Google: This zero-click iPhone attack was incredible and terrifying

Google has explained how surveillance company NSO Group developed an exploit that would allow users of its software to gain access to an iPhone and install spyware – without a target ever even clicking a link. 

Last month, the US Department of Commerce added NSO Group to its “entity list”, largely banning it from US markets due to evidence it supplied spyware to foreign governments that used it to target government officials, journalists, business people, activists, academics, and embassy workers. In late November, Apple filed for a permanent injunction banning NSO from using any of its software, services or devices

Now Google’s Project Zero (GPZ) has analyzed a relatively new NSO ‘zero-click’ exploit for iOS 14.7.1 and earlier, and deemed it “one of the most technically sophisticated exploits we’ve ever seen”.

SEE: This mysterious malware could threaten millions of routers and IoT devices

GPZ’s Ian Beer and Samuel Groß described the NSO’s exploit as both “incredible” and “terrifying”. The exploit creates a “weird” emulated computer environment within a component of iOS that handles GIFs but doesn’t normally support scripting capabilities. This exploit, however, allows an attacker to run JavaScript-like code in that component in order write to arbitrary memory locations – and remotely

Read More: