Check if Pegasus Spyware Targeted Your Phone

July 19, 2021
Revelations of Widespread Spyware Use

Recent investigations by an international coalition of news organizations have revealed that multiple governments with authoritarian tendencies – including Mexico, Morocco, and the United Arab Emirates – employed spyware created by NSO Group. This spyware was reportedly used to infiltrate the mobile phones of thousands of individuals.

Targets of Surveillance

Among those targeted were journalists, political activists, politicians, and business leaders who were vocal in their criticisms of these regimes. A substantial list, comprising 50,000 phone numbers potentially marked for surveillance, was acquired by Forbidden Stories, a Paris-based journalistic nonprofit, and Amnesty International.

Confirmation of Pegasus Spyware

The consortium, which included prominent publications like The Washington Post and The Guardian, meticulously analyzed the phones of numerous individuals identified on the list. Their analysis confirmed that these devices had indeed been targeted by Pegasus, NSO Group’s sophisticated spyware. Pegasus is capable of extracting all data stored on a compromised phone.

New Insights into NSO Group’s Clients

These reports also shed light on previously undisclosed details regarding the governments that are customers of NSO Group, information the company typically keeps confidential. Notably, Hungary, a European Union member state, was identified as a client.

Scale of Potential Surveillance

The investigations demonstrate the extensive scope of potential surveillance facilitated by NSO Group’s technology. Prior reports had indicated a smaller number of known victims, ranging from hundreds to over a thousand individuals.

NSO Group’s Response

NSO Group has strongly disputed the allegations. The company maintains that it lacks knowledge of who its customers target, a position it reiterated in a statement to TechCrunch.

Methods of Infection

Researchers from Amnesty International, collaborating with the Citizen Lab at the University of Toronto, discovered that Pegasus can be deployed in two primary ways. It can be delivered via a malicious link, which infects a phone when opened, or through a “zero-click” exploit.

This “zero-click” method silently compromises devices by exploiting vulnerabilities within the iPhone’s operating system. Citizen Lab researcher Bill Marczak noted that this zero-click capability functioned on iOS 14.6, the most current version available at the time.

Tools for Detection

Amnesty International’s researchers have published comprehensive technical documentation and a toolkit designed to assist individuals in determining whether their phones have been targeted by Pegasus.

The Mobile Verification Toolkit (MVT)

The Mobile Verification Toolkit, or MVT, is compatible with both iPhones and Android devices, though its functionality differs slightly between the two platforms. Amnesty International reports that detecting Pegasus on iPhones is generally easier due to the greater availability of forensic traces.

MVT allows users to analyze a full iPhone backup, or a complete system dump from a jailbroken device, for indicators of compromise (IOCs) associated with NSO Group’s infrastructure. These IOCs may manifest as domain names sent via text message or email.

Furthermore, MVT can decrypt encrypted iPhone backups without requiring the creation of a new copy.

Using the Toolkit

The toolkit operates through the command line, requiring some familiarity with terminal navigation. Initial setup took approximately 10 minutes, excluding the time needed to create a recent iPhone backup. Regularly updating the Amnesty International IOCs is crucial for accurate scanning.

The scanning process itself is relatively quick, taking about a minute or two to complete. The toolkit generates several files containing the scan results. Any potential compromises are flagged within these output files.

During testing, one initial “detection” was identified as a false positive and subsequently removed from the IOCs after verification with Amnesty researchers. A subsequent scan using the updated IOCs revealed no signs of compromise.

Android Device Scanning

For Android devices, MVT employs a simpler approach, scanning backups for text messages containing links to domains known to be used by NSO Group. The toolkit also facilitates the identification of potentially malicious applications installed on the device.
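The domain check described for iPhone backups and Android text messages can be sketched as follows. This is an added example, not MVT's own code and not from the original article; the indicator domains, message records and function names are constructed for illustration. It matches a link's hostname against the indicator list label by label, so subdomains of an indicator are caught while lookalike names that merely end with the same characters are not.

```python
import re
from urllib.parse import urlsplit

# Constructed indicator domains (placeholders, not real NSO Group infrastructure).
IOC_DOMAINS = {"bad-domain.example", "cdn.tracker.invalid"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def extract_hosts(text):
    """Return the lower-cased hostname of every http(s) URL in a message body."""
    hosts = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:!?)]}")  # drop sentence punctuation glued to the link
        try:
            host = urlsplit(url).hostname
        except ValueError:  # malformed URL, e.g. a broken IPv6 literal
            continue
        if host:
            hosts.append(host.rstrip(".").lower())  # normalise trailing root dot
    return hosts

def matches_ioc(host, iocs=IOC_DOMAINS):
    """Return the indicator equal to the host or to one of its parent domains."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None

def scan_messages(messages, iocs=IOC_DOMAINS):
    hits = []
    for msg in messages:
        for host in extract_hosts(msg["text"]):
            ioc = matches_ioc(host, iocs)
            if ioc:
                hits.append({"id": msg["id"], "host": host, "ioc": ioc})
    return hits

# Constructed sample messages, standing in for records read from a backup.
SAMPLE_MESSAGES = [
    {"id": 1, "text": "Your parcel is waiting: https://Track.Bad-Domain.example/p?id=7."},
    {"id": 2, "text": "Lunch? menu at http://notbad-domain.example/menu"},
    {"id": 3, "text": "see (https://cdn.tracker.invalid./a) and https://example.org"},
    {"id": 4, "text": "no links here"},
]

if __name__ == "__main__":
    for hit in scan_messages(SAMPLE_MESSAGES):
        print(hit)
```

Message 2 is the false-positive case to watch for: a plain substring or suffix comparison would flag it, while label-wise matching does not.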

Accessibility and Future Development

While currently command-line based, the toolkit is relatively straightforward to use. Its open-source nature suggests that a more user-friendly interface may be developed in the future. Detailed documentation is available to assist users throughout the process.

Updated on September 17 with updated links to the documentation. Secure communication channels are available via Signal and WhatsApp at +1 646-755-8849, and through SecureDrop for file submissions.
