Well-known Israeli commercial spyware company NSO Group reportedly offered a way to exfiltrate sensitive mobile phone data unlike anything seen before, experts have revealed.
A new report from telecoms security specialists Enea uncovered the method while recently reviewing documents submitted during the court case between WhatsApp and NSO Group.
According to Enea, in late 2019 WhatsApp presented as evidence a copy of a contract between an NSO Group reseller and Ghana's telecommunications regulator. One of the features and capabilities that NSO Group offered in the contract was called “MMS Fingerprint.”
Block malicious MMS messages
This feature, as it later emerged, exploited a vulnerability in both Android and iOS (and apparently BlackBerry devices as well) to extract some sensitive data from the device.
After some digging, Enea managed to recreate the flaw and then explained how it worked. Supposedly, the attacker could create a single malicious MMS message, which the victim did not even need to open (or otherwise interact with). That message would cause the device to return two unique pieces of information: the MMS UserAgent and the x-wap-profile.
The first is a string that typically identifies the victim's operating system and device, while the second points to a UAProf (User Agent Profile) file, which describes the capabilities of the target device.
This information, Enea maintains, could be used to profile the victim and prepare for more specific attacks: “Both things can be very useful for malicious actors. Attackers could use this information to exploit specific vulnerabilities or tailor malicious payloads (such as the Pegasus exploit) to the recipient's device type. Or it could be used to help craft phishing campaigns against the human using the device most effectively,” the researchers explained in the report.
While being able to steal data without victim interaction sounds sinister, victims are not completely helpless, Enea adds. Mobile subscribers could disable automatic MMS retrieval on their phones, preventing malicious messages from reaching their devices. In addition, most mobile operators today filter these types of messages so that they are not sent.
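A defender-side check for the two values described above, added here as an illustration and not taken from Enea's report: it scans HTTP request records from an operator's MMS proxy and flags any request that hands the UserAgent or x-wap-profile header to a host other than the operator's own MMS centre. It assumes the values travel as HTTP request headers when the handset retrieves a message; the log format, the `sub` field, the host names and both function names are constructed for this example.

```python
import json
from urllib.parse import urlsplit

# Assumption: hosts of the operator's own MMS centre (hypothetical names).
OPERATOR_MMSC_HOSTS = {"mmsc.operator.example"}
# The two values the article says the handset gives away.
FINGERPRINT_HEADERS = ("user-agent", "x-wap-profile")

# Constructed sample: one JSON object per HTTP request seen on the MMS proxy.
SAMPLE_LOG = "\n".join([
    '{"sub": "A", "url": "http://mmsc.operator.example/m/1", "headers": '
    '{"User-Agent": "ExamplePhone-X1 MMS/1.0", "x-wap-profile": "http://uaprof.vendor.example/x1.xml"}}',
    '{"sub": "B", "url": "http://files.unknown.example/m/2", "headers": '
    '{"USER-AGENT": "ExamplePhone-X1 MMS/1.0", "X-Wap-Profile": "http://uaprof.vendor.example/x1.xml"}}',
    '{"sub": "C", "url": "http://MMSC.Operator.Example./m/3", "headers": '
    '{"User-Agent": "ExampleTab-T2 MMS/2.1"}}',
    'truncated line {"sub": "D"',
    '{"sub": "E", "url": "http://198.51.100.7:8080/m/4", "headers": '
    '{"User-Agent": "ExampleTab-T2 MMS/2.1"}}',
])

def exposed_values(headers):
    """Return the fingerprint headers present, matched case-insensitively."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return {h: lowered[h] for h in FINGERPRINT_HEADERS if h in lowered}

def find_external_fetches(log_text, allowed=OPERATOR_MMSC_HOSTS):
    """Flag requests that hand fingerprint headers to a non-operator host."""
    findings, skipped = [], 0
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
            # hostname is already lower-cased; drop a trailing root dot too.
            host = (urlsplit(rec["url"]).hostname or "").rstrip(".")
        except (ValueError, KeyError, TypeError):
            skipped += 1          # malformed record: count it, do not crash
            continue
        exposed = exposed_values(rec.get("headers") or {})
        if exposed and host not in allowed:
            findings.append({"sub": rec.get("sub"), "host": host,
                             "exposed": sorted(exposed)})
    return findings, skipped

if __name__ == "__main__":
    hits, bad = find_external_fetches(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print("unparseable lines:", bad)
```

A hit means a subscriber's device type was disclosed to an outside host, which is the profiling step the researchers describe, so the affected subscriber and the destination host are the two fields worth alerting on.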