A new phone scanner that detects spyware has already found 7 Pegasus infections

In recent years, commercial spyware has been deployed by a widening set of actors against a wide range of victims, but the prevailing narrative has still been that the malware is used in targeted attacks against a very small number of people. At the same time, it has been difficult for people to check their own devices for infection, leaving individuals to navigate an ad hoc array of academic institutions and NGOs that use forensic techniques to detect mobile spyware and are on the front lines of its discovery. On Tuesday, the mobile device security firm iVerify published research from a spyware detection feature it launched in May. Of the 2,500 device scans that the company's customers chose to submit for inspection, seven revealed infections by the notorious NSO Group malware known as Pegasus.

The company's Mobile Threat Hunting feature uses a combination of signature-based malware detection, forensics and machine learning to detect anomalies in iOS and Android device activity or telltale signs of spyware infection. For paying iVerify customers, the tool regularly checks devices for potential compromise. But the company also offers a free version of the feature for anyone who downloads the iVerify Basics app for $1. These users can generate a special diagnostic utility file, send it to iVerify and receive an analysis within hours. Free users can run the tool once a month. iVerify's infrastructure is designed to preserve privacy, but to run the Mobile Threat Hunting feature users must enter an email address so the company has a way to contact them if a scan turns up spyware, as it did in the seven recent Pegasus discoveries.

"What's really interesting is that the people who were targeted were not just journalists and activists, but business leaders, people running businesses, people in government positions," says Rocky Cole, chief operating officer of iVerify and a former US National Security Agency analyst. "This looks a lot more like your average piece of malware or the targeting profile of your average APT group than it does the narrative that mercenary spyware is being misused to target activists. It is doing so, absolutely, but it was surprising to find this cross section of society."

Seven out of 2,500 scans may seem like a small number, especially among the somewhat self-selecting customer base of iVerify users, paid or free, who want to monitor their mobile device security and may specifically want to check for spyware. But the fact that the tool has already found a handful of infections shows how widespread the use of spyware has become around the world. Having an easy tool for diagnosing spyware compromises can expand the picture of how often such malware is being used.

"NSO Group markets its products exclusively to intelligence and law enforcement agencies in the United States and Israel. Our customers use these technologies daily," NSO Group spokesman Gil Lehner told Wired in a statement.

Matthias Frielingsdorf, vice president of research at iVerify, will present the group's Pegasus findings at the Objective by the Sea security conference in Maui, Hawaii, on Friday. He says developing the detection tool required significant investment because mobile operating systems such as Android, and especially iOS, are more locked down than traditional desktop operating systems and do not give monitoring software kernel access to the core of the system. Cole says the key insight was to use telemetry taken from as close to the kernel as possible to tune machine learning models for the hunt. Some spyware, such as Pegasus, also has particular traits that make it easier to flag. In the seven scans, Mobile Threat Hunting caught Pegasus using diagnostic data, shutdown logs, and crash logs. But the challenge, Cole says, is refining mobile monitoring tools to reduce false positives.
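To make the shutdown-log part of that concrete: an iOS device's shutdown.log records processes that were still running after the system asked everything to exit, and a process lingering at shutdown from an unusual path is one of the signals mobile forensic tools look for. The Python below is an added example written for this article, not iVerify's code or anything from its research. The sample log is constructed; its lines follow the "remaining client pid: <pid> (<path>)" entries found in shutdown.log, and the allowlist of expected path prefixes is an assumption for illustration, not a vetted baseline.

```python
"""Flag processes that lingered at shutdown in an iOS shutdown.log.

Added example for this article; not iVerify's tool. The sample log below is
constructed, and EXPECTED_PREFIXES is an assumed baseline for illustration.
"""
import re
from collections import Counter

# Where system binaries and App Store apps normally live.
# ASSUMPTION: a rough baseline for this example, not an authoritative list.
EXPECTED_PREFIXES = (
    "/usr/",
    "/sbin/",
    "/bin/",
    "/System/",
    "/Applications/",
    "/private/var/containers/Bundle/Application/",
)

# One entry per process still alive when shutdown was requested.
CLIENT_RE = re.compile(r"remaining client pid:\s*(\d+)\s*\(([^)]+)\)")
# One header per shutdown event that had leftover clients.
EVENT_RE = re.compile(r"there are still \d+ clients", re.MULTILINE)


def parse_remaining_clients(log_text):
    """Return (pid, path) tuples for every lingering client in the log."""
    return [(int(m.group(1)), m.group(2)) for m in CLIENT_RE.finditer(log_text)]


def count_shutdown_events(log_text):
    """Number of shutdown events that reported leftover clients."""
    return len(EVENT_RE.findall(log_text))


def is_expected(path):
    """True if the path sits under a prefix we treat as normal."""
    return any(path.startswith(prefix) for prefix in EXPECTED_PREFIXES)


def find_suspicious(log_text):
    """Map each lingering path outside the expected prefixes to the number of
    shutdown events it appeared in. A path that keeps showing up across
    reboots is more interesting than a one-off, so the count is kept."""
    counts = Counter(path for _, path in parse_remaining_clients(log_text))
    return {path: n for path, n in counts.items() if not is_expected(path)}


# Constructed sample: two shutdown events, one legitimate daemon and one
# binary in a path where nothing should normally be running.
SAMPLE_LOG = """\
SIGTERM: [0x1a2b] After 5s, there are still 2 clients:
\t\tremaining client pid: 147 (/usr/sbin/mDNSResponder)
\t\tremaining client pid: 2038 (/private/var/tmp/example-unknown-binary)
SIGTERM: [0x3c4d] After 5s, there are still 1 clients:
\t\tremaining client pid: 2110 (/private/var/tmp/example-unknown-binary)
"""

if __name__ == "__main__":
    events = count_shutdown_events(SAMPLE_LOG)
    for path, seen in find_suspicious(SAMPLE_LOG).items():
        print(f"lingering at shutdown in {seen}/{events} events: {path}")
```

A hit here is a lead, not a verdict: the allowlist is deliberately coarse, so a real triage pairs this with the crash and diagnostic data the article mentions and with known indicators before calling anything an infection. That is the false-positive problem Cole describes.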

Developing the detection capability has already proved invaluable, however. Cole says it helped iVerify identify signs of compromise on the smartphone of Gurpatwant Singh Pannun, a lawyer and Sikh political activist who was the target of an alleged, foiled assassination attempt by an Indian government employee in New York City. The Mobile Threat Hunting feature also flagged suspected nation-state activity on the mobile devices of two Harris-Walz campaign officials, a senior member of the campaign and a member of the IT department, during the presidential race.

"The age of assuming that iPhones and Android phones are secure out of the box is over," says Cole. "The capabilities to know if your phone has spyware were not extensive. There were technical hurdles, and that was holding a lot of people back. Now you have the ability to know if your phone is infected with commercial spyware. And the rate is much higher than the prevailing narrative."

Updated at 12:12 pm EST, December 4, 2024 to include a statement from the NSO Group.

Updated December 4, 2024 at 2 p.m. EST to include additional details on how iVerify’s tool detects spyware.
