Detecting infection traces from Pegasus and other APTs can be tricky, complicated by iOS and Android security features.

One of the biggest stories of 2021 — an investigation by the Guardian and 16 other media organizations, published in mid-July — suggested that over 30,000 human rights activists, journalists, and lawyers across the world may have been targeted using Pegasus. The list of targeted individuals includes world leaders and many activists, human rights advocates, dissidents, and opposition figures. The report, called the Pegasus Project, alleged that the malware was deployed widely through a variety of exploits, including several iOS zero-click zero days.
Most recently, Amnesty International identified Pegasus in use against “journalists and members of civil society organizations” in El Salvador.
Based on forensic analysis of numerous mobile devices, Amnesty International’s Security Lab found that the software was repeatedly used in an abusive manner for surveillance. Over the past year, representatives from the Israeli government visited NSO’s Herzliya office to investigate the claims, and India’s Supreme Court commissioned a technical committee to investigate the national government’s use of Pegasus to spy on its own citizens. In November, Apple announced that it was taking legal action against NSO Group for developing software that targets its users with “malicious malware and spyware.” And in December, Reuters reported that several US State Department iPhones were hacked using NSO Pegasus malware.
Detecting infection traces from Pegasus and other advanced mobile malware is very tricky, and it’s complicated by the security features of modern OSs like iOS and Android. Based on our observations, detection is made even harder by the deployment of non-persistent malware, which leaves almost no traces after reboot. Many forensics frameworks require a device jailbreak, which results in the malware being removed from memory during the reboot, thus destroying evidence. Currently, several methods can detect Pegasus and other mobile malware. The free, open source MVT (Mobile Verification Toolkit) from Amnesty International allows technologists and investigators to inspect mobile phones for signs of infection. Read more: https://bit.ly/3fpnID6