An incredibly sophisticated piece of malware developed by the Israeli tech firm NSO Group works by creating an entirely separate computer inside the memory of an iPhone, allowing attackers to snoop and steal data
16 December 2021
NSO Group, an Israeli tech firm, developed malware to hack iPhones by creating a “computer within a computer” capable of stealing sensitive data and sitting undetected for months or even years, researchers at Google have revealed.
The malware is part of NSO Group’s Pegasus software tool, which it is thought to have sold to countries including Azerbaijan, Bahrain, Saudi Arabia, India and the United Arab Emirates. US law-makers have called for sanctions against the firm.
Pegasus allows a user to read data from smartphones and spy via their microphones and cameras. The latest feature of the tool to emerge publicly, which has been called ForcedEntry, is also one of the most powerful and concerning to date, according to security experts.
The technical details were unravelled by members of the Project Zero security team at Google with the help of Citizen Lab at the University of Toronto in Canada, which investigates computer security and its impact on human rights. The attack is a “zero click” vulnerability, which means that the target doesn’t need to be tricked into clicking a link, putting even careful and technically savvy users at risk.
A specially crafted iMessage is sent to the target’s iPhone containing a fake GIF animation. Due to the way Apple’s software handled these images, it was possible for NSO Group to create a malicious file posing as an image and exploit an old piece of software for encoding and decoding images. This software was originally designed to compress text-heavy PDFs to save memory space. It is only meant to have access to specific parts of the memory in a smartphone, and to perform logical operations to compress the images.
But NSO Group discovered a way to break out of that allocated piece of memory and use those logical operations – some 70,000 of them – to build a rudimentary virtual computer, entirely separate from the operating system of the iPhone. It could then use that virtual computer to search for specific pieces of data, manipulate them or transmit them back to whoever sanctioned the attack.
Alan Woodward at the University of Surrey, UK, says the trick is extremely sophisticated and shows how strong and lucrative NSO Group’s market must be. “It’s almost like a phone within a phone, or an operating system within an operating system,” he says. “That’s quite clever because it means it’s slightly more difficult to detect. You’re not looking for an individual process or a signature. You can hide it.”
The researchers revealed the vulnerability to Apple and it was fixed in September in the iOS 14.8 update. But Woodward warns that such an insidious attack, if carried out prior to that update, could theoretically persist and continue to spy on the user. Some users also fail to keep their phones updated with the latest operating system, which could leave them vulnerable.
Apple didn’t respond to a request for comment, but the company announced in November that it was launching a lawsuit against NSO Group to stop the company hacking into its products. Facebook, Microsoft, Google and LinkedIn had already launched legal action. NSO Group didn’t respond to a request for comment.