New Spyware Phone Scanner Already Detects 7 Pegasus Infections

In recent years, commercial spyware has been used by more actors against a wider range of victims, but the prevailing narrative is still that this malware is used in targeted attacks on a much smaller number of people. At the same time, it has become difficult to test devices for infection, leaving people to rely on a loose network of academic institutions and NGOs that have been at the forefront of developing research techniques to detect mobile spyware. On Tuesday, mobile device security company iVerify published findings from a spyware detection feature it launched in May. Of the 2,500 devices the company’s customers chose to submit for testing, seven revealed infections with NSO Group’s well-known Pegasus malware.

The company’s Mobile Threat Hunting feature uses a combination of malware signature-based detection, heuristics, and machine learning to look for anomalies in iOS and Android device activity or telltale signs of spyware infection. For paying iVerify customers, the tool constantly scans devices for potential vulnerabilities. The company also offers a free version of the feature to anyone who downloads the iVerify Basics app for $1. These users can go through the steps of generating a special diagnostic utility file, submitting it to iVerify, and receiving an analysis within hours. Free users can run the tool once a month. iVerify’s infrastructure is designed to preserve privacy, but to use the Mobile Threat Hunting feature, users must enter an email address so the company has a way to contact them if a scan turns up spyware, as happened in the latest Pegasus discoveries.

“The most interesting thing is that the people who were targeted were not only journalists and activists, but business leaders, people who run businesses, people in government positions,” said Rocky Cole, CEO of iVerify and a former US National Security Agency analyst. “It looks a lot more like the target profile of your average malware or your average APT group than the narrative that’s been out there that mercenary spyware is being exploited to target activists. It does, of course, but this part of the community has been surprising to find.”

Seven out of 2,500 scans may sound like a small group, especially given that iVerify users, whether paid or free, are a self-selecting group who want to monitor their mobile device’s security at all, let alone check for spyware. But the fact that the tool found any infections at all speaks to how widespread the use of spyware has become around the world. Having a simple spyware detection tool could broaden the picture of how often this malware is used.

“NSO Group sells its products to intelligence and law enforcement agencies affiliated with the US & Israel,” NSO Group spokesperson Gil Lainer told WIRED in a statement. “Our customers use this technology every day.”

iVerify says it took a significant investment to develop the detection tool because mobile operating systems such as Android, and especially iOS, are more locked down than traditional desktop operating systems and do not allow monitoring software to have kernel access at the heart of the system. Cole says a key insight was to use telemetry taken as close to the kernel as possible to tune machine learning models for detection. Spyware like Pegasus also has features that make it easier to flag. In the seven detections, Mobile Threat Hunting caught Pegasus using diagnostic data, shutdown logs, and crash logs. The challenge, Cole says, lies in refining the mobile monitoring tools to reduce false positives.

Improved visibility is already proving useful, however. Cole says it helped iVerify identify signs of compromise on the smartphone of Gurpatwant Singh Pannun, a lawyer and Sikh political activist who was allegedly targeted for assassination by an Indian government employee in New York City. The Mobile Threat Hunting feature also flagged suspected nation-state activity on the mobile devices of two Harris-Walz campaign officials (a senior campaign member and a member of the IT department) during the presidential race.

“The era of thinking that iPhones and Android phones are safe out of the box is over,” Cole said. “The kinds of skills to know if your phone has spyware weren’t widespread yet. There were technical barriers and it left a lot of people behind. Now you have the ability to know if your phone is infected with commercial spyware. And the level is much higher than the existing history.”

Updated at 12:12 pm EST, December 4, 2024, to include a statement from NSO Group.