Notorious Israeli commercial spyware company NSO Group was reportedly offering a way to exfiltrate sensitive mobile phone data unlike anything ever seen before, experts have revealed.
In a new report, telecom security specialists Enea say they discovered the method while recently sifting through the documents filed during the court case between WhatsApp and NSO Group.
According to Enea, in late 2019 WhatsApp entered into evidence a copy of a contract between an NSO Group reseller and the telecom regulator of Ghana. In the contract, one of the features and capabilities NSO Group offered was called “MMS Fingerprint”.
Blocking malicious MMS messages
As it later turned out, this feature exploited a vulnerability in both Android and iOS (and apparently also in BlackBerry devices) to exfiltrate some sensitive data from the device.
After a bit of digging, Enea managed to recreate the flaw, and then explained how it worked. Allegedly, the attacker could create a unique, malicious MMS message, which the victim didn’t even need to open (or otherwise interact with). That message would trigger the device to return two unique pieces of information: the MMS UserAgent and the x-wap-profile.
The former is a string that usually identifies the operating system and the device of the victim, while the latter points to a UAProf (User Agent Profile), which describes the capabilities of the target device.
This information, Enea argues, could be used to profile the victim and prepare for more concrete attacks: “Both of these can be very useful for malicious actors. Attackers could use this information to exploit specific vulnerabilities or tailor malicious payloads (such as the Pegasus exploit) to the recipient device type. Or it could be used to help craft phishing campaigns against the human using the device more effectively,” the researchers explained in the report.
While being able to steal data without victim interaction sounds ominous, the victims aren’t utterly helpless, Enea adds. Mobile subscribers could disable MMS auto-retrieval on their handset, which would prevent the malicious messages from reaching their devices. Also, most mobile operators today filter these kinds of messages, stopping them from being sent in the first place.
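An operator-side check in the spirit of the filtering mentioned above, as an added example that is not taken from Enea's report or from this article: it scans handset HTTP request records for an x-wap-profile header sent to a host outside the operator's own MMS infrastructure. The log layout, field names, hostnames and the allowlist are assumptions, and the sample records are constructed.

```python
import json
from urllib.parse import urlsplit

# Assumption: hostnames of the operator's own MMS infrastructure (hypothetical).
MMSC_ALLOWLIST = {"mmsc.operator.example"}

# Constructed sample: one JSON record per outbound HTTP request from a handset.
# The record layout and field names are hypothetical.
SAMPLE_LOG = """\
{"msisdn": "+10000000001", "url": "http://mmsc.operator.example/m/abc", "headers": {"User-Agent": "ExampleOS-MMS/1.0", "x-wap-profile": "http://uaprof.vendor.example/phone-a.xml"}}
{"msisdn": "+10000000002", "url": "http://files.unknown.example/x", "headers": {"User-Agent": "ExampleOS-MMS/1.0", "X-Wap-Profile": "\\"http://uaprof.vendor.example/phone-b.xml\\""}}
{"msisdn": "+10000000003", "url": "http://cdn.unknown.example/img.png", "headers": {"User-Agent": "Browser/5.0"}}
not-json garbage line
"""


def get_header(headers, name):
    """Case-insensitive lookup; UAProf values are often wrapped in quotes."""
    for key, value in headers.items():
        if key.lower() == name:
            return value.strip().strip('"')
    return None


def find_fingerprint_leaks(log_text, allowlist=MMSC_ALLOWLIST):
    """Flag requests that hand x-wap-profile to a host outside the allowlist."""
    findings, skipped = [], 0
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
            host = (urlsplit(rec["url"]).hostname or "").lower()
            profile = get_header(rec["headers"], "x-wap-profile")
        except (ValueError, KeyError, TypeError, AttributeError):
            skipped += 1  # malformed record: count it, do not crash
            continue
        if profile and host not in allowlist:
            findings.append({
                "msisdn": rec.get("msisdn"),
                "host": host,
                "user_agent": get_header(rec["headers"], "user-agent"),
                "uaprof": profile,
            })
    return findings, skipped


if __name__ == "__main__":
    leaks, bad = find_fingerprint_leaks(SAMPLE_LOG)
    for leak in leaks:
        print(leak)
    print(f"{bad} malformed line(s) skipped")
```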