How to detect Pegasus Spyware on iPhone and Android?


Amnesty International, whose Security Lab is part of the consortium that helped break the news of journalists, activists and heads of state being targeted with Pegasus, the spyware sold by the Israeli company NSO Group, has released a tool to check whether your phone is affected. The tool works from a backup of your phone taken on a separate computer, which you then check manually, and it comes with a detailed set of instructions to walk you through the technical testing process.

If you have been worried about your phone since the news broke and are looking for instructions on how to use Amnesty's tool, read on. The first thing to note is that the tool is command-line based, so it requires a certain amount of technical skill and a little patience to get up and running. We have tried to cover most of what you need to know before you take the plunge.

Amnesty's researchers published detailed technical notes along with the toolkit, the Mobile Verification Toolkit (MVT), to help others determine whether their phones were targeted by Pegasus. It works on both iPhone and Android devices, but Amnesty says iOS retains more forensic traces than Android, so a compromise is easier to detect on an iPhone.

If you already have an encrypted iPhone backup, MVT can decrypt it rather than requiring a brand new copy. MVT can also work from a fresh full iPhone backup or, if your phone is jailbroken, from a complete filesystem dump. You then feed it indicators of compromise (IOCs) tied to NSO's delivery of Pegasus, such as the domain names of NSO infrastructure used to send malicious SMS messages and e-mails.

The toolkit runs on the command line, so it is not the most polished user experience and requires some basic familiarity with navigating a terminal.

Once it is set up and ready to scan your phone for Pegasus, you need to feed it Amnesty's IOCs, which are published on its GitHub site. The scan then works through the backup files looking for matches; it takes one to two minutes and produces several files and folders of results. We got it up and running in about 10 minutes, not counting the time for a fresh backup of the iPhone, and it is worth taking a new backup whenever you want to check again. Amnesty updates the indicators over time as new infrastructure is identified, so always download the most recent copy before you scan.

If the toolkit finds a possible compromise, it flags it in the output files. In our case we got one hit that turned out to be a false positive; after we checked with the Amnesty researchers, the offending indicator was removed from the IOCs. A fresh scan with the updated IOCs showed no signs of compromise.
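The workflow described above (load Amnesty's IOCs, scan the backup's artifacts, review each hit, rescan once a false positive has been withdrawn) boils down to matching indicators against records pulled out of the backup. The example below is an added illustration written for this article, not MVT's or Amnesty's code; the real tool is driven with `mvt-ios decrypt-backup` followed by `mvt-ios check-backup --iocs pegasus.stix2`, and it implements many more checks than this. The STIX 2 bundle, the two domain names, the Safari history rows and the SMS messages are all constructed here; the domains are placeholders, not real NSO infrastructure. The output uses the same four column names MVT writes to `timeline_detected.csv`.

```python
"""Added example: the indicator-matching step behind an MVT-style backup scan,
run over constructed data. Not MVT's own code."""
import csv
import io
import json
import re
from typing import Optional
from urllib.parse import urlsplit

# --- Constructed input (everything below is made up for this example) --------
# A STIX 2 bundle laid out like Amnesty's pegasus.stix2. Both domains are
# placeholders invented for the example, not real NSO infrastructure.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-0000-0000-000000000000",
    "objects": [
        {"type": "indicator", "name": "placeholder-1",
         "pattern": "[domain-name:value = 'update-cdn.example.net']"},
        {"type": "indicator", "name": "placeholder-2",
         "pattern": "[domain-name:value = 'news.example.org']"},
    ],
})

# Records of the kind a backup scan extracts: Safari history and SMS (UTC).
SAFARI_HISTORY = [
    {"isodate": "2021-07-10 08:12:31", "url": "https://www.apple.com/"},
    {"isodate": "2021-07-11 22:03:17", "url": "https://update-cdn.example.net/x/4k2"},
]
SMS_MESSAGES = [
    {"isodate": "2021-07-09 13:40:02", "phone_number": "+10000000000",
     "text": "Your parcel is waiting: https://news.example.org/track?id=77"},
    {"isodate": "2021-07-12 09:15:55", "phone_number": "+10000000001",
     "text": "Lunch tomorrow?"},
]

PATTERN_RE = re.compile(r"\[domain-name:value = '(?P<domain>[^']+)'\]")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")
TIMELINE_COLUMNS = ["UTC Timestamp", "Plugin", "Event", "Description"]


def load_domain_indicators(stix_json: str) -> set:
    """Collect every domain-name indicator from a STIX 2 bundle (lower-cased)."""
    domains = set()
    for obj in json.loads(stix_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = PATTERN_RE.match(obj.get("pattern", ""))
        if m:
            domains.add(m.group("domain").lower())
    return domains


def host_matches(url: str, domains: set) -> Optional[str]:
    """Return the indicator the URL's host equals or sits under, else None.
    Suffix matching is anchored on a dot so 'example.net.evil' cannot match."""
    host = (urlsplit(url).hostname or "").lower()
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan(safari_rows, sms_rows, domains) -> list:
    """Run the Safari-history and SMS checks; return hits as timeline records."""
    hits = []
    for row in safari_rows:
        d = host_matches(row["url"], domains)
        if d:
            hits.append({"UTC Timestamp": row["isodate"], "Plugin": "safari_history",
                         "Event": "visit",
                         "Description": f"{row['url']} (matches {d})"})
    for msg in sms_rows:
        for url in URL_RE.findall(msg["text"]):
            d = host_matches(url, domains)
            if d:
                hits.append({"UTC Timestamp": msg["isodate"], "Plugin": "sms",
                             "Event": "sms_received",
                             "Description": f"from {msg['phone_number']}: {url} (matches {d})"})
    return sorted(hits, key=lambda h: h["UTC Timestamp"])


def timeline_csv(hits) -> str:
    """Serialise detections with MVT's timeline_detected.csv column names."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=TIMELINE_COLUMNS)
    writer.writeheader()
    writer.writerows(hits)
    return buf.getvalue()


if __name__ == "__main__":
    iocs = load_domain_indicators(STIX_BUNDLE)
    print(timeline_csv(scan(SAFARI_HISTORY, SMS_MESSAGES, iocs)))
    # Review step from the article: one hit is judged a false positive, the
    # indicator is withdrawn, and the rescan runs against the revised list.
    revised = iocs - {"news.example.org"}
    print(timeline_csv(scan(SAFARI_HISTORY, SMS_MESSAGES, revised)))
```

The two runs in the `__main__` block mirror what happened in our test: the first scan reports two hits, and after the reviewed indicator is dropped only the genuine Safari match remains. Note the dot-anchored suffix check in `host_matches`: a naive `endswith` would let an attacker-chosen host such as `update-cdn.example.net.evil.test` register as a match, which is the kind of noise that creates false positives in the first place.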

Why was Pegasus in the news?

In July 2021, an international consortium of news organisations reported that several authoritarian governments, including those of Mexico, Morocco and the United Arab Emirates, had used spyware developed by NSO Group to hack the phones of their most vocal critics, including journalists, activists, politicians and business leaders. A leaked list of 50,000 phone numbers of potential surveillance targets was obtained by the Paris-based journalism non-profit Forbidden Stories and Amnesty International and shared with the consortium. Researchers analysed the phones of dozens of people on the list and confirmed they had been targeted by the software.

The report also shed new light on which governments are NSO customers. Hungary is named as an NSO customer, a member of the European Union where privacy is supposed to be a fundamental right for the bloc's 500 million citizens. NSO says it does not know who its customers target, a position it reiterated in a statement to TechCrunch on Monday, and it has denied the consortium's claims.

The alleged use of Pegasus, developed by the Israeli company NSO Group, to spy on journalists, human rights activists, politicians and others in a number of countries, including India, has raised serious privacy concerns. The Pegasus Project investigation by the media consortium found more than 50,000 phone numbers on the list of potential targets. According to the consortium, politicians, human rights activists and journalists were targeted with phone spyware sold by the company to various governments. The roughly 300 verified Indian numbers on the list include ministers, opposition leaders, a sitting judge, more than 40 journalists, and several activists and businessmen. Amid the furious controversy, NSO has defended itself, saying that millions of people around the world sleep well at night and walk the streets safely because such technology is available to intelligence and law enforcement agencies.

What is Pegasus Spyware?

Pegasus is hacking software, or spyware, developed, marketed and licensed to governments around the world by Israel's NSO Group. It is capable of infecting phones running either iOS or Android, operating systems that between them run on billions of devices.

It is designed to infiltrate both Android and iOS smartphones and turn them into surveillance devices. NSO markets it as a tool for tracking criminals and terrorists, not for mass surveillance.

According to a 2016 price list, NSO Group charged customers $650,000 to break into 10 devices, plus an installation fee of $500,000. A single licence can be used against multiple smartphones. The company says it sells the software only to government agencies.

How does Pegasus work?

Pegasus infections are achieved through so-called zero-click attacks, which require no interaction from the phone's owner to succeed. Earlier Pegasus campaigns relied on the target tapping a malicious link in a text message; zero-click delivery removes even that step. These attacks exploit zero-day vulnerabilities: flaws in the operating system that the vendor either did not know about or had not yet fixed.

In 2019, WhatsApp revealed that NSO's software had been used to send malware to more than 1,400 phones by exploiting a zero-day vulnerability: simply placing a WhatsApp call to the target device installed malicious code on the phone, even if the call was never answered. NSO has since exploited vulnerabilities in Apple's iMessage, giving it a potential route into hundreds of millions of iPhones. Apple says it has updated its software to block such attacks.

What makes Pegasus so alarming is that it relies on zero-click exploitation. Most traditional spyware needs the target to do something, such as tapping a link in a phishing message.

With a zero-click attack there is nothing the target can do to avoid infection: you do not have to open a document, tap a link or answer a call. The exploit arrives in a message or call that the target may never even see.

One of the most alarming findings of the investigation into Apple's iPhones is that you remain vulnerable even if you keep an up-to-date phone on the latest iOS release. Tests found forensic evidence of successful hacks on some of the newest iPhones. Pegasus is emblematic of how sophisticated the spyware industry has become.

While other spyware products only intercept communications going forward, NSO says Pegasus also extracts existing (including historical) data from the device to build a more comprehensive and accurate intelligence picture. The initial extraction sends SMS records, contacts, call logs, e-mails, messages and browsing history to the command-and-control servers. Because Pegasus then monitors and retrieves new data from the infected device in real time, it offers a range of active collection features that let the operator follow the target as events happen and gather information about the target, their surroundings and their contacts.

Location tracking is GPS-based. If GPS is disabled on the target's phone, Pegasus can switch it on briefly for sampling and then turn it off again. If no GPS signal is available, the phone's location can still be derived from the mobile network's cell IDs.

Pegasus can take photos with the front and rear cameras, but only after determining that the phone is idle, so that the user does not notice. It can also turn on the microphone to record incoming and outgoing calls or ambient sound. Any action that suggests the user is picking up the phone, such as turning on the screen, causes the recording to stop immediately.

The operator can preset the photo quality to reduce data consumption and speed up transmission. NSO warns that the flash is never used and that photos should not be taken while the phone is in motion or in a dimly lit room, since the images would be useless. The operator can also define alerts on real-time events: geo-fencing alerts when the target enters or leaves a defined area, meeting alerts when two monitored devices share a location, connection alerts when calls or messages are exchanged with specific numbers, and content alerts when certain words appear in messages.

Collected data is encrypted in transit with symmetric encryption (AES-128). According to NSO, special care is taken to keep Pegasus's use of data, battery and storage minimal so that the target does not become suspicious, which is why Wi-Fi connections are preferred for transmitting the collected data.

If transmission is not possible, the collected data is stored in a hidden, encrypted buffer that is kept below 5 percent of the free space on the device. Transmission is paused when the battery is low or the target is roaming. In urgent cases data can be sent over SMS, but NSO warns that these messages may show up on the target's phone bill. NSO says it puts extra thought into compression, prioritising text content, to minimise the data footprint and the impact on the target's cellular data plan.

All communication between Pegasus and the central server goes through the Pegasus Anonymized Transmission Network (PATN), which is designed to make the origin of the connection untraceable. According to NSO, PATN nodes are distributed around the world and redirect Pegasus connections to the server along varying paths.


Ravi Barot