“The commercial spyware industry is going darker,” said Mr. Marczak, the Citizen Lab researcher.Mr. Marczak said he was first approached by the Saudi activist in March. But it was only last week that he was able to parse evidence from the activist’s phone and uncover digital crumbs similar to those on the iPhones of other Pegasus targets.
Mr. Marczak said he found that the Saudi activist, who declined to be identified, had received an image. That image, which was invisible to the user, exploited a vulnerability in the way that Apple processes images and allowed the Pegasus spyware to be quietly downloaded onto Apple devices. With the victim none the wiser, his or her most sensitive communications, data and passwords were siphoned off to servers at intelligence and law-enforcement agencies around the globe.
Citizen Lab said the scale and scope of the operation was unclear. Mr. Marczak said, based on the timing of his discovery of Pegasus on the Saudi activist’s iPhone and other iPhones in March, it was safe to say the spyware had been siphoning data from Apple devices for at least six months.
The zero-click exploit, which Citizen Lab dubbed “Forcedentry,” was among the most sophisticated exploits discovered by forensics researchers. In 2019, researchers uncovered that a similar NSO zero-click exploit had been deployed against 1,400 users of WhatsApp, the Facebook messaging service. Last year, Citizen Lab found a digital trail suggesting NSO may have a zero-click exploit to read Apple iMessages, but researchers never discovered the full exploit.
NSO was long suspected of having a zero-click capability. A 2015 hack of one of NSO’s chief competitors, Hacking Team, a Milan-based spyware outfit, revealed emails showing Hacking Team executives scrambling to match a remote, zero-click exploit that its customers claimed NSO had developed. That same year, a Times reporter obtained NSO marketing materials for prospective new clients that mentioned a remote, zero-click capability.
Proof of the capability never turned up.
“Today was the proof,” Mr. Marczak said.
Forcedentry was the first time that researchers successfully recovered a full, zero-click exploit on the phones of activists and dissidents. When such discoveries are revealed, governments and cybercriminals typically try to exploit vulnerable systems before users have a chance to patch them, making timely patching critical.
Mr. Scott-Railton urged Apple customers to run their software updates immediately.
“Do you own an Apple product? Update it today,” he said.
