A new phone scanner that detects spyware has already found 7 Pegasus infections

In recent years, more actors have deployed commercial spyware against a broader range of victims, but the predominant narrative remains that the malware is used in targeted attacks against an extremely small number of people. At the same time, it has been difficult to check whether a device is infected, leaving people to navigate an ad hoc series of academic institutions and NGOs that have been at the front line of developing forensic techniques to detect mobile spyware. On Tuesday, mobile device security company iVerify is publishing results from a spyware detection feature that launched in May. Of the 2,500 device scans that the company's customers chose to submit for inspection, seven revealed infections by NSO Group's notorious Pegasus malware.

The company's "Mobile Threat Hunting" feature uses a combination of signature-based malware detection, heuristics, and machine learning to look for anomalies in iOS and Android device activity or telltale signs of spyware infection. For paying iVerify customers, the tool periodically checks devices for potential compromise. The company also offers a free version of the feature to anyone who downloads the iVerify Basics app for $1. These users can follow the steps to generate a special diagnostic utility file, submit it to iVerify, and receive the analysis within hours; free users can run the check once a month. iVerify's infrastructure is designed to preserve privacy, but to run Mobile Threat Hunting users must enter an email address so the company has a way to contact them if a scan reveals spyware, as it did in the seven recent Pegasus discoveries.

"What's really fascinating is that the people who were targeted were not just journalists and activists, but business leaders, people who ran business enterprises, people in government positions," says Rocky Cole, chief operating officer of iVerify and a former US National Security Agency analyst. "It looks much more like the attack profile of an average malware or an average APT group than the narrative that has been around about mercenary spyware being abused to attack activists. That is happening, absolutely, but it was surprising to find this representative cross-section of society."

Seven out of 2,500 scans may seem like a small number, especially given the somewhat self-selecting customer base: iVerify users, paid or free, already want to monitor the security of their mobile devices, and those who submit a scan specifically want to check for spyware. But the fact that the tool has already found a handful of infections speaks to how widely spyware use has proliferated around the world. A simple tool for diagnosing spyware attacks may well broaden the picture of how frequently such malware is used.

iVerify says a significant investment was needed to develop the detection tool, because mobile operating systems like Android, and particularly iOS, are more locked down than traditional desktop operating systems and do not allow monitoring software to access the kernel at the heart of the system. Cole says the crucial idea was to use telemetry taken as close to the core as possible to fine-tune machine learning models for detection. Some spyware, such as Pegasus, also has characteristic features that make it easier to detect. In all seven cases, Mobile Threat Hunting caught Pegasus using diagnostic data, shutdown logs, and crash logs. The ongoing challenge, Cole says, is refining mobile monitoring tools to reduce false positives.
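To make the shutdown-log angle concrete, here is an added example of the kind of heuristic triage a forensic analyst might run over the "remaining client pid" entries an iOS shutdown log records for processes that were still running when the device powered down. This is illustrative code written for this page, not iVerify's tool or any published Pegasus indicator set: the log lines are constructed, the "--- shutdown ---" separator used to split reboots is an assumption, and the list of directories treated as "system" is an allowlist the analyst would tune, which is exactly where the false-positive problem the article mentions shows up.

```python
"""Heuristic triage of iOS-style shutdown.log entries (added example, constructed data).

Each 'remaining client pid: N (/path)' line names a process that had not exited when
the device shut down. Persistent, non-system binaries in that list are worth a look.
"""
import re
from collections import defaultdict

# Assumption: paths Apple daemons and App Store apps normally run from. Anything
# outside these prefixes is treated as suspicious; sideloaded or enterprise apps
# will be flagged too, so this allowlist is the main false-positive tuning knob.
SYSTEM_PREFIXES = (
    "/usr/", "/System/", "/sbin/", "/bin/", "/Applications/",
    "/private/var/containers/Bundle/Application/",
)

# Shape modelled on the iOS shutdown.log; only the pid and path are extracted.
ENTRY_RE = re.compile(r"remaining client pid:\s*(?P<pid>\d+)\s*\((?P<path>[^)]+)\)")

# Assumed marker separating one reboot's entries from the next in the sample.
SEPARATOR = "--- shutdown ---"

# Constructed sample: three reboots. A system daemon lingers every time (normal),
# an App Store app lingers once, and an unknown binary under /private/var/tmp
# lingers across two reboots.
SAMPLE_LOG = """\
--- shutdown ---
SIGTERM: remaining client pid: 312 (/usr/libexec/locationd)
SIGTERM: remaining client pid: 455 (/private/var/tmp/example_unknown)
--- shutdown ---
SIGTERM: remaining client pid: 301 (/usr/libexec/locationd)
SIGTERM: remaining client pid: 470 (/private/var/tmp/example_unknown)
SIGTERM: remaining client pid: 512 (/private/var/containers/Bundle/Application/ABCD-1234/Example.app/Example)
--- shutdown ---
SIGTERM: remaining client pid: 298 (/usr/libexec/locationd)
"""


def split_reboots(text):
    """Return a list of reboots, each a list of (pid, path) tuples."""
    reboots, current = [], []
    for line in text.splitlines():
        if line.strip() == SEPARATOR:
            if current:
                reboots.append(current)
            current = []
            continue
        match = ENTRY_RE.search(line)
        if match:
            current.append((int(match.group("pid")), match.group("path")))
    if current:
        reboots.append(current)
    return reboots


def is_system_path(path):
    """True if the binary lives under a directory on the allowlist."""
    return path.startswith(SYSTEM_PREFIXES)


def triage(text, min_reboots=2):
    """Flag non-system binaries seen lingering at shutdown, noting persistence.

    Returns a list of findings: {"path", "reboots", "reasons"}.
    """
    seen_in = defaultdict(set)          # path -> set of reboot indices
    for idx, entries in enumerate(split_reboots(text)):
        for _pid, path in entries:
            seen_in[path].add(idx)

    findings = []
    for path, indices in sorted(seen_in.items()):
        if is_system_path(path):
            continue                    # expected: system daemons often outlive shutdown
        reasons = ["binary outside allowlisted system/app-bundle directories"]
        if len(indices) >= min_reboots:
            reasons.append(f"persisted across {len(indices)} reboots")
        findings.append({"path": path, "reboots": len(indices), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["path"], finding["reboots"], "; ".join(finding["reasons"]))
```

Run against the constructed sample, only the /private/var/tmp binary is reported, with a note that it survived two reboots; the App Store app is suppressed by the allowlist even though it lingered once. In practice the allowlist has to be widened for legitimate non-App Store software and narrowed when attackers stage under system-looking paths, which is why signature data and cross-correlation with crash logs and other diagnostics matter more than any single heuristic.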

Developing the detection capability has already proved invaluable. Cole says it helped iVerify identify signs of compromise on the smartphone of Gurpatwant Singh Pannun, a Sikh lawyer and political activist who was the target of an alleged foiled murder plot by an Indian government employee in New York City. The Mobile Threat Hunting feature also flagged suspicious nation-state activity on the mobile devices of two Harris-Walz campaign officials (a senior member of the campaign and a member of the IT department) during the presidential race.

"The era of assuming that iPhones and Android phones are secure out of the box is over," Cole says. "The kind of capabilities to tell if your phone has spyware were not widespread. There were technical barriers and it was leaving a lot of people behind. Now you have the possibility to know if your phone is infected with commercial spyware. And the rate is much higher than the prevailing narrative."
