iOS users broadly are very low, since widely exploited bugs would likely have been noticed by researchers and by Apple. More likely, the flaws were kept close to the vest by whoever discovered them and deployed only against high-value targets of interest to governments or criminal syndicates.

As Lookout Security noted, “The going price for Pegasus [a mobile espionage product] was roughly $8 million for 300 licenses, so it’s not likely to be used against an average mobile device user, only targets that can be considered of high value.”

Nonetheless, it’s critical to install the update now that the exploits have been documented, as other attackers may try to reproduce the approach against devices that haven’t been updated. However, Marczak noted, “It was a fairly sophisticated exploit and we did omit some details about which functions were vulnerable,” so criminal organizations may not be able to take advantage before most iOS users have updated.
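For anyone responsible for a fleet of iOS 9 devices, the practical check is whether each device is at or above 9.3.5. The Python below is an added example written for this article, not code from Citizen Lab, Lookout or Apple; the fix version comes from the article, and the device inventory is constructed sample data (the 9.3.10 entry is a hypothetical version included only to show why the comparison must be numeric rather than lexical).

```python
"""Flag iOS devices still below the release that patches the three flaws.

Added example for this article, not code from Citizen Lab, Lookout or Apple.
The fix version (9.3.5) comes from the article; the inventory below is
constructed sample data.
"""
from typing import Dict, List, Tuple

# Per the article: the iOS 9 release that patches the exploit chain.
FIXED_VERSION = "9.3.5"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version like '9.3.4' into a tuple of ints, (9, 3, 4).

    Comparing the tuples compares each component numerically. A plain
    string comparison gets this wrong: '9.3.10' < '9.3.5' as strings,
    even though 9.3.10 would be the newer release.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is at or above the release carrying the fix.

    A shorter tuple compares as older than a longer one with the same
    prefix, so '9.3' counts as below '9.3.5', which is what we want.
    """
    return parse_version(version) >= parse_version(fixed)


# Constructed sample inventory (hypothetical device names and versions).
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"device": "ipad-legal-01", "ios": "9.3.3"},
    {"device": "iphone-press-02", "ios": "9.3.4"},
    {"device": "iphone-press-03", "ios": "9.3.5"},
    {"device": "iphone-exec-04", "ios": "9.3.10"},    # hypothetical, newer than 9.3.5
    {"device": "iphone-travel-05", "ios": "9.2.1"},
    {"device": "iphone-loaner-06", "ios": "unknown"},  # malformed record
]


def triage(inventory: List[Dict[str, str]]) -> Tuple[List[str], List[str]]:
    """Split an inventory into (devices needing the update, records we could not parse).

    Unparseable records are reported separately rather than silently treated
    as patched, so a bad MDM export cannot hide a vulnerable device.
    """
    needs_update: List[str] = []
    unparsed: List[str] = []
    for record in inventory:
        try:
            if not is_patched(record["ios"]):
                needs_update.append(record["device"])
        except ValueError:
            unparsed.append(record["device"])
    return needs_update, unparsed


if __name__ == "__main__":
    stale, bad = triage(SAMPLE_INVENTORY)
    print("Needs iOS 9.3.5 or later:", ", ".join(stale))
    print("Could not determine version:", ", ".join(bad))
```

Running the script against the constructed inventory lists the 9.3.3, 9.3.4 and 9.2.1 devices as needing the update and reports the malformed record separately; a device whose version cannot be read should be chased down, not assumed safe.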

Users should also avoid, now and forever, clicking on links in SMS messages from unknown parties. And because the sender of an SMS message can be spoofed, a link that appears to come from a known party can be dangerous as well.

How the exploits work

Citizen Lab is a project at the University of Toronto’s Munk School of Global Affairs, where researchers study how power is exercised in digital realms, with a focus on human rights and global security. The report was produced in collaboration with Lookout Security and builds on earlier Citizen Lab work charting the activity of an operator it labeled Stealth Falcon, which targeted internal and external critics of the United Arab Emirates (UAE) government. While Citizen Lab had identified Stealth Falcon’s infrastructure, it hadn’t yet connected active malware to it.

On August 10, prominent UAE human-rights activist Ahmed Mansoor received suspicious SMS messages containing links that promised information about abuses. Mansoor has been jailed, is banned from traveling outside the UAE, and has been the target of two previous so-called “lawful intercept” efforts. Lawful intercept refers to a government using the force of local law to obtain information from a network, although the methods used may not always fit within the statutory or constitutional protections of the country in which they occur.

Rightly suspicious, Mansoor forwarded the messages to Citizen Lab, which partnered with Lookout Security to analyze the malware and identified three separate zero-day exploits, that is, exploits for flaws that were unknown to Apple and unpatched in currently released software. Here’s how the chain of exploits works:

  • The URL sent by SMS opens a webpage, which loads JavaScript and then retrieves remote binary files (available for both 32-bit and 64-bit versions of iOS). An exploit in WebKit, the rendering engine behind Safari, allows these binaries to execute within Safari’s process. On its own that gives the attacker only the limited privileges of the sandboxed browser, which is why the next two steps are needed.
  • The executed binary uses a second exploit to bypass a protection Apple builds into the operating system, Kernel Address Space Layout Randomization (KASLR), which loads the kernel at an unpredictable address so that malicious software cannot know where the core of the operating system sits in memory.
  • With the kernel’s location known, a third exploit corrupts kernel memory to disable the check that stops iOS from running software not signed by Apple. This effectively jailbreaks the phone.

Researchers found that after these exploits were triggered in sequence, the executed binary downloads and runs the spyware payload, which is designed to persist across reboots. It disables Apple’s automatic updates and removes any other jailbreaks.

The report says the spyware installs hooks throughout iOS to intercept data, and specifically monitors a number of apps, including “iMessage, Gmail, Viber, Facebook, WhatsApp, Telegram, Skype, Line, KakaoTalk, WeChat, Surespot, Mail.Ru, Tango, VK, and Odnoklassniki.” The malware connects to remote command-and-control servers to exfiltrate the captured data.

Marczak said that one characteristic of highly targeted attacks is that the URLs stop working after a single click, the intent being to infect one victim and then be unavailable for further investigation. Marczak said his team followed the link on a standard-issue iPhone and captured the infection process, but when the malware started to communicate back to the operator’s server, he and his coworkers became nervous about the microphone being enabled and GPS coordinates being transmitted.

“Very quickly, we turned it off and put it in a metal box,” Marczak’s colleague, Nick Weaver, said. “We didn’t want them to hear us giggling with glee.”

Citizen Lab and Lookout Security connect the software to NSO Group, an Israel-based company that sells surveillance software to governments. NSO Group is comparable to FinFisher and Hacking Team, whose software was previously used to target Mansoor. The report also includes evidence tying the attempted spyware installation to the UAE government.

The report also connects to NSO Group an attempt a year ago in Mexico to target journalist Rafael Cabrera, who has reported on a conflict of interest involving the president of Mexico and the president’s wife. While the links from those earlier attempts were no longer serving malware, Cabrera provided Citizen Lab with more recent phishing attempts, which the researchers connected to servers they believe are operated by NSO Group, and which, had the links been followed, would have resulted in infection.

Marczak said the software was designed to operate stealthily, monitoring data use and battery consumption and disabling features that might give it away. It could also disable itself or remove itself entirely if it detected an analysis environment or if the remote operators wanted to pull the plug.