Pegasus: Amnesty releases new tool to check whether invasive spyware is secretly installed on a phone

The spyware could have been installed using a ‘zero-click’ exploit, so users would have no idea it was on their phone

Adam Smith
Tuesday 20 July 2021 05:47 EDT
NSO Group’s Pegasus spyware, licensed to governments around the globe, can infect phones without a click (AFP via Getty Images)

Amnesty International has released a toolkit to help people find out if their phone was secretly monitored by Pegasus, the military-grade spyware that targeted human rights activists, journalists, and lawyers around the world.

The software scans devices for the small clues that are left behind if a phone is infected by the Pegasus spyware.

A leaked list of 50,000 phone numbers was obtained by journalism non-profit Forbidden Stories and Amnesty before being shared with the media.

The spyware, built by Israeli firm NSO Group, can be used to record calls, copy and send messages or even film people via phone cameras. It can be, and has been, used to target both Apple iOS and Android devices.

NSO Group denied “false claims” made in the report, as did the governments of Hungary, Morocco, India, and Rwanda that have allegedly used the technology.

Early versions of the software required targets to click malicious links, giving unauthorised persons access to the victim’s private data, including passwords, calls, texts and emails, but experts believe the software has advanced so that targets do not have to click any link to have the spyware installed.

Amnesty’s researcher toolkit, the Mobile Verification Toolkit (MVT), works on both iOS and Android devices to help users find out if they have been targeted. It uses a device backup and searches it for any indicators of compromise that would be used to deliver Pegasus, such as domain names used in NSO Group infrastructure.

If an iPhone backup is encrypted, the MVT can be used to decrypt it without having to make another copy.

The toolkit is run from the command line and requires basic knowledge of how to navigate the terminal. TechCrunch said it took approximately 10 minutes to have the tool operational.

When it is started, the toolkit scans a backup of the phone for any evidence that it has been hacked. It takes a minute or two to do so, and creates a number of files that show the results of the scan – if the phone is potentially compromised, those files will say so.
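The indicator matching described above, searching records pulled from a backup for known domain names, can be sketched as follows. This is an added example, not MVT's own code: the function names, the indicator domains and the sample records are all constructed for illustration.

```python
# Added illustration: match URLs recovered from a phone backup against a
# list of indicator domains. All domains and records below are constructed.
from urllib.parse import urlsplit

# Constructed indicator list (reserved names, not real infrastructure).
INDICATOR_DOMAINS = {"bad-cdn.example", "tracker.invalid"}

# Constructed records standing in for browser history and message links
# extracted from a backup: (source, timestamp, url).
RECORDS = [
    ("safari_history", "2021-07-01T10:02:11Z", "https://news.example.org/story"),
    ("sms", "2021-07-02T08:15:40Z", "https://a1.Bad-CDN.example:30495/x?id=7"),
    ("safari_history", "2021-07-03T21:44:05Z", "http://notbad-cdn.example/login"),
    ("sms", "2021-07-04T06:30:00Z", "tracker.invalid/redirect"),
    ("sms", "2021-07-05T12:00:00Z", "not a url at all"),
]

def host_of(url):
    """Return the lower-cased hostname of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "//" + url  # lets urlsplit treat the first part as the host
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    return host.lower().rstrip(".") if host else None

def matched_indicator(host, indicators):
    """Match the host or any parent domain, on label boundaries only."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None

def scan(records, indicators=INDICATOR_DOMAINS):
    """Return one detection dict per record whose host matches an indicator."""
    detections = []
    for source, timestamp, url in records:
        host = host_of(url)
        hit = matched_indicator(host, indicators) if host else None
        if hit:
            detections.append({"source": source, "timestamp": timestamp,
                               "url": url, "indicator": hit})
    return detections

if __name__ == "__main__":
    for detection in scan(RECORDS):
        print(detection)
```

Matching on whole domain labels catches subdomains of an indicator while leaving a lookalike such as `notbad-cdn.example` unflagged, which a plain substring search would report as a false positive.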

While NSO Group has denied the report, Amnesty International Security Lab said its forensic analyses found results that were “consistent with past analyses of journalists targeted through NSO’s spyware, including the dozens of journalists allegedly hacked in the UAE and Saudi Arabia and identified by Citizen Lab in December of last year”.

Claudio Guarnieri, director of Amnesty International’s Security Lab, said: “There are a bunch of different pieces, essentially, and they all fit together very well. There’s no doubt in my mind that what we’re looking at is Pegasus because the characteristics are very distinct and all of the traces that we see confirm each other.”
