In recent years, commercial spyware has been deployed by more actors against a wider range of victims, but the prevailing narrative remains that the malware is used in targeted attacks against an extremely small number of people. At the same time, checking devices for infection has been difficult, forcing individuals to navigate an ad hoc series of academic institutions and NGOs that have been on the front lines of developing forensic techniques for detecting mobile spyware. On Tuesday, mobile device security firm iVerify published findings from a spyware detection feature it launched in May. Of the 2,500 device scans that the company's customers chose to submit for inspection, seven revealed infections by the notorious NSO Group malware known as Pegasus.

The company's Mobile Threat Hunting feature uses a combination of malware signature-based detection, heuristics, and machine learning to look for anomalies in iOS and Android device activity or telltale signs of spyware infection. For paying iVerify customers, the tool regularly checks devices for potential compromise. But the company also offers a free version of the feature to anyone who downloads the iVerify Basics app for $1. These users can walk through the steps to generate and send a special diagnostic utility file to iVerify and receive analysis within hours. Free users can run the tool once a month. iVerify's infrastructure is built to be privacy-preserving, but to run the Mobile Threat Hunting feature, users must enter an email address so the company has a way to contact them if spyware shows up in a scan, as happened in the seven recent Pegasus detections.

“What's really interesting is that the people who were targeted were not just journalists and activists, but business leaders, people running commercial enterprises, and people holding government positions,” says Rocky Cole, chief operating officer of iVerify and a former U.S. National Security Agency analyst. “It looks more like the targeting profile of your average piece of malware or your average APT group than the narrative that mercenary spyware is being misused to target activists. It is doing exactly that, but it is surprising to see it in such different sections of society.”

Seven out of 2,500 scans may seem like a small number, especially among iVerify's somewhat self-selected customer base of users, whether paid or free, who already want to monitor the security of their mobile devices, much less check specifically for spyware. But the fact that the tool has already detected a handful of infections shows how widespread spyware use has become around the world. Having an easier tool for diagnosing spyware compromises could expand the picture of how often such malware is actually being used.

“NSO Group sells its products exclusively to U.S. and Israel-allied intelligence and law enforcement agencies,” NSO Group spokesperson Gil Lehner told WIRED in a statement. “Our customers use these technologies every day.”

iVerify says it took significant investment to develop the detection tool, because mobile operating systems like Android and especially iOS are more locked down than traditional desktop operating systems and do not give monitoring software kernel access to the heart of the system. Cole says the key was to use telemetry taken from as close to the kernel as possible to tune machine learning models for detection. Some spyware, such as Pegasus, also has specific characteristics that make it easier to flag. In the seven detections, Mobile Threat Hunting caught Pegasus using diagnostic data, shutdown logs, and crash logs. But Cole says the challenge lies in refining mobile monitoring tools to reduce false positives.

Still, developing the ability to detect is already proving invaluable. Cole says it helped iVerify identify signs of compromise on the smartphone of Gurpatwant Singh Pannun, a lawyer and Sikh political activist who was the target of an alleged, failed assassination attempt by an Indian government employee in New York City. The Mobile Threat Hunting feature also flagged suspicious nation-state activity on the mobile devices of two Harris-Walz campaign officials, a senior member of the campaign and an IT department member, during the presidential race.

“The era of assuming that iPhones and Android phones are secure out of the box is over,” says Cole. “The capabilities to know if your phone has spyware were not comprehensive. There were technical barriers and it was leaving a lot of people behind. You now have the ability to know if your phone is infected with commercial spyware or not. And this rate is much higher than the popular narrative.”

Updated at 12:12 pm EST on December 4, 2024 to include a statement from NSO Group.
