Colin Thierry
Published on: April 20, 2022

Digital threat researchers at Citizen Lab discovered a new zero-click exploit used to install NSO Group spyware on iPhones belonging to Catalan politicians, journalists, and activists.

The previously unknown iOS zero-click security flaw, called HOMAGE, impacts some versions before iOS 13.2 (the latest stable iOS version is 15.4).

The flaw was used in a campaign targeting at least 65 people with NSO’s Pegasus spyware between 2017 and 2020, including the Kismet iMessage exploit and a WhatsApp flaw.

According to Citizen Lab, victims of these attacks include Catalan Members of the European Parliament (MEPs), every Catalan president since 2010, along with Catalan legislators, jurists, journalists, and members of civil society organizations and their families.

“Among Catalan targets, we did not see any instances of the HOMAGE exploit used against a device running a version of iOS greater than 13.1.3. It is possible that the exploit was fixed in iOS 13.2,” Citizen Lab said.

“We are not aware of any zero-day, zero-click exploits deployed against Catalan targets following iOS 13.1.3 and before iOS 13.5.1,” the academic research lab added.

Citizen Lab has reported and provided Apple with the forensic artifacts necessary to investigate the exploit and said there is no evidence that Apple customers with the latest versions of iOS were exposed to HOMAGE attacks.

“At this time the Citizen Lab is not conclusively attributing these hacking operations to a particular government, however, a range of circumstantial evidence points to a strong nexus with one or more entities within the Spanish government,” they added.

Additional Targets

According to Reuters, NSO spyware was also used in attacks against senior European Commission officials in 2021, including the European Justice Commissioner.

Citizen Lab Director Ron Deibert said that multiple suspected infections with Pegasus spyware within official UK networks were also reported by the academic research lab to the UK government.

Finland’s Ministry for Foreign Affairs said in January that devices of Finnish diplomats were infected with NSO Group’s Pegasus spyware after US Department of State employees also found that their iPhones were hacked to install the same spyware.

The European Parliament is setting up a committee of inquiry to investigate breaches of EU law originating from the use of NSO Pegasus and equivalent spyware.

“The spyware covertly penetrates mobile phones (and other devices) and is capable of reading texts, listening to calls, collecting passwords, tracking locations, accessing the target device’s microphone and camera, and harvesting information from apps,” Citizen Labs explains.

“Encrypted calls and chats can also be monitored. The technology can even maintain access to victims’ cloud accounts after the infection has ended,” they added.

Apple filed a lawsuit against NSO Group last year, seeking a permanent injunction to ban NSO Group from using any Apple software, services, or devices.