image
News of a zero-click zero-day in Apple’s iMessage feature being incorporated into the notorious Pegasus mobile spyware from NSO Group has drawn a variety of reactions from the security community, including concerns about the security of Apple’s closed ecosystem, and varying views on NSO Group’s culpability for how Pegasus is used. Since its initial discovery by Lookout and Citizen Lab in 2016, Pegasus has continued to evolve, making it easier and easier to infect mobile devices, noted Aaron Cockerill, chief strategy officer at Lookout. In fact, this isn’t even the first zero-click zero-day used by the surveillance solution. “It has advanced to the point of executing on the target’s mobile device without requiring any interaction by the user, which means the operator only has to send the malware to the device,” he told Threatpost. “Considering the number of apps iOS and Android devices have with messaging functionality, this could be done through SMS, email, social media, third-party messaging, gaming or dating apps.” That’s a problem, he said, especially given that as a closed ecosystem, Apple’s code is not publicly available for review and bug hunting (though Apple does have a private bug-bounty program). “This means vulnerabilities may remain undiscovered by attackers for longer, but they may also not be so readily discovered and reported by security researchers and other responsible parties,” Cockerill said. “On top of ensuring the security and integrity of its own…

Source