The Israeli company whose spyware hacked WhatsApp has told buyers its technology can surreptitiously scrape all of an individual’s data from the servers of Apple, Google, Facebook, Amazon and Microsoft, according to people familiar with its sales pitch.
NSO Group’s flagship smartphone malware, nicknamed Pegasus, has for years been used by spy agencies and governments to harvest data from targeted individuals’ smartphones. But it has now evolved to capture the much greater trove of information stored beyond the phone in the cloud, such as a full history of a target’s location data, archived messages or photos, according to people who shared documents with the Financial Times and described a recent product demonstration.
The new technique is said to copy the authentication keys of services such as Google Drive, Facebook Messenger and iCloud, among others, from an infected phone, allowing a separate server to then impersonate the phone, including its location.
This grants open-ended access to the cloud data of those apps without “prompting 2-step verification or warning email on target device”, according to one sales document… It works on any device that Pegasus can infect, including many of the latest iPhones and Android smartphones, according to the documents, and allows ongoing access to data uploaded to the cloud from laptops, tablets and phones — even if Pegasus is removed from the initially targeted smartphone.
MacDailyNews Take: Ay yi yi. Obviously, this is something Apple, above all others, should, if true, work to close this avenue of vulnerability ASAP!
Apple’s statement to FT: Apple said its operating system was “the safest and most secure computing platform in the world. While some expensive tools may exist to perform targeted attacks on a very small number of devices, we do not believe these are useful for widespread attacks against consumers.” The company added that it regularly updates its operating system and security settings.
One of NSO Group’s pitch documents offered a method to thwart this eavesdropping exploit: changing an app’s password and revoking its login permission which cancels the viability of the replicated authentication token until Pegasus is redeployed.