Watch out for "Pegasus": spyware on your mobile device

Sophisticated, persistent mobile attack against high-value targets on iOS
By Lookout and Citizen Lab
August 25, 2016

Persistent, enterprise-class spyware is an underestimated problem on mobile devices, yet targeted attacks against high-value mobile users are a real threat.

Citizen Lab (Munk School of Global Affairs, University of Toronto) and Lookout have uncovered an active threat using three critical iOS zero-day vulnerabilities that, when exploited, form an attack chain that subverts even Apple’s strong security environment. We call these vulnerabilities “Trident.” Our two organizations have worked directly with Apple’s security team, which was very responsive and immediately fixed all three Trident iOS vulnerabilities in its 9.3.5 patch.

All individuals should update to the latest version of iOS immediately. If you’re unsure what version you’re running, you can check Settings > General > About > Version. Lookout will send an alert to a customer’s phone any time a new update is available. Lookout’s products also detect and alert customers to this threat.

Trident is used in a spyware product called Pegasus, which according to an investigation by Citizen Lab is developed by an organization called NSO Group. NSO Group is an Israel-based organization that was acquired by U.S. company Francisco Partners Management in 2010 and, according to news reports, specializes in “cyber war.” Pegasus is highly advanced in its use of zero-days, obfuscation, encryption, and kernel-level exploitation.

We have created two reports that discuss the use of this targeted attack against political dissidents and provide a detailed analysis of the malicious code itself. In its report, Citizen Lab details how attackers targeted a human rights defender with mobile spyware, providing evidence that governments digitally harass perceived enemies, including activists, journalists, and human rights workers. In its report, Lookout provides an in-depth technical look at the targeted espionage attack that is actively being used against iOS users throughout the world.

The overview

Ahmed Mansoor is an internationally recognized human rights defender and a Martin Ennals Award Laureate (sometimes referred to as a “Nobel prize for human rights”), based in the United Arab Emirates (UAE). On August 10th and 11th, he received text messages promising “secrets” about detainees tortured in UAE jails if he clicked on an included link. Instead of clicking, Mansoor sent the messages to Citizen Lab researchers. Recognizing the links as belonging to an exploit infrastructure connected to NSO group, Citizen Lab collaborated with Lookout to determine that the links led to a chain of zero-day exploits that would have jailbroken Mansoor’s iPhone and installed sophisticated malware.

This marks the third time Mansoor has been targeted with “lawful intercept” malware. Previous Citizen Lab research found that in 2011 he was targeted with FinFisher spyware, and in 2012 with Hacking Team spyware. The use of such expensive tools against Mansoor shows the lengths that governments are willing to go to target activists.

Citizen Lab also found evidence that state-sponsored actors used NSO’s exploit infrastructure against a Mexican journalist who reported on corruption by Mexico’s head of state, and an unknown target or targets in Kenya.

NSO Group used fake domains impersonating sites such as the International Committee of the Red Cross, the U.K. government’s visa application processing website, and a wide range of news organizations and major technology companies. This points to the targeted nature of this software.

The Pegasus spyware

Pegasus is the most sophisticated attack we’ve seen on any endpoint because it takes advantage of how integrated mobile devices are in our lives and the combination of features only available on mobile — always connected (WiFi, 3G/4G), voice communications, camera, email, messaging, GPS, passwords, and contact lists. It is modular to allow for customization and uses strong encryption to evade detection. Lookout’s analysis determined that the malware exploits three zero-day vulnerabilities, or Trident, in Apple iOS:

1. CVE-2016-4655: Information leak in kernel – A kernel base mapping vulnerability that leaks information to the attacker, allowing them to calculate the kernel’s location in memory.

2. CVE-2016-4656: Kernel memory corruption leads to jailbreak – 32- and 64-bit iOS kernel-level vulnerabilities that allow the attacker to silently jailbreak the device and install surveillance software.

3. CVE-2016-4657: Memory corruption in WebKit – A vulnerability in Safari’s WebKit that allows the attacker to compromise the device when the user clicks on a link.

The attack sequence, boiled down, is a classic phishing scheme: send text message, open web browser, load page, exploit vulnerabilities, install persistent software to gather information. This, however, happens invisibly and silently, such that victims do not know they’ve been compromised.
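The practical defender's check that follows from the advice above is to find every device still below iOS 9.3.5. This added example (not code from Lookout or Citizen Lab) triages a constructed device inventory against that patch level; device names and version strings are hypothetical.

```python
"""Triage an iOS device inventory against the Trident patch level.

Added example, not from the advisory's authors. It assumes a constructed
inventory of (device name, reported iOS version) pairs and treats any
version below 9.3.5 as still exposed to the three Trident CVEs.
"""
import re

TRIDENT_CVES = ("CVE-2016-4655", "CVE-2016-4656", "CVE-2016-4657")
TRIDENT_FIXED_IN = (9, 3, 5)  # iOS 9.3.5, per the advisory

_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)")


def parse_ios_version(text):
    """Turn '9.3.5', '9.3' or '10.0.1 (build-id)' into a comparable tuple.

    Missing components count as zero, so '9.3' becomes (9, 3, 0).
    Returns None when the string has no leading dotted number.
    """
    m = _VERSION_RE.match(text or "")
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    return (parts + (0, 0, 0))[:3]


def is_trident_patched(version_text):
    """True when the reported version is at least iOS 9.3.5."""
    v = parse_ios_version(version_text)
    return v is not None and v >= TRIDENT_FIXED_IN


def triage(inventory):
    """Map each device to the Trident CVEs it is still exposed to.

    Unparseable versions are reported as exposed to all three: an unknown
    patch level must be verified, never assumed safe.
    """
    return {device: ([] if is_trident_patched(ver) else list(TRIDENT_CVES))
            for device, ver in inventory}


# Constructed sample inventory (hypothetical names and versions).
SAMPLE_INVENTORY = [
    ("iphone-ops-01", "9.3.5"),
    ("iphone-ops-02", "9.3.4"),
    ("ipad-legal-07", "9.3"),
    ("iphone-exec-03", "10.0.1 (build-id)"),
    ("iphone-unknown", "n/a"),
]

if __name__ == "__main__":
    for device, exposed in triage(SAMPLE_INVENTORY).items():
        print(device, "patched" if not exposed else "UPDATE: " + ", ".join(exposed))
```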

In this case, the software is highly configurable: depending on the country of use and feature sets purchased by the user, the spyware capabilities include accessing messages, calls, emails, logs, and more from apps including Gmail, Facebook, Skype, WhatsApp, Viber, FaceTime, Calendar, Line, Mail.Ru, WeChat, SS, Tango, and others. The kit appears to persist even when the device software is updated and can update itself to easily replace exploits if they become obsolete.

We believe that this spyware has been in the wild for a significant amount of time based on some of the indicators within the code (e.g., a kernel mapping table that has values all the way back to iOS 7). It is also being used to attack high-value targets for multiple purposes, including high-level corporate espionage on iOS, Android, and BlackBerry.

To learn more

Our reports provide in-depth information about the threat actor as well as their software and the vulnerabilities exploited — Citizen Lab has tracked the actor’s political exploits around the world, while Lookout has focused on the technical details of the malware from the beginning of the exploit chain to its use. Our reports include detailed analysis of the Trident iOS vulnerabilities that are patched in the 9.3.5 release from Apple, as well as the various components of the espionage software.

Lookout customers: Read this document on how to tell if you’re impacted by this attack.

Think you’ve encountered a suspicious link such as the ones described above? Email support@lookout.com.

Research teams:

Citizen Lab: Bill Marczak and John Scott-Railton, Senior Fellows

Lookout: Max Bazaily, Andrew Blaich, Kristy Edwards, Michael Flossman, Seth Hardy, Staff Security Researchers, Mike Murray, VP of Security Research

Read more: Sophisticated, persistent mobile attack against high-value targets on iOS (https://blog.lookout.com/blog/2016/08/25/trident-pegasus/)


U.N., how are you? Where are you?

Watch this old video and try to observe the pattern of killings, the denial tactic, the use of hired vigilantes, the no investigations conducted, the public threats and naming mechanism, the fear it created in the citizens to speak out, the systematic cover-ups and suppression of investigations, etc. Aren't all of these things also the exact same things that are happening today in this so-called war on drugs under the reign of this new leader?

But what are the people complaining about when in the first place they have voted for a bloody leader into office who promised them death by the thousands in the first few months of his reign? Now that members of their families are killed one by one, are their deep regrets too late for their remaining targeted loved ones?

U.N., how are you? Now that you have tasted the intimidation tactic of DU30, have your balls shrunk yet, or has your tail curled between your legs already?


You were forewarned that you will be dealing with a leader who knows how to use his political stupidity to his personal foolish advantage. Look at the praises he is now fast gaining online as he lambasted you when you tried to dip your toe into the Philippines' EJK problem. In the hundreds of comments online from various global netizens, DU30 is portrayed as an emerging hero while you are portrayed as a tool and puppet of the founding superpower USA.

So what is it going to be now? Are you still interested in investigating the extrajudicial killings in the Philippines, or would you just sit down and lick your hurt balls while you watch the country gradually turning into yet another of the recent-decade killing fields?

But in all seriousness, if in case your balls recover, and your concern for the Philippines happens to still remain intact and genuine, just please don't wait too long before you act. Otherwise it might be too late. Lives.... lives of the innocent ones who are mistakenly marked and targeted, and lives of those victims of drugs who truly and honestly desire to live a new life are at stake.

Please help us if you are true to your mission... to protect and care for the rights of humanity  -- not just for the innocent, but also for the rights of those who have gone astray.

This new leader of our country only believes in the rights of the innocent. In his eyes, the criminals, particularly the drug-related criminals, have lost all their rights under his own law. To him, a poor country like the Philippines cannot afford and has no capacity to incarcerate these criminals away from the public and take care of them when they number in the hundreds of thousands or even a few millions. That is why, by this bloody leader's calculation, it is practical and merciful to send these criminals off to the next world (in the quickest way he prefers and loves doing himself) ahead of their respective appointed times than to make them languish in inhumane jail conditions and still die of a painful and agonizing long-suffering death in incarceration. Thus justifying the need for "legal" NDS (National Death Squad) units in the National Police with special direct orders to shoot and kill the targeted criminals and in effect practically bypass the law's resource-wasting and rigorous due process. To him this policy that he is now implementing nationwide is practical, Davao-tested, and effective.

U.N., do you agree with the policy of our bloody leader? If not, then pack your balls and show your true strong concern and action. Perhaps your concern and action could warm the balls of our Supreme Court and our Senate. The lower house has been castrated already by DU30. So far the one that has balls in the Senate is a lawmaker who ironically is a lady senator. DU30 is finding it hard to castrate her because he has yet to find her balls. So instead, DU30 is now trying to squeeze the balls of the lady senator's former driver and lover to intimidate her since she is now trying to initiate a Senate investigation into the extrajudicial killings in our country. The lady senator was a former chairperson of the country's Commission on Human Rights and she was responsible for DU30's old anger towards her because she tried to investigate Davao's extrajudicial killings before.

U.N., when in case you come to help us, again I am reminding you that DU30 is a master of threats and intimidation. I hope you have your counter measures ready and you have your plans. We are waiting to thank you.


Shameless and shameful instance of a charcoal calling a pot black

Is this a manifestation of a psychological disorder? Or has somebody simply failed to consider the "blackness" of his own life that he has the twisted guts to disgrace the honor of the office he has been put into?

Could there be somebody courageous and tactful enough to take down the "mirror-mirror-on-the-wall" inside Malacañang? Would somebody be kind enough to place a true and honest "mirror" in the presidential palace, please?

The president has the whole country to run now and not anymore Davao City. His leadership qualities obviously need to level up, so let us not just let the president marvel at the rose-colored image of himself he sees on Malacañang's sycophantic "mirror-mirror-on-the-wall" system, but also let him see himself too through a clear, real, and honest "mirror" system so he can be helped in his desire to "metamorphose" and get his flaws corrected or at least appropriately managed. No leader is perfect, and certainly neither is PRRD. The president's blunders could spell our country's setback, if not trouble.

Critics and oppositors, be careful! I suppose you should have known already by now that this president also has a psychological disorder just like what any one of us might have -- only that his psychological disorder is at a level which is a bit worse than most of ours. Play with his ego, and you are like a circus man placing your head into the gaping mouth of a supposed-to-be tamed and trained circus alligator.

Contrary to what many of us would like to believe, this grub has not [yet] metamorphosed into a butterfly. Thus be aware so as to be guided, but not beware as to be intimidated. As responsible and concerned citizens of our country, we have the obligation to help our public officials succeed despite and in spite of their flaws and weaknesses. Honest and responsible constructive criticism never fails to help build a nation. That is just among the least of things we can do to help our country move forward in the right direction.

But other than his psychological disorder, this president is quite okay despite his occasional political stupidity and his own brand of stubbornness.

Is this the only solution they are capable of coming up with for the problem?

Papatayin Kita
Words and music by Lolito Go

I will kill you / whoever you are
As long as you're a pusher / I will kill you
Even if you surrender / what do they know
You're already marked / I will kill you

When I come knocking for you / don't deny it anymore
If you won't sing / I will kill you
If you feel like fighting back / you will surely be slain
Even if you're just caught in it / I don't care

I still have plenty / of signboards in stock
Do you want one? / I will kill you
Oh how fun, right / just like a movie
I am the hero and / I will kill you

When I come knocking for you / don't deny it anymore
If you won't sing / I will kill you
Violence if it must be violence / no law, no nothing
Damn human rights / in the war on drugs the price is life

So change your ways now
Go do your Zumba
Go to church
If you still want to live

Sixteen point six million people ordained a bloody president into office. He promised them death by the thousands in the first months of his presidency, and now he is trying to fulfill it. Unless there are people who will succeed in making his heart stop (read: stop the intention of his heart), in the kind of war that this president is waging, what could the rest of the majority of the citizenry expect from the leader whom they didn't vote for into office?

If the president firmly believes that killing "undesirable" people in society is the best solution to the drug problem, criminality and corruption in our country, then nothing else would prove him wrong than letting him do what he believes in his heart is the "right" thing he is doing. Time never fails to prove anybody wrong. When history lays down its verdict in the future, his children and his children's children shall themselves be the first to prove him wrong if indeed things turn out contrary to his expectation. Or, history would prove the critics and the oppositors dead wrong.

(But what has history proven for leaders of other countries who had done the same thing as our president is doing now -- long before there was even the conceptualization of the so-called DDS?)


Go beyond borders because the beasts know no border!

Note: Watch the full movie to have a complete grasp of its message.

The war on drugs is another form of war on terror and it must know no border. While it is necessary to fight it from within our borders, most importantly it must be fought inside the borders of the lands where the real beasts dwell. Otherwise, if this war remains waged only within our borders and by our law enforcement alone and against our very own people only, it would just be a matter of time (when the iron fist's strength shall be no more) before we realize that our earnest effort of eradicating the drug problem in our country is/was just like that of a mad dog chasing after its own tail.

If what we only are committed and capable of doing is simply to spill the blood of our own people on our very own grounds while the real wolves and vultures continue to drink our blood and feast on our carcasses, then we are just like sacrificing our own flesh and blood to the lord of the beasts on the altar of the war on drugs. In the process, we become instruments of the lord of the beasts -- all the while wrongly believing we are rendering service to God.