NSO Group adds zero-click “MMS Fingerprinting” attack to spyware arsenal

A researcher from the Swedish telecommunications and cybersecurity company Enea has unearthed a previously unknown tactic that the Israeli NSO Group has made available for use in campaigns to deploy its infamous Pegasus mobile spyware on devices belonging to targeted individuals all over the world.

The researcher discovered the technique by examining an entry titled “MMS Fingerprint” on a contract between an NSO Group reseller and the Ghana Telecommunications Regulatory Authority.

The contract was part of publicly available court documents associated with a 2019 lawsuit involving WhatsApp and the NSO Group, over the latter’s exploitation of a WhatsApp flaw to deploy Pegasus on devices belonging to journalists, human rights activists, lawyers and others globally.

Zero-click device profiling for Pegasus

The contract described MMS Fingerprint as something an NSO customer could use to get details about a target BlackBerry, Android or iOS device and its operating system version, simply by sending it an MMS (Multimedia Messaging Service) message.

“No user interaction, engagement, or message opening is required to receive your device fingerprint,” the contract reads.

In a blog post last week, Enea researcher Cathal McDaid said he decided to investigate that reference because “MMS Fingerprint” was not a known term in the industry.

“While we must always consider that NSO Group may simply be ‘making up’ or exaggerating the capabilities it claims to have (in our experience, surveillance companies routinely overpromise their capabilities), the fact that this was under contract rather than an ad suggests it was more likely to be true,” McDaid wrote.

Fingerprints arise from the MMS flow itself

McDaid’s investigation quickly led him to conclude that the technique mentioned in the NSO Group contract likely had to do with the MMS flow itself rather than with any specific operating system vulnerability.

The flow typically begins with the sender’s device initially sending an MMS message to the sender’s MMS Center (MMSC). The sender’s MMSC then forwards the message to the recipient’s MMSC, which then notifies the recipient device of the pending MMS message. The receiving device then retrieves the message from its MMSC, McDaid wrote.

Since the developers of MMS introduced it at a time when not all mobile devices were compatible with the service, they decided to use a special type of SMS (called “WSP Push”) to notify recipient devices of MMS messages pending in the recipient’s MMSC. The subsequent fetch request is not really an MMS but an HTTP GET request sent to a content URL listed in the Content-Location field of the notification, the researcher wrote.

“The interesting thing here is that within this HTTP GET is information about the user’s device,” he wrote. McDaid concluded that this was likely how the NSO group obtained information about the targeted device.
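An added example (not from the article or from Enea’s research) showing what the notification described above looks like on the wire and the check a defender would run over it: a minimal Python decoder for the M-Notification.ind PDU that the WSP Push SMS carries, which pulls out the Content-Location the handset will fetch with HTTP GET and flags notifications whose URL does not point at an allow-listed operator MMSC. Field codes follow the OMA MMS Encapsulation specification; the WSP push wrapper is assumed already stripped, and the hostnames and PDU bytes are constructed.

```python
"""Decode an MMS M-Notification.ind and check where its Content-Location points."""
from urllib.parse import urlparse

# Header field codes from the OMA MMS Encapsulation spec (high bit set).
MESSAGE_TYPE, TRANSACTION_ID, MMS_VERSION, MESSAGE_CLASS = 0x8C, 0x98, 0x8D, 0x8A
MESSAGE_SIZE, EXPIRY, CONTENT_LOCATION, M_NOTIFICATION_IND = 0x8E, 0x88, 0x83, 0x82
SHORT_FIELDS = {MESSAGE_TYPE: "message_type", MMS_VERSION: "mms_version",
                MESSAGE_CLASS: "message_class"}
TEXT_FIELDS = {TRANSACTION_ID: "transaction_id", CONTENT_LOCATION: "content_location"}

def read_text(buf, i):
    """WSP Text-string: optional 0x7F quote byte, then bytes up to a NUL."""
    i += buf[i] == 0x7F                   # skip the quote byte if present
    end = buf.index(0, i)
    return buf[i:end].decode("latin-1"), end + 1

def decode_notification(pdu):
    """Return the headers of an M-Notification.ind as a dict (raw byte values)."""
    out, i = {}, 0
    while i < len(pdu):
        code, i = pdu[i], i + 1
        if code in SHORT_FIELDS:          # Short-integer: one byte with high bit set
            out[SHORT_FIELDS[code]], i = pdu[i], i + 1
        elif code in TEXT_FIELDS:
            out[TEXT_FIELDS[code]], i = read_text(pdu, i)
        elif code == MESSAGE_SIZE:        # Long-integer: short-length, then octets
            n = pdu[i]
            out["message_size"], i = int.from_bytes(pdu[i + 1:i + 1 + n], "big"), i + 1 + n
        elif code == EXPIRY:              # Value-length (<31) then token + value; skipped
            n, i = pdu[i], i + 1
            if n >= 31:
                raise ValueError("uintvar Value-length not handled in this example")
            i += n
        else:
            raise ValueError(f"unsupported header 0x{code:02X}")
    return out

def fetch_url_is_operator_hosted(pdu, operator_hosts):
    """True only if the notification's fetch URL points at an allow-listed MMSC host."""
    hdrs = decode_notification(pdu)
    if hdrs.get("message_type") != M_NOTIFICATION_IND or "content_location" not in hdrs:
        return False
    return urlparse(hdrs["content_location"]).hostname in operator_hosts

# Constructed notification: version 1.0, class Personal, 0x1234 octets, 300 s expiry.
SAMPLE_PDU = (bytes([MESSAGE_TYPE, M_NOTIFICATION_IND, TRANSACTION_ID]) + b"T1a2b3\x00"
              + bytes([MMS_VERSION, 0x90, MESSAGE_CLASS, 0x80, MESSAGE_SIZE, 2, 0x12, 0x34])
              + bytes([EXPIRY, 4, 0x81, 2, 0x01, 0x2C])      # relative token + Long-integer
              + bytes([CONTENT_LOCATION]) + b"http://mms.example.net/fetch/T1a2b3\x00")
```

Run over notifications seen at the operator side (or captured on a test handset), a fetch URL whose host is not the operator’s own MMSC is the condition worth alerting on.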

McDaid tested his theory using some sample SIM cards from a Western European telecom operator and, after some trial and error, was able to obtain the test device’s User-Agent and other HTTP header information, which described the capabilities of the device. He concluded that NSO Group actors could use the information to exploit specific vulnerabilities in mobile operating systems or to customize Pegasus and other malicious payloads for target devices.

“Or, it could be used to create phishing campaigns against humans who use the device more effectively,” he noted.

McDaid said his investigations in recent months have uncovered no evidence that anyone has exploited the technique in the wild so far.
