Pegasus: How to find out if your phone was infected with spyware

Pegasus spyware is once again at the center of a major controversy after a two-year hiatus. Global reports have shown that NSO Group’s software was used to spy on about 50,000 people, including political leaders, businessmen, journalists, and activists from across the world. The malware exploits zero-day vulnerabilities in the device’s operating system to spy on individuals.

Researchers at Amnesty International have developed a toolkit that can help users identify whether their phone was infected by the spyware.

Mobile Verification Toolkit works on both iOS and Android. It simplifies acquiring and analyzing data from Android devices, and analyzes records from iOS backups and filesystem dumps to identify potential traces of compromise.

Researchers noted that there are more forensic traces accessible to investigators on Apple iOS devices than on Android devices. As a result, most recent cases of confirmed Pegasus infections have involved iPhones.

Amnesty has made the open-source toolkit available on GitHub. Since the toolkit works on the command line, it requires some knowledge of how to navigate the terminal and may not be user friendly.

To install the toolkit, users need to install a Python package, following the documentation on the MVT (Mobile Verification Toolkit) website. The documentation also includes step-by-step instructions for both iOS and Android. Before running MVT, users have to take a backup of their iOS device.
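As an added example, not taken from the article or from Amnesty's MVT project, the self-check described above scripted for the iOS backup path. It assumes a current MVT release (whose check commands automatically load indicators fetched with download-iocs) and libimobiledevice's idevicebackup2 are installed; the backup directory, backup password and work directory are placeholders you supply.

```shell
#!/bin/sh
# Added example: consensual check of your own iPhone backup with MVT.
# Assumes: a current mvt release (mvt-ios) and libimobiledevice's
# idevicebackup2. Paths and the password below are placeholders.
set -e

# 1. Create an encrypted full backup. Encryption must be on for the
#    backup to include protected records such as SMS/iMessage data.
take_ios_backup() {
    backup_dir="$1"; password="$2"
    mkdir -p "$backup_dir"
    idevicebackup2 encryption on "$password"
    idevicebackup2 backup --full "$backup_dir"
}

# 2. Decrypt the backup and scan it against the published Pegasus IOCs.
#    MVT writes <module>_detected.json for each module that matched and a
#    timeline_detected.csv when anything matched. Exits nonzero if flagged.
check_ios_backup() {
    backup_dir="$1"; password="$2"; work_dir="$3"
    mvt-ios download-iocs   # fetch Amnesty's STIX2 indicators (auto-loaded)
    mvt-ios decrypt-backup -p "$password" -d "$work_dir/decrypted" "$backup_dir"
    mvt-ios check-backup -o "$work_dir/results" "$work_dir/decrypted"
    summarize_detections "$work_dir/results"
}

# 3. Pure helper: count detection files in an MVT results directory.
#    Prints each flagged module, then the count; returns 0 only when clean.
summarize_detections() {
    results_dir="$1"
    count=0
    for f in "$results_dir"/*_detected.json; do
        [ -e "$f" ] || continue            # glob matched nothing
        count=$((count + 1))
        echo "flagged module: $(basename "$f" _detected.json)"
    done
    echo "$count"
    [ "$count" -eq 0 ]
}

# Usage: ./mvt_selfcheck.sh <backup_dir> <backup_password> <work_dir>
if [ "$#" -eq 3 ]; then
    take_ios_backup "$1" "$2"
    check_ios_backup "$1" "$2" "$3"
fi
```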

Amnesty pointed out that the purpose of MVT is to facilitate the ‘consensual forensic analysis’ of devices of those who might be targets of sophisticated mobile spyware attacks.

“We do not want MVT to enable privacy violations of non-consenting individuals,” Amnesty said. “Therefore, the goal of this license is to prohibit the use of MVT (and any other software licensed the same) for the purpose of adversarial forensics.”

How did they do it?

There’s nothing particularly complicated about how the Pegasus spyware infects the phones of victims. The initial hack involves a crafted SMS or iMessage that provides a link to a website. If clicked, this link delivers malicious software that compromises the device.

The aim is to seize full control of the mobile device’s operating system, either by rooting (on Android devices) or jailbreaking (on Apple iOS devices).

Usually, rooting on an Android device is done by the user to install applications and games from non-supported app stores, or re-enable a functionality that was disabled by the manufacturer.

Similarly, a jailbreak can be deployed on Apple devices to allow the installation of apps not available on the Apple App Store, or to unlock the phone for use on alternative cellular networks. Many jailbreak approaches require the phone to be connected to a computer each time it’s turned on (referred to as a “tethered jailbreak”).

Rooting and jailbreaking both remove the security controls embedded in the Android or iOS operating systems. They are typically a combination of configuration changes and a “hack” of core elements of the operating system to run modified code. In the case of spyware, once a device is unlocked, the perpetrator can deploy further software to secure remote access to the device’s data and functions. The user is likely to remain completely unaware.

Most media reports on Pegasus relate to the compromise of Apple devices. The spyware infects Android devices too, but isn’t as effective, as it relies on a rooting technique that isn’t 100% reliable. When the initial infection attempt fails, the spyware supposedly prompts the user to grant the relevant permissions so it can be deployed effectively.

(Agencies)


The Indian Panorama - Best Indian American Newspaper in New York & Dallas