Updated: Oct 25, 2021
As promised, here is our follow-up piece, on battling Pegasus from a detection and defense standpoint.
Detecting the Spyware's Presence:
► It can be difficult to detect this spyware's presence if one isn't looking for it specifically, and even then we have to tread lightly: a tool of this level of sophistication has self-destruct capabilities, so a careless check can wipe the evidence.
► To check your own device for signs of Pegasus, it is necessary to do a forensic analysis of the phone and extract its data.
► The safest approach to detecting and further analyzing Pegasus, or any malware for that matter, once suspicions arise is to work on a forensic image of the mobile device rather than on the live phone.
From ‘Patient Zero,’ a Trail of Evidence
Upon doing some research, the most credible resource we've come across when it comes to fighting back against the Pegasus spyware is an in-depth analysis done by Amnesty International's technology team. They managed to get access to dozens of phones suspected to have been infected by this spyware.
The remaining portion of this paper will be a reflection over key takeaways from this analysis.
To start off, the team began its forensic analysis to detect Pegasus on the suspected devices by looking for the most obvious giveaway: the presence of malicious links in text messages. These links would lead to one of a series of domains used by NSO Group to download the spyware onto the phone, what's known as the company's infrastructure.
NSO Group also appeared to have originally used a series of fake email accounts to set up much of its infrastructure. Finding one of those accounts linked to a domain is additional evidence that it belongs to NSO Group.
“Patient zero” was a human rights activist from the United Arab Emirates named Ahmed Mansoor.
In 2016, Citizen Lab discovered that Mansoor’s phone had been hacked through malicious links offering “new secrets” about torture carried out by UAE authorities. Citizen Lab was able to show that the messages came from Pegasus.
Besides spotting some similarities between patient zero's phone and the other mobile devices collected, the team also observed the presence of links to NSO's network infrastructure. The most common malicious process, besides the links and other similarities, was a particular one called "Bridgehead".
Although Amnesty International, Citizen Lab, and others have primarily attributed Pegasus spyware attacks based on the domain names and other network infrastructure used to deliver the attacks, the forensic evidence left behind by the Pegasus spyware provides another, independent way to attribute these attacks to NSO Group's technology.
The Amnesty team observed a definite pattern on infected devices: a website was browsed, an application failed, and some files were modified, all within a matter of seconds or milliseconds. In every example they looked at, this same distinctive sequence recurred.
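The timeline pattern above (a page visit followed within seconds by an app crash and file changes) can be turned into a simple correlation check over an extracted device timeline. This is an added example, not code from the original post or from Amnesty's toolkit; the event kinds, the five-second window and the timeline rows are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample timeline (an assumption, not real forensic data): each row
# is (ISO-8601 timestamp, event kind, detail) as an analyst might extract from a
# phone image: browser history, crash logs and file-system metadata.
SAMPLE_TIMELINE = [
    ("2021-07-01T10:00:00.000", "web_visit", "https://news.example.invalid/story"),
    ("2021-07-01T10:00:00.420", "app_crash", "com.apple.WebKit.WebContent"),
    ("2021-07-01T10:00:01.100", "file_modified", "/private/var/tmp/PLACEHOLDER/cache.db"),
    ("2021-07-01T11:30:00.000", "web_visit", "https://shop.example.invalid/cart"),
    ("2021-07-01T12:45:00.000", "app_crash", "com.example.game"),
    ("2021-07-01T12:46:30.000", "file_modified", "/private/var/mobile/Library/Caches/x"),
]

# The post describes visit -> crash -> file change happening within seconds;
# the 5-second window is an assumed threshold, tune it to the case at hand.
WINDOW = timedelta(seconds=5)
REQUIRED_KINDS = {"web_visit", "app_crash", "file_modified"}


def _parse(rows):
    """Turn (timestamp, kind, detail) rows into time-sorted tuples."""
    return sorted((datetime.fromisoformat(ts), kind, detail) for ts, kind, detail in rows)


def find_suspicious_clusters(rows, window=WINDOW):
    """Return clusters where a web visit is followed, inside `window`, by both
    an application crash and a file modification. Each cluster records the
    anchoring visit, the span in milliseconds and the events involved."""
    events = _parse(rows)
    clusters = []
    for i, (t0, kind, _detail) in enumerate(events):
        if kind != "web_visit":
            continue  # the pattern is anchored on the page visit
        group = [e for e in events[i:] if e[0] - t0 <= window]
        if REQUIRED_KINDS <= {k for _, k, _ in group}:
            clusters.append({
                "visit": group[0][2],
                "span_ms": (group[-1][0] - t0) // timedelta(milliseconds=1),
                "events": [(t.isoformat(), k, d) for t, k, d in group],
            })
    return clusters


if __name__ == "__main__":
    for c in find_suspicious_clusters(SAMPLE_TIMELINE):
        print(f"suspicious cluster after {c['visit']} ({c['span_ms']} ms):")
        for ts, kind, detail in c["events"]:
            print(f"  {ts}  {kind:<14} {detail}")
```

The lone crash and file change at 12:45 are deliberately not flagged: without the preceding page visit they do not match the sequence the Amnesty team described, which keeps ordinary app crashes from generating noise.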
How to Protect Yourself?
We need to be mindful of using specific strategies to secure our devices. Despite how undefeatable the Pegasus spyware may seem, one must take measures to avoid infection.
For the Pegasus spyware to work, the device it is targeting has to be compatible with its technology. This translates to compatibility with NSO Group's technology system, which is the foundation for Pegasus.
Amnesty's study found that particular iOS devices are more vulnerable than others, mainly due to compatibility issues between the hardware and software of those devices. The positive note here is that if a device is not compatible with Pegasus, it will be unable to infect it.
Here's a cool infographic that gives a rundown on Pegasus.
Some of the more common approaches that can be taken by all of us are:
► Only downloading software from trusted sources.
► Reading all disclosures when installing software.
► Avoiding interactions with pop-up ads.
► Staying current with updates and patches for browser, operating system, and application software.
► Not opening email attachments or clicking on links from unknown senders.
► Using only trusted antivirus software and reputable spyware tools.
► Enabling two-factor authentication (2FA) whenever possible.
These are simple steps we can take to prevent ourselves from being exposed.