Cheap Phone Scanner Shows Lots Of People Are Still Being Targeted By NSO Group Spyware

Techdirt. 2024-12-11

NSO Group may be on the ropes but its flagship product continues to satisfy its customers — customers that include some of the worst human rights abusers in the world.

Sure, recent developments have managed to land the company on US blacklists and forced the Israeli government to limit who the home team can sell to, but there’s nothing out there preventing existing customers from continuing to use the tech they’ve paid for.

What’s a little more surprising is that it might not take a dedicated team of security researchers to uncover a Pegasus infection. These have been notoriously difficult to identify, especially when the malware is deployed in its preferred zero-click form, which means infections don’t require risky clicks by potential targets. And those targets are many and varied: they range from legitimate targets, like terrorists and other criminals, to others that have put NSO Group in the crosshairs of international headlines: journalists, opposition leaders, dissidents, lawyers, diplomats, and the occasional ex-wife of UAE royalty.

This recent report from Lily Newman for Wired says it’s possible to detect Pegasus infections with a minimal cash outlay and a complete lack of security research skills.

On Tuesday, the mobile device security firm iVerify is publishing findings from a spyware detection feature it launched in May. Of 2,500 device scans that the company’s customers elected to submit for inspection, seven revealed infections by the notorious NSO Group malware known as Pegasus.

The company’s Mobile Threat Hunting feature uses a combination of malware signature-based detection, heuristics, and machine learning to look for anomalies in iOS and Android device activity or telltale signs of spyware infection. For paying iVerify customers, the tool regularly checks devices for potential compromise. But the company also offers a free version of the feature for anyone who downloads the iVerify Basics app for $1.

Now, if you’re like me, you might find that last sentence confusing. But it’s a free service that’s available if phone users pay $1 to download the app. The scan is apparently a separate function if you’re not paying for the premium version — one that’s limited to a certain number of scans per month. It also requires users to send a diagnostic file to iVerify and provide an email address for the company to use to send back the diagnosis. It’s not an active scan. It’s far more passive. And it has a few limitations, most of which are due to limitations built into phones to prevent malware infections or other abuses of system processes.

iVerify’s research VP Matthias Frielingsdorf says the same thing that makes this scan capable of detecting infections is somewhat related to the actions that lead to Pegasus malware compromising phones.

He says that it took significant investment to develop the detection tool because mobile operating systems like Android, and particularly iOS, are more locked down than traditional desktop operating systems and don’t allow monitoring software to have kernel access at the heart of the system. Cole says that the crucial insight was to use telemetry taken from as close to the kernel as possible to tune machine learning models for detection. Some spyware, like Pegasus, also has characteristic traits that make it easier to flag. In the seven detections, Mobile Threat Hunting caught Pegasus using diagnostic data, shutdown logs, and crash logs. But the challenge, Cole says, is in refining mobile monitoring tools to reduce false positives.
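To make the quoted approach concrete, here is an added example (not iVerify’s code, and not anything from the Wired report) of the kind of heuristic triage that can be run over one of the artifacts named above, a shutdown log listing processes still alive when the phone powered off. The log format is a simplified, constructed stand-in for the real iOS shutdown log, the allow-list of expected binary locations is an assumption for illustration, and the paths in the sample log are made up; the point is the logic: flag binaries running from unexpected locations, and require the anomaly to recur across several shutdowns before asking a human to review it, which is one simple way to keep false positives down.

```python
"""Heuristic triage of shutdown-log style entries (added example, not iVerify's tool).

The line format, the allow-list and every path below are constructed for
illustration; a real analysis would use the device's actual shutdown log.
"""
import re
from collections import defaultdict

# Assumed allow-list: where legitimately running binaries are expected to live.
EXPECTED_PREFIXES = (
    "/usr/",
    "/System/",
    "/Applications/",
    "/private/var/containers/Bundle/Application/",
)

# Constructed line shape: "remaining client pid: <pid> (<path>)".
LINE_RE = re.compile(r"remaining client pid:\s*(\d+)\s*\((?P<path>[^)]+)\)")
# Constructed marker that starts each shutdown event in the sample log.
SHUTDOWN_MARKER = "SIGTERM"


def parse_shutdown_log(text):
    """Split the log into shutdown events; each event is a list of (pid, path)
    for processes that were still running when that shutdown happened."""
    events = []
    current = None
    for line in text.splitlines():
        if line.startswith(SHUTDOWN_MARKER):
            current = []
            events.append(current)
            continue
        m = LINE_RE.search(line)
        if m and current is not None:
            current.append((int(m.group(1)), m.group("path")))
    return events


def triage(events, expected_prefixes=EXPECTED_PREFIXES, min_recurrence=2):
    """Score each binary path that runs from outside the allow-list.

    A path seen in at least `min_recurrence` distinct shutdowns is marked
    "review"; a one-off is marked "low" so a single odd crash or update does
    not by itself raise an alert.
    """
    seen_in = defaultdict(set)
    for idx, procs in enumerate(events):
        for _pid, path in procs:
            if not path.startswith(expected_prefixes):
                seen_in[path].add(idx)
    findings = []
    for path, idxs in seen_in.items():
        count = len(idxs)
        verdict = "review" if count >= min_recurrence else "low"
        findings.append({"path": path, "shutdowns": count, "verdict": verdict})
    findings.sort(key=lambda f: (-f["shutdowns"], f["path"]))
    return findings


# Constructed sample log: three shutdowns; one unexpected binary recurs twice,
# another appears only once.
SAMPLE_LOG = """\
SIGTERM: [0x1] shutdown 2024-12-01 08:00:00
remaining client pid: 101 (/usr/libexec/example-daemon)
remaining client pid: 202 (/private/var/tmp/.hidden/updater)
SIGTERM: [0x2] shutdown 2024-12-02 09:15:00
remaining client pid: 103 (/usr/libexec/example-daemon)
remaining client pid: 210 (/private/var/tmp/.hidden/updater)
remaining client pid: 333 (/private/var/db/oneoff/helper)
SIGTERM: [0x3] shutdown 2024-12-03 21:40:00
remaining client pid: 104 (/usr/libexec/example-daemon)
"""

if __name__ == "__main__":
    for finding in triage(parse_shutdown_log(SAMPLE_LOG)):
        print(finding)
```

Run as-is, the recurring unexpected binary comes out as "review" and the one-off as "low". The recurrence threshold is the crude stand-in for the tuning work the quote describes: a single anomalous entry is weak evidence on its own, and the real cost of a tool like this is in deciding which combinations of signals across diagnostic data, shutdown logs and crash logs justify bothering a human.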

So, there’s a chance some of these detected infections may not be infections at all. And finding 7 infections in 2,500 scans may not seem like much, but it’s probably a higher ratio than most people would expect, especially since millions of phone users are pretty sure they’re not being targeted by industrial-grade spyware distributed by a single Israeli tech firm.

On the other hand, there’s some bias in these numbers. The 2,500 scans come from people who are apparently concerned enough about possible infections to shell out a buck to soothe their minds/confirm their fears. What’s kind of unusual is that some of the detected infections were found in phones possessed by business execs, a demographic that hasn’t tended to crop up much when discussing abusive malware deployments by NSO Group’s customers.

But others are more of the same. iVerify said it detected possible attacks/infections targeting phones used by two Harris-Walz campaign officials. Almost certainly, the US government is not behind these infections. But it’s still a problem. NSO Group has sworn up and down it has configured its malware to make it all but impossible to target US persons’ phones. If these infections are confirmed, it will just be more data confirming NSO can’t be trusted to build “secure” (as it were) malware, much less be trusted to be honest about what limits it has or hasn’t placed on its flagship phone infectant.