NSO Group's feared "zero-click" iOS vulnerability was new in XNUMX when it attacked to gain access to an iOS-powered endpoint without user input.
But now it looks like NSO wasn't the only company to pull off what Google scholars described as an "incredible and terrifying" hack, as Reuters says that around the same time, another Israel-based (but less famous) company, QuaDream , achieved exactly the same goal.
Scholars who examined the methodology of the 2 companies stated that they were very similar, down to the fact that once Apple patched the NSO vulnerability, it also made the QuaDream vulnerability useless.
No Click iOS Exploits
The NSO Set (an Israeli technology company most famous for its proprietary spyware) has developed an attack mechanism "against which there is no defense", since no mobile antivirus would be able to detect it.
Also known as a "zero click" exploit, it's just that: the victim doesn't even have to click anything to be compromised, in order to have their data or identity stolen. Essentially, all she has to do is receive an SMS message through Apple's iMessage service.
The attack methodology itself is quite complex, and also involves "fake" gifs, CoreGraphics PDF parsers, the JBIG2 codec, and a completely "new" computing architecture that "isn't as fast as Javascript, but is essentially computationally equivalent."
The vulnerability is registered as CVE-XNUMX-XNUMX and was patched on September XNUMX, XNUMX in iOS XNUMX. Supposedly, there is also an Android version, but scholars have yet to come up with a sample.
Once the cat was out of the bag, the US government blacklisted NSO, claiming it was developing tools used against civilians, which NSO not only denied, but also claimed it was working to "support the national security interests and policies of the United States by preventing terrorism." and crime."
AWS likewise banned NSO, Apple sued, which was then supported by virtually every notable tech company in the US.
NSO says the work was not a team effort and QuaDream could not be reached for comment.