NSO Group Adds MMS Fingerprinting Zero-Click Attack to Spyware Arsenal

Published: 23/11/2024   Category: security




The purveyor of the infamous Pegasus mobile spyware now has a new method for obtaining critical information from target iPhones and other mobile devices.



A researcher at Swedish telecom and cybersecurity firm Enea has unearthed a previously unknown tactic that Israel's NSO Group has made available for use in campaigns to drop its notorious Pegasus mobile spyware tool on mobile devices belonging to targeted individuals worldwide.
The researcher discovered the technique when looking into an entry entitled "MMS Fingerprint" on a contract between an NSO Group reseller and Ghana's telecom regulator.
The contract was part of publicly available court documents associated with a 2019 lawsuit involving WhatsApp and the NSO Group, over the latter's exploitation of a WhatsApp flaw to deploy Pegasus on devices belonging to journalists, human rights activists, lawyers, and others globally.
The contract described MMS Fingerprint as something that an NSO customer could use to obtain details about a target BlackBerry, Android, or iOS device and its operating system version, simply by sending a Multimedia Messaging Service (MMS) message to it.
"No user interaction, engagement, or message opening is required to receive the device fingerprint," the contract noted.
In a blog post last week, Enea researcher Cathal McDaid said he decided to investigate that reference because "MMS Fingerprint" was not a known term in the industry.
"While we always must consider that NSO Group may simply be inventing or exaggerating the capabilities it claims to have (in our experience, surveillance companies regularly over-promise their capabilities), the fact this was on a contract rather than an advertisement suggests that it was more likely to be for real," McDaid wrote.
McDaid's investigation quickly led him to conclude that the technique mentioned in the NSO Group contract likely had to do with the MMS flow itself rather than any OS-specific vulnerabilities.
The flow typically starts with a sender's device initially submitting an MMS message to the sender's MMS Center (MMSC). The sender's MMSC then forwards that message to the recipient's MMSC, which then notifies the recipient device about the waiting MMS message. The recipient device then retrieves the message from its MMSC, McDaid wrote.
Because the developers of MMS introduced it at a time when not all mobile devices were compatible with the service, they decided to use a special type of SMS (called WSP Push) as a way to notify recipient devices of pending MMS messages in the recipient's MMSC. The subsequent retrieval request is not really an MMS but an HTTP GET request sent to a content URL listed in a content location field in the notification, the researcher wrote.
"The interesting thing here, is that within this HTTP GET, user device information is included," he wrote. McDaid concluded that this likely was how the NSO Group obtained the targeted device information.
McDaid tested his theory using some sample SIM cards from a western European telecom operator and after some trial and error was able to obtain a test device's UserAgent info and HTTP header information, which described the capabilities of the device. He concluded that NSO Group actors could use the information to exploit specific vulnerabilities in mobile operating systems, or to tailor Pegasus and other malicious payloads for target devices.
"Or, it could be used to help craft phishing campaigns against the human using the device more effectively," he noted.
McDaid said his investigations over the past several months have unearthed no evidence of anyone exploiting the technique in the wild so far.
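
A defender-side check of the retrieval step described above, added here as an illustration and not taken from the article or from Enea's research: it flags a notification whose content location points outside the operator's MMSC and lists the device-describing headers the resulting HTTP GET carries. The host names, the header list beyond User-Agent, and the sample request are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Assumption: hosts of the operator's own MMSC (hypothetical name).
OPERATOR_MMSC_HOSTS = {"mmsc.operator.example"}
# User-Agent is named in the article; the other headers are assumptions
# about what a handset adds to the retrieval request.
DEVICE_HEADERS = ("user-agent", "x-wap-profile", "accept", "accept-language")

def parse_request(raw):
    """Split a raw HTTP request into (method, target, lower-cased headers)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers

def audit_retrieval(content_location, raw_request):
    """Report whether the content location is off-net and what the GET discloses."""
    host = (urlsplit(content_location).hostname or "").lower()
    method, _target, headers = parse_request(raw_request)
    disclosed = {h: headers[h] for h in DEVICE_HEADERS if h in headers}
    off_net = host not in OPERATOR_MMSC_HOSTS
    return {
        "host": host,
        "off_net": off_net,
        "disclosed": disclosed,
        # Alert when device details leave the operator's own MMSC.
        "alert": off_net and method == "GET" and bool(disclosed),
    }

# Constructed sample: a notification's content location and the GET it triggered.
SAMPLE_LOCATION = "http://collector.invalid/m/abc123"
SAMPLE_REQUEST = (
    "GET /m/abc123 HTTP/1.1\r\n"
    "Host: collector.invalid\r\n"
    "User-Agent: ExamplePhone/1.0 (constructed)\r\n"
    "x-wap-profile: \"http://uaprof.vendor.example/phone.xml\"\r\n"
    "Accept: application/vnd.wap.mms-message\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(audit_retrieval(SAMPLE_LOCATION, SAMPLE_REQUEST))
```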
