How to mitigate your risk of being subject to Pegasus surveillance
Over 30,000 human rights activists, journalists and lawyers across the world may have been targeted using Pegasus (source: The Pegasus Project, 2021). While it's important to note that Pegasus is an expensive toolkit ($2.5 million for an Android zero-click infection chain with persistence), if a human rights defender (HRD) is an important target for a country, it is likely just a matter of time and resources before that defender's device gets infected.
Mitigation techniques
Government-grade spyware can be more difficult to detect. However, as noted in a guide on Pegasus published by Kaspersky, there are some actions you can take to mitigate the risk of being subject to such surveillance, based on current research and findings:
- Reboots: Reboot your device daily to prevent persistence from taking hold. Most observed infections appear to have relied on zero-day exploits with little or no persistence, so rebooting can hamper attackers.
- Disable iMessage and FaceTime (iOS): As features enabled by default, iMessage and FaceTime are attractive avenues for exploitation. A number of new Safari and iMessage exploits have been developed in recent years.
- Use a browser other than Safari or the default Chrome: Some exploits do not work well on alternatives such as Firefox Focus.
- Use a trusted, paid VPN service, and install an app that warns when your device has been jailbroken. Some AV apps will perform this check.
It is also recommended that individuals who suspect a Pegasus infection make use of a secondary device, preferably running GrapheneOS, for secure communication. (source)
If you think you may have spyware on your device, you can contact share@amnesty.tech to ask about next steps. You can also reach out to the Access Now Helpline anytime (24/7): https://www.accessnow.org/help/
Research on Pegasus, and other spyware
Research by Citizen Lab on the use of Pegasus to monitor human rights defenders and journalists.
Forensic Methodology Report: How to catch NSO Group's Pegasus (2021), by Amnesty International. See also this blog post summarizing the team's latest investigation, focused on the company widely known as the 'Intellexa Alliance'.
Pegasus Project - Individuals listed, targeted, or compromised - This spreadsheet tracks individuals targeted with NSO’s Pegasus. This includes individuals who are (a) on a list as a person of interest, (b) known to have been targeted, and (c) known to have been compromised.
A 10-minute video about how Pegasus Spyware works, from the 2021 Pegasus Project
Countries known to have purchased and used Pegasus
Americas
- El Salvador - Pegasus found on devices of journalists (Source: Wikipedia)
- Dominican Republic - Pegasus found on devices of journalists (Source: Amnesty International)
- Mexico - Pegasus found on devices of political opposition, activists (Source: Wikipedia)
- Panama - Pegasus found on devices of political opposition (Source: Wikipedia)
- United States - "In the United States, the FBI confirmed the purchase of a 'limited license' of the spyware but said there had been 'no operational use in support of any investigation,' and that it used the software 'for product testing and evaluation only.'" (Source: Forbidden Stories)
Africa
- Djibouti - In 2018, the U.S. Central Intelligence Agency purchased Pegasus for the Djibouti government to conduct counter-terrorism operations (despite Djibouti's poor human rights record). (Source: Wikipedia)
- Rwanda - Pegasus found on devices of activists (Source: Wikipedia)
- Togo - Pegasus found on devices of political opposition (Source: Wikipedia)
- Uganda - Pegasus found on devices of foreign diplomats (Source: Wikipedia)
Middle East, North Africa and Gulf
- Bahrain - Pegasus found on devices of activists, bloggers (Source: Wikipedia)
- Iraq - Pegasus found on devices of political opposition, journalists, activists (Source: Wikipedia)
- Israel/Palestine - Pegasus found on devices of journalists, activists (Source: Amnesty International)
- Jordan - Pegasus found on devices of activists (Source: Wikipedia)
- Morocco - Pegasus found on devices of political opposition, activists (Source: Wikipedia)
- Saudi Arabia - Pegasus found on devices of political opposition, activists, journalists (Source: Wikipedia)
- United Arab Emirates - Pegasus found on devices of activists, journalists, lawyers (Source: Wikipedia)
Europe and Central Asia
- Armenia - Pegasus found on devices of political opposition (Source: Wikipedia)
- Azerbaijan - Pegasus found on devices of journalists and activists (Source: Wikipedia)
- Germany - Pegasus is in use by the German Federal Criminal Police Office (BKA) (Source: Wikipedia)
- Hungary - Pegasus found on devices of political opposition, journalists, lawyers (Source: Wikipedia)
- Kazakhstan - Pegasus found on devices of journalists, activists (Source: Wikipedia)
- Netherlands - Pegasus used to spy on a high-profile criminal (Source: Wikipedia)
- Poland - Pegasus found on devices of political opposition, journalists (Source: Wikipedia)
- Spain - Pegasus found on devices of political opposition (Source: Wikipedia)
Asia
- India - Pegasus found on devices of political opposition, activists (Source: Wikipedia)
- Thailand - Pegasus found on devices of political opposition, activists (Source: Wikipedia)
Other spyware
QuaDream (iPhone spyware)
A new investigation reveals how QuaDream, an Israeli cyber mercenary company with close ties to Israeli intelligence agencies, used malicious calendar invites to hack civil society in various regions, including West Asia and North Africa. Full report by Citizen Lab can be found here.
BouldSpy (Android spyware)
The Iranian government has been using the BouldSpy Android malware to spy on minority groups in the country and monitor arms, alcohol, and drugs trafficking. (Source: Security Week)
Predator (Android spyware)
Predator is a commercial Android spyware, which is marketed by the Israeli company Intellexa. (Source: Hacker News)
Candiru (iPhones, Androids, Macs, PCs, and cloud accounts)
Candiru is a secretive Israel-based company that sells spyware exclusively to governments. Reportedly, their spyware can infect and monitor iPhones, Androids, Macs, PCs, and cloud accounts. As part of their investigation, Microsoft observed at least 100 victims in Palestine, Israel, Iran, Lebanon, Yemen, Spain, United Kingdom, Turkey, Armenia, and Singapore. Victims include human rights defenders, dissidents, journalists, activists, and politicians. (Source: The Citizen Lab)
BadBazaar (Android spyware)
Security researchers have uncovered malicious apps masquerading as Signal and Telegram. The apps are being distributed on the Google Play Store and the Samsung Galaxy Store. The fake apps, "Signal Plus Messenger" and "FlyGram", impersonate Signal and Telegram respectively, and both are aimed at delivering the "BadBazaar" spyware, which has been attributed to a Chinese state actor. BadBazaar has been found to track and monitor victims while exfiltrating sensitive data such as call logs, messages and location information. Once a device is infected, the attacker can link to and collect data from the real Signal and Telegram apps on the victim's phone without any further action by the victim. So far, victims have been detected in Germany, Poland, the United States, Ukraine, Australia, Brazil, Denmark, Congo-Kinshasa, Hong Kong, Hungary, Lithuania, the Netherlands, Portugal, Singapore, Spain, and Yemen.
What Can You Do?
If you have downloaded apps such as Signal Plus Messenger or FlyGram, either from a Telegram channel or from the Google or Samsung stores, then you may have been seriously compromised. Delete the application immediately, then install a good antivirus solution and perform a root scan. Notify your contacts and associates that you may have been compromised so that they can take measures to protect themselves as well. Also, pay attention to the logos and names of the apps you are downloading and make sure they are not fake apps using the name or logo (lookalike) of a popular app. Lastly, do not download or "update" apps from Telegram channels or unofficial distribution sites.
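The advice above to check app names and logos can be made systematic: a lookalike label is only a warning sign, while the Android package ID is what actually identifies an app. The script below, an added example that is not part of the original guide or of the researchers' published tooling, walks an inventory of (display label, package ID) pairs and flags any app whose label resembles Signal or Telegram but whose package ID is not the official one. The official package IDs are the publicly known Android package names for the two apps; the inventory, the placeholder package IDs for the two impostors, and the 0.6 similarity threshold are constructed for this example and should be treated as assumptions to tune. On a real device the label/package pairs can be read from each app's info screen in Settings or collected over adb.

```python
"""Flag installed apps whose display name imitates a well-known messenger
while their package ID is not the official one.

Added example, not code from the original guide. OFFICIAL_PACKAGES holds the
publicly known Android package names for Signal and Telegram; everything in
SAMPLE_INVENTORY is constructed for illustration.
"""
import re
from difflib import SequenceMatcher

# Known-good mapping: canonical app name -> official Android package ID.
OFFICIAL_PACKAGES = {
    "signal": "org.thoughtcrime.securesms",
    "telegram": "org.telegram.messenger",
}

# Similarity threshold for "looks like" (assumption; tune to your false-positive tolerance).
SIMILARITY_THRESHOLD = 0.6

# Constructed sample inventory as (display label, package ID).
# The two impostor labels are the ones named in the text above; their package
# IDs are placeholders, NOT the real BadBazaar package names.
SAMPLE_INVENTORY = [
    ("Signal", "org.thoughtcrime.securesms"),
    ("Telegram", "org.telegram.messenger"),
    ("Signal Plus Messenger", "com.example.placeholder.signalplus"),
    ("FlyGram", "com.example.placeholder.flygram"),
    ("Calculator", "com.example.calculator"),
]


def _normalize(label: str) -> str:
    """Lower-case and strip non-letters so 'Signal+' and 'S i g n a l' compare equal."""
    return re.sub(r"[^a-z]", "", label.lower())


def _resembles(label: str, canonical: str) -> bool:
    """True if the normalized label contains the canonical name outright,
    or is close to it by difflib ratio (catches 'flygram' vs 'telegram')."""
    norm = _normalize(label)
    if canonical in norm:
        return True
    return SequenceMatcher(None, norm, canonical).ratio() >= SIMILARITY_THRESHOLD


def find_lookalikes(inventory):
    """Return [(label, package, impersonated_app)] for every app whose label
    resembles a known messenger but whose package ID is not the official one.
    Apps with the official package ID are never flagged, whatever their label."""
    findings = []
    for label, package in inventory:
        for canonical, official in OFFICIAL_PACKAGES.items():
            if _resembles(label, canonical) and package != official:
                findings.append((label, package, canonical))
                break  # one finding per app is enough
    return findings


if __name__ == "__main__":
    for label, pkg, target in find_lookalikes(SAMPLE_INVENTORY):
        print(f"SUSPICIOUS: '{label}' ({pkg}) looks like {target} "
              f"but is not the official package {OFFICIAL_PACKAGES[target]}")
```

Findings are leads for manual review, not verdicts: a legitimate third-party client can also carry a similar name, so the decision hinges on whether the install came from the official store listing and whether the package ID matches. Lowering the threshold catches more distant lookalikes at the cost of more false positives.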