Initially, many iMessage (com.apple.madrid) push notifications were received, and attachment chunks were written to disk

multiple successful zero-click infections in May and June 2021. We can see one example of this on 17 May 2021. An unfamiliar iMessage account is recorded and in the following minutes at least 20 iMessage attachment chunks are created on disk.

While we have not been able to extract records from Cache.db databases due to the inability to jailbreak these two devices, additional diagnostic data extracted from these iPhones show numerous iMessage push notifications immediately preceding the execution of Pegasus processes

HTTP request performed by the com.apple.coretelephony process. This is a component of iOS involved in all telephony-related tasks and likely among those exploited in this attack

Pegasus is currently being delivered through zero-click exploits which remain functional through the latest available version of iOS at the time of writing (July 2021).

if Apple Music was itself exploited to deliver the initial infection or if instead, the app was abused as part of a sandbox escape and privilege escalation chain

In many cases the same iMessage account reoccurs across multiple targeted devices, potentially indicating that those devices have been targeted by the same operator

In many cases we discovered suspected Pegasus processes executed on devices immediately following suspicious iMessage account lookups

iOS keeps a record of Apple IDs seen by each installed application in a plist file located at /private/var/mobile/Library/Preferences/com.apple.identityservices.idstatuscache.plist. This file is also typically available in a regular iTunes backup, so it can be easily extracted without the need of a jailbreak.

However, while it is only effective on domestic networks, the targeting of foreign targets or of individuals in diaspora communities also changed

Network injection is an effective and cost-efficient attack vector for domestic use especially in countries with leverage over mobile operators

he discovery of network injection attacks in Morocco signalled that the attackers’ tactics were indeed changing

iCloud accounts seem to be central to the delivery of multiple “zero-click” attack vectors in many recent cases of compromised devices analysed by Amnesty International

apps themselves may have been exploited or their functionality misused to deliver a more traditional JavaScript or browser exploit to the device

OS Photos app or the Photostream service were used as part of an exploit chain to deploy Pegasus.

vulnerability in the iOS JavaScriptCore Binary (jsc) to achieve code execution on the device.

additional staging domains are used as trampolines eventually leading to the infection servers

When previewing a link shared in his timeline, the service com.apple.SafariViewService was invoked to load a Safari WebView,

SMS messages with Pegasus exploit

These also include so-called “zero-click” attacks which do not require any interaction from the target.