Is Your Phone Infected With Pegasus? (fossbytes.com)
Fossbytes has an article detailing how you can check to see if your mobile device is infected with the "Pegasus" spyware. What's Pegasus, you ask? It's phone-penetrating spy software developed by NSO Group and sold to governments to target journalists and activists around the world. The CEO of NSO Group says law-abiding citizens have "nothing to be afraid of," but that doesn't help us sleep any better. Here's how to check if your device has been compromised (heads up: it's a bit of a technical and lengthy process): First off, you'll need to create an encrypted backup and transfer it to either a Mac or PC. You can also do this on Linux instead, but you'll have to install libimobiledevice beforehand for that. Once the phone backup is transferred, you need to download Python 3.6 (or newer) on your system -- if you don't have it already. Here's how you can install it for Windows, macOS, and Linux. After that, go through Amnesty's manual to install MVT correctly on your system. Installing MVT will give you new utilities (mvt-ios and mvt-android) that you can run from the command line. Now, let's go through the steps for detecting Pegasus on an iPhone backup using MVT.
First of all, you have to decrypt your data backup. To do that, you'll need to enter the following instruction format while replacing the placeholder text (marked with a forward slash) with your custom path: "mvt-ios decrypt-backup -p password -d /decrypted /backup". Note: Replace "/decrypted" with the directory where you want to store the decrypted backup and "/backup" with the directory where your encrypted backup is located.
Now, we will run a scan on the decrypted backup, referencing it with the latest IOCs (possible signs of Pegasus spyware), and store the result in an output folder. To do this, first, download the newest IOCs from here (use the folder with the latest timestamp). Then, enter the instruction format as given below with your custom directory path: "mvt-ios check-backup -o /output -i /pegasus.stix2 /backup". Note: Replace "/output" with the directory where you want to store the scan result, "/backup" with the path where your decrypted backup is stored, and "/pegasus.stix2" with the path where you downloaded the latest IOCs.
After the scan completion, MVT will generate JSON files in the specified output folder. If there is a JSON file with the suffix "_detected," then that means your iPhone data is most likely Pegasus-infected. However, the IOCs are regularly updated by Amnesty's team as they develop a better understanding of how Pegasus operates. So, you might want to keep running scans as the IOCs are updated to make sure there are no false positives.
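A small triage helper for the last step above, added here as an example; it is not code from the Fossbytes article or from MVT. It assumes each *_detected.json file holds a JSON list of matched records, and the sample output tree it writes (file names, record fields, the .invalid URLs) is constructed for the demonstration:

```python
"""Triage an MVT output folder: list every *_detected.json file and count
the records in each.  Added example, not part of the article or of MVT.
The JSON layout (a list of record dicts) is an assumption."""
import json
import os
import tempfile


def triage_mvt_output(output_dir):
    """Return {module_name: record_count} for each *_detected.json file
    found in output_dir.  An empty dict means the current IOC set matched
    nothing; that is not proof the device is clean, because the IOCs
    keep changing and a scan should be repeated when they are updated."""
    findings = {}
    for name in sorted(os.listdir(output_dir)):
        if not name.endswith("_detected.json"):
            continue  # plain per-module dumps carry no IOC matches
        path = os.path.join(output_dir, name)
        with open(path, encoding="utf-8") as fh:
            records = json.load(fh)
        module = name[: -len("_detected.json")]
        findings[module] = len(records) if isinstance(records, list) else 1
    return findings


def build_sample_output(with_detections=True):
    """Write a constructed, MVT-style output tree into a temp dir and
    return its path.  Every value below is made up for the example."""
    base_dir = tempfile.mkdtemp(prefix="mvt_sample_")
    # ordinary module dump: all records, regardless of IOC matches
    with open(os.path.join(base_dir, "safari_history.json"), "w") as fh:
        json.dump([{"url": "https://example.com/"}], fh)
    if with_detections:
        # constructed detection file: two records that matched an IOC
        with open(os.path.join(base_dir, "safari_history_detected.json"), "w") as fh:
            json.dump([{"url": "http://ioc-placeholder.invalid/a"},
                       {"url": "http://ioc-placeholder.invalid/b"}], fh)
    return base_dir


if __name__ == "__main__":
    sample_dir = build_sample_output()
    hits = triage_mvt_output(sample_dir)
    if not hits:
        print("no *_detected.json files: no match with the current IOCs")
    for module, count in hits.items():
        print(f"{module}: {count} matched record(s)")
```

Point it at the real "/output" directory from the check-backup step instead of the constructed one to get the same summary for an actual scan.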
If it isn't already (Score:5, Funny)
It will be after following these instructions.
Re:If it isn't already (Score:5, Insightful)
It will be after following these instructions.
It may be simpler to just get a new phone ... :-)
Re:If it isn't already (Score:5, Insightful)
Re: (Score:2)
Nice FP branch. Sadly insightful and funny, too.
Amateurs can't win against experts. Even if the original source was reliable (in spite of the challenge from the FP), the experts have almost surely had time to patch Pegasus to negate the instructions.
I think the best general solution approach is to stop putting so many eggs in so few baskets. But it's a fading story, time is limited, and interest is even more limited, so.
Re: (Score:2)
Re: (Score:2)
If Android is the OS, then it doesn't seem clear that you are safe. Though your phone may lack some (or most) of the capabilities that Pegasus wants to exploit.
Re: (Score:2)
Re: (Score:2)
Just the ACK, but under weird coincidences, I just finished a book published by Pegasus. No relation, but the name sure struck me in the eye...
"Nothing to fear". (Score:5, Insightful)
It still galls me that the CEO of NSO Group used the old "If you've done nothing wrong you've got nothing to fear", which, if you follow the implications regarding who it was actually sold to, means "criticizing your government is wrong".
No wonder the internet turned from the anarchic dream of freedom in the nineties into the authoritarian sewer it's become today.
Re: (Score:3)
We were all so idealistic, dammit. And look at things now.
Re: (Score:3)
We weren't aware of the Elites and their interests back then.
Re: "Nothing to fear". (Score:2, Insightful)
Re:"Nothing to fear". (Score:5, Insightful)
It still galls me that the CEO of NSO Group used the old "If you've done nothing wrong you've got nothing to fear", which, if you follow the implications regarding who it was actually sold to, means "criticizing your government is wrong".
What's really galling is: who are they to claim the right to decide who's right and wrong? Are they a court of law?
Re: (Score:2)
They have a bigger stick than you.
Re: (Score:1)
Re:"Nothing to fear". (Score:5, Insightful)
It kinda amuses me, to be honest, especially considering where that company is located. He may want to ask his father or grandfather, who might remember a time when being an honest, upstanding citizen was not enough to not be persecuted for crimes that are none.
At least if he's from central Europe.
Re: (Score:2)
He knows, doesn't care, and this is why: (Score:1)
Nothing is about anything but power and Zionism always considered non-Zionists expendable. There are no genuine ideals, just constructs to justify power. Religions, all of them, exist as power tools and the objective of Zionism is an ethno-state like any other ethno-state.
Re:"Nothing to fear". (Score:4, Interesting)
Source: https://www.forbes.com/sites/t... [forbes.com]
Re: (Score:3)
No we just got old, where what was once new and exciting, and now different and scary.
Oh how we in the 1990's in our teens and 20s laughed at those 40-50 something mainframe guys. With their steadfast dislike of TCP/IP Protocol, and preferred the simplicity and reliability of just a set of Serial Cables going across the building. Your Login and Password was good enough to stop any unauthorized access, and if you wanted remote access, just plug one of those serial cables to a Modem and give the person that
Re: (Score:2)
Re: (Score:2)
It still galls me that the CEO of NSO Group used the old "If you've done nothing wrong you've got nothing to fear",
As long as he puts his money where his mouth is - so where, exactly, has he posted all his private conversations, pictures, e-mails and other data online for everyone to see?
After all, if he has done nothing wrong, he's got nothing to fear, right?
Re: (Score:2)
Naa, that would be doing what he preaches. Cannot have that. Assholes like this one want limitations like always only for others.
Can't have an infected phone (Score:1)
if you don't have a phone.
Re: (Score:1)
Don't worry, it's one of the payloads in the nanobot delivery system known as the Pfizer corona vaccine, you won't even need a phone. Gives a new meaning to the term "buttdialing".
Re: (Score:2)
I certainly hope you are joking because if we had that level of technology then we wouldn't be bothered to do something so pointless.
Re: (Score:2)
I suppose if you could manage to go completely off all the grids, it could work, but that's nearly impossible in our day and age. So hiding in plain sight methods could be more effective.
Is Your Phone Infected With Pegasus? (Score:2)
"It's a bit technical," he says. (Score:3)
Re: (Score:2)
Don't forget that obtaining all the dependencies and having access to a machine to run this stuff on are not at all a given for many of the potential victims.
Traveling reporters, dissidents, etc. might not have any reliable internet access besides their mobile device. Downloading 100s of megs of dependencies, Python platform stuff, and mobile interface libraries might be a non-starter or even serve to red flag them or help locate / target them more easily. They might not have a desktop or laptop that is itself
Re: (Score:1)
How long until an Israeli soldier goes on trial for war crimes against Palestine and says "I was just following orders"?
If it is, then I must be a secret agent (Score:2, Redundant)
Seriously, if whatever nefarious sources it is spreading Pegasus, want to infect my phone, have at it.
You'll get some amazing content of me and the wife chatting about the cat. Later, possibly some video of me watering the plants.
The absolute gold mine, will be me on a Zoom meeting discussing the latest sprint of work for the e-commerce infrastructure my team looks after. Exciting stuff, like CI/CD, GQL and where we should place the "Add to Cart" button.
There may even be footage and recording of a walk to t
Re: (Score:2)
Is there an app for that? (Score:5, Insightful)
Or better, why doesn't Apple do this for me?
Re: (Score:3)
Re:Is there an app for that? (Score:4, Informative)
What a load of crap (Score:2)
This procedure was written to work for niche devices only. And by that I mean devices I don't own.
Re: (Score:3)
If NSO is to be believed... (Score:2)
Re: (Score:2)
Think hard about what you just wrote there. Of course you can decrypt an iPhone backup without content from the Secure Enclave. The backups would be useless for restoring to a different device otherwise.
Logically, you have to either be able to save the keys or encrypt the backup with an alternative known key which you can retain. Otherwise, if you, say, drop your device into the sea because the boat rolls more than expected suddenly while you are photographing, it would be so long to all your data.
Re: (Score:2)
Can an encrypted backup of an iPhone be decrypted without the enclaved keys and without logging in to Apple.com?
Just for iphones, not android (Score:3)
Re:Just for iphones, not android (Score:4, Informative)
The reason given in the article is that Pegasus on Android can in the worst case scan SMSes or APKs, so it's reasonably harmless on Android. So it seems that this is a novel case where Apple security is more exposed than Android (must be close to a first...).
Re: (Score:3)
Pegasus on Android can in the worst case scan SMSes or APKs
No, the MVT toolkit for Android can only scan SMS messages and APKs (manual [readthedocs.io]: "The Android backup feature does not allow to gather much information that can be interesting for a forensic analysis..."), so it's less effective at detecting Pegasus. This does not mean that Pegasus itself is "reasonably harmless on Android". It's just better at hiding.
Though this does imply that the iOS encrypted backups leak more information about the state of the device... win some, lose some. In this case the extra data is he
Re: (Score:3, Informative)
clickbait (Score:2)
Not possible (Score:2)
No idea if Pegasus can be installed to a wifi-only tablet, but you asked about my phone.
"Mobile device" (Score:2)
Re: (Score:2)
Re: (Score:2)
> No mention of Android at all.
They prefer not to acknowledge the Deplorables' phones. People who can only afford $49 phones from Walmart aren't members of their distributed country club.
Do people actually care? (Score:2)
Personally I assume my phone is already hacked so anything important should be limited to mobile banking where I have some legal protections against fraud.
Do I have spyware on my phone? I don't know, let me ask my Facebook contacts.
No (Score:5, Interesting)
You know how I know my phone doesn't have Pegasus? Because it has no "apps". It's a phone of the smartest kind. It does one thing and it does it well. It makes and receives phone calls.
Yes, I have a calculator and calendar on it, but they're pre-installed and non-upgradable.
This scenario is just like Battlestar Galactica. Not having the newest and shiniest is what protects me.
Re: (Score:2)
Step by step instructions (Score:2)
For those who tl;dr tfa, lmsyst:
Step 1: Open your wallet
Step 2: Examine all of your credentials, licenses, etc
If none of those credentials/licenses identify you as the holder of a government security clearance, your phone is not infected with Pegasus.
Otherwise, you can go through the steps outlined in TFA.
Re: (Score:2)
Unless, of course, you're a journalist, an opposition politician, a relative of someone of interest, ...
Re: (Score:2)
Unless, of course, you're a journalist, an opposition politician, a relative of someone of interest, ...
Or an ex-girlfriend/boyfriend of someone who is stalking you.
How did it get on the device? (Score:2)
Re: (Score:1)
Cumbersome (Score:2)
I'm sure I'd notice (Score:2)
...a flying horse in my phone.
The new "desktop" (Score:1)
Android may need a malware scanning utility similar to Windows Defender.
Re (Score:1)