5

What are the indicators of compromise (IoCs) that indicate methods used by the Pegasus spyware on mobile phones?

How is penetration still possible when the latest and up-to-date OS of the phone is used?

schroeder
  • 125,553
  • 55
  • 289
  • 326
HadidAli
  • 570
  • 3
  • 10
  • *How is penetration still possible?* Because [zero days](https://security.stackexchange.com/questions/33314/what-is-zero-day). – nobody Jul 20 '21 at 18:38
  • 2
    Pegasus itself doesn't use penetration methods. It is delivered by handlers that exploit known and unknown vulnerabilities of the target device. – defalt Jul 20 '21 at 18:44

2 Answers2

6

Short answer, how to practically detect Pegasus on your phone: the Mobile Verification Toolkit can (but not always) detect indicators of compromise by Pegasus or other malware. The tool works for both Android and iOS, but the two platforms have different forensic recordkeeping, so results can vary. The authors indicate that iOS keeps more forensic traces than Android, so results may be more accurate on an iPhone:

In Amnesty International’s experience there are significantly more forensic traces accessible to investigators on Apple iOS devices than on stock Android devices, therefore our methodology is focused on the former


Longer answer, how Pegasus can be detected at all: Amensty International (the company that developed the Mobile Verification Toolkit) released a Forensic Methodology Report that details the different methods used to identify the indicators of compromise by Pegasus Spyware. The main takeaways from the report:

  • Discovering Pegasus network injection attacks, i.e. forceful redirects of benign pages to malicious ones. In one case, a victim's request to http://yahoo.fr/ was redirected to a malicious domain.

  • Pegasus’ BridgeHead and other malicious processes. Pegasus has been known to use a process called bh - seeing this process and other known Pegasus processes (e.g. roleaboutd) can indicate Pegasus compromise.

  • Pegasus processes following potential Apple Photos exploitation. Amnesty suspects that the iOS Photos app or the Photostream service were used as part of an exploit chain to deploy Pegasus. The apps themselves may have been exploited or their functionality misused to deliver a more traditional JavaScript or browser exploit to the device.

  • An iMessage zero-click 0day used widely in 2019. Here Amnesty believes actors used known iMessage exploits to deliver the Pegasus spyware.

  • Apple Music leveraged to deliver Pegasus in 2020. Again, another exploit that may have been used to deliver Pegasus. Amnesty observed an HTTP request from the Apple Music app that points to a domain identified as belonging to NSO Group’s Pegasus network infrastructure.

  • Megalodon: iMessage zero-click 0-days return in 2021. A zero-click exploit that Amnesty believes was live at the time of publishing, and exploited the com.apple.coretelephony process (among others).

  • Incomplete attempts to hide evidence of compromise. Pegasus deletes the names of malicious processes from the ZPROCESS table in DataUsage database but not the corresponding entries from the ZLIVEUSAGE table - Amnesty has tied this inconsistency to Pegasus infections.

  • Pegasus processes disguised as iOS system services.

Across the numerous forensic analyses conducted by Amnesty International on devices around the world, we found a consistent set of malicious process names executed on compromised phones. While some processes, for example bh, seem to be unique to a particular attack vector, most Pegasus process names seem to be simply disguised to appear as legitimate iOS system processes, perhaps to fool forensic investigators inspecting logs.

I encourage reading the entire Forensic Methodology for more detail. As you can see, detecting Pegasus (or other known malware variants) isn't a perfect science, and evidence has to be taken in context to determine the presence of Pegasus spyware.

Buffalo5ix
  • 2,646
  • 13
  • 18
0

How is penetration still possible when latest and up-to-date OS of the phone is used?

This will be continuously possible because the injector of Pegasus is also continuously updated to take into account the new vulnerabilities found by the NSO Group. Some of them are many years old and simply neither disclosed, nor fixed. And new ones appear with every new version of the OS.

One day far in the future, a day where Apple and Google would decide to work really hard and with waranty on the security of their OS, it might become really hard for cyber-criminels and intelligence agencies to inject any spyware in iOS or Android. But they have a lot of time ahead to achieve such a goal.

dan
  • 3,043
  • 14
  • 35