Full Report
An investigation into the numbers has some caveats, but those behind it say even a drastic reduction from what they found would be big. The post Study shows potentially higher prevalence of spyware infections than previously thought appeared first on CyberScoop.
Analysis Summary
# Research: Study Shows Potentially Higher Prevalence of Spyware Infections Than Previously Thought
## Metadata
- Authors: Tim Starks (as the reporter of the findings)
- Institution: iVerify (the firm conducting the investigation)
- Publication: CyberScoop (Article reporting on iVerify's findings)
- Date: December 4, 2024
## Abstract
An investigation by the mobile security firm iVerify suggests that high-end commercial spyware infections, Pegasus in particular, may be considerably more prevalent on mobile devices than the prevailing narrative suggests. By scanning 2,500 volunteer devices with a low-cost commercial scanner, iVerify detected a rate of 2.5 infections per 1,000 scans, substantially higher than the figures generally reported in academic or investigative literature focused on state-sponsored targeting.
## Research Objective
To assess the real-world prevalence of commercial spyware infections on voluntarily scanned mobile devices, and to compare the observed infection rate against the prevailing belief that such spyware is a niche threat aimed primarily at journalists, activists, and law enforcement targets.
## Methodology
### Approach
iVerify conducted a retrospective investigation by scanning a set of volunteer mobile devices with its proprietary detection technology. The analysis focused on identifying signatures associated with known spyware such as Pegasus.
### Dataset/Environment
The study involved 2,500 users who volunteered to participate by using a $0.99 version of iVerify’s mobile security application for scanning. The detected infections spanned the period between 2021 and May 2024.
### Tools & Technologies
- iVerify’s mobile device security technology (a $0.99 app version was used for the scan).
- Threat signatures sourced from research groups studying spyware, including those developed by Citizen Lab (University of Toronto).
## Key Findings
### Primary Results
1. iVerify detected seven confirmed spyware infections (implied to be Pegasus) within the 2,500 scanned devices.
2. This translated to an infection rate of 2.5 infected devices per 1,000 scans, which iVerify claims is "significantly higher than any previously published reports."
3. All seven detected infections were found on devices located outside the United States, spanning Europe, the Middle East, and the Global South.
4. The infected users included people fitting the typical high-value profile (journalists and activists), but also business leaders not overtly involved in politics.
### Supporting Evidence
- The detection rate of 2.5 per 1,000 scans is the primary quantitative metric supporting the finding of higher prevalence.
- Infections were confirmed by identifying forensic traces, such as file names unique to Pegasus.
### Novel Contributions
- Challenging the established narrative that commercial spyware like Pegasus is strictly a niche tool reserved for high-stakes geopolitical surveillance.
- Providing an empirical infection rate derived from a larger, consumer-proximate (albeit self-selecting) user base compared to typical investigative samples.
## Technical Details
The scans used threat signatures derived from published spyware research (e.g., Citizen Lab findings). Infections were confirmed by looking for identifiable traces, such as file names specific to Pegasus. The report indicates that almost none of the detected infections appeared to be active at the time of the scan. The location data showed a concentration on targets outside the United States, consistent with NSO Group's public statements that it does not target U.S. phone numbers.
## Practical Implications
### For Security Practitioners
- Practitioners should treat the risk of sophisticated commercial spyware across their entire user base or organization as potentially higher than threat models built only around well-publicized state-sponsored attacks would suggest.
### For Defenders
- Security infrastructure must evolve beyond basic malware detection to incorporate subtle, high-fidelity signatures for zero-click and advanced persistent threat (APT) spyware, since these tools may be aimed at a broader set of economically significant individuals.
- Because the population self-selecting into this study is likely already more targeted than average, the observed rate should be read as an upper bound for the general population; iVerify's position is that even a drastically lower rate would still be significant.
### For Researchers
- Further research using broader, truly randomized datasets is needed to confirm whether this elevated rate holds outside populations that are already aware of or concerned about advanced surveillance.
- Deeper analysis is required into the infection vectors used against the business leaders and other non-traditional targets observed in this dataset.
## Limitations
The primary limitation explicitly acknowledged is the **selection bias** of the dataset. Users who chose to volunteer, download, and pay for a spyware-checking app are inherently more security-conscious, or already suspect they are targets, so the results likely represent an upper bound for non-targeted populations.
## Comparison to Prior Work
Prior work, often consisting of intensive, specialized investigations (such as The Pegasus Project), has focused on identifying specific, high-profile victims. This iVerify study indicates a higher *baseline* rate of infection among non-elite yet high-value targets (business leaders alongside traditional activists), suggesting that the market for this surveillance technology is wider than politically focused investigations portray.
## Real-world Applications
- Market assessment for mobile threat detection vendors.
- Re-evaluation of mobile threat modeling for executive protection programs worldwide.
## Future Work
- Conducting scans on a statistically random, non-volunteering population sample.
- Investigating the specific delivery mechanisms used for the infections observed in the Global South and business sectors.
## References
- NSO Group’s statements on targeting limitations (as reported by WP).
- Research from Citizen Lab (University of Toronto) regarding spyware signatures.