
Detecting infection traces from Pegasus and other APTs can be tricky, complicated by iOS and Android security features.

Costin Raiu, Global Director, Kaspersky GReAT

January 13, 2022

5 Min Read

One of the biggest stories of 2021, an investigation by the Guardian and 16 other media organizations published in mid-July, centered on a leaked list of more than 50,000 phone numbers and suggested that human rights activists, journalists, and lawyers across the world may have been targeted using Pegasus. The list of targeted individuals includes world leaders and many activists, human rights advocates, dissidents, and opposition figures. The report, called the Pegasus Project, alleged that the malware was deployed widely through a variety of exploits, including several iOS zero-click zero-days.

Most recently, Amnesty International identified Pegasus in use against "journalists and members of civil society organizations" in El Salvador.

Based on forensic analysis of numerous mobile devices, Amnesty International's Security Lab found that the software was repeatedly used in an abusive manner for surveillance. Over the past year, representatives from the Israeli government visited NSO's Herzliya office to investigate the claims, and India's Supreme Court commissioned a technical committee to investigate the national government's use of Pegasus to spy on its own citizens. In November, Apple announced that it was taking legal action against NSO Group for developing software that targets its users with "malicious malware and spyware." And in December, Reuters reported that several US State Department iPhones had been hacked using NSO's Pegasus malware.

Detecting infection traces from Pegasus and other advanced mobile malware is very tricky, and it is complicated by the security features of modern OSs like iOS and Android. Based on our observations, it is further obscured by the deployment of non-persistent malware, which runs only in memory and leaves almost no traces after a reboot. Many forensics frameworks require a device jailbreak, and jailbreaking involves a reboot, which flushes the malware from memory and thus destroys the evidence. Currently, several methods can detect Pegasus and other mobile malware. The free, open source MVT (Mobile Verification Toolkit) from Amnesty International allows technologists and investigators to inspect mobile phones for signs of infection; on iOS it can analyze an encrypted iTunes backup of the device, so no jailbreak is needed. MVT is further boosted by a list of indicators of compromise (IoCs) collected from high-profile cases and made available by Amnesty International.
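To make the IoC-matching step concrete, here is an added example of the kind of check MVT performs. It is not part of the original article and not MVT's own code: URLs found in message bodies and process names from a diagnostic listing are compared against a list of domain and process indicators. All indicators (the .invalid domains and the process name hypothetical_daemon) and all sample records are constructed placeholders, not real Pegasus indicators.

```python
"""
Indicator-of-compromise matching in the style of MVT (an added example,
not MVT's own code). Every indicator and record below is a constructed
placeholder: the .invalid domains and the process name are hypothetical
and are not real Pegasus indicators.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set
from urllib.parse import urlparse

# Constructed indicator set. A real investigation loads the STIX2 bundle
# published by Amnesty International's Security Lab instead.
INDICATORS: Dict[str, Set[str]] = {
    "domains": {"ioc-example.invalid", "cdn-ioc.invalid"},  # hypothetical
    "processes": {"hypothetical_daemon"},                   # hypothetical
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


@dataclass(frozen=True)
class Match:
    source: str     # artefact the hit came from ("sms:<id>" or "process")
    indicator: str  # the indicator value that matched
    evidence: str   # the raw value that triggered the hit


def host_from_url(url: str) -> Optional[str]:
    """Return the lower-cased host of a URL, or None if it has none."""
    try:
        host = urlparse(url).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def matching_domain(host: str, domains: Set[str]) -> Optional[str]:
    """Exact match or a subdomain of an indicator domain.

    The '.' prefix matters: 'cdn-ioc.invalid.example.org' must NOT match
    'cdn-ioc.invalid', which a naive substring test would accept.
    """
    for domain in domains:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def check_messages(messages: Iterable[dict],
                   indicators: Dict[str, Set[str]]) -> List[Match]:
    """Scan message bodies for URLs whose host matches a domain indicator."""
    hits: List[Match] = []
    for msg in messages:
        for url in URL_RE.findall(msg["text"]):
            host = host_from_url(url)
            if host is None:
                continue
            hit = matching_domain(host, indicators["domains"])
            if hit:
                hits.append(Match(f"sms:{msg['id']}", hit, url))
    return hits


def check_processes(process_names: Iterable[str],
                    indicators: Dict[str, Set[str]]) -> List[Match]:
    """Match process names from a diagnostic dump against process indicators."""
    wanted = indicators["processes"]
    return [Match("process", name, name) for name in process_names if name in wanted]


def scan(messages: Iterable[dict], processes: Iterable[str],
         indicators: Dict[str, Set[str]] = INDICATORS) -> List[Match]:
    """Run every check and return all hits in artefact order."""
    return check_messages(messages, indicators) + check_processes(processes, indicators)


# Constructed sample input standing in for an SMS/iMessage table and a
# process listing; none of it comes from a real device.
SAMPLE_MESSAGES = [
    {"id": 1, "text": "Your parcel is waiting: https://track.ioc-example.invalid/x?q=1"},
    {"id": 2, "text": "Meeting moved, see https://example.org/news"},
    # Looks like an indicator but is an unrelated host; must not match.
    {"id": 3, "text": "hi https://cdn-ioc.invalid.example.org/"},
]
SAMPLE_PROCESSES = ["launchd", "SpringBoard", "hypothetical_daemon"]

if __name__ == "__main__":
    for m in scan(SAMPLE_MESSAGES, SAMPLE_PROCESSES):
        print(f"{m.source}: matched {m.indicator!r} in {m.evidence!r}")
```

Two details matter in practice: host matching must be exact-or-subdomain (the third constructed message shows why a plain substring test is wrong), and a process-name hit is only meaningful if the listing was taken before any reboot, since a non-persistent implant does not survive one.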

Everyone wants to know how to protect their mobile devices from Pegasus and other similar tools and malware. We pulled together some recommendations in this Tech Tip, with the caveat that it is not an exhaustive list. Attack techniques are always evolving, and so must defenses. Go check out the list — and then come back here to keep reading.

I Want My Money Back, Costin — I Did All You Recommended and Still Got Infected!
So you followed all these recommendations carefully and still got infected. Sadly, this is the reality we live in nowadays. I feel for you, really. You may not be a bad guy at all; on the contrary, I'm sure you're one of the good guys. Perhaps you spoke out against powerful people, participated in protests against a questionable decision by certain political figures, simply used encryption software, or were in the wrong place at the wrong time. Look on the bright side: you know you've been infected, because the artifacts and the knowledge to interpret them allowed you to determine that.

Think of the following things:

  1. Who targeted you and why? Try to figure out what it was that brought you to the attention of the big guys. Is this something that you can avoid in the future through more stealthy behavior?

  2. Can you speak about it? The thing that eventually brought down many surveillance companies was bad publicity: reporters writing about abuses and exposing the lies, the wrongdoing, and all the evil. If you’ve been targeted, try to find a journalist and tell them your story.

  3. Change your device. If you were on iOS, try moving to Android for a while. If you were on Android, move to iOS. This might confuse attackers for some time; for instance, some threat actors are known to have purchased exploitation systems that only work on a certain brand of phone and OS.

  4. Get a secondary device, preferably running GrapheneOS, for secure comms. Use a prepaid SIM card in it, or keep it in airplane mode and connect only over Wi-Fi and Tor. Avoid messengers that require you to give your contacts your phone number: once an attacker has your number, they can target you across every messenger tied to it, and iMessage, WhatsApp, Signal, and Telegram all are. An interesting newer choice here is Session, which routes your messages through an onion-style network and does not rely on phone numbers.

  5. Get in touch with a security researcher in your area and discuss best practices frequently. Share artifacts, suspicious messages, or logs whenever you think something is odd. Security is never a single snapshot solution that is 100% hackproof; think of it like a stream that flows, and you need to adjust your sailing depending on the speed, currents, and obstacles.

At the end of this, I'd like to leave you with a thought. If you get targeted by nation-states, that means you are important. Remember: it's nice to be important, but it's more important to be nice. Alone, we are weak; together, we are strong. The world may be broken, but I believe we are living at a time when we can still change things. According to a report from the nonprofit group Committee to Protect Journalists, 293 journalists were imprisoned in 2021, the highest number CPJ has ever reported since it started tracking the figure in 1992. It's up to us to shape what the world will look like for us in 10 years, for our children, and for our children's children.

You, the people, have the power to make this life free and beautiful, to make this life a wonderful adventure. Then — in the name of democracy — let us use that power — let us all unite. … Let us fight to free the world — to do away with national barriers — to do away with greed, with hate and intolerance. Let us fight for a world of reason, a world where science and progress will lead to all men’s happiness. Soldiers! In the name of democracy, let us all unite!
— Final speech from The Great Dictator

About the Author(s)

Costin Raiu

Global Director, Kaspersky GReAT

Costin Raiu specializes in analyzing advanced persistent threats and high-level malware attacks. He is leading the Global Research & Analysis Team (GReAT) at Kaspersky that researched the inner workings of Stuxnet, Duqu, Carbanak and more recently, Lazarus, BlueNoroff, Moonlight Maze and the Equation group. Costin’s work includes analyzing malicious websites, exploits and online banking malware.

Costin has more than 25 years of experience in anti-virus technologies and security research. He is a member of the Virus Bulletin Technical Advisory Board, a member of the Computer AntiVirus Researchers’ Organization (CARO) and a reporter for the Wildlist Organization International. Before joining Kaspersky, Costin worked for GeCad as Chief Researcher and as a Data Security Expert with the RAV antivirus developers group.

Some of his hobbies include chess, photography and science fiction literature.

