Notorious NSO Group exploits the flaw to send malicious messages and more
Notorious Israeli commercial spyware company NSO Group has reportedly offered a way to exfiltrate sensitive mobile phone data unlike anything seen before, experts have revealed.
Telecom security specialists Enea describe the method in a new report, having found it while looking through the documents submitted during the lawsuit between WhatsApp and NSO Group.
According to Enea, WhatsApp submitted as evidence a copy of a late-2019 contract between an NSO Group reseller and Ghana’s telecoms regulator. Among the functions and capabilities NSO Group offered in that contract was one called “MMS Fingerprint”.
Blocking malicious MMS messages
This feature, it turned out, exploited a vulnerability in both Android and iOS (and apparently in BlackBerry devices as well) to exfiltrate sensitive data from the device.
After some digging, Enea managed to recreate the technique and explained how it worked. The attacker could reportedly craft a malicious MMS message that the victim did not even have to open (or otherwise interact with). That message would cause the device to return two pieces of information: the MMS UserAgent and the x-wap-profile.
The former is a string that typically identifies the victim’s operating system and device, while the latter refers to a UAProf (User Agent Profile), which describes the capabilities of the target device.
This information, Enea argues, could be used to profile the victim and prepare more targeted attacks: “Both could be very useful for malicious actors. Attackers can use this information to exploit specific vulnerabilities or tailor malicious payloads (such as the Pegasus exploit) to the type of receiving device. Or it could be used to launch phishing campaigns against people who use the device more effectively,” the researchers explain in the report.
While stealing data without any interaction from the victim sounds ominous, victims are not completely helpless, Enea adds. Mobile subscribers can disable automatic MMS retrieval on their handset, preventing the malicious messages from reaching their devices. Furthermore, most mobile operators today prevent these types of messages from being sent in the first place.
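As an added example (not code from Enea's report or from the article), here is an operator-side check in the spirit of the blocking described above: it decodes a constructed MMS notification and only lets through those whose retrieval URL points at the operator's own MMSC. It assumes the standard MMS flow, which the article does not spell out: the handset's auto-retrieval fetches the message body from the Content-Location URL carried in the M-Notification.ind, and that fetch is where the User-Agent and x-wap-profile headers leave the device; the header codes follow the OMA MMS Encapsulation spec, and the MMSC host allow-list is a placeholder.

```python
# Added example, not Enea's or NSO Group's code. Assumes the standard MMS flow: the handset auto-retrieves
# the body from the notification's Content-Location URL, sending User-Agent and x-wap-profile with that fetch.
from urllib.parse import urlsplit

# OMA MMS Encapsulation header field codes (well-known octet with the high bit set)
MSG_TYPE, TRANSACTION_ID, MMS_VERSION, FROM = 0x8C, 0x98, 0x8D, 0x89
MESSAGE_CLASS, MESSAGE_SIZE, EXPIRY, CONTENT_LOCATION = 0x8A, 0x8E, 0x88, 0x83
M_NOTIFICATION_IND = 0x82
TRUSTED_MMSC_HOSTS = {"mmsc.example-operator.net"}  # assumed allow-list: the operator's own MMSC
# value encoding per field: one octet, NUL-terminated text, or length-prefixed (length octet < 31)
VALUE_KIND = {MSG_TYPE: "byte", TRANSACTION_ID: "text", MMS_VERSION: "byte", FROM: "vlen",
              MESSAGE_CLASS: "byte", MESSAGE_SIZE: "vlen", EXPIRY: "vlen", CONTENT_LOCATION: "text"}

def decode_headers(pdu: bytes) -> dict:
    """Walk the header block; an unknown or truncated field raises so the PDU gets rejected."""
    headers, i = {}, 0
    while i < len(pdu):
        code, i = pdu[i], i + 1
        kind = VALUE_KIND.get(code)
        if kind is None:
            raise ValueError(f"unknown header 0x{code:02X}")
        if kind == "byte":
            headers[code], i = pdu[i], i + 1
        elif kind == "text":
            end = pdu.index(0, i)
            headers[code], i = pdu[i:end].decode("ascii"), end + 1
        else:
            length, i = pdu[i], i + 1
            if length >= 31:  # 31 introduces a WSP uintvar length; not needed for this example
                raise ValueError("long value-length not handled")
            headers[code], i = pdu[i:i + length], i + length
    return headers

def build_notification(transaction_id: str, content_location: str) -> bytes:
    # Constructed M-Notification.ind: MMS 1.2, insert-address From, 2 KiB size, 1-day relative expiry
    return (bytes([MSG_TYPE, M_NOTIFICATION_IND, TRANSACTION_ID]) + transaction_id.encode() + b"\x00"
            + bytes([MMS_VERSION, 0x92, FROM, 1, 0x81, MESSAGE_CLASS, 0x80, MESSAGE_SIZE, 2, 0x08, 0x00,
                     EXPIRY, 5, 0x81, 3, 0x01, 0x51, 0x80, CONTENT_LOCATION])
            + content_location.encode() + b"\x00")

def check_notification(pdu: bytes, trusted=TRUSTED_MMSC_HOSTS) -> tuple:
    """Return ('allow' | 'block', detail); only retrievals bound for our own MMSC pass."""
    try:
        h = decode_headers(pdu)
    except (ValueError, IndexError) as err:
        return "block", f"undecodable notification: {err}"
    if h.get(MSG_TYPE) != M_NOTIFICATION_IND:
        return "allow", "not a notification"  # other MMS PDU types are out of scope here
    url = h.get(CONTENT_LOCATION, "")
    host = (urlsplit(url).hostname or "").lower()  # real host, so user@host forms are not fooled
    return ("allow" if host in trusted else "block"), url
```

A notification with no Content-Location, or one that cannot be decoded, is blocked rather than passed on, so the filter fails closed.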