Clickless Exploit
I've read and heard about the NSO Pegasus exploit, also a zero-click exploit against WhatsApp. For several years now I've gotten random phone calls that wouldn't even wait for me to pick up. I've been concerned about it because I have positive evidence that I'm a frequent target of attack due to my career. I didn't think too much about it because, as an offensive security professional, I could not think of what the attacker could do.
Were they just leaving that number in my phone to see if they could validate it later?
Did they mean to trigger a DNS or web lookup back to their domain to get my IP or location?
I found the MVT tool and was digging a bit deeper. When those calls come in, and ONLY when those calls come in, I get this "MagicalMoments" entry that I can extract from backup:
2021-09-10 15:06:59.244415,Calls,call,From b'+1734375****' using com.apple.Telephony during 0.0 seconds
2021-09-10 15:06:59.340734,InteractionC,start_date,[com.apple.InCallService] None - from +1 (734) 375-**** (+1734375****') to None (None): None
2021-09-10 15:06:59.533726,InteractionC,interactions_creation_date,[com.apple.InCallService] None - from +1 (734) 375-**** (+1734375****') to None (None): None
2021-09-10 15:06:59.533772,InteractionC,contacts_creation_date,[com.apple.InCallService] None - from +1 (734) 375-**** (+1734375****') to None (None): None
2021-09-10 15:07:00.000000,Manifest,M-CB,Library/Preferences/com.apple.CommCenter.counts.plist - WirelessDomain
2021-09-10 15:07:00.000000,Manifest,M-CB,Library/Preferences/com.apple.DuetExpertCenter.MagicalMoments.plist - HomeDomain
2021-09-10 15:07:00.000000,Manifest,M-CB,Library/Preferences/com.apple.coreservices.useractivityd.dynamicuseractivites.plist - HomeDomain
2021-09-10 15:07:00.000000,Manifest,M-CB,Library/Preferences/com.apple.contextstored.plist - HomeDomain
2021-09-10 15:07:07.000000,Manifest,--C-,Library/Calendar/Calendar.sqlitedb - HomeDomain
grep "Calls,call,From" timeline.csv --after=8
I tried looking up information on the web about it, but it only gets more and more suspicious: folks that can't compile because it isn't signed, other folks that are having trouble with their battery due to it, and another who just wonders if he's a target for attack. The nexus of issues around this makes me suspicious about it, but more I'm trying to figure out how to read what got put in there (I'm imagining someone able to load some unreadable bytes in a falsified inbound caller ID and using that to inject some bytes into this forgotten module that then unleashes badness).
I got this far:
mvt-ios decrypt-backup <backuplocation> -d ~/Documents/decrypt
mvt-ios check-backup ~/Documents/decrypt -o ~/Documents/mvt
cd ~/Documents/mvt
sqlite3 Manifest.db
.schema
select * from Files where relativePath like '%Magical%';
d1d5c76d198cdfb122efdca5eb0bffbaf4a50253|HomeDomain|Library/Preferences/com.apple.DuetExpertCenter.MagicalMoments.plist|1|bplist00?
X$versionY$archiverT$topX$objects
cd d1
cat d1d5*
X$versionY$archiverT$topX$objects??_NSKeyedArchiver? Troot??
_trackIdentifierV$classYpauseTimeXbundleIdXplayTime?????P?NS.time#A?u?? ??5?? Z$classnameX$classesVNSDate?!XNSObject?#$_PMMMusicContainer?%!_PMMMusicContaine$)27ILQSZ`k}?????????????????????
&O?bplist00?
X$versionY$archiverT$topX$objects??_NSKeyedArchiver? Troot??
I'd like to read this file in the native plist format to learn more. My question is how?
defaults read ./d1d5c76d198cdfb122efdca5eb0bffbaf4a50253
2021-09-10 10:50:03.282 defaults[11657:147840]
Domain ./d1d5c76d198cdfb122efdca5eb0bffbaf4a50253 does not exist
[Personal Information Edited by Moderator]
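Added example, not from the original post or from MVT: a Python script that loads the extracted binary plist with the standard library and walks the NSKeyedArchiver object graph, so the $objects array reads as one normal record instead of scattered strings and UID references. The archive it decodes is constructed inline from the key names visible in the strings dump (PMMMusicContainer, trackIdentifier, bundleId, pauseTime, playTime); the values are made up, and a real file is read with `open(path, "rb").read()` and passed to `unarchive`.

```python
import plistlib
from datetime import datetime, timedelta, timezone

# NSDate stores NS.time as seconds since 2001-01-01 UTC (the Cocoa epoch).
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def unarchive(data):
    """Turn an NSKeyedArchiver plist (binary or XML) into plain Python values.
    $top.root is a UID into $objects; a dict with a $class key is an archived
    object whose class name is stored in yet another $objects entry."""
    plist = plistlib.loads(data)
    objects = plist["$objects"]

    def resolve(node):
        if isinstance(node, plistlib.UID):          # follow the reference
            return resolve(objects[node.data])
        if isinstance(node, list):
            return [resolve(x) for x in node]
        if isinstance(node, dict):
            out = {k: resolve(v) for k, v in node.items() if k != "$class"}
            if "$class" in node:
                cls = resolve(node["$class"])["$classname"]
                if cls == "NSDate":                 # NS.time -> real timestamp
                    return COCOA_EPOCH + timedelta(seconds=out["NS.time"])
                out["$classname"] = cls             # keep the class for the reader
            return out
        return node

    return resolve(plist["$top"]["root"])

# Constructed sample using the keys visible in the strings dump; it is NOT a
# real MagicalMoments.plist and every value below is made up.
PAUSED_AT = datetime(2021, 9, 10, 15, 6, 59, tzinfo=timezone.utc)
SAMPLE = plistlib.dumps({
    "$version": 100000, "$archiver": "NSKeyedArchiver",
    "$top": {"root": plistlib.UID(1)},
    "$objects": [
        "$null",
        {"$class": plistlib.UID(5), "trackIdentifier": plistlib.UID(2),
         "bundleId": plistlib.UID(3), "pauseTime": plistlib.UID(4), "playTime": 12.5},
        "i.mXXXXXXXX",
        "com.apple.Music",
        {"$class": plistlib.UID(6), "NS.time": (PAUSED_AT - COCOA_EPOCH).total_seconds()},
        {"$classname": "PMMMusicContainer", "$classes": ["PMMMusicContainer", "NSObject"]},
        {"$classname": "NSDate", "$classes": ["NSDate", "NSObject"]},
    ],
}, fmt=plistlib.FMT_BINARY)

def decode_sample():
    return unarchive(SAMPLE)
```

On macOS, `plutil -p <file>` prints the same binary plist in readable form, but leaves the UID references inside $objects unresolved, which is why the strings look scattered.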