
Scan your iPhone for Pegasus spyware using a $1 app

A newly-released app lets you regularly scan your iPhone for Pegasus spyware – which can access almost all the data on a phone – for a one-off cost of just one dollar.

A mobile security firm created the app, which allows you to scan your iPhone or Android phone and send the results to them for analysis – and they’ve so far detected seven phones infected by the spyware …

NSO’s Pegasus spyware

NSO Group makes spyware called Pegasus. The company purchases so-called zero-day vulnerabilities (ones that are unknown to Apple) from hackers, and its software is capable of mounting zero-click exploits – where no user interaction is required by the target.

In particular, it’s reported that simply receiving a particular iMessage – without opening it or interacting with it in any way – can allow an iPhone to be compromised, with personal data exposed.

NSO sells Pegasus only to governments, but its customers include countries with extremely poor human rights records – with political opponents and others targeted. 

Victims aren’t just the obvious targets

Apple attempts to detect compromised iPhones and alert owners, but Wired reports that there’s now a way to proactively scan your own device.

On Tuesday, the mobile device security firm iVerify is publishing findings from a spyware detection feature it launched in May. Of 2,500 device scans that the company’s customers elected to submit for inspection, seven revealed infections by the notorious NSO Group malware known as Pegasus.

The company’s “Mobile Threat Hunting” feature uses a combination of malware signature-based detection, heuristics, and machine learning to look for anomalies in iOS and Android device activity or telltale signs of spyware infection.

Top comment by CT


Suspicious. Especially since there’s so little information on how exactly it works.

The app is either ineffective due to lack of quality data (iOS is a locked down system, luckily) or the user has to provide massive amounts of sensitive information to a company of unknown reputation (copying crash logs, adding MDM/VPN profiles, etc.). In either case, I wouldn’t install the software, not even as a sysadmin for a company.

Besides, “machine learning” in cybersecurity is in most cases the wrong tool, especially if you don’t keep the human in the loop. On one hand you have to deal with limited training data. Labelled malware samples and IoCs are hard to get at the scales you need for training a good model. On the other hand, threat actors can use the same tools to fit their malware so that it doesn’t match the training set.


Pegasus attacks are most commonly made against people like political activists, journalists, lawyers, politicians, and CEOs. But iVerify says that the seven victims it found spanned a far broader cross-section of the population than would have been expected.

“The really fascinating thing is that the people who were targeted were not just journalists and activists, but business leaders, people running commercial enterprises, people in government positions,” says Rocky Cole, chief operating officer of iVerify and a former US National Security Agency analyst. “It looks a lot more like the targeting profile of your average piece of malware or your average APT group than it does the narrative that’s been out there that mercenary spyware is being abused to target activists. It is doing that, absolutely, but this cross section of society was surprising to find.”

How to scan your iPhone for Pegasus spyware

iVerify is mostly pitching a subscription service to enterprise companies and other organizations, where devices are scanned on a continuous basis. But it’s also allowing individual smartphone owners to conduct monthly scans.

The company also offers a free version of the feature for anyone who downloads the iVerify Basics app for $1. These users can walk through steps to generate and send a special diagnostic utility file to iVerify and receive analysis within hours. Free users can use the tool once a month.

You can download the app here.

Image: 9to5Mac collage of images from iVerify and PxHere


Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

