The messages themselves ranged from a simple "message not sent" text to more aggressive attempts, which masqueraded as the US Embassy's visa division or a bereaved friend sending details of a funeral. Some texts even posed as Amber Alerts, claiming to offer details on a missing child. Once clicked, the software exploited a trio of previously disclosed iOS vulnerabilities to silently install itself on the target device.
Citizen Lab believes the campaign was orchestrated by the Israeli spyware vendor NSO Group, based on similarities in the code of the spyware and the host domains where it was stored. The group, rumored to be on sale for as much as $1 billion, rose to prominence last year after similar spyware was detected on the iPhone of human rights activist Ahmed Mansoor in the United Arab Emirates.
The research prompted an emergency patch from Apple to close the rare iOS vulnerabilities exploited by the attack. Notably, the Mexican campaign took place before that patch took effect, so all of the iOS vulnerabilities would have been exploitable at the time.
The NSO Group says it sells only to governments, and it is subject to various export restrictions on sanctioned countries like North Korea and Iran. Those restrictions would not prevent sales to the Mexican government, however, and there is a record of roughly $80 million in NSO sales to various Mexican federal agencies, according to a report from The New York Times. It's unclear whether there was any legal authorization for the campaign, and one expert told the Times it's unlikely such a request would be approved by a judge.