A researcher at Swedish telecom and cybersecurity firm Enea has unearthed a previously unknown tactic that Israel's NSO Group has made available for use in campaigns to drop its notorious Pegasus mobile spyware tool on mobile devices belonging to targeted individuals worldwide.

The researcher discovered the technique when looking into an entry entitled "MMS Fingerprint" on a contract between an NSO Group reseller and Ghana's telecom regulator.

The contract was part of publicly available court documents associated with a 2019 lawsuit involving WhatsApp and the NSO Group, over the latter's exploitation of a WhatsApp flaw to deploy Pegasus on devices belonging to journalists, human rights activists, lawyers, and others globally.

Zero-Click Device-Profiling for Pegasus

The contract described MMS Fingerprint as something that an NSO customer could use to obtain details about a target BlackBerry, Android, or iOS device and its operating system version, simply by sending a Multimedia Messaging Service (MMS) message to it.

"No user interaction, engagement, or message opening is required to receive the device fingerprint," the contract noted.

In a blog post last week, Enea researcher Cathal McDaid said he decided to investigate that reference because "MMS Fingerprint" was not a known term in the industry.

"While we always must consider that NSO Group may simply be 'inventing' or exaggerating the capabilities it claims to have (in our experience, surveillance companies regularly over-promise their capabilities), the fact this was on a contract rather than an advertisement suggests that it was more likely to be for real," McDaid wrote.

Fingerprinting Due to Issue With the MMS Flow

McDaid's investigation quickly led him to conclude that the technique mentioned in the NSO Group contract likely had to do with the MMS flow itself rather than any OS-specific vulnerabilities.

The flow typically starts with a sender's device initially submitting an MMS message to the sender's MMS Center (MMSC). The sender's MMSC then forwards that message to the recipient's MMSC, which then notifies the recipient device about the waiting MMS message. The recipient device then retrieves the message from its MMSC, McDaid wrote.

Because the developers of MMS introduced it at a time when not all mobile devices were compatible with the service, they decided to use a special type of SMS (called "WSP Push") as a way to notify recipient devices of pending MMS messages in the recipient's MMSC. The subsequent retrieval request is not really an MMS but a HHTP GET request sent to a content URL listed in a content location field in the notification, the researcher wrote.

"The interesting thing here, is that within this HTTP GET, user device information is included," he wrote. McDaid concluded that this likely was how the NSO Group obtained the targeted device information.

McDaid tested his theory using some sample SIM cards from a western European telecom operator and after some trial and error was able to obtain a test devices UserAgent info and HTTP header information, which described the capabilities of the device. He concluded that NSO Group actors could use he information to exploit specific vulnerabilities in mobile operating systems, or to tailor Pegasus and other malicious payloads for target devices.

"Or, it could be used to help craft phishing campaigns against the human using the device more effectively," he noted.

McDaid said his investigations over the past several months have unearthed no evidence of anyone exploiting the technique in the wild so far.