“Hackers have been breaking into iPhones allegedly using a powerful spy tool sold to governments and taking advantage of a previously unknown vulnerability in the popular messaging app WhatsApp,” Lorenzo Franceschi-Bicchierai writes for Motherboard. “The hacking tool, as well as the WhatsApp exploit, were made by the infamous Israeli hacking and surveillance tool vendor NSO Group, according to The Financial Times, which first reported the story on Monday. WhatsApp found out about the flaw — and eventually patched it — after a victim got in touch with the digital security research group Citizen Lab, which in turn warned the Facebook-owned company.”

“Some iOS security experts say this is yet another incident that shows iOS is so locked down it’s hard—if not impossible—to figure out if your own iPhone has been hacked,” Franceschi-Bicchierai writes. “As of today, there is no specific tool that an iPhone user can download to analyze their phone and figure out if it has been compromised. In 2016, Apple took down an app made by Esser that was specifically designed to detect malicious jailbreaks. Moreover, iOS is so locked down that without hacking or jailbreaking it first, even a talented security researcher can do very little analysis on it.”

“For the vast majority of people the iPhone is still a very secure device. But all software, be it a secure messaging app like WhatsApp, or an operating system like iOS, has vulnerabilities,” Franceschi-Bicchierai writes. “And when those vulnerabilities are exploited on an iPhone, there’s often no way of knowing.”

Read more in the full article here.

MacDailyNews Note: According to The Register’s Iain Thomson:

It’s believed NSO Group built the exploits and surveillanceware used against WhatsApp users this month. The Israeli outfit, valued at $1bn, sells a highly capable spyware package, dubbed Pegasus, to governments around the world, ostensibly only allowing the suite to be used to snoop on and snare criminals and terrorists. Victims usually get a text message that tries to trick them into following a link that fetches and installs the software nasty. Now it seems NSO found a way to avoid any user interaction to achieve an automatic, silent infection.

Pegasus, once installed on a victim’s device, can record phone calls, open messages, activate the phone’s camera and microphone for further surveillance, and relay back location data. While NSO claims it carefully vets its customers, the malware has been found on the phones of journalists, human rights campaigners, lawyers, and others.

Read more in the full article here.