Apple has patched the Pegasus malware, but here's what you need to know

Over the last few days Apple has pushed out updates to the release, developer preview, and public beta versions of iOS — that's iOS 9.3.5, iOS 10 developer preview 7, and iOS 10 public beta 6. All of them, on every carrier, for every region, at the same time. It was to patch a just-discovered set of malware and spyware called Pegasus, made and sold for upwards of a million dollars by a company called the NSO Group to nation-states that wanted to surveil dissidents and journalists.

It's not something most of us, our family, friends, and colleagues, ever need to worry about. But it's something we should all stay informed about.

Okay, back up, what happened and why am I reading about this?

A human rights activist in the UAE received a suspicious text message on his iPhone, had it investigated, and as a result Apple pushed out an update to patch three 0day exploits in iOS.

From Citizen Lab:

Ahmed Mansoor is an internationally recognized human rights defender, based in the United Arab Emirates (UAE), and recipient of the Martin Ennals Award (sometimes referred to as a "Nobel Prize for human rights"). On August 10 and 11, 2016, Mansoor received SMS text messages on his iPhone promising "new secrets" about detainees tortured in UAE jails if he clicked on an included link. Instead of clicking, Mansoor sent the messages to Citizen Lab researchers. We recognized the links as belonging to an exploit infrastructure connected to NSO Group, an Israel-based "cyber war" company that sells Pegasus, a government-exclusive "lawful intercept" spyware product. NSO Group is reportedly owned by an American venture capital firm, Francisco Partners Management.

The ensuing investigation, a collaboration between researchers from Citizen Lab and from Lookout Security, determined that the links led to a chain of zero-day exploits ("zero-days") that would have remotely jailbroken Mansoor's stock iPhone 6 and installed sophisticated spyware. We are calling this exploit chain Trident. Once infected, Mansoor's phone would have become a digital spy in his pocket, capable of employing his iPhone's camera and microphone to snoop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps, and tracking his movements.

We are not aware of any previous instance of an iPhone remote jailbreak used in the wild as part of a targeted attack campaign, making this a rare find.

So they basically did a remote jailbreak on iPhones?

Yes. If you remember back to the very early days of iOS, there was a brief time when you could jailbreak the original iPhone by tapping on a link that brought up a TIF image in the mobile Safari browser. It's nowhere near that easy anymore, but when you're dealing with millions of lines of code, and millions of dollars, bugs will happen and ways to exploit them will be found.

Here are the details on Pegasus from Lookout:

Lookout's analysis determined that the malware exploits three zero-day vulnerabilities, or Trident, in Apple iOS:

  • CVE-2016-4655: Information leak in Kernel – A kernel base mapping vulnerability that leaks information to the attacker allowing him to calculate the kernel's location in memory.
  • CVE-2016-4656: Kernel Memory corruption leads to Jailbreak – 32 and 64 bit iOS kernel-level vulnerabilities that allow the attacker to silently jailbreak the device and install surveillance software.
  • CVE-2016-4657: Memory Corruption in Webkit – A vulnerability in the Safari WebKit that allows the attacker to compromise the device when the user clicks on a link.

So, in this case, the attack tried to trick the receiver into clicking a link found in a message. Once it gained entry, it would escalate until it had enough control over the iPhone to begin eavesdropping on communications.

Do I have to worry about this?

This attack was being used by nation states that could afford a million-dollar price tag, and was targeted at specific individuals, including dissidents and journalists covering dissidents. If that doesn't describe you, there's very little to worry about.

That said, just like on computers, being safe means never clicking on links you get sent over messages or emails unless you're absolutely, 100% sure they're safe. It's the exact same way you avoid phishing attacks — attempts to con you out of your login or other private information — and the same advice that's been given for decades.

Even so, it's always possible someone else found the same vulnerabilities, or, now that they're public, someone else will try to exploit them. So it's still important to update immediately.

But shouldn't I always update?

Yup. Ignore the headlines and the hyperbole about this particular update and remember to download and install all updates. Apple is always issuing security improvements, bug fixes, and performance enhancements, so it's best practice to make sure you're always running the latest version.

Are you sure I'm getting the update?

Absolutely! One of the biggest advantages that comes with owning an iPhone is that Apple has made sure the company can update every modern device, on every carrier, in every region, all at once.

In this case, it goes back to 2011 devices, including iPhone 4s and up and iPad 2 and up.

All you have to do is go to Settings > General > Software Update. For step-by-step instructions:

Is Apple working to prevent this from happening again?

Apple, and every vendor, is working to make it as hard as possible for this to ever happen. They're doing it in several ways:

  1. Improving overall security. Apple continues to roll out new and better security protocols, including hardening against JavaScript attacks in iOS 10. The goal is to make it more difficult to get onto iOS and, if anything does get on, even more difficult to do anything once there. (If you're interested, and you haven't watched it already, check out Apple's talk at this year's Black Hat security conference for more.)
  2. Working with external security experts. Apple has recently announced a security bug bounty program to help independent researchers who find and responsibly disclose vulnerabilities in Apple's software.
  3. Reacting quickly when 0day exploits are found in the wild. Apple patched Pegasus quickly enough that the previous betas had barely shipped by the time the next versions were pushed out.

Security is all about defense in depth, and by doing all of these things, Apple makes iOS security increasingly deep.

What if I think I'm already infected?

If you think you might be a target for Pegasus, and might already be infected, you have a couple of options, including erasing your iPhone and restoring from a backup.

If you're really worried about the state of your device security, though, your best option is to buy a new iPhone from a trusted supplier and either restore a backup to that or set it up as new and sync back contacts, email, and other personal information.

Wait, I have more questions!

Drop them in the comments below!

Rene Ritchie
Contributor


31 Comments
  • I'm having an interesting bug: my iPod touch, 5th generation, is running 9.3.3. When I check for software update, both on the iPod touch, and in iTunes, when the iPod is connected to my Mac, software is said to be up-to-date! Just had an idea: could this possibly be due to the fact that this iPod was previously being used for iOS betas?
  • If you still have the beta profile on there, then yes: delete the profile, and then you should be able to update to 9.3.5 with a restart of the device. Sent from the iMore App
  • Interesting...... my iPod Touch 5th Gen. had that same problem on 9.2 to 9.4.1. Just give it a while, maybe do a few restarts, and be sure to close Settings via Multitasking and re-open it. But... I didn't use mine for Beta Software. Sent from the iMore App
  • Good news is that the update will reach most Apple iDevices, unlike Android, where some phones don't get the latest security updates.
    Bad news, what a mess! Click on a link in a message and your phone is compromised!!?! At least with Android and Stagefright you had to turn on "install apps from unknown sources" and then install a rogue app!
    I listen to Security Now and they did an episode called iOS Insecurity. I don't pretend to understand half of what was said, but iOS isn't secure and this sort of thing will happen again. Posted via the iMore App for Android
  • iOS is more secure than Android from what I've seen. These things happen on every OS; just make sure you're always updated.
  • No, sorry, wrong. I don't believe it is, but I am willing to change my mind. Good advice with any device: be careful of what you click on or where you get your apps from. Posted via the iMore App for Android
  • You said I was wrong, then said you don't believe it. But you're right in that with any device it's just important to use common sense, which pretty much just consists of not going to dodgy websites or installing unknown apps. And bear in mind that iOS doesn't let you install unapproved apps, and that all Apple apps are sandboxed. You could literally install the most strange apps off the App Store on iOS and you wouldn't be in any danger. I wouldn't dream of doing that on Android.
  • Sorry, I am not good with words and trying to explain what I mean.
    Yes, you can side-load apps on Android, but to do so you have to jump through hoops, and Android warns you if you do so. Like iOS, if you stick to the main app store (the Google Play Store on Android) you will be fine. Again, nothing is 100% safe. I am happy that Apple has fixed the problem and that 99% of iOS devices will receive the fix.
    This is the Security Now episode I mentioned: https://www.grc.com/sn/sn-532.htm Posted via the iMore App for Android
  • No, it's not. Android is just as secure as iOS. The problem is CARRIERS and MANUFACTURERS control the updates, not Google. That's not Android's fault, as Android is patched monthly, and Google pays bounties for exploits. Samsuck is NOT Android. Don't paint Android with a bad brush because Verizon and AT&T are slow as a glacier with updates, and Samsuck, HTC and Moto won't patch their phones. It is the carrier and manufacturer "skins" that are not secure; it's not all the fault of Android or Google.
  • Most of iOS's security comes from its closed nature, with the rest being basic practice that everyone (except Windows, except now in Universal apps) has had for a while. As you normally hear, the least secure part of any operating system is normally the user.
  • Waldon Newman... make no mistake.. NOTHING is secure! You shouldn't treat anything as if it is secure because it isn't. I can't tell you which is more secure between iOS or Android but I can say neither is secure. If someone wants something then they will find a way to take it.
  • If users mindlessly click links, the best security in the world won't help you. For example, if u know none of your friends are overseas, but u get a text saying they are, be suspicious: delete the txt asap regardless of what it contains, links etc... Tip: u know better who u know. After all, friends wouldn't just "get up and go" without some form of preknowledge. That's the only compromise...
  • “Ignore the headlines and the hyperbole about this particular update and remember to download and install all updates.” Websites like iMore should be more forceful in combating foolish, ignorant comments from users about avoiding this or that update because of this or that supposed bug. With every update we get frantic warnings from clueless people to not install an update because their device is now bricked or slow or quick to drain the battery. It’s all nonsense from people who don’t know what they are talking about. And jailbreakers? Well, they deserve what they get.
  • In the past 10 years of iPhones and updates, there has only been a single update that was legitimately a problem, and it was pulled back within 2 hours of being released. If in doubt, maybe wait a few hours to see what the community consensus is. If no big issues are reported, there's no good reason to NOT update.
  • Right On!
  • Why do jailbreakers deserve what they get? What have they done to hurt you?
  • I don't believe it was specifically mentioned... but is this taken care of in the public beta of 10.0?
  • Make sure you're updated to the latest: iOS 10 Public Beta 6. Public Beta 6 blocks the exploit.
  • How does this affect the future of jailbreaking? Pangu has said they have a jailbreak for iOS 10; does this affect that? Also, why are there not as many jailbreaking stories on iMore as there used to be? There used to be a whole section on how to jailbreak.
  • idownloadblog.com probably better place for that kind of info.
  • Hey, how can you find out if you are already infected? Does installation of 9.3.5 remove the malware or does it only close the vulnerabilities?
  • One thing to remember is that the exploits are now public and any device that has not been patched could be exploited. There will be new exploit software released that will take advantage of these software defects. These exploits will be leveraged by other bad actors. Apple has been pretty active about updating iOS 9 recently. Do not get update fatigue! (Oh, and keep your devices backed up...!) RJF
  • No OS is completely secure, but this is the first real major exploit found on iOS, compared to the hundreds of security exploits found on Android.
  • Hundreds? How many have been found on iOS? We don't know, because Apple never says unless it has to! Because Apple doesn't say doesn't mean there are none. One thing I will give Google is they publish a list of flaws patched every month in their security update.
  • Calling this a "real major exploit" is an exaggeration. Did anyone read this paragraph? "This attack was being used by nation states that could afford a million dollar price tag, and targeted at specific individuals including dissidents and journalists covering dissidents. If that doesn't describe you, there's very little to worry about." The media gets ahold of anything like this and leaves out stuff like that paragraph; I read many headlines and incomplete articles that made it sound like anyone could get attacked at any moment, which really isn't true. That being said, of course you need to update, and of course don't click on just any link sent to you in a text. Once again, thank you iMore for the non-panic version of this story. :)
  • How do I know if my iPhone has been infected? Is there any way to check it?
  • You would probably know if you were infected. You should be fine after updating.
  • Test Sent from the iMore App
  • Test successful. Sent from the iMore App
  • My phone just offered to let me change my security password into a new 4-digit one. I typed in my current one, but my keyboard looked very strange, completely dark grey. So I stopped that process and did a restart. I didn't take a screenshot, unfortunately. It also said that I should change the password in the next 60 minutes. I'm on 9.3.5, iPhone 6. Did anyone on 9.3.5 have the same situation on their phone?
  • Well......just so you all know, my phone HAS been infected with Pegasus and it was infected on 09/29/2016, REMOTELY, without clicking on a link to the internet. I just discovered it a couple of weeks ago.
    In fact my usage shows the code that was used to infect it....... B28A-4F88-8495-027689E05948/Hangouts.app/Hangouts
    0x1048f0000 - 0x10481a7e172d1749a92>Pegasus
    AccessibiliyBundles/Pegasus.axbundle/Pegasus
    0x1048fc000 - 0x10491bfff VectorKit arm64
    The interesting thing here is I've never in my life utilized Google Hangouts for ANYTHING. Never in my life used that application or even so much as clicked on anything that would even IMPLY I've used it. So this problem was fixed with an update back in 09/2016; then can someone explain to me why MY phone is still infected, when it has remained up to date since the date of purchase in May 2016? It's an IPHONE SE.
    Also, just so you know, I'm not a "journalist, terrorist, person of interest to the government" or ever associated with any people like this. I'm just an ordinary everyday person just like anybody else!
    So you ask....what can Apple do to improve its security???? They could be honest about this malware that is STILL out there infecting their hardware and other ordinary folks' devices. They could respond to my 3-page email sent to their security department several days ago asking them to assist me with the problem. They could also have a PHONE NUMBER for their security department so people like me could have instant communication with them.