Over the weekend, an international media consortium reported that several authoritarian governments including Mexico, Morocco and the UAE used spyware developed by the NSO Group to attack the phones of thousands of their most vocal critics, including journalists, activists, politicians and business executives.
A leaked list of 50,000 phone numbers of potential surveillance targets was obtained by the Paris-based nonprofit journalism organization Forbidden Stories and Amnesty International and shared with the reporting consortium, which included The Washington Post and The Guardian. The researchers analyzed the phones of dozens of victims to confirm that they were targeted by NSO's Pegasus spyware, which can gain access to all of the data on a person's phone. The reports also reveal new details about NSO Group's government clients, which the company keeps closely guarded. Hungary, a member of the European Union, where privacy from surveillance is supposed to be a fundamental right for its 500 million residents, has been named as an NSO client.
The report shows for the first time how many individuals are potential targets of NSO's device-level intrusive surveillance. Previous reporting had put the number of known victims in the hundreds, or at more than a thousand.
NSO Group vehemently denied the allegations. The NSO has long said it does not know who its customers are targeting, which it reiterated in a statement to TechCrunch on Monday.
Researchers at Amnesty International, whose work was reviewed by Citizen Lab at the University of Toronto, found that NSO could deliver Pegasus to a victim either by sending a link that, when opened, infects the phone, or silently and without any interaction at all through a "zero-click" exploit that takes advantage of vulnerabilities in the iPhone's software. Citizen Lab researcher Bill Marczak said in a tweet that NSO's zero-clicks worked on iOS 14.6, which at the time was the most up-to-date version.
Amnesty researchers showed their work by publishing detailed technical notes and a toolkit that they said could help others identify whether their phones were targeted by Pegasus.
The Mobile Verification Toolkit, or MVT, works on both iPhone and Android devices, but slightly differently. Amnesty said more forensic traces were found on iPhones than on Android devices, which makes detection on the iPhone easier. MVT lets you take a full backup of your iPhone (or a full system dump if you jailbreak your phone) and search it for any indicators of compromise (IOCs) known to be used by NSO to deliver Pegasus, such as domain names used in NSO's infrastructure that may be sent by text message or email. If you have an encrypted iPhone backup, you can also use MVT to decrypt your backup without having to make a brand new copy.
The toolkit works on the command line, so it is not a refined and sleek user experience and requires some basic knowledge of how to navigate the terminal. We got it working in about 10 minutes, plus the time to create a backup of an iPhone, which you will want to do if you want the check to be up to date. To get the tool ready to scan your phone for signs of Pegasus, you will need to feed in Amnesty's IOCs, which it publishes on its GitHub page. Whenever the indicators of compromise file is updated, download and use the updated copy.
Once you have started the process, the toolkit scans your iPhone backup file for any evidence of compromise. The process took about a minute or two to run and spat out several files in a folder with the scan results. If the toolkit finds a possible compromise, it will say so in the output files. In our case, we got one "detection", which turned out to be a false positive and has since been removed from the IOCs after we checked with Amnesty's researchers. A new scan using the updated IOCs returned no signs of compromise.
As it is more difficult to detect an Android infection, MVT takes a similar but simpler approach by scanning your Android device for text messages containing links to domains known to be used by NSO. The toolkit also lets you scan for potentially malicious applications installed on your device.
While the toolkit's command line tools are relatively simple to use, the project is open source, so it will not be long before someone builds a user interface for it. The project's detailed documentation will help you, as it helped us.
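As an added illustration of the kind of check described above (matching links in messages against a domain IOC list), here is a small example that is not part of the article or of MVT itself; the IOC domains and the sample messages are constructed placeholders, not real NSO infrastructure.

```python
import re
from urllib.parse import urlparse

# Constructed placeholder IOC domains, standing in for a published indicator
# feed such as Amnesty's. These are NOT real NSO Group domains.
IOC_DOMAINS = {"example-ioc.invalid", "pegasus-stage.example"}

# Constructed sample messages in the shape a backup scan would read back.
SAMPLE_SMS = [
    {"id": 1, "text": "Your package is waiting: https://track.example-ioc.invalid/x7"},
    {"id": 2, "text": "Lunch tomorrow?"},
    {"id": 3, "text": "see http://pegasus-stage.example/login and http://safe.example.org/"},
    {"id": 4, "text": "news at https://notexample-ioc.invalid/story"},
]

URL_RE = re.compile(r"\bhttps?://[^\s<>]+", re.IGNORECASE)


def domain_matches(host, iocs):
    """True if host equals an IOC domain or is a subdomain of one.
    A naive substring check would wrongly flag notexample-ioc.invalid,
    so match on whole labels only."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in iocs)


def extract_hosts(text):
    """Pull the hostnames out of every http(s) URL found in a message."""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.append(host)
    return hosts


def scan_messages(messages, iocs):
    """Return (message id, matched host) for each message linking to an IOC domain."""
    hits = []
    for msg in messages:
        for host in extract_hosts(msg["text"]):
            if domain_matches(host, iocs):
                hits.append((msg["id"], host))
    return hits


if __name__ == "__main__":
    for msg_id, host in scan_messages(SAMPLE_SMS, IOC_DOMAINS):
        print(f"message {msg_id}: link to known IOC domain {host}")
```

Re-running the scan with a refreshed IOC set, as the article describes, is just a matter of replacing the domain set; a domain dropped from the feed stops matching on the next run.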
