Trident iOS flaws: Researchers detail how the spyware stayed hidden

The Lookout researchers who discovered the Trident vulnerability discuss how it was able to remain undetected.
Written by Danny Palmer, Senior Writer

The three-pronged Trident attack allowed oppressive regimes to spy on activists.


Researchers have given more detail of the sophisticated spyware discovered in August which exploited three separate vulnerabilities in order to spy on iPhone users.

The discovery of the flaws led to Apple quickly releasing a security update for iPhones and iPads, after the security researchers had discovered that vulnerabilities in the iOS operating system were being used by a nation state to spy on activists in the Middle East.

The spying tools were discovered by security firm Lookout, which worked in conjunction with the University of Toronto's Citizen Lab to get to the bottom of who was behind the espionage software.

Dubbed Trident, the three iOS vulnerabilities allowed an attacker to remotely jailbreak a target's iPhone and install the Pegasus mobile spyware. This spyware was capable of completely compromising a target's phone, allowing those conducting the espionage to monitor and track every action on the device.

In this case, the espionage tools were being used by actors -- likely to be associated with the United Arab Emirates government -- to attempt to spy on Ahmed Mansoor, a renowned human rights defender.

At Black Hat Europe, Lookout researchers presented new information on the flaws and how Pegasus was so effectively able to remain undetected.

After infiltrating the target iPhone with a specially tailored phishing link sent by text message, Pegasus would get to work on ensuring that it could monitor and steal whatever data it wanted, while remaining completely undetected by the user or the device.

It starts by preventing the infected iPhone from downloading any updates, so that an infected user cannot inadvertently rid their device of the Pegasus spyware simply by installing a security update.

"There's code in there which will actually turn off the ability of the iOS system to actually go ahead and update, so when an update comes down it'll actually prevent that from happening, so it can contain the person using the device," says Andrew Blaich, manager of vulnerability research at Lookout.

Pegasus will also clear the mobile Safari browser's cache so the user can't stumble across the fact that it has been tracking their internet records. Then, when the attackers have gathered all the information they believe they require on a target, Pegasus will delete itself.

"Within the payload there's the ability to erase itself from the device remotely, so when they want to terminate spying on a device, they can remotely destruct it without access to the phone itself," says Blaich, who notes that Pegasus will also remove itself from devices it isn't able to infect, to ensure that it can't be traced.

"If you were to infect a device with Pegasus using Trident, and if the device can't check back with the servers within 24 hours, it'll actually remove itself from the device," he adds.

This ability to remain undetected lets attackers monitor their target's text messages and calls, use the phone's microphone and camera, and even track the device's location.

"It collects information about the SIM card, which helps with the identifying and tracking, as well as your actual physical location with GPS on," says Blaich.

Pegasus can even use the iPhone to gain access to wireless internet connections in an effort to further track the user and find out the locations they visit and what they do. Even if the target uses encrypted communications, they're not safe because Pegasus has the ability to intercept that too.

"If you were using end-to-end encryption software that has to be decoded so you can view it on your phone, the malware will hook that and it can see it."

While the security update Apple released in response to Lookout revealing the vulnerabilities should keep users safe for now, the discovery led to Microsoft arguing that businesses should rethink their unwavering trust in iOS as a controlled ecosystem.
