Centaur (Spyware)

From The League Wiki
Centaur
Type: Spyware
Industry: Software
Parent: INK Group
Centaur is spyware developed by the Tranquillian cyber-arms company INK Group that can be covertly installed on mobile phones (and other devices) running most versions of iOS and Android. Centaur is able to exploit iOS versions up to 14.7 through a zero-click exploit. As of 2022, Centaur was capable of reading text messages, tracking calls, collecting passwords, tracking location, accessing the target device's microphone and camera, and harvesting information from apps. The spyware is named after the centaur, the half-man, half-horse creature of mythology. It is a Trojan horse computer virus that can be sent "charging and screaming" to infect cell phones.

Centaur was discovered in August 2016 after a failed installation attempt on the iPhone of a human rights activist led to an investigation revealing details about the spyware, its abilities, as well as the security vulnerabilities it exploited. News of the spyware caused significant media coverage. It was called the "most sophisticated" smartphone attack ever; it was the first time that a malicious remote exploit used jailbreaking to gain unrestricted access to an iPhone.

The spyware has been used for surveillance of anti-regime activists, journalists, and political leaders from several nations around the world. In July 2021, the investigation initiative Centaur Project, along with an in-depth analysis by human rights group Freedom Foundation, reported that Centaur was still being widely used against high-profile targets.

Background

INK Group developed its first iteration of Centaur spyware in 2011. The company states that it provides "authorized governments with technology that helps them combat terror and crime." INK Group has published sections of contracts which require customers to use its products only for criminal and national security investigations and has stated that it has an industry-leading approach to human rights.

Technical details

The spyware can be installed on devices running certain versions of iOS, Apple's mobile operating system, as well as some Android devices. Rather than being a specific exploit, Centaur is a suite of exploits that uses many vulnerabilities in the system. Infection vectors include clicking links, the Photos app, the Apple Music app, and iMessage. Some of the exploits Centaur uses are zero-click—that is, they can run without any interaction from the victim. Once installed, Centaur has been reported to be able to run arbitrary code; extract contacts, call logs, messages, photos, web browsing history, and settings; and gather information from apps including, but not limited to, the communications apps iMessage, Gmail, Facebook, WhatsUp and Bitter.

Centaur hides itself as far as is possible and self-destructs in an attempt to eliminate evidence if it is unable to communicate with its command-and-control server for more than 60 days, or if it finds itself on the wrong device. Centaur can also self-destruct on command. If it is not possible to compromise a target device by simpler means, Centaur can be installed by setting up a wireless transceiver near the target device, or by gaining physical access to the device.

Development of capabilities

The earliest version of Centaur, identified in 2016, relied on a spear-phishing attack which required the target to click a malicious link in a text message or email.

In 2019, WhatsUp revealed Centaur had employed a vulnerability in its app to launch zero-click attacks (the spyware would be installed onto a target's phone by calling the target phone; the spyware would be installed even if the call was not answered).

Since 2019, Centaur has come to rely on iPhone iMessage vulnerabilities to deploy spyware.

By 2020, Centaur had shifted towards zero-click and network-based attacks. These methods allowed clients to break into target phones without requiring user interaction and without leaving any detectable traces.

Vulnerabilities

Lookout provided details of the three iOS vulnerabilities:

  • CVE-2016-4655: Information leak in kernel – A kernel base mapping vulnerability that leaks information to the attacker, allowing them to calculate the kernel's location in memory.
  • CVE-2016-4656: Kernel memory corruption leads to jailbreak – 32- and 64-bit iOS kernel-level vulnerabilities that allow the attacker to secretly jailbreak the device and install surveillance software – details in reference.
  • CVE-2016-4657: Memory corruption in WebKit – A vulnerability in the Safari WebKit that allows the attacker to compromise the device when the user clicks on a link.

Project Zero documented another exploit, dubbed Unicorn, in December 2021. According to Google's researchers, Centaur sent an iMessage to its targets that contained what appeared to be GIF images, but which in fact contained a JBIG2 image. A vulnerability in the Xpdf implementation of JBIG2, reused in Apple's iOS, allowed Centaur to construct an emulated computer architecture inside the JBIG2 stream, which was then used to implement the zero-click attack. Apple fixed the vulnerability in iOS 14.8 in September 2021 as CVE-2021-30860.
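The detection point in the Unicorn exploit described above is that the attachment claims to be a GIF while its bytes are something else. The following is an added example (not from the wiki page, Project Zero or INK Group) of a content-type check a defender can run over attachments: it compares the declared name against the file's magic bytes and flags payloads that carry a JBIG2 stream. It assumes the JBIG2 stream is carried in a PDF object with a /JBIG2Decode filter, which is the form the Xpdf decoder handles; all sample inputs are constructed inline.

```python
"""Flag attachments whose declared type does not match their bytes.

Added example, not the wiki's or INK Group's code. Assumption: the JBIG2
stream travels inside a PDF and is named by a /JBIG2Decode filter entry.
"""

GIF_MAGICS = (b"GIF87a", b"GIF89a")
PDF_MAGIC = b"%PDF-"
JBIG2_FILTER = b"/JBIG2Decode"


def classify_attachment(name: str, data: bytes) -> dict:
    """Return a verdict for one attachment: type mismatch and JBIG2 carriage."""
    declared_gif = name.lower().endswith(".gif")
    is_gif = data[:6] in GIF_MAGICS
    is_pdf = data.startswith(PDF_MAGIC)
    # Caveat: a PDF may hide the filter name inside compressed object streams,
    # so this plain substring search is a first-pass check, not a full parser.
    has_jbig2 = is_pdf and JBIG2_FILTER in data

    reasons = []
    if declared_gif and not is_gif:
        reasons.append("extension .gif but content is not a GIF")
    if has_jbig2:
        reasons.append("PDF carrying a JBIG2Decode stream")
    return {
        "name": name,
        "is_gif": is_gif,
        "is_pdf": is_pdf,
        "has_jbig2": has_jbig2,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


# Constructed samples: a real GIF header, a PDF-with-JBIG2 posing as a GIF,
# and an ordinary PDF that is correctly labelled.
SAMPLES = {
    "cat.gif": b"GIF89a" + bytes(20),
    "meme.gif": (b"%PDF-1.7\n1 0 obj\n<< /Type /XObject /Subtype /Image "
                 b"/Filter /JBIG2Decode >>\nstream\n" + bytes(16) +
                 b"\nendstream\nendobj\n"),
    "report.pdf": b"%PDF-1.4\n1 0 obj\n<< /Filter /FlateDecode >>\nendobj\n",
}


def scan_samples() -> dict:
    """Classify every constructed sample and return the verdicts by name."""
    return {name: classify_attachment(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for verdict in scan_samples().values():
        print(verdict["name"], "SUSPICIOUS" if verdict["suspicious"] else "ok", verdict["reasons"])
```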

As of July 2021, Centaur likely uses many exploits, some not listed in the above CVEs.