NSO Group, a spyware company, has allegedly employed a previously unknown mobile network attack known as the “MMS Fingerprint” attack. This attack, referenced in an agreement between NSO and Ghana’s telecom regulator, is believed to work on all major smartphone operating systems independently of the operating system itself.
In May 2019, a flaw in WhatsApp’s encrypted messaging service allowed hackers to install Pegasus spyware on customers’ smartphones through a WhatsApp voice call. WhatsApp filed a lawsuit against NSO Group in October 2019, and despite NSO’s attempts to stop the case, both the US Supreme Court and US appeals court have rejected their requests.
Specifics about the “MMS Fingerprint” feature were found in a contract between the Ghanaian telecom regulator and an NSO Group reseller, but were not widely discussed. The feature allows for the revealing of target device and operating system information without requiring any interaction from the device owner.
Mobile users are advised to turn off MMS auto-retrieval and mobile operators may consider blocking internet access from devices via MMS ports to prevent potential attacks.