# Full Report
The mobile device security firm iVerify has been offering a tool since May that makes spyware scanning accessible to anyone—and it's already turning up victims.
# Analysis Summary
# Tool/Technique: Pegasus Spyware
## Overview
Pegasus is a notorious commercial spyware developed by the NSO Group. An analysis tool called "Mobile Threat Hunting" offered by the security firm iVerify has recently detected seven infections of Pegasus among 2,500 submitted device scans. The discovery suggests the spyware's targeting is broader than just activists and journalists, encompassing business leaders and government officials.
## Technical Details
- Type: Malware family
- Platform: iOS and Android
- Capabilities: Espionage, surveillance, data exfiltration (implied by "spyware")
- First Seen: Not specified in the text; the family has been publicly reported for several years.
## MITRE ATT&CK Mapping
Given that Pegasus is a mature, multi-stage mobile exploitation framework, its mapping is extensive. The description focuses on the detection of successful infection, which generally falls under Execution, Persistence, or Defense Evasion, depending on the specific stage detected.
- **TA0005 - Defense Evasion**
  - T1070 - Indicator Removal (implied capability of sophisticated spyware)
- **TA0002 - Execution**
  - Pegasus typically uses zero-click exploits for execution; the specific technique depends on the exploit chain used.
- **TA0011 - Command and Control**
  - T1179 - Ingress Tool Transfer (implied use of C2 infrastructure)
*(Note: A definitive mapping requires analyzing the exploit chain and payloads, but the available text focuses on detection rather than runtime analysis.)*
## Functionality
### Core Capabilities
- Infiltration and continuous surveillance of mobile devices (iOS/Android).
- Detection via signature-based scanning, heuristics, and machine learning by third-party tools.
### Advanced Features
- Feature set characteristic of advanced mobile spyware, implying access well beyond simple monitoring; the text confirms only successful infection and does not detail specific current features.
## Indicators of Compromise
- File Hashes: N/A (Specific hashes are not provided in the text)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A (Indicators would depend on the specific victim C2 infrastructure, which is not detailed.)
- Behavioral Indicators: Anomalies in iOS and Android device activity indicative of spyware infection (detected by iVerify).
## Associated Threat Actors
- NSO Group (Developer/Vendor)
- Various actors known to purchase/deploy commercial spyware, including governments, targeting journalists, activists, business leaders, and government officials.
## Detection Methods
- **Malware Signature-based detection:** Used by iVerify's tool.
- **Heuristics:** Used by iVerify's tool to look for anomalies.
- **Machine Learning:** Used by iVerify's tool to identify potential compromise.
- **Third-party scanning tools:** Such as iVerify's "Mobile Threat Hunting" feature.
## Mitigation Strategies
- Maintaining up-to-date device software (iOS/Android) to patch vulnerabilities exploited by such malware.
- Using third-party security tools (such as the iVerify Basics app or specialized forensic analysis) to check for signs of infection.
- Awareness of the broad targeting profile (not just high-risk activists).
## Related Tools/Techniques
- Other forms of commercial or state-sponsored mobile spyware.
- Zero-click exploit techniques used for initial access on mobile platforms.