The Pegasus Project

The Pegasus Project Turns the Spotlight on Israeli Spyware Firm NSO Group

NSO’s spyware, sold to authoritarian regimes, has been used to target activists, politicians and journalists.

Human rights activists, journalists and lawyers across the world have been targeted by authoritarian governments using hacking software sold by the Israeli surveillance company NSO Group, according to an investigation into a massive data leak. The investigation by 17 media organizations suggests widespread and continuing abuse of NSO’s hacking spyware, Pegasus, which the company insists is only intended for use against criminals and terrorists.

Pegasus is malware that infects iPhones and Android devices and lets the operator extract messages, photos and emails, record calls and silently activate the microphone. The leak contains a list of more than 50,000 phone numbers that are believed to have been selected as persons of interest by NSO clients since 2016. Forbidden Stories, a Paris-based non-profit media organization, and Amnesty International initially had access to the leaked list and shared it with media partners as part of the Pegasus Project, a reporting consortium.

Once “infected”, your phone becomes your worst enemy

The Pegasus project poses urgent questions about the privatization of the surveillance industry and the lack of safeguards for citizens. This is a worldwide scandal, a global web of surveillance whose scope is without precedent. The attack is invisible. Once “infected”, your phone becomes your worst enemy. From within your pocket, it instantly betrays your secrets and delivers your private conversations, your personal photos, nearly everything about you. This surveillance has dramatic, and in some cases even life-threatening, consequences for the ordinary men and women whose numbers appear in the leak because of their work exposing the misdeeds of their rulers or defending the rights of their fellow citizens.

Was your phone infected?

This tool may tell you whether NSO’s Pegasus spyware targeted your phone.

Researchers at Amnesty International have published a tool called the Mobile Verification Toolkit, which can help users determine whether their phones have been infected by Pegasus. Amnesty’s researchers, whose work was peer-reviewed by the Citizen Lab at the University of Toronto, found that NSO can deliver Pegasus either by sending the victim a link that infects the phone when opened, or silently, with no interaction at all, through a “zero-click” exploit that takes advantage of vulnerabilities in the iPhone’s software.

The Mobile Verification Toolkit, or MVT, works on both iPhones and Android devices, but slightly differently.

More forensic traces were found on iPhones than on Android devices, which makes an infection easier to detect on iPhones. MVT lets you take a full iPhone backup and check it against the indicators of compromise (IOCs) known to be used by NSO to deliver Pegasus, such as domain names from NSO’s infrastructure that may arrive in a text message or email. The toolkit runs on the command line and requires some basic familiarity with the terminal. Before scanning your phone for signs of Pegasus, you need to feed in Amnesty’s IOCs, which are published on its GitHub page. Whenever the IOC file is updated, download and use the current copy, since a stale list can both miss new infrastructure and keep reporting indicators that have since been withdrawn.

Once you set off the process, the toolkit scans your phone backup file for any evidence of compromise. The process took about a minute or two to run and spat out several files in a folder with the results of the scan. If the toolkit finds a possible compromise, it will say so in the output files. In our case, we got one “detection,” which turned out to be a false positive and has been removed from the IOCs after we checked with the Amnesty researchers. A new scan using the updated IOCs returned no signs of compromise.

Because an Android infection is harder to detect, MVT takes a similar but simpler approach there: it scans your Android device backup for text messages containing links to domains known to be used by NSO. The toolkit can also check the applications installed on the device for potentially malicious ones.
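To make concrete what the “scan a backup for links to known NSO domains” step amounts to, here is an added Python example; it is not code from MVT or from the article. It reads domain-name indicators from a STIX2-style bundle (the `[domain-name:value = '...']` pattern form is the one Amnesty’s published indicator file uses), scans a small SQLite database laid out like a stripped-down iOS sms.db for message links whose host is one of those domains or a subdomain of one, and then rescans after one indicator has been withdrawn, which is the false-positive situation described above. The bundle, the domains, the phone numbers, the message texts and the two-table schema are all constructed for the example, and the subdomain matching is a simplification of my own rather than MVT’s exact logic.

```python
import json
import os
import re
import sqlite3
import tempfile
from urllib.parse import urlparse

# Constructed STIX2-style indicator bundle for this example only; it is NOT
# Amnesty's real Pegasus IOC file, and these domains are placeholders.
SAMPLE_STIX = {
    "type": "bundle",
    "id": "bundle--example",
    "objects": [
        {"type": "indicator", "name": "Pegasus domain (constructed)",
         "pattern": "[domain-name:value = 'infra-one.example']"},
        {"type": "indicator", "name": "Pegasus domain (constructed)",
         "pattern": "[domain-name:value = 'link-shortener.example']"},
        # A non-domain indicator; ignored here because this example only scans links.
        {"type": "indicator", "name": "Pegasus process (constructed)",
         "pattern": "[process:name = 'placeholder-process']"},
    ],
}

DOMAIN_PATTERN = re.compile(r"^\[domain-name:value\s*=\s*'([^']+)'\]$")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def load_domains(bundle):
    """Collect lowercase domains from the domain-name indicators in a STIX2 bundle."""
    domains = set()
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = DOMAIN_PATTERN.match(obj.get("pattern", "").strip())
        if m:
            domains.add(m.group(1).lower())
    return domains


def matching_ioc(host, domains):
    """Return the indicator domain that `host` equals or sits under, else None."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_messages(messages, domains):
    """messages: iterable of (row_id, sender, text). Returns a list of hit dicts."""
    hits = []
    for row_id, sender, text in messages:
        for url in URL_RE.findall(text or ""):
            host = urlparse(url).hostname
            if not host:
                continue
            ioc = matching_ioc(host, domains)
            if ioc:
                hits.append({"row": row_id, "sender": sender, "url": url, "ioc": ioc})
    return hits


def build_sample_sms_db(path):
    """Create a tiny stand-in for the iOS sms.db (the real schema is far larger)."""
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE handle (id TEXT);
        CREATE TABLE message (handle_id INTEGER, text TEXT);
    """)
    conn.executemany("INSERT INTO handle (id) VALUES (?)",
                     [("+10000000001",), ("+10000000002",)])
    conn.executemany("INSERT INTO message (handle_id, text) VALUES (?, ?)", [
        (1, "Your parcel is held at customs: https://track.infra-one.example/p/77"),
        (2, "Lunch tomorrow?"),
        (1, "read this http://link-shortener.example/x9"),
        (2, "https://news.example/story/1234"),
    ])
    conn.commit()
    conn.close()


def scan_sms_db(path, domains):
    """Pull every message with its sender from the database and scan it."""
    conn = sqlite3.connect(path)
    rows = conn.execute(
        "SELECT m.rowid, h.id, m.text FROM message m "
        "LEFT JOIN handle h ON h.rowid = m.handle_id ORDER BY m.rowid"
    ).fetchall()
    conn.close()
    return scan_messages(rows, domains)


def drop_domain(bundle, domain):
    """Copy of the bundle without the indicator for `domain` (a withdrawn false positive)."""
    keep = []
    for obj in bundle["objects"]:
        m = DOMAIN_PATTERN.match(obj.get("pattern", "").strip())
        if m and m.group(1).lower() == domain:
            continue
        keep.append(obj)
    return {**bundle, "objects": keep}


def demo():
    """Scan with the first IOC list, then rescan after one domain is withdrawn."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "sms.db")
        build_sample_sms_db(db)
        first = scan_sms_db(db, load_domains(SAMPLE_STIX))
        updated = drop_domain(SAMPLE_STIX, "link-shortener.example")
        second = scan_sms_db(db, load_domains(updated))
    return {"initial": first, "rescanned": second}


if __name__ == "__main__":
    for phase, hits in demo().items():
        print(phase, json.dumps(hits, indent=1))
```

The first pass flags two messages (rows 1 and 3); once the `link-shortener.example` indicator is withdrawn from the bundle, the rescan flags only row 1, which is exactly why the article tells you to refresh the IOC file before trusting a detection. With the real toolkit the corresponding step is `mvt-ios check-backup` run against the decrypted backup, with `--iocs` pointing at the downloaded STIX2 file and `--output` at a results folder; the same domain list is what `mvt-android check-backup` matches SMS links against.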

The toolkit is relatively simple to use from the command line, and since the project is open source a graphical front end may well follow. The project’s detailed documentation will walk you through the steps.

One last word

MVT requires at least Python 3.6. On a Mac it also needs Xcode and Homebrew installed, and checking an Android device for forensic traces requires additional dependencies. Once MVT is installed, you need to feed it Amnesty’s indicators of compromise (IOCs), which are available on GitHub.

Note that a reported detection can be a false positive; if it is, the indicator in question should be raised with the Amnesty researchers so it can be removed from the published IOCs, as happened in the case above. You can also read the organization’s forensic methodology report to see the known indicators and look for them in your backup yourself.