Researchers have discovered seven new Pegasus spyware infections targeting journalists, government officials, and corporate executives, with intrusions dating back several years and spanning both iPhone and Android devices, suggesting that the reach of the notorious spyware is even greater than previously thought.
Researchers from iVerify found multiple devices compromised by Israeli company NSO Group's spyware through attacks initiated between 2021 and 2023, affecting Apple iOS versions 14, 15, and 16.6 as well as Android, according to a blog post published on Dec. 4. The infections surfaced in May during a threat-hunting scan of 3,500 devices belonging to iVerify users who had opted in to the checks.
Specifically, the investigation uncovered multiple Pegasus variants, comprising five distinct malware types, across iOS and Android. The researchers identified them from forensic artifacts left in diagnostic data, shutdown logs, and crash logs recovered from the devices.
"Our investigation detected 2.5 infected devices per 1,000 scans — a rate significantly higher than any previously published reports," Matthias Frielingsdorf, iVerify co-founder and iOS security researcher, wrote in the post. Each of the infections "represented a device that could have been silently monitored, its data compromised without the owner's knowledge," he wrote.
"The discovery supported our thesis about the prevalence of spyware on mobile devices — it was hiding in plain sight, undetected by traditional endpoint security measures."
Pegasus Spyware Reach Underestimated?
The findings also demonstrate that security researchers, in general, may have underestimated the reach of mobile spyware, particularly Pegasus, Rocky Cole, co-founder and COO of iVerify, tells Dark Reading.
Pegasus, developed by NSO Group, an adversary that iVerify tracks as "Rainbow Ronin," is a particularly nasty piece of spyware. It is delivered through exploit chains for OS vulnerabilities, frequently as zero-click attacks that require no action from the target, and once installed it lets the operator access and extract whatever they want from the compromised device. Attackers can intercept and transmit messages, emails, media files, passwords, and detailed location data without the user's knowledge or interaction.
Pegasus gained widespread notoriety in 2021, when security researchers found it being used by state-sponsored actors to surveil journalists, politicians, human rights advocates, and other persons of interest to government intelligence agencies. Since then, numerous other infections have surfaced showing how governments have wielded the spyware, with journalists in particular in the crosshairs.
Now iVerify's discovery suggests that state-sponsored actors are not only using mobile spyware narrowly against the most high-profile targets, but may also be spying on people within typically targeted populations who would not obviously seem to be on their radar, Cole says.
"Previously considered a rare and highly targeted threat, Pegasus was found to be more prevalent and capable of infecting a wider range of devices, not just those belonging to high-risk users," he says.
Moreover, because iVerify's investigation turned up multiple Pegasus infections across several iOS versions, some of them years old, it is clear that traditional endpoint security measures often fail to detect such threats. This suggests that mobile device users themselves must take part in detecting malware, so that they have "the power to understand and defend against threats that were previously invisible," Frielingsdorf wrote.
Hunt Your Own Device Threats
Cole says that best practices for preventing spyware infections before they occur include updating devices to the latest OS as soon as patches ship, since spyware commonly exploits unpatched vulnerabilities. And although EDR may not catch every infection, it remains a useful tool for organizations alongside more proactive, device-specific threat hunting to "help detect and respond to threats in real time," he says.
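The article mentions shutdown logs as one of the artifact sources that surfaced these infections. As an added, self-contained illustration of what device-level threat hunting on that artifact can look like (this is example code written for this page, not iVerify's tooling or NSO-related indicators), the script below parses the "remaining client pid" entries that iOS writes to shutdown.log when a process delays a reboot, and flags any process whose binary lives outside the directories where system and App Store binaries are normally found. The log format, the allowlisted prefixes, and the sample log lines are all constructed assumptions for the example; the flagged path is hypothetical, not a real indicator of compromise.

```python
import re
from collections import Counter

# Assumed line shape for an iOS shutdown.log entry recording a process that was
# still running when the device shut down (sample below is constructed).
CLIENT_RE = re.compile(r"remaining client pid:\s*(\d+)\s*\(([^)]+)\)")

# Assumption: legitimate daemons and App Store apps live under these prefixes.
# Anything delaying shutdown from elsewhere deserves a closer look.
EXPECTED_PREFIXES = (
    "/usr/",
    "/bin/",
    "/sbin/",
    "/System/",
    "/Applications/",
    "/Library/",
    "/private/var/containers/Bundle/Application/",
    "/private/preboot/Cryptexes/",
)

# Constructed sample: two reboots, one benign daemon each time, one App Store app,
# and a hypothetical helper running from a staging directory on both reboots.
SAMPLE_LOG = """\
SIGTERM: [0x2001] remaining client pid: 56 (/usr/sbin/mDNSResponder)
SIGTERM: [0x2001] remaining client pid: 1043 (/private/var/db/tmp.staging/helperd)
SIGTERM: [0x2001] remaining client pid: 2210 (/private/var/containers/Bundle/Application/0000-EXAMPLE/Example.app/Example)
SIGTERM: [0x2001] remaining client pid: 61 (/usr/libexec/locationd)
SIGTERM: [0x2001] remaining client pid: 1043 (/private/var/db/tmp.staging/helperd)
"""


def parse_remaining_clients(text):
    """Return (pid, path) tuples for every process recorded as delaying shutdown."""
    return [(int(pid), path.strip()) for pid, path in CLIENT_RE.findall(text)]


def is_expected_location(path):
    """True if the binary sits in one of the allowlisted system/app locations."""
    return path.startswith(EXPECTED_PREFIXES)


def triage(text):
    """Count how often each out-of-place binary delayed a shutdown.

    Repeated appearances across reboots matter: a one-off could be a crashing
    app, while the same unexpected path on every reboot suggests persistence.
    """
    counts = Counter()
    for _pid, path in parse_remaining_clients(text):
        if not is_expected_location(path):
            counts[path] += 1
    return counts


def report(text):
    """Human-readable summary lines, ordered by how often a path was seen."""
    lines = []
    for path, n in triage(text).most_common():
        lines.append(f"[review] {path} delayed shutdown {n} time(s)")
    return lines or ["[ok] no processes outside expected locations delayed shutdown"]


if __name__ == "__main__":
    # Usage: python3 shutdown_triage.py path/to/shutdown.log
    import sys
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print("\n".join(report(data)))
```

To run this on a real device, pull a sysdiagnose archive and feed it the shutdown.log inside (on recent iOS versions it is typically under system_logs.logarchive/Extra/; confirm the location in your own archive). A hit is a lead, not a verdict: extend the allowlist for daemons you have verified, and corroborate any flagged path against crash logs and diagnostic data, the other artifact sources the article names.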
Organizations should also educate employees, Cole adds, especially those in high-risk roles, about mobile security risks and best practices, an essential layer of protection against spyware infections.