Pegasus Mobile Spyware used to target journalists, activists, and more


A massive data leak revealed that an iOS spyware tool called Pegasus had been used by authoritarian governments to target over 50,000 journalists, activists, and legal professionals from over 50 countries. Pegasus, which was produced and distributed by the Israeli surveillance company NSO Group, is malware that infects iPhone devices, enabling attackers to steal critical and private data, including phone calls, photos, and messages.

Originally produced for use by governments to target criminals and terrorists, this aggressive mobile malware has been abused by organizations around the world to target far more. The investigation into the leaked list by 17 media organizations working in unison appears to show how clients of NSO identified and targeted people of interest, many within human rights and activist organizations, as well as senior government employees and members of royal families.

The origins of the data leak are unknown, but Forbidden Stories and Amnesty International worked together at the beginning to conduct forensic research before inviting the larger group of international media to participate in the research.

Inside the leaked report are over 50,000 phone numbers representing individuals from over 50 countries. While the presence of a number does not mean everyone listed was infected, the consensus of the research was that it revealed an ongoing surveillance campaign. Forensic analysis by the consortium showed that many of the individuals whose numbers appeared did in fact have components of the Pegasus spyware on their mobile devices.

Through the organization’s lawyers, NSO Group responded that it “does not operate the systems that it sells to vetted government customers, and does not have access to the data of its customers’ targets” and that its mobile spyware is intended only to target criminals and terrorists. But this is not the only time Pegasus has been in the news.

In 2016, Zimperium researchers conducted research into Pegasus as it was targeting iOS devices. At the time, the chained attack took advantage of three unpatched zero-day vulnerabilities within the iOS platform to attack and enable the spyware on the targeted device. While Apple did patch the zero-days in iOS 9.3.5, NSO Group has continued the development of Pegasus, implementing new ways to exploit iOS devices.

According to the research by Amnesty International and Forbidden Stories, and verified independently by the Zimperium zLabs threat research team, the latest version of Pegasus is able to remotely compromise all recent versions of the iPhone and iOS.

The details around the leaked data and research from the large consortium are still being released, but there is no mistaking the fact that mobile endpoints are increasingly a high-priority target in surveillance and data theft. This is just one example of the tools at the disposal of independent and state-sponsored threat actors when they are targeting individuals. The mobile attack surface is continuing to grow, and with it, the number of threats, vulnerabilities, exploits, and active hacking campaigns.

Pegasus vs. Zimperium

Zimperium zIPS customers are protected against Pegasus with our zero-day, on-device z9 Mobile Threat Defense machine learning engine.

The Zimperium zLabs team has conducted an in-depth technical analysis of the leaked data, showing that the zIPS mobile threat defense solution detects and protects mobile customers from exploitation of the device without any updates. Part of the leaked data revealed over 1,400 domains as indicators of compromise, and the Zimperium zIPS anti-phishing detection solution will prevent access to these domains, whether they are visited directly or contacted by a compromised application.

This attack would be reported as a critical “System Tampering” event within the zIPS and zConsole. To ensure your iOS users are protected from Pegasus spyware, we recommend a quick risk assessment. Inside zConsole, admins can review which apps are side-loaded onto the device that could be increasing the attack surface and leaving data and users at risk.
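The domain-based blocking described above comes down to matching observed DNS names against an indicator list, including subdomains of a listed domain. As an added example (not Zimperium's code, and not the leaked indicators), this Python snippet scans a constructed DNS query log for exact and subdomain matches against placeholder indicator domains; the log format, the placeholder domains, and the function names are assumptions.

```python
"""Match DNS query log lines against a domain indicator list (constructed data)."""
from __future__ import annotations
import re
from typing import Iterable

# Constructed placeholder indicators; the real leaked domain list is not reproduced here.
IOC_DOMAINS = {
    "ioc-placeholder-one.invalid",
    "ioc-placeholder-two.invalid",
}

# Assumed log format: "<timestamp> <client_ip> <qname> <qtype>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def normalize(domain: str) -> str:
    """Lower-case, strip the trailing dot, and encode IDN labels so comparisons are stable."""
    d = domain.strip().rstrip(".").lower()
    try:
        return d.encode("idna").decode("ascii")
    except UnicodeError:
        return d


def matching_ioc(qname: str, iocs: set[str]) -> str | None:
    """Return the indicator that qname equals or is a subdomain of, else None."""
    labels = normalize(qname).split(".")
    # Walk label by label so "cdn.ioc.invalid" matches "ioc.invalid" but "notioc.invalid" does not.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def scan_log(lines: Iterable[str], iocs: set[str] | None = None) -> list[dict]:
    """Return one hit per log line whose queried name matches an indicator."""
    iocs = {normalize(d) for d in (iocs or IOC_DOMAINS)}
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ioc = matching_ioc(m["qname"], iocs)
        if ioc:
            hits.append({"ts": m["ts"], "client": m["client"], "qname": m["qname"], "ioc": ioc})
    return hits


# Constructed sample DNS log; not data from the leak.
SAMPLE_LOG = """\
2021-07-19T10:00:01Z 10.0.0.5 www.example.com A
2021-07-19T10:00:02Z 10.0.0.7 cdn.IOC-Placeholder-One.invalid. A
2021-07-19T10:00:03Z 10.0.0.7 notioc-placeholder-one.invalid A
2021-07-19T10:00:04Z 10.0.0.9 ioc-placeholder-two.invalid AAAA
malformed line
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} {hit['client']} queried {hit['qname']} -> indicator {hit['ioc']}")
```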

About Zimperium

Zimperium, the global leader in mobile security, offers the only real-time, on-device, machine learning-based protection against Android, iOS, and Chromebook threats. Powered by z9, Zimperium provides protection against device, network, phishing, and malicious app attacks. For more information or to schedule a demo, contact us today.

Richard Melick
Mobile Threat Intelligence