Jailbreak vulnerabilities allowed attackers to tap encrypted chat messages.
Apple has patched three high-severity iOS vulnerabilities that are being actively exploited to infect iPhones so attackers can steal confidential messages from a large number of apps, including Gmail, Facebook, and WhatsApp, security researchers said Thursday.

The spyware has been dubbed Pegasus by researchers from mobile security provider Lookout; they believe it has been circulating in the wild for a significant amount of time. Working with researchers from University of Toronto-based Citizen Lab, they have determined that the spyware targeted a political dissident located in the United Arab Emirates and was launched by an US-owned company specializing in computer-based exploits. Based on the price of the attack kit—about $8 million for 300 licenses—the researchers believe it's being actively used against other iPhone users throughout the world.

"Pegasus is the most sophisticated attack we’ve seen on any endpoint because it takes advantage of how integrated mobile devices are in our lives and the combination of features only available on mobile—always connected (WiFi, 3G/4G), voice communications, camera, email, messaging, GPS, passwords, and contact lists," Lookout and Citizen Lab researchers wrote in a blog post. "It is modular to allow for customization and uses strong encryption to evade detection."

After the exploits surreptitiously jailbreak a target's iPhone, Pegasus immediately starts trawling through a wealth of its resources. It copies call histories, text messages, calendar entries, and contacts. It's capable of activating the cameras and microphones of compromised phones to eavesdrop on nearby activities. It can also track a target's movements and steal messages from end-to-end encrypted chat apps.

As Ars has reported, Apple has already issued updates that patch the three vulnerabilities that make the infections possible. While such attacks are likely to target only the most high-value targets—say, Fortune 500 executives and high-profile dissidents—all iOS users should install the fixes as soon as possible.

The researchers have dubbed the exploit Trident because it relies on three separate vulnerabilities, indexed as CVE-2016-4654, CVE-2016-4655, and CVE-2016-4656. The exploit targeting UAE dissident Ahmed Mansoor arrived in a text message two weeks ago that promised secret information about detainees tortured in UAE jails. Mansoor forwarded the messages to Citizen Lab researchers who determined that the linked webpages led to a chain of exploits that would have jailbroken his iPhone and installed the Pegasus spyware.

"In this case, the software is highly configurable," Thursday's blog post continued. "Depending on the country of use and feature sets purchased by the user, the spyware capabilities include accessing messages, calls, emails, logs, and more from apps including Gmail, Facebook, Skype, WhatsApp, Viber, FaceTime, Calendar, Line, Mail.Ru, WeChat, SS, Tango, and others. The kit appears to persist even when the device software is updated and can update itself to easily replace exploits if they become obsolete."

Analysis of the underlying code indicates that it dates back 2013, when iOS version 7 was still in use. In addition to targeting Mansoor, the researchers believe that other high-value people are also being targeted for purposes of corporate espionage. The spyware was developed by NSO Group, an Israeli-based division of US-headquartered company Francisco Partners Management. According to an article published last November by Reuters, Francisco Partners paid $120 million in 2014 to acquire a majority stake in NSO and was exploring a sale that could value the division at $1 billion. NSO Group is so secretive that it has regularly changed its name, Reuters also reported. It had earnings of about $75 million.

The sophisticated attack chaining together three separate iOS vulnerabilities is a testament to both the security of Apple's mobile operating system and the skill of outside attackers at bypassing those considerable protections. Last year, a software broker calling itself Zerodium offered $1 million for iOS exploits that gave attackers complete control of underlying iPhones. The company pledged to pay a total of $3 million. Apple, meanwhile, pays a maximum of $200,000 for comparable exploits. The prices mean that attacks are likely to target only the highest value people as opposed to more opportunistic mass campaigns.

The Trident/Pegasus attacks mark the third time Mansoor has been targeted by so-called "legal intercept" malware. Citizen Lab has uncovered evidence that he was targeted by exploit software known as FinFisher in 2011 and by similar spyware from Italy-based Hacking Team in 2012. Citizen Lab has also found evidence that NSO Group's exploit infrastructure was used against a Mexican journalist after reporting on corruption by the country's head of state. NSO Group has used fake domains that impersonate the Red Cross, the UK government's visa application processing website, news organizations, and major technology companies.

Lookout and Citizen Lab have published additional reports here, here and here that among other things detail the exploits and a list of behavioral anomalies more advanced iPhone users can use to identify infected devices.