Detecting and Protecting Your Smartphone From Pegasus Spyware

What is Pegasus?

The spyware Pegasus has been attributed to the NSO Group, an Israeli company. According to recent reports, this spyware has been used to facilitate human rights violations worldwide on a massive scale. This is a program that allows the attacker to access the infected smartphone’s microphone and camera. One can even gain access to messages, emails and collect location data, giving near-complete access to one’s smartphone. The malware is commercial and sold to anyone who is willing to pay. It secretly roots a target’s mobile phone and turns it into a listening device. NSO said that it licenses the tool exclusively to government agencies to combat terrorism and other serious crimes. As per the NSO Group, the program has been sold only to fight against terrorism and crime. The Kaspersky report mentioned that Pegasus was discovered by Ahmed Mansoor in 2017, a UAE human rights activist. He happened to be one of its targets through spear-phishing attacks.

How Does It Infect Your Smartphone?

WhatsApp is recognized as an extremely secure platform, but it cannot prevent its users from being attacked by the Pegasus spyware. Pegasus was originally used to gain unlimited nearby access to a mobile phone through a malicious network link through a message or email attempted on Ahmed Mansoor. Once a user clicks on the link, Pegasus is automatically installed on the phone. The spyware has also gained some new capabilities. Researchers have discovered that a phone can be immediately infected with Pegasus just by calling via WhatsApp. The device will still get infected even if users did not pick up the call, and make it zero-click spyware without any input from a victim. Moreover, once it has access to the device, it can delete the entire history of the call log which prevents the victim from knowing that their phone was a target of the spyware. On Android devices, Pegasus does not rely on zero-day vulnerabilities. Instead, it uses a well-known rooting method called Framaroot, which leaves the victim unable to detect any issues. For iOS, it is allowed to jailbreak the device and automatically install surveillance software based on three zero-day vulnerabilities.

How To Tell If Your Phone Has Been Affected?

This malware is designed to evade forensic analysis, detection by anti-virus software, and has self-destruction features. Kaspersky researchers called it a ‘tool for total surveillance.’ Pegasus spyware is nearly impossible to detect. After it is uninstalled, it doesn’t leave any trace, and there is no way to tell whether the device was affected in the past. Your phone will not show any lags or visible signs when it is infected by Pegasus. One way to find out if you are infected with Pegasus is to use WhatsApp. The application requests users to immediately update to the latest version after sending an alert message to the list of affected users. So far, messages from WhatsApp and Citizen Lab are the only visible indicator that tells you if your phone is affected. Another method to discover if you have been infected by the spyware on Android mobiles is to check if your device has been rooted without your knowledge using any root reviewing the application.

Prevention/Staying Safe

Many cybersecurity analysts and experts have suggested that the only way to completely eliminate Pegasus is to dispose of the infected phone. As reported by the Citizen Lab, even factory resetting your smartphone will not change anything because it cannot completely remove the spyware. The attackers are still capable of continuing to access your online accounts even after your device is no longer infected. To ensure your online accounts are safe, change the passwords of all the applications and services you use on the infected device.

Diagnosis for Presence of Pegasus Spyware

• Monitor changes in the daily data usage (The data usage will be higher if the phone is infected with spyware)
• Check for any unknown WhatsApp missed calls.
• Check for the unknown applications & processes running in the background.
• Sudden battery drainage.
• Poor and slow performance of your device.
• Check for permissions of camera and microphone for unintended applications using these permissions.
• WhatsApp alerts are important; WhatsApp will send regular alerts for updates.
• Check whether the phone has been rooted (or jailbroken, in case of iPhones).
• Other applications crash more often.

Mitigation

• To detect the presence of Pegasus spyware, users can deploy the Mobile Verification Toolkit (MVT). This tool works well on both Android and iOS devices.
• It is developed by Amnesty International, and it’s a technical and command line or terminal-based tool.
• First, it creates an encrypted backup by using either iTunes or Finder on a Mac or PC.
• After you have backed up and encrypted your data, if you’re using a Mac to run the check, you’ll initially need to install both Xcode (easily downloaded from the App Store) and Python3 before you get it to work. The easiest way to obtain Python3 is to use a program called Homebrew, which can be installed and run from the Terminal. After you install them, you’ll be ready to go through Amnesty’s iOS instructions.
• The indicator of the corrupted files is called out while running the actual scan, which Amnesty has provided the pegasus.stix2. file format.
• Eventually, it will list the suspicious files after the MVT is being run, but it may not confirm yet whether you have a spyware infection or not.

Prevention from Pegasus Spyware

• Don’t open any suspicious or malicious files and links; only open the links and files received from trusted sources.
• Avoid using public and free WiFi Services; even if you are accessing them to use VPN (Virtual Private Network).
• Limit the physical access of your devices.
• Always make sure that all the applications and phone operating systems are updated with relevant patches and updates.
• Encrypt your critical data.
• Use distinctive, strong, and hard-to-guess passwords for each device.
• Install a security solution such as antivirus software on each of your devices.
• Beware of phishing attacks. If you receive a link from an unknown source, do not click the link.