What journalists should know about detecting and mitigating Pegasus spyware


Photo by Thought Catalog. CC-BY-2.0

At Freedom of the Press Foundation, we assist journalists with their digital security habits to help them work more safely and sustainably. So we take it a little personally when private spyware companies actively make journalists less safe by selling their services to repressive governments. We are now learning more about the deployment of Pegasus, a spyware tool developed by an Israeli company called NSO Group and sold to governments around the world. Recently we learned of more examples of this dangerous capability through the Pegasus Project, an international investigative collaboration revealing widespread government use of paid malware services to spy on business leaders, human rights defenders, journalists, and others. We want to highlight some resources journalists should be aware of to help detect and mitigate these threats.

Background on Pegasus

Pegasus is built to exploit security vulnerabilities in mobile phones, giving government clients remote access to targeted users’ call logs, messages, contact lists, location, and smartphone cameras and microphones. We are learning that even fully patched mobile devices may be vulnerable to so-called “zero-click” attacks, which allow Pegasus to take over a device simply because it received a specially crafted message from the attacker, with no action by the user. Through disclosures in prior security analyses from Citizen Lab and others, we have known for years that these tools were being used to target dissidents and journalists, despite NSO Group’s denials.

NSO Group says +1 phone numbers commonly found in the U.S. and Canada cannot be targeted with Pegasus. When asked if Americans using foreign phones could be targeted, NSO spokeswoman Ariella Ben Abraham says, “It is technologically impossible,” without providing evidence. To be clear, while NSO may or may not have chosen to build this capability, we have no reason to believe Pegasus is technically incapable of targeting U.S. numbers or non-U.S. numbers within the United States.

According to the Washington Post, someone leaked a list of 50,000 potential targets of interest to Forbidden Stories, a journalism nonprofit based in France. In concert with Amnesty International, Forbidden Stories shared this list with more than 80 journalists across 17 media organizations working under the moniker the Pegasus Project. Amnesty also conducted an analysis of 67 of the devices on this list, finding that 37 showed signs of attempted or successful infection. In their reporting, the Pegasus Project collaborators identified more than 1,000 people tied to targeted numbers spanning over 50 countries, including 189 journalists.

To be clear, the fact that this spyware is being used against even one journalist suggests NSO Group fails to provide adequate controls on the use of its spyware.

As we think about keeping the journalism community safe, we also think it is important to place the use of these dangerous tools in their proper context. We must not fall victim to security fatalism. There is a lot we can do to address these concerns and the truth is, the vast majority of journalists have more mundane malware threats to contend with beyond Pegasus. Let’s focus on the low-hanging fruit.

Downloading and installing security patches to all work devices without delay is still best practice, and will deter less-sophisticated attacks. Pegasus is just one particularly egregious example of a broad constellation of malware tools, most of which are remedied through regular security patches. Keep a cool head and download those updates; we are in it for the long haul.

With that said, we do want to highlight a couple of lists of publicly known cases, as well as detection tools that can help journalists learn more about whether Pegasus resides on any of their devices.

Tracking publicly-known cases

Organized Crime and Corruption Reporting Project’s case list

The Organized Crime and Corruption Reporting Project (OCCRP) put together a page identifying a subset of names affiliated with phone numbers on the target list leaked to Forbidden Stories. It provides the names and professions of potential targets. It also suggests the likely client countries associated with each target. Again, these are not necessarily confirmed victims of Pegasus — only names that appeared on the list.

Take a look at the OCCRP’s Pegasus case list.

Runa Sandvik’s case list

Security researcher Runa Sandvik has been working with the community to put together a list of known targets and victims of Pegasus spyware, as well as some details about each of the individual cases. Her spreadsheet includes names, rough dates, information about the kind of phone, whether the attempt succeeded, the client country, and related links for investigators.

Take a look at Runa Sandvik’s case list.

Detection tools

Mobile Verification Toolkit

Amnesty International’s Security Lab released a report on its forensic analysis, examining traces left on mobile devices following infection with Pegasus. While the bulk of the analysis focuses on iPhones, it’s important to note that Amnesty’s analysis highlights that Android devices are vulnerable as well — there are just fewer forensic traces to work with, so it’s harder to tell if you’ve been infected.

Amnesty released a piece of software called the Mobile Verification Toolkit to help others in the security community examine iOS and Android devices. While this is a boon to the community, for the moment it isn’t the easiest tool for most people to use and would likely require assistance from a friend with experience using the command line.

iVerify

iVerify is a mobile app designed by the team at Trail of Bits, a security engineering firm that focuses on securing organizational software and infrastructure. It walks through security threats within your device and helps to detect and mitigate those threats. Where it cannot automate this process on its own, it provides helpful guidance on how you can do so yourself.

For now, the individual version of iVerify is only supported on iOS. Find iVerify on the App Store.

Android users with the necessary background or support should consider investigating traces using the Mobile Verification Toolkit.

Need help? Reach out

We hope these resources help you keep yourself and colleagues safer. As companies like Apple and Google release security updates, we also want to remind journalists to update their devices as quickly as possible.

If you are a journalist with strong reasons to believe, or evidence, that your device has been infected with Pegasus, consider contacting our digital security team for assistance.

— Freedom of the Press Foundation Digital Security Team
