Digital Forensics Dispatch

Digital Forensics Blog
by Sensei Enterprises, Inc.

Mobile Forensics: Detecting Pegasus Spyware

May 19, 2022

Harry Cassin of the FCPA Blog recently wrote an article about discovering Pegasus spyware on a device. The spyware was found during a routine scan of his devices. Pegasus is commercial spyware attributed to the NSO Group; once installed, it gives the operator access to essentially everything on the device, including the camera and microphone and the phone's real-time GPS location.

Pegasus is no joke and is a serious concern from a device-security standpoint. It is typically delivered through a “zero-click” exploit, meaning the victim does not have to tap or open anything, and it has been spread over iMessage and WhatsApp. Cassin writes, “Detecting Pegasus can be difficult. According to [Gavin] de Becker [a security expert], if a device is turned off or stops transmitting information, Pegasus can self-destruct, leaving little or no trace it ever existed.”

The Pegasus spyware has been found mainly on the devices of journalists and activists, especially those who report on corruption. The good news is that there are methods available to help determine whether a device has been compromised by Pegasus.

The free Mobile Verification Toolkit (MVT), published by Amnesty International’s Security Lab, can scan a device (in practice, a backup or file-system dump taken from it) for known indicators of Pegasus. The tool runs on the command line, and Amnesty includes a warning for users: they should be familiar with command-line tools and understand the basics of forensic analysis. To quote the warning, “This is not intended for end-user self-assessment. If you are concerned with the security of your device please seek expert assistance.”
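To make the kind of check MVT performs concrete, here is an added example (not MVT's own code and not from the original post) that does the same thing in miniature: it parses a STIX2 indicator bundle in the shape Amnesty publishes, then matches records that a backup would yield (Safari history, SMS messages, a process list) against the domain, e-mail and process indicators. Every indicator value, record and timestamp below is constructed for the example; the `.invalid` domains are placeholders and not real Pegasus infrastructure.

```python
import json
import re
from urllib.parse import urlparse

# Constructed STIX2-style bundle in the layout Amnesty's pegasus.stix2 uses.
# All values are placeholders (reserved .invalid TLD), NOT real indicators.
SAMPLE_STIX2 = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-0000-0000-000000000001",
    "objects": [
        {"type": "indicator", "name": "example-domain",
         "pattern": "[domain-name:value = 'update-srv.ioc-example.invalid']"},
        {"type": "indicator", "name": "example-process",
         "pattern": "[process:name = 'examplehelperd']"},
        {"type": "indicator", "name": "example-email",
         "pattern": "[email-addr:value = 'sender@ioc-example.invalid']"},
    ],
})

# Constructed records resembling what a backup parser extracts; not a real device.
SAMPLE_RECORDS = [
    {"module": "safari_history", "ts": "2022-05-01 09:14:02",
     "url": "https://news.example.org/story"},
    {"module": "safari_history", "ts": "2022-05-01 09:15:40",
     "url": "https://cdn.update-srv.ioc-example.invalid/x?id=1"},
    {"module": "sms", "ts": "2022-05-02 18:03:11", "sender": "+10000000000",
     "text": "Your package: https://track.example.org/abc"},
    {"module": "sms", "ts": "2022-05-02 18:07:55", "sender": "sender@ioc-example.invalid",
     "text": "Open this https://update-srv.ioc-example.invalid/v"},
    {"module": "processes", "ts": "", "name": "examplehelperd"},
    {"module": "processes", "ts": "", "name": "SpringBoard"},
]

# Simple STIX pattern: [object-type:property = 'value']
PATTERN_RE = re.compile(r"\[(?P<obj>[a-z-]+):(?P<prop>[a-z_.]+)\s*=\s*'(?P<val>[^']*)'\]")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def load_indicators(stix_text):
    """Group indicator values by STIX object type, e.g. {'domain-name': {...}}."""
    iocs = {}
    for obj in json.loads(stix_text).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = PATTERN_RE.fullmatch(obj.get("pattern", "").strip())
        if m:
            iocs.setdefault(m["obj"], set()).add(m["val"].lower())
    return iocs


def extract_host(url):
    """Hostname of a URL, lower-cased; tolerates a bare host without scheme."""
    host = urlparse(url if "://" in url else "http://" + url).hostname
    return (host or "").lower()


def scan(records, iocs):
    """One detection per (record, matched indicator); subdomains of an IOC domain count."""
    domains = iocs.get("domain-name", set())
    emails = iocs.get("email-addr", set())
    procs = iocs.get("process", set())
    hits = []

    def add(rec, kind, value):
        hits.append({"module": rec["module"], "ts": rec.get("ts", ""),
                     "ioc_type": kind, "ioc": value, "record": rec})

    for rec in records:
        urls = []
        if rec["module"] == "safari_history":
            urls = [rec["url"]]
        elif rec["module"] == "sms":
            urls = URL_RE.findall(rec.get("text", ""))
            if rec.get("sender", "").lower() in emails:
                add(rec, "email-addr", rec["sender"].lower())
        elif rec["module"] == "processes":
            if rec["name"].lower() in procs:
                add(rec, "process", rec["name"].lower())
        for url in urls:
            host = extract_host(url)
            for d in sorted(domains):
                if host == d or host.endswith("." + d):
                    add(rec, "domain-name", d)
    return hits


def count_by_module(hits):
    """Detections per module, the summary an analyst reads first."""
    counts = {}
    for h in hits:
        counts[h["module"]] = counts.get(h["module"], 0) + 1
    return counts


if __name__ == "__main__":
    detections = scan(SAMPLE_RECORDS, load_indicators(SAMPLE_STIX2))
    for h in detections:
        print(f"{h['ts'] or '(no timestamp)':<20} {h['module']:<15} {h['ioc_type']:<12} {h['ioc']}")
    print(count_by_module(detections))
```

Against a real device the same matching is what MVT does at scale: you take an encrypted iTunes/Finder backup, decrypt it with `mvt-ios decrypt-backup`, and run `mvt-ios check-backup --iocs pegasus.stix2 --output <results-dir> <decrypted-backup>`; anything that matches is written to the `*_detected.json` files and `timeline_detected.csv` in the results directory, which is what an analyst reviews. Note that a subdomain match is deliberate here, since a domain indicator is meant to cover the hosts beneath it; a plain substring match would also flag unrelated domains that merely contain the indicator text.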

If you are concerned about the spyware and are not comfortable running a command-line tool, there is a more user-friendly option available through the company iMazing. Information on detecting Pegasus and other spyware on iPhones and iPads is available on iMazing's site.

There are some general practices users can follow to help prevent infection of their devices. Most often, malware is delivered through links and attachments, so it is good security practice NEVER to click a link sent to your device or open an attachment you were not expecting. Keep in mind, though, that a zero-click exploit of the kind used by Pegasus needs no action from the victim at all, so this habit does not stop it; installing operating-system updates promptly, which close the vulnerabilities such exploits rely on, matters just as much.

Cassin offers some other wise words of advice in his post about keeping a device secure.

If you need assistance with device scans or malware/spyware detection, please contact Sensei Enterprises at 703-359-0700.

Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology