How widespread is mercenary spyware? More than you think

A targeted hunt on 2,500 mobile devices for indicators of compromise associated with mercenary spyware has revealed that its use is not as rare as one would hope.

The results of the hunt

Earlier this year, iVerify added a “Mobile Threat Hunting” feature to its mobile device security solution for Android-based phones and iPhones and urged users to try it out.

2,500 of them did, and six (possibly seven) discovered that they’ve been infected with NSO Group’s Pegasus malware.

“Our analysis revealed a complex timeline of compromise: one exploit from late 2023 on iOS 16.6, another potential Pegasus infection in November 2022 on iOS 15, and five older infections dating back to 2021 and 2022 across iOS 14 and 15. Each of these represented a device that could have been silently monitored, its data compromised without the owner’s knowledge,” the company shared.

Granted, the sample is biased: the devices belonged to iVerify users who are both more likely to be targeted with spyware and more likely to implement rigorous security measures, Matthias Frielingsdorf, VP of Research at iVerify, told Help Net Security.

“I would not expect the prevalence of mercenary spyware to be this high in the general population; even so, if you give this number a huge haircut, say 90%, it’s still a staggering amount of malware infections, especially considering the common narrative that mobile malware is extremely rare.”

Frielingsdorf explained that iVerify’s detections are based on a combination of signatures associated with malware, heuristics that spot when the device is engaging in behavior that strongly suggests the presence of malware, and machine learning that tells them when a device is deviating from its typical state.

“We have indicators associated with all the major vendors and strains of commercial spyware, as well as with APT groups,” he shared. Sometimes, though, the indicators don’t point to known malware/spyware, but are still enough to say that the device is very likely compromised.

The owners of the compromised devices revealed by this hunt – government officials, journalists, human rights activists, and corporate executives – were, of course, notified of the infection.

Prevent and detect mercenary spyware infections

Smartphone users are unlikely to suspect they have been saddled with spyware, as the malware is usually delivered via zero-click exploits.

Possible tell-tale signs could be a slowing down of the device, a rapid loss of battery power or overheating, but these things can happen on phones from time to time even without the presence of malware, Frielingsdorf noted. “That is the value proposition of spyware vendors: in almost all cases, a user won’t notice that their devices have been infected.”

Users who are at higher risk of being targeted with mercenary spyware are advised to activate Lockdown Mode (available only on Apple devices), as it is known to have blocked some attacks.

In general, both iPhone and Android phone users should regularly update their devices, set up a passcode, install apps only from official app stores, refrain from clicking on links or attachments from unknown senders, and install a mobile security solution that can detect malware and check whether the device has been rooted.

Rebooting one’s mobile device daily is also a good idea, because mercenary spyware often has no persistence capability. This forces attackers to re-infect the device over and over again and, as Kaspersky researchers discovered, they might occasionally give up.

Security researchers and tech-savvy users have other ways to verify whether a device has been compromised by mercenary spyware, e.g., by using Amnesty International’s Mobile Verification Toolkit or Kaspersky’s iShutdown utility.

“The iVerify [Basic] App does not have the privileges to uninstall the malware. In case an infection is found we will display to the user steps that can be taken to remove it,” Frielingsdorf told us.

“Our enterprise solution does have the capability to take action on the device should that be utilized by the organization.”

Activists, journalists, human rights defenders, or members of a civil society group who suspect they might have been infected with spyware can also contact Access Now for help.
