Israel's NSO Group: Our malware? Slurp your cloud backups plus phone data? They've misunderstood
After report claimed its sales pitches boasted of doing that
Israeli spyware firm NSO Group has denied it developed malware that can steal user data from cloud services run by Amazon, Apple, Facebook, Google and Microsoft.
The Financial Times reported this morning that NSO's Pegasus malware, which was previously known to be capable of slurping data from a phone handset, "has now evolved to capture the much greater trove of information stored beyond the phone, in the cloud, such as a full history of a target's location data, archived messages or photo".
This means it can access iCloud and Google Drive backups. It was suggested by the FT that linked cloud accounts accessed through apps on the target device are also vulnerable to this style of full-take surveillance, based on sales pitch documents shown, among other places, to the Ugandan government.
The Pink 'Un reported that Pegasus is now capable of copying authentication keys of services including Google Drive, Facebook Messenger and iCloud from an infected device, "allowing a separate server to impersonate the phone, including its location". The NSO sales document boasted this allowed spies operating the malware to bypass multi-factor authentification and access control warning emails.
Most concerningly, the firm allegedly claimed that its access remained persistent even when the malware was removed from the target device.
NSO Group was previously linked to the infamous "WhatsApp calls can pwn your mobe" malware discovered and patched earlier this year. The business's Pegasus malware was patched in 2016 by Apple after it was learned that they also affected desktop versions of Safari and OSX. A year later, however, a coalition of Mexican and Canadian investigators uncovered sustained efforts by the Mexican government to use Pegasus for spying on local dissidents.
Mitigating this kind of attack ought to be a straightforward matter of resetting passwords and access tokens once the malware is cleansed from the infected device. Indeed, the FT mentions that this workaround was referenced in one of the pitch documents it had seen.
The Israeli company told The Reg: "There is a fundamental misunderstanding of NSO, its services and technology. NSO's products do not provide the type of collection capabilities and access to cloud applications, services, or infrastructure, as listed and suggested in today's FT article.
"Increasingly sophisticated terrorists and criminals are taking advantage of encrypted technologies to plan and conceal their crimes, leaving intelligence and law enforcement agencies in the dark and putting public safety and national security at risk. NSO's lawful interception products are designed to confront this challenge.
"Our products are licensed in small scale to legitimate government intelligence and law enforcement agencies for the sole purpose of preventing or investigating serious crime including terrorism." ®