Cybersecurity firm Kaspersky Lab has discovered an iOS malware variant spreading via an iPhone zero-click exploit in iMessage.
Kaspersky researchers discovered the malware while monitoring their company’s network via the Kaspersky Unified Monitoring and Analysis Platform (KUMA) after detecting suspicious iPhone traffic.
They created backups of the infected iPhones and analyzed them using the Mobile Verification Toolkit due to the limitations of the closed iOS operating system.
Upon inspection, the Moscow, Russia-based tech company “discovered traces of compromise,” which it used to reconstruct the infection process.
However, Kaspersky believes it was not the primary target of the malware campaign dubbed Operation Triangulation. Russian authorities have accused Apple of colluding with the NSA in the alleged cyber espionage campaign.
iPhone’s zero-click exploit requires no user interaction
The zero-click code execution vulnerability triggers without user interaction when the victim receives a message with a malicious attachment via Apple’s popular messaging platform iMessage.
The message triggers unspecified iOS vulnerabilities to download additional payloads from the attacker’s C2 server, which is a fully-featured APT platform.
The payloads have additional capabilities for privilege escalation and also delete the original message and the attachment to conceal malicious activity. However, the malware leaves signs of infection, like file modifications and outdated libraries.
Once installed, it runs stealthily on the compromised device, collecting user information and executing commands from the attacker’s C2 server without user permission. When it runs with root privileges, the iOS malware executes commands for collecting system and user information.
“The spyware then quietly transmits private information to remote servers: microphone recordings, photos from instant messengers, geolocation, and data about a number of other activities of the owner of the infected device,” Kaspersky CEO, Eugene Kaspersky, said.
The anti-malware company also noted that the malicious toolset does not support persistence, most likely due to the limitations of the iOS operating system. However, devices might still be reinfected after rebooting.
The security firm suspects the zero-click exploit leverages an out-of-bounds write vulnerability, CVE-2022-46690, fixed in iOS 16.2.
At the moment, the antivirus provider could not determine if the zero-click exploit leverages any zero-day vulnerabilities.
Zero-click exploitation in the wild with Russia accusing NSA of cyber espionage
Although some infections date back to 2019, the iOS malware campaign was ongoing, targeting devices running iOS versions 15.7 and below, with Kaspersky detecting attacks as recently as May 2023.
Although Kaspersky employees were victims of the zero-click exploit for at least four years, the company’s CEO believes they were not its primary target.
“We’re confident that Kaspersky was not the main target of this cyberattack,” he said. “The coming days will bring more clarity and further details on the worldwide proliferation of this spyware.”
In a separate alert coinciding with Kaspersky’s report, Russia’s National Coordination Centre for Computer Incidents accused the NSA of targeting the country’s diplomatic missions in China, Israel, NATO countries, and former Soviet states with the iOS malware.
Russia’s federal security service (FSB) also accused Apple of deliberately providing the US National Security Agency (NSA) with backdoors, a claim the company has denied.
Neither Kaspersky nor Russian authorities have provided any evidence of the NSA’s involvement in Operation Triangulation, and the US security agency is yet to respond to those allegations.
However, Joe Saunders, CEO of RunSafe Security, has a different perspective on the zero-click exploit.
“Even the best developers inadvertently leave open the potential for critical vulnerabilities to be exploited,” he said. “Scanning & patching as we chase the vulns is inevitable – but this is why we need to invest in secure by design, secure by default, and memory safety across software.”
Operation Triangulation is hardly the first time hackers have breached Kaspersky in an alleged state-sponsored cyber espionage operation.
In 2015, hackers breached Kaspersky’s corporate network with Duqu 2.0, a variant of the Stuxnet malware allegedly deployed by the NSA and Israel’s Unit 8200 against Iran’s nuclear program.
Mitigating zero-click iOS malware
The Russian cybersecurity firm has released a free detection utility.
Investigation into the zero-click exploit is still in progress, but Kaspersky has found no evidence that newer iOS devices were affected.
Meanwhile, the Russian cybersecurity company has not published the iOS malware’s technical details but has listed 15 domains associated with Operation Triangulation.
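The article describes two defender-side steps: Kaspersky first noticed the compromise through network monitoring of suspicious iPhone traffic, and it later published a list of domains associated with the campaign. The script below is an added example, not code from the article or from Kaspersky's detection utility, of how a security team would put such a list to use: it matches DNS or proxy log lines against an IoC domain list (exact or subdomain match, so a hostname under a listed domain still triggers) and tallies hits per client so the analyst knows which devices to pull backups from. The IoC domains, the log format and every log line are constructed placeholders; the real domains are in Kaspersky's report and are not reproduced on this page.

```python
"""Match DNS/proxy query logs against a campaign IoC domain list.

Added example, not from the article or from Kaspersky's tooling.
The IoC domains, log format and log lines below are constructed.
"""
import re
from collections import Counter

# Placeholder IoC list (constructed). Replace with the vendor's published
# domains; the reserved .example TLD guarantees these never resolve.
IOC_DOMAINS = {
    "ioc-placeholder-one.example",
    "ioc-placeholder-two.example",
}

# Constructed log lines: "<timestamp> <client-ip> <device-type> query=<name>".
SAMPLE_LOG = """\
2023-06-01T10:00:01Z 10.0.1.23 iPhone query=api.apple.com
2023-06-01T10:00:02Z 10.0.1.23 iPhone query=cdn.ioc-placeholder-one.example
2023-06-01T10:00:05Z 10.0.2.7 macbook query=ioc-placeholder-two.example
2023-06-01T10:00:09Z 10.0.1.23 iPhone query=notioc-placeholder-one.example
2023-06-01T10:01:00Z 10.0.1.44 iPhone query=ioc-placeholder-one.example
this line is deliberately malformed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<device>\S+) query=(?P<query>\S+)$"
)


def normalize(domain):
    """Lower-case and strip a trailing dot so FQDN and non-FQDN forms compare equal."""
    return domain.strip().lower().rstrip(".")


def matches_ioc(query, iocs=IOC_DOMAINS):
    """Return the IoC domain that `query` equals or is a subdomain of, else None.

    The leading "." in the suffix test prevents a lookalike such as
    "notioc-placeholder-one.example" from matching "ioc-placeholder-one.example".
    """
    q = normalize(query)
    for ioc in iocs:
        ioc_n = normalize(ioc)
        if q == ioc_n or q.endswith("." + ioc_n):
            return ioc_n
    return None


def scan_log(lines, iocs=IOC_DOMAINS):
    """Parse each log line and collect every query that hits the IoC list."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than abort the whole scan
        ioc = matches_ioc(m["query"], iocs)
        if ioc:
            hits.append({
                "ts": m["ts"],
                "client": m["client"],
                "device": m["device"],
                "query": m["query"],
                "ioc": ioc,
            })
    return hits


def summarize(hits):
    """Count hits per client IP: the triage list of devices to image and analyze."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG.splitlines())
    for h in found:
        print(f'{h["ts"]} {h["client"]} ({h["device"]}) -> {h["query"]} [IoC {h["ioc"]}]')
    print("hits per client:", dict(summarize(found)))
```

On the constructed log the scan reports three hits (the lookalike domain and the malformed line are ignored) across three client IPs. In practice the client-to-device mapping would come from DHCP or MDM inventory rather than a field in the log, and a hit is the trigger for the backup-and-MVT analysis step the article describes, not proof of infection on its own.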