iPhone Pegasus

Clicking just one link is all it takes

Apple has released a patch to bring iPhone and iPad users up to iOS 9.3.5 specifically to kill malware known as "Pegasus".

The worrying issue regarding this malware isn't just the fact that Apple devices were supposed to be immune to this sort of attack. It's the fact that the user can't easily detect whether they are infected or not. Even worse, its extremely low-level hiding capabilities mean that no amount of encryption can protect them.

The spyware hides at system level and can access data before it is passed to other apps such as WhatsApp, which only encrypts the data after Pegasus has already seen it in the clear.

The software was allegedly created by Israeli firm NSO to target a Middle Eastern human rights activist. Its developers also discovered three new security flaws unknown to Apple.

The message no iPhone user wants to see

The Lookout security app, available from the Apple App Store, can detect the Pegasus infection. When it does so, users see this message:

[Image: Lookout alert screenshot, "pegasus iphone compromised"]

Pegasus is a class of malware known as spyware, and has been described as "...the most powerful smartphone spyware ever detected. Once you get this software on your phone, it's not your phone anymore."

It started with a text

On August 10th, 2016, Ahmed Mansoor was sent a text containing a link that promised details of human rights abuses in the prisons of the United Arab Emirates. Since he is a human rights activist, whoever sent it was trying hard to make him follow it up, but he was suspicious from the start. Instead, he took his phone to a team of Citizen Lab researchers, who quickly confirmed that a frightening new strain of malware was at play. Clicking the link on a test phone, they saw the browser start up and quickly dismiss itself. From then on, the phone appeared normal, but in fact it was anything but: it had been infected with Pegasus. What the link had done was take advantage of a memory corruption flaw in Safari, which is why the browser shut down so quickly. The URL pointed to specially-crafted code that exploited this flaw in order to deliver and install the malware payload.

All texts, emails, calendar entries, etc.

Absolutely everything of interest on the phone is then silently gathered up and sent to the attacker: even the local WiFi passwords, the user's position via GPS, and the audio from phone calls. Not only that, but the app took special care to be efficient with the battery too, because a battery that starts draining faster than usual for no apparent reason is a tell-tale sign of a malware infection.

No wonder this is being called "the worst yet".

Protects itself very well

The best kind of protection malware can employ to stop a user from killing it is to hide itself so well that the user doesn't even know it is there. Pegasus does a remarkably good job of this.

Apple released the patch as soon as news of Pegasus broke, and this patch also fixes the three new vulnerabilities mentioned earlier.

Here's AppleInsider's take on Pegasus.