NSO Group Introduces ‘MMS Fingerprinting’ Zero-Click Attack to Spyware Arsenal

The discovery of a previously unknown method for deploying the Pegasus mobile spyware tool on mobile devices worldwide has sparked concerns about the increasing capabilities of surveillance software. A researcher at Swedish telecom and cybersecurity firm Enea found that Israel’s NSO Group, the developer of Pegasus, has made this new tactic available for use in cyber campaigns.

The technique was discovered in an entry titled “MMS Fingerprint” in a contract between an NSO Group reseller and Ghana’s telecom regulator, which was part of publicly available court documents associated with a 2019 lawsuit involving WhatsApp and the NSO Group. The lawsuit was related to the NSO Group’s exploitation of a WhatsApp flaw to deploy Pegasus on devices belonging to journalists, human rights activists, lawyers, and others globally.

According to the contract, the MMS Fingerprint technique allows an NSO customer to obtain details about a target BlackBerry, Android, or iOS device and its operating system version simply by sending a Multimedia Messaging Service (MMS) message to it. The contract noted that “No user interaction, engagement, or message opening is required to receive the device fingerprint.”

Enea researcher Cathal McDaid became interested in the MMS Fingerprint technique because it was not a known term in the industry. In a blog post, McDaid explained that while surveillance companies often over-promise their capabilities, the fact that this technique was mentioned in a contract made it more likely to be real.

McDaid’s investigation led him to conclude that the technique likely involved the MMS flow itself rather than any specific OS vulnerabilities. He found that the method revolves around the HTTP GET request that is sent when a recipient device retrieves an MMS message.

By analyzing the flow of the MMS, McDaid determined that user device information is included in the subsequent retrieval request. This information could potentially be used by NSO Group actors to exploit specific vulnerabilities in mobile operating systems or to tailor Pegasus and other malicious payloads for target devices.
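The retrieval step described above can be audited from the operator side. The following is an added example, not code from Enea or from the original article: it reads raw HTTP retrieval requests as seen at an operator gateway, flags those addressed to a host outside the operator's own MMSC allowlist, and reports which device-describing headers the request would hand over. The host names, the sample requests, and the choice of `User-Agent` and `X-Wap-Profile` as the device-describing headers are assumptions of the example.

```python
from urllib.parse import urlsplit

# Assumption: hosts of the operator's own MMSC (hypothetical name).
OPERATOR_MMSC_HOSTS = {"mmsc.operator.example"}
# Assumption: request headers that typically describe the handset.
DEVICE_HEADERS = ("user-agent", "x-wap-profile")

# Constructed sample requests; none of these values come from the article.
SAMPLES = [
    "GET http://mmsc.operator.example/m/1 HTTP/1.1\r\n"
    "Host: mmsc.operator.example\r\n"
    "User-Agent: ExamplePhone/1.0\r\n\r\n",
    "GET /fetch?id=42 HTTP/1.1\r\n"
    "Host: collector.invalid:8080\r\n"
    "User-Agent: ExamplePhone/1.0 OS/14\r\n"
    'X-Wap-Profile: "http://uaprof.invalid/examplephone.xml"\r\n\r\n',
]

def parse_request(raw):
    """Split a raw HTTP/1.1 request head into (method, target, headers)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers

def audit_retrieval(raw):
    """Return destination host, allowlist verdict and exposed device headers."""
    method, target, headers = parse_request(raw)
    if method != "GET":
        return None  # only the retrieval GET is of interest here
    # Proxy-form targets carry an absolute URL; otherwise use the Host header.
    host = urlsplit(target).hostname
    if host is None:
        host = urlsplit("//" + headers.get("host", "")).hostname or ""
    leaked = {h: headers[h] for h in DEVICE_HEADERS if h in headers}
    return {"host": host, "external": host not in OPERATOR_MMSC_HOSTS,
            "leaked": leaked}

def flag_external(samples):
    """Keep only retrievals that leave the operator's MMSC allowlist."""
    results = (audit_retrieval(s) for s in samples)
    return [r for r in results if r and r["external"]]

if __name__ == "__main__":
    for finding in flag_external(SAMPLES):
        print(finding["host"], sorted(finding["leaked"]))
```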

McDaid's investigation over the past several months has not uncovered any evidence of the technique being exploited in the wild so far. Even so, the realization that such a tactic is available for use in campaigns that deploy spyware on mobile devices globally has raised concerns among security experts, along with questions about the means and capabilities of surveillance software to target unsuspecting individuals. As cyber surveillance methods continue to evolve and spread, security researchers and organizations need to remain vigilant in addressing potential threats and vulnerabilities in mobile devices and networks.
