A menace

Hacked, without clicking a button. [View in browser]( [Bloomberg]( Hi, it’s Ryan in Edinburgh. Zero-click spyware is even nastier than it sounds, according to new findings. But first... Today’s must-reads: • Elon Musk [convinced a judge]( to dismiss most of a Twitter shareholder lawsuit • American [suppliers are withdrawing staff]( from a leading Chinese chipmaker • Vista Equity Partners has [agreed to pay $4.6 billion]( for the security firm KnowBe4 ‘Zero-click’ malware comes into focus In July 2020, an Azerbaijani journalist’s iPhone silently received a command to open the Apple Music app. Without the journalist’s knowledge or interaction, the app connected to a malicious server and downloaded spyware onto the phone that remained there for 17 months, eavesdropping on phone calls and text messages.  The hack was an example of a “zero-click” attack—[a method of placing spyware on a phone]( without tricking a user into doing anything, such as clicking on a malicious link sent in an email or text message. It’s a technique that governments have utilized to target their opponents on a greater scale and for a longer duration than previously known, according to recent research from Amnesty International and Citizen Lab. The Azerbaijani journalist—researchers didn’t disclose the identity—was a victim of spyware manufactured by NSO Group, which [sells technology]( to governments and law enforcement agencies. The Israeli company says clients use its software to stop terrorism and curb violent crime. Some governments have misused NSO’s spyware—known as Pegasus—to target critics in more than a dozen countries, rights groups say. NSO has helped governments hack phones with zero-click malware since at least July 2017 and has utilized at least six different zero-click exploits that were used to covertly hack Apple iOS versions 10 through 14, according to the Amnesty and Citizen Lab research, which was presented at the Virus Bulletin conference in Prague on Sept. 28. The zero-click attacks worked by leveraging security vulnerabilities in Apple devices, in some cases sending an iMessage that would force the phone to connect to a malicious website without user engagement, according to the research. Flaws were exploited in iMessage, the Apple podcast and music apps, Apple photos and a Wi-Fi calling feature, the researchers found. In November, Apple sued NSO Group, accusing the company of “flagrant violations of US federal and state law.” NSO Group also designed zero-click attacks that could compromise Android phones by exploiting a flaw in WhatsApp that was used to transmit malicious code onto a device. In April 2019, WhatsApp fixed the vulnerability—saying it said had been used to target more than 1,400 people over a two-month period—and filed a lawsuit against NSO Group. Amnesty and Citizen Lab say they uncovered evidence suggesting that NSO had been using the WhatsApp zero-click exploit as early as July 2018, nearly nine months before it was fixed, indicating that it was used to target a far greater number of people than 1,400. “What we found is that these activities had been going on longer than we had known about,” says Donncha Ó Cearbhaill, a researcher and technologist at Amnesty International’s Security Lab. There are indications that security researchers can disrupt the operations of NSO Group and the handful of other firms that sell zero-click hacking tools to governments. In July 2019, [a team at Google’s Project Zero]( discovered vulnerabilities in iMessage that could be used for a zero-click hack, which was subsequently fixed by Apple. That discovery appeared to have an impact on NSO Group, temporarily disrupting its customers’ ability to infiltrate some phones. “They were able to protect a lot of people,” said Ó Cearbhaill. It’s an example, he added, that shows it’s possible to fight back against powerful surveillance firms. —[Ryan Gallagher](mailto:rgallagher76@bloomberg.net) The big story Twitter has already been hurt by all the drama over the possible Elon Musk takeover. The road is [only poised to get bumpier]( if the deal goes through, Bloomberg Businessweek reported. Musk has publicly trashed Twitter’s top management and alienated its [7,000-plus employees](. What else you need to know Microsoft will introduce an app [meant to help employees]( decide the best time to go into the office. Jack Dorsey’s Block and Sequoia Capital are [among the investors]( to pump $20 million into the fintech firm Telda. ByteDance is offering to buy back employees’ shares for $155 apiece to [boost staff morale](. Follow Us More from Bloomberg Dig gadgets or video games? [Sign up for Power On]( to get Apple scoops, consumer tech news and more in your inbox on Sundays. [Sign up for Game On]( to go deep inside the video game business, delivered on Fridays. Why not try both? Like getting this newsletter? [Subscribe to Bloomberg.com]( for unlimited access to trusted, data-driven journalism and subscriber-only insights.​​​​​​​ You received this message because you are subscribed to Bloomberg's Fully Charged newsletter. If a friend forwarded you this message, [sign up here]( to get it in your inbox. [Unsubscribe]( [Bloomberg.com]( [Contact Us]( Bloomberg L.P. 731 Lexington Avenue, New York, NY 10022 [Ads Powered By Liveintent]( [Ad Choices](