Pegasus’ users can remotely surveil the iPhone owner’s activities, collect emails, text messages and browsing history, and access the device’s microphone and camera, Apple alleged in its lawsuit.
Apple said the attacks were only targeted at a small number of customers, and it said on Tuesday it will inform iPhone users who may have been targeted by Pegasus malware.
“To deliver FORCEDENTRY to Apple devices, attackers created Apple IDs to send malicious data to a victim’s device — allowing NSO Group or its clients to deliver and install Pegasus spyware without a victim’s knowledge,” Apple said in its announcement. “Though misused to deliver FORCEDENTRY, Apple servers were not hacked or compromised in the attacks.”
The NSO Group created Apple ID accounts and violated the iCloud terms of service to operate its spyware, Apple said.
NSO Group is accused of using “0day” bugs to create its spyware, or flaws that Apple has not yet fixed. Once Apple fixes an exploit, it’s no longer a 0day and users can protect themselves by updating their iPhone software.
Earlier this year, Amnesty International said that it found evidence of a hacked iPhone 12 and had obtained a leaked list of 50,000 phone numbers targeted by NSO Group software. NSO Group software is alleged to have been used to monitor relatives and people close to Jamal Khashoggi, a Washington Post columnist who was killed in Turkey by assassins working on behalf of Saudi Arabia.
Amnesty International also said it discovered NSO Group malware on the iPhones of a French human rights lawyer, a French activist, an Indian journalist and a Rwandan activist.
The U.S. Commerce Department blacklisted NSO Group earlier this month, prohibiting it from using American technology in its operations. Meta, formerly known as Facebook, is also separately suing NSO Group, alleging it helped hack users of Meta subsidiary WhatsApp.
Apple said it would donate $10 million as well as any damages from the lawsuit to organizations focusing on fighting digital surveillance.
“Thousands of lives were saved around the world thanks to NSO Group’s technologies used by its customers,” an NSO Group spokesperson said in a statement. “Pedophiles and terrorists can freely operate in technological safe-havens, and we provide governments the lawful tools to fight it. NSO Group will continue to advocate for the truth.”
Apple is seeking a permanent injunction to ban NSO Group from using Apple software, services or devices. It’s also seeking damages over $75,000.
Apple considers the lawsuit to be a warning to other spyware vendors. “The steps Apple is taking today will send a clear message: in a free society, it is unacceptable to weaponize powerful state-sponsored spyware against innocent users and those who seek to make the world a better place,” Ivan Krstic, Apple’s head of security engineering and architecture, said in a tweet.
NSO Group software permits “attacks, including from sovereign governments that pay hundreds of millions of dollars to target and attack a tiny fraction of users with information of particular interest to NSO’s customers,” Apple said in the lawsuit filed in federal court in the Northern District of California, saying that it is not “ordinary consumer malware.”
Apple also said on Tuesday it has patched the flaws that enabled the NSO Group software to access private data on iPhones using “zero-click” attacks where the malware is delivered through a text message and leaves little trace of infection.