While performing a routine malware scan on my devices, I recently got an unexpected hit: Positive for Pegasus. It appeared that my phone had been compromised by the military-grade spyware wreaking havoc across the globe.
With poise and grace, I contemplated the next steps (i.e., I freaked out). I contacted the company whose software had detected it. They sent the following note, along with the contact information for Amnesty International’s Security Lab: “Please inform [Amnesty] that you had a positive detection of Pegasus . . . and include the report in your email.”
As instructed, I emailed Amnesty, who investigated the report further. One sleepless night later, I received an email from Amnesty informing me that it was a false positive. The kind folks at Amnesty’s Security Lab explained how they had determined it was a false positive, and the relief was overwhelming.
Here’s what I learned during the ordeal.
What is Pegasus?
Pegasus is spyware developed by Israel-based NSO Group that can access everything on your device. It can also covertly activate functions like the camera and microphone, as well as track your GPS location in real-time.
It’s what’s known as a “zero-click” exploit, meaning the targeted individual doesn’t have to click on a link or perform any interaction to have their device compromised. Security expert Gavin de Becker has said newer versions of Pegasus only require a phone number to take complete control of a device.
Typically, vulnerabilities are exploited via iMessage or WhatsApp.
Detecting Pegasus can be difficult. According to de Becker, if a device is turned off or stops transmitting information, Pegasus can self-destruct, leaving little or no trace it ever existed.
Journalists and activists, particularly those covering corruption, are favorite targets.
The chances of your device being infected with Pegasus are small. Still, Amnesty International said its Pegasus Project has found around 50,000 phone numbers of potential surveillance targets, including at least 180 journalists and other targets like human rights defenders, academics, lawyers, and politicians.
How to check for Pegasus
Amnesty International’s Security Lab developed a free tool called Mobile Verification Toolkit (MVT), which scans your device’s logs for known indicators of Pegasus. MVT is a command-line tool, so it’s only recommended if you feel comfortable using the terminal.
Amnesty includes this warning on MVT:
MVT is a forensic research tool intended for technologists and investigators. Using it requires understanding the basics of forensic analysis and using command-line tools. This is not intended for end-user self-assessment. If you are concerned with the security of your device please seek expert assistance.
A more user-friendly option, built on Amnesty’s MVT, is available from Geneva-based software company iMazing. The company offers its malware detection functionality for free. A step-by-step guide for detecting Pegasus on iPhones or iPads using iMazing can be found here.
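To make concrete what "scans your device's logs for known indicators" means, here is an added example (not code from MVT, iMazing or Amnesty) of the matching step in miniature: indicators arrive as STIX2 pattern strings of the form `[object-type:property = 'value']`, the scanner normalises each record it pulls from a backup or diagnostic log into the same form, and an exact match becomes a finding. The bundle, the process, domain and file names, and the sample records are all constructed placeholders for this illustration, not real Pegasus indicators; the function names (`load_indicators`, `scan_records`) are this example's own.

```python
import json
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed STIX2-style bundle in the same general shape as an indicator
# file. Every value here is made up for this illustration; none is a real IOC.
IOC_BUNDLE = json.dumps({
    "type": "bundle",
    "objects": [
        {"type": "indicator", "name": "demo-domain",
         "pattern": "[domain-name:value = 'update-check.example-ioc.invalid']"},
        {"type": "indicator", "name": "demo-process",
         "pattern": "[process:name = 'sampleiocd']"},
        {"type": "indicator", "name": "demo-file",
         "pattern": "[file:path = '/private/var/tmp/sample-ioc.plist']"},
    ],
})

# One STIX2 comparison expression: [object-type:property = 'value']
PATTERN_RE = re.compile(r"\[(?P<kind>[a-z-]+:[a-z_-]+)\s*=\s*'(?P<value>[^']*)'\]")


def load_indicators(bundle_json: str) -> dict[str, set[str]]:
    """Return {indicator kind: {lower-cased values}} from a STIX2 bundle."""
    indicators: dict[str, set[str]] = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        match = PATTERN_RE.fullmatch(obj["pattern"].strip())
        if match is None:
            continue  # unsupported pattern syntax: skip rather than guess
        indicators.setdefault(match["kind"], set()).add(match["value"].lower())
    return indicators


@dataclass(frozen=True)
class Detection:
    kind: str       # e.g. "domain-name:value"
    indicator: str  # the indicator value that matched
    record: str     # the raw record it was found in


def _normalise(kind: str, record: str) -> str:
    """Reduce a raw record to the form an indicator of this kind is written in."""
    if kind == "domain-name:value":
        # Records may be full URLs (browser history) or bare hostnames (DNS cache).
        host = urlsplit(record if "://" in record else f"//{record}").hostname
        return (host or record).lower()
    return record.lower()


def scan_records(records: dict[str, list[str]],
                 indicators: dict[str, set[str]]) -> list[Detection]:
    """Exact-match every record against the indicator set of the same kind."""
    hits: list[Detection] = []
    for kind, values in records.items():
        wanted = indicators.get(kind, set())
        for raw in values:
            value = _normalise(kind, raw)
            if value in wanted:
                hits.append(Detection(kind, value, raw))
    return hits


# Constructed records standing in for what a backup or sysdiagnose would yield.
SAMPLE_RECORDS = {
    "process:name": ["locationd", "SpringBoard", "sampleiocd"],
    "domain-name:value": ["https://www.apple.com/",
                          "https://update-check.example-ioc.invalid/v1/check"],
    "file:path": ["/private/var/mobile/Library/Preferences/com.apple.Preferences.plist"],
}

if __name__ == "__main__":
    for hit in scan_records(SAMPLE_RECORDS, load_indicators(IOC_BUNDLE)):
        # A hit is a lead for an analyst to confirm, not a verdict by itself.
        print(f"{hit.kind}: {hit.indicator!r} matched in {hit.record!r}")
```

Run as a script it reports two findings (the process name and the domain) and leaves the benign records alone. The point for a reader of the story above is the shape of the output: an indicator match is a pointer to a specific record, which is exactly what an analyst at a lab then re-examines to confirm a true positive or rule out a false one.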
How to protect from Pegasus
Safeguarding devices from Pegasus is difficult, but there are some things users can do to reduce exposure.
Keep your phone updated. No one has more skin in the game than Apple and Google, so don’t ignore OS updates that don’t appear to add any features. Such updates are likely full of invisible but important security fixes for vulnerabilities.
Reboot your phone daily. Research from Amnesty International and Citizen Lab has shown that Pegasus often doesn’t have persistence, meaning regular reboots help sanitize the device and force attackers to re-infect it after each reboot. Occasional factory resets aren’t a bad idea either.
Never click links received in messages. Yes, Pegasus is a “zero-click” exploit, but not everyone using Pegasus can afford this premium feature, and some attacks still rely on user interaction.
Scan for malware regularly. Just because you didn’t find any today doesn’t mean you won’t find any tomorrow. With new advancements in spyware, if you don’t catch it in the act, there may be no way to tell your device was ever compromised.
What to do if you have Pegasus
If your organization has an IT department, contact them immediately.
If you’ve discovered a potential Pegasus breach using third-party software like iMazing, let the software supplier know what you’ve found. Be sure to provide logs and results of the malware scan. They will put you in touch with people who can help.
You can also contact Amnesty International’s Security Lab. They may be able to provide additional information and resources, like they did when I reached out.
* * *
I want to express my gratitude to Amnesty International for helping me — and countless others — as they continue their work defending our human rights, in this case, our right to privacy and confidentiality. They’re pros.