IOS “zero-click” vulnerability that was feared from the NSO Group made headlines in 2021 when the attacker to get access to iOS-powered endpoints without user involvement But now it seems that NSO is not the only company that managed to do what Google researchers described as a hacking “extraordinary and frightening”, because Reuters claimed that at almost the same time, other companies based in Israel (but less well known), Quadream, achieves the same goal.
Researchers who analyzed the methodology of the two companies said they were very similar to each other, to the fact that as soon as Apple patched NSO’s vulnerability, it also gave one quadream The NSO Group (Israeli technology company is mainly known for its ownership spyware) designing an attack mechanism “against that there is no defense,” because there is no cellular antivirus that can find it. Also known as the “click-zero” exploitation, just as it sounds – the victim doesn’t even need to click anything to be compromised, to have the data, or identity, stolen. Basically, all that needs to be done is to receive an SMS message through the Apple iMessage service.
The attack methodology itself is rather complex, and involves “fake” gif, Coregraphic PDF parser, JBig2 codec, and computer architecture that is fully “new” which is “not as fast as JavaScript, but fundamentally equal computationally”. Vulnerability was recorded as CVE-2021-30860, and was set on September 13, 2021 on iOS 14.8. Apparently, there is also an Android version, but researchers have not received samples.
After the cat was outside the bag, the government contacted the US government NSO, claiming to develop the tools used against civilians, something NSO was not only rejected, but further stated that he worked to “support the US national security interests and policy by preventing terrorism and crime Of course AWS also forbid NSO, Apple filed a lawsuit, which was later supported by almost every well-known technology company in the United States.
