Earlier this month, an Emirati human rights activist named Ahmed Mansoor got a suspicious text. It promised new details of torture in the country’s state prisons, along with a link to follow if he was interested. If Mansoor had followed the link, it would have jailbroken his phone on the spot and implanted it with malware, capable of logging encrypted messages, activating the microphone and secretly tracking its movements.
The attack is detailed in a new report from Citizen Lab and Lookout Security, which received the link directly from Mansoor. The malware chains three previously undisclosed iOS vulnerabilities: one yielding arbitrary code execution, one giving access to kernel memory, and one granting kernel privileges. Combined, they allow a remote jailbreak of an iOS device, a long sought-after capability that had never previously been observed in an active campaign.
On discovering the vulnerabilities, Citizen Lab and Lookout reported them to Apple, and all three have been patched in today’s release of iOS 9.3.5.
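For a defender, the actionable fact in the paragraph above is the version number: any device still below iOS 9.3.5 is exposed to this chain. The check below is an added example, not code from the article, Citizen Lab, Lookout or Apple; it flags unpatched devices in a fleet inventory and avoids the classic mistake of comparing version strings lexically (where "9.10" would sort below "9.3.5"). The inventory rows, device names and the `find_unpatched` / `is_vulnerable` helper names are constructed for the example.

```python
import re
from typing import List, Tuple

# The release the article names as carrying the fix.
PATCHED_VERSION = "9.3.5"


def parse_version(version: str) -> Tuple[int, int, int]:
    """Convert an iOS version string such as '9.3.5' into a numeric tuple.

    Numeric tuples compare correctly ((9, 10, 0) > (9, 3, 5)), whereas a plain
    string comparison would wrongly rank '9.10' below '9.3.5'. Missing trailing
    components are treated as zero ('9.3' == '9.3.0'); a component with a
    trailing tag such as '5b' (assumed format) keeps only its leading digits.
    """
    components = []
    for part in version.strip().split("."):
        match = re.match(r"\d+", part)
        components.append(int(match.group()) if match else 0)
    while len(components) < 3:
        components.append(0)
    return tuple(components[:3])  # type: ignore[return-value]


def is_vulnerable(version: str, patched: str = PATCHED_VERSION) -> bool:
    """True when the device runs a build older than the patched release."""
    return parse_version(version) < parse_version(patched)


def find_unpatched(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the names of devices whose reported iOS version is below the fix."""
    return [name for name, version in inventory if is_vulnerable(version)]


# Constructed sample inventory: (device name, reported iOS version).
SAMPLE_INVENTORY = [
    ("phone-a", "9.3.4"),
    ("phone-b", "9.3.5"),
    ("phone-c", "9.2"),
    ("phone-d", "10.0"),
]

if __name__ == "__main__":
    for device in find_unpatched(SAMPLE_INVENTORY):
        print(f"{device}: below iOS {PATCHED_VERSION}, still exposed")
```

Running it on the constructed inventory reports phone-a and phone-c; phone-b is exactly at the fix and phone-d is newer. In a real deployment the inventory would come from an MDM export, and the same numeric comparison applies.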
Citizen Lab linked the attack to a private Israeli spyware company known as NSO Group, although it’s unclear how the exploits were first discovered. Earlier this year, the exploit broker Zerodium offered and awarded a million-dollar bounty for a remote jailbreak of iOS 9, which Citizen Lab notes is similar in capability to the exploit used against Mansoor.
Apple recently launched its own bug bounty to encourage disclosure of such vulnerabilities. The highest bounty, up to $200,000, was offered for vulnerabilities that compromise the secure boot firmware.
The attack is likely to reignite the debate over private sector malware companies, which have drawn harsh criticism for selling intrusion software to oppressive regimes in Uganda, Ethiopia, and Bahrain.