A 507-page leaked document from an Apple lawsuit against Corellium alleges the cybersecurity firm of copyright infringement and intentionally compromising user data with an iOS tool. The document claims the firm sold the software to spyware and malware distributors, including the NSO Group—creators of the infamous Pegasus spyware—DarkMatter, Paragon, and Pwnzen Infotech.
Failing to prove the copyright infringement claims against Corellium, which were based on the Digital Millenium Copyright Act, Apple settled out of court in 2020. However, the settlement terms remain confidential.
Corellium is a cybersecurity firm specializing in creating iOS and Android virtualized systems. These systems help researchers conduct security testing on devices, like iPhones, without actually buying them.
But, in 2019, when it created and sold duplicate iOS systems, Apple sued the firm for copyright infringement. Confident in the security of its operating system, Apple had offered a $1 million bug bounty to anyone who could find gaps in it.
According to the leaked document, Correlium’s virtualization technology went beyond security testing, and violated users’ privacy. An excerpt from the document alleges:
|“Although Corellium paints itself as providing a research tool for those trying to discover security vulnerabilities and other flaws in Apple’s software, Corellium’s true goal is profiting off its blatant infringement…Far from assisting in fixing vulnerabilities, Corellium encourages its users to sell any discovered information on the open market to the highest bidder.”|
Direct Emails to Banned Surveillance Firms
Basing its lawsuit on copyright infringement claims, Apple asserted Corellium had no license to duplicate the iOS infrastructure and to virtualize it for its customers. It requested the court to stop Corellium from selling and marketing Apple’s software. However, copyright infringement isn’t the only claim the document makes against Corellium.
While the parties settled the copyright infringement case in 2020, journalists at Wired recently obtained a leaked document from the lawsuit, which show Corellium’s business dealings with spyware makers and governments for surveillance.
In connection to these claims, the document offers some evidence. It includes emails from Corellium to known spyware and malware creators with dubious government connections. These governments have a poor human rights track record.
An employee from Corellium sent the following email to the NSO group, dated March 26th, 2019:
|“As one of our early beta requesters, we’re delighted to extend you and your team at NSO Group an exclusive invitation to try Corellium, the world’s first and only mobile device virtualization platform. We think you’ll really enjoy the advanced mobile security research tools we have to offer…Your free trial will last until April 9. Trial accounts are limited, but if you need more time, or if you prefer to start your trial at a different time, just let us know.”|
NSO Group, DarkMatter, Paragon & Pwnzen Infotech
The lawsuit document shows Corellium’s contact with many other malicious actors. However, two of the most prominent include, the NSO Group and DarkMatter.
Since 2019, DarkMatter has rebranded twice: first to Digital14 and currently to CPX. The group helped the UAE government track journalists and human rights activists.
NSO Group is an Israeli technology firm which created Pegasus. Pegasus is a zero-click spyware that can remotely track mobile phones. NSO claims to assist the Isreali government in fighting crime.
However, numerous reports show its use in tracking citizens of other countries. Apple, WhatsApp, and Facebook have all filed lawsuits against NSO. NSO employs former military contractors mostly.
In addition, the lawsuit mentions Paragon and Pwnzen Infotech. Paragon reportedly provide government surveillance technology. And, Pwnzen Infotech’s founders were a part of Pangu Team—a group of elite cybercriminals.
According to Reuters, a Pwnzen sales representative claimed the company used Corellium’s technology to remotely hack into a suspect’s phone. The Chinese government accused the suspect of subversive activities.
Worrying Implications for Small Businesses, Individuals & Enterprises
Unfortunately, cybersecurity scandals are becoming increasingly common. Corellium openly advertised itself as a cybersecurity firm. Meanwhile, it was in open contact with known cybercriminal organizations.
Moreover, this case signifies that the line between a surveillance technology firm and a cybersecurity firm is getting thinner. A cybersecurity firm that sells its data to surveillance firms, that have ties with repressive governments, defeats the goal of cybersecurity. Further, it demonstrates a lack of transparency and a distinct conflict of interest.
The question right now is whether Corellium designed its virtualization technology for capturing and selling user information. That would mean it had malicious intent, a claim Apple was arguing in its lawsuit.
And, even if it didn’t design it for that purpose, it was in contact with blackhat organizations like the NSO Group and others. The case sets an extremely worrying precedent of cybersecurity firms exploiting users’ trust.
Protection against Cyber Security Scandals
Businesses can maximize their security against cybercrimes by conducting regular security checkups, updates, and hiring certified security teams.
Additionally, businesses need to uninstall all malware and spyware from their devices. They should also stay updated on cybersecurity trends and software.
Since data security laws differ for different industries, like medicine, finance, law, and insurance, businesses need specific security protocols to protect their sensitive data. Moreover, business owners need to use Virtual Private Network (VPN) that align with their business.
For individuals, it’s important to maintain mobile phone security. Court records show that instant messaging applications aren’t safe and phones are easy targets for a variety of attacks. To protect against them, experts recommend avoiding sensitive information on the phone.
Making Sense of the Corellium Case
Although Corellium claimed to assist the Android and iOS operating systems in patching security issues, its practices are in clear violation of privacy protocols.
Using Corellium’s technology, cybercriminals exploited security vulnerabilities in users’ devices. Fully aware of the use of its technology, the firm sold it to oppressive governments that used it to target dissidents.
Corellium was also actively engaged in business with many gray and blackhat actors. The copyright infringement lawsuit from Apple might be the least of its worries, as news about its shady practices spreads.