Citizen Lab digital security researchers have detected a new zero-click iMessage vulnerability, which is used to install Pegasus spyware on the iPhone devices of Catalan politicians, journalists, and activists. Pegasus is developed by the Israeli firm NSO and marketed to governments as licensed software for investigating terrorist activities. With Pegasus spyware, attacks were carried out on high-level authorities of many states such as the United Kingdom and Finland. Between 2017 and 2020, it was observed that Pegasus targeted at least 65 people by exploiting the Kismet iMessage vulnerability and a vulnerability in Whatsapp. Many people are among the recently observed campaign targets, such as Catalan members of the European Parliament, heads of state, judges, lawyers, and journalists.
The zero-click vulnerability, called HOMAGE, affected some versions before iOS 13.2 and was fixed in iOS 13.2. In the statement made by Apple officials, it was stated that users using the current version of iOS are not affected by the HOMAGE exploit. Spyware installed on target systems without any user interaction (zero-click) comes with many features such as reading messages on devices, listening to calls, capturing user passwords, location tracking, and accessing the device’s microphone and camera.
The campaign in question has not yet been attributed to any state or threat actor, but the findings indicate that the campaign was carried out by threat actors affiliated with the Spanish government. In this context, in order not to be the target of attacks that can be carried out using the said vulnerability and malicious software, it is recommended to keep the device/system or programs used in the latest version, download applications from official sources, and use a comprehensive anti-malware solution.