The report says the jailbreak installs hooks all over iOS to intercept data, and specifically monitors for a number of apps, which include “iMessage, Gmail, Viber, Facebook, WhatsApp, Telegram, Skype, Line, KakaoTalk, WeChat, Surespot, Imo.im, Mail.Ru, Tango, VK, and Odnoklassniki.” The malware connects to remote command-and-control servers to exfiltrate captured data.
Marczak said that a characteristic of highly targeted attacks is that URLs stop working after a single click, the intent being to infect one party and then be unavailable for further investigation. Marczak said they followed the link on a standard-issue iPhone and captured the infection process, but when the malware started to communicate back to the operator’s server, he and his coworkers became nervous about the microphone being enabled and GPS coordinates being transmitted.
“Very quickly, we turned it off and put it in a metal box,” Marczak’s colleague, Nick Weaver, said. “We didn’t want them to hear us giggling with glee.”
Citizen Lab and Lookout Security connect the software with NSO Group, an Israel-based company that sells surveillance software to governments. The group is similar to FinFisher and Hacking Team, both of which firms’ software was previously used to target Mansoor. The report also includes evidence that ties the spyware installation attempt to the UAE government.
The report also ties an attempt a year ago in Mexico to target journalist Rafael Cabrera, who has reported on a conflict of interest involving the president of Mexico and the president’s wife. While the links connected to those attempts weren’t serving malware, Cabrera provided Citizen Lab with more recent phishing attempts, which the researchers connected with servers they believe are operated by the NSO Group—and which, if the links were followed, would have resulted in infections.
Marczak said that the software was designed to be used in stealth, monitoring data use and battery consumption to disable features that might show their hand. The software could also disable itself or remove itself entirely if an analysis environments was detected or remote operators wanted to pull the plug.
Update your device now
To install the update on your iOS device, launch the Settings app, then tap General > Software Update. You also can update within iTunes with your device connected to your Mac.
Editor's note: This story was originally published on August 25, 2016, at 11:00 a.m. Pacific. It was updated at 2:45 p.m. Pacific later that day with more details.
Sign up for CIO Asia eNewsletters.