In the ongoing trial between WhatsApp and spy software company NSO Group, new information has emerged regarding a previously unknown method of infection. The NSO contract with the Ghana telecommunication regulator includes a technology called “MMS FingerPrint,” which is classified as a tool for facilitating infection. According to NSO, this method can identify the target device and operating system without any interaction or message opening from the user, and it can be used against Android, BlackBerry, and iOS devices.
The “MMS FingerPrint” technology has caught the attention of Katal MacDade, Vice President of Technology at Swedish telecommunications safety firm ENEA. MacDade has decided to conduct a study on this method for more details. In the study, MacDade focused on the MMS exchange process, which is described as “random.” It was discovered that when obtaining an MMS message through HTTP GET, the request for the URL contained in the message being waited for is transmitted regarding the user’s device. This allows for the “shooting” of the MMS fingerprint.
ENEA performed tests and successfully forced the target device to complete the GET request for the URL on their controlled server. The request revealed the USREAGEGENT and X-WAP-Profile devices, which provide information about the device’s operating system, model, and the UAPROF file (user agent profile) that describes the capabilities of a mobile phone. ENEA was able to conceal this process by changing the binary SMS element to a silent SMS, preventing the MMS contents from being displayed on the target device.
While the presented description outlines a potential method of infection rather than the device vulnerability itself, the obtained information could simplify future attacks. Attackers can utilize this data to exploit specific vulnerabilities, adapt malicious software to suit the recipient’s device, or enhance the organization of phishing campaigns.
Although this method remains theoretical, ENEA has demonstrated that the “MMS FingerPrint” method is functional. However, there have been no confirmed instances of its use in the wild. The company acknowledges that it does not have access to data from all mobile network operators worldwide. Additionally, local mobile networks may block this method, and subscribers have the option to disable automatic receipt of MMS on their devices to protect themselves from other MMS exploits such as Stagefright.