The big picture: Pegasus spyware developed by Israeli cyber-intelligence firm NSO Group has been infecting Android and iOS devices for more than a decade. The sophisticated spy software is difficult to detect, often requiring specialized forensic skills that were not cheap to obtain. As a result, a narrative developed that Pegasus was a rare threat and really only something that high-profile targets like journalists and political activists had to be concerned about. A recent investigation from iVerify, however, suggests this assumption might not be entirely accurate.
The mobile threat hunting company rolled out a new feature back in May 2024 that allows customers to conduct a professional-grade security scan of their mobile device without having to consult a forensics expert. Of the 2,500 self-initiated scans, Pegasus was discovered on seven devices.
Sure, seven installations out of 2,500 isn't overwhelming (it is fewer than 0.28 percent of all scans). What's more, the sample size is relatively small and is a bit skewed because it involves targeted users that already have an interest in device security. Still, it is noteworthy.
iVerify COO Rocky Cole told Wired that the people targeted are not just high-profile journalists or activists, but also business leaders, people running commercial enterprises, and government leaders.
"It looks a lot more like the targeting profile of your average piece of malware or your average APT group than it does the narrative that's been out there that mercenary spyware is being abused to target activists," Cole said. "It is doing that, absolutely, but this cross section of society was surprising to find."
The infections spanned a range of operating system versions and installation timelines as well. One instance was installed in late 2023 on iOS 16.6 while another originated in November 2022 on iOS 15. The five others dated back to 2021 across iOS 14 and iOS 15. In all cases, Pegasus was undetected by traditional security measures.
iVerify co-founder Matthias Frielingsdorf will be presenting the firm's full findings at the Objective by the Sea security conference later this week.
Those interested in scanning their device can do so by downloading the iVerify Basic app. It sells for $0.99 and includes the option to conduct a one-time threat hunt in about five minutes. iVerify also offers EDR and Elite-level subscriptions for corporate, government, and other high-value targets.