How to mitigate your risk of being subject to Pegasus surveillance
Over 30,000 human rights activists, journalists and lawyers across the world may have been targeted using Pegasus (source: The Pegasus Project, 2021). While it's important to note that Pegasus is an expensive toolkit ($2.5 million for an Android zero-click infection chain with persistence), if a human rights defender is an important target for a country, it is likely just a matter of time and resources before this HRD's device gets infected.
Mitigation techniques
Government-grade spyware can be more difficult to detect. However, as noted in a guide on Pegasus published by Kaspersky, there are some actions you can take to mitigate the risk of being subject to such surveillance, based on current research and findings:
- Enable Lockdown Mode to disable features that create vulnerabilities to spyware - see Secure your devices#Disable features that create vulnerabilities (Lockdown Mode)
- Reboots: Reboot your device daily to prevent persistence from taking hold. The majority of infections have appeared to be based on zero-day exploits with little persistence and so rebooting can hamper attackers.
- Disable iMessage and FaceTime (iOS): As features enabled by default, iMessage and FaceTime are attractive avenues for exploitation. A number of new Safari and iMessage exploits have been developed in recent years.
- Use an alternative browser other than Safari or default Chrome: Some exploits do not work well on alternatives such as Firefox Focus.
- Use a trusted, paid VPN service, and install an app that warns when your device has been jailbroken. Some AV apps will perform this check.
It is also recommended that individuals who suspect a Pegasus infection make use of a secondary device, preferably running GrapheneOS, for secure communication. (source)
If you think you may have spyware on your device, you can contact [email protected] to ask about next steps/what to do. You can also reach out to the Access Now Helpline anytime (24/7) https://www.accessnow.org/help/
Countries known to have purchased and used Pegasus or Predator
Americas
- El Salvador - Pegasus found on devices of journalists (Source: Wikipedia)
- Dominican Republic - Pegasus found on devices of journalists (Source: Amnesty International)
- Mexico - Pegasus found on devices of political opposition, activists (Source: Wikipedia)
- Panama - Pegasus found on devices of political opposition (Source: Wikipedia)
- Trinidad Tobago - Evidence of the use of Predator (Source: Recorded Future)
- United States - "In the United States, the FBI confirmed the purchase of a "limited license" of the spyware but said there had been "no operational use in support of any investigation," and that it used the software "for product testing and evaluation only."" (Source: Forbidden Stories)
Africa
- Angola - Evidence of the use of Predator (Source: Recorded Future)
- Botswana - Evidence of the use of Predator (Source: Recorded Future)
- Djibouti - In 2018, the U.S. Central Intelligence Agency purchased Pegasus for the Djibouti government to conduct counter-terrorism operations (despite Djibouti's poor human rights record). (Source: Wikipedia)
- Rwanda - Pegasus found on devices of activists (Source: Wikipedia)
- Togo - Pegasus found on devices of political opposition (Source: Wikipedia)
- Uganda - Pegasus found on devices of foreign diplomats (Source: Wikipedia)
Middle East, North Africa and Gulf
- Bahrain - Pegasus found on devices of activists, bloggers (Source: Wikipedia)
- Egypt - Evidence of the use of Predator (Source: Recorded Future)
- Iraq - Pegasus found on devices of political opposition, journalists, activists (Source: Wikipedia)
- Israel/Palestine - Pegasus found on devices of journalists, activists (Source: Amnesty International)
- Jordan - Pegasus found on devices of activists (Source: Wikipedia)
- Morocco - Pegasus found on devices of political opposition, activists (Source: Wikipedia)
- Oman - Evidence of the use of Predator (Source: Recorded Future)
- Saudi Arabia - Pegasus found on devices of political opposition, activists, journalists (Source: Wikipedia), Evidence of the use of Predator (Source: Recorded Future)
- United Arab Emirates - Pegasus found on devices of activists, journalists, lawyers (Source: Wikipedia)
Europe and Central Asia
- Armenia - Pegasus found on devices of political opposition (Source: Wikipedia), Evidence of the use of Predator (Source: Recorded Future)
- Azerbaijan - Pegasus found on devices of journalists and activists (Source: Wikipedia)
- Germany - Pegasus is in use by German Federal Criminal Police Office (BKA) (Source: Wikipedia)
- Hungary - Pegasus found on devices of political opposition, journalists, lawyers (Source: Wikipedia)
- Kazakhstan - Pegasus found on devices of journalists, activists (Source: Wikipedia), Evidence of the use of Predator (Source: Recorded Future)
- Netherlands - Pegasus used to spy on a high profile criminal (Source: Wikipedia)
- Poland - Pegasus found on devices of political opposition, journalists (Source: Wikipedia)
- Spain - Pegasus found on devices of political opposition (Source: Wikipedia)
Asia
- India - Pegasus found on devices of political opposition, activists (Source: Wikipedia)
- Indonesia - Evidence of the use of Predator (Source: Recorded Future)
- Mongolia - Evidence of the use of Predator (Source: Recorded Future)
- The Philippines - Evidence of the use of Predator (Source: Recorded Future)
- Thailand - Pegasus found on devices of political opposition, activists (Source: Wikipedia)
Research on Pegasus
Research by Citizen Lab on the use of Pegasus to monitor human rights defenders and journalists.
Forensic Methodology Report: How to catch NSO Group’s Pegasus (2021), by Amnesty International. And this blog post summarizing the latest investigation that the team worked on, focused on the company widely known as the ‘Intellexa Alliance’.
Pegasus Project - Individuals listed, targeted, or compromised - This spreadsheet tracks individuals targeted with NSO’s Pegasus. This includes individuals who are (a) on a list as a person of interest, (b) known to have been targeted, and (c) known to have been compromised.
A 10-minute video about how Pegasus Spyware works, from the 2021 Pegasus Project
Granitt tracks and updates this published list of Pegasus victims research here https://github.com/GranittHQ/data-pegasus-victims
Research on QuaDream (iPhone spyware)
A new investigation reveals how QuaDream, an Israeli cyber mercenary company with close ties to Israeli intelligence agencies, used malicious calendar invites to hack civil society in various regions, including West Asia and North Africa. Full report by Citizen Lab can be found here.
Research on BouldSpy (Android spyware)
The Iranian government has been using the BouldSpy Android malware to spy on minority groups in the country and monitor arms, alcohol, and drugs trafficking. (Source: Security Week)
Research on Predator (Android spyware)
Predator is a commercial Android spyware, which is marketed by the Israeli company Intellexa. (Source: Hacker News)
New research from Recorded Future’s Insikt Group examines newly discovered infrastructure related to the operators of Predator, a mercenary mobile spyware. This infrastructure is believed to be in use in at least eleven countries, including Angola, Armenia, Botswana, Egypt, Indonesia, Kazakhstan, Mongolia, Oman, the Philippines, Saudi Arabia, and Trinidad and Tobago. Notably, this is the first identification of Predator customers in Botswana and the Philippines. Despite being marketed for counterterrorism and law enforcement, Predator is often used against civil society, targeting journalists, politicians, and activists, with no specific victims or targets currently identified in this latest activity. (Source: Recorded Future)
Granitt tracks and updates this published list of Predator victims research here https://github.com/GranittHQ/data-predator-victims.
Research on Candiru (iPhones, Androids, Macs, PCs, and cloud accounts)
Candiru is a secretive Israel-based company that sells spyware exclusively to governments. Reportedly, their spyware can infect and monitor iPhones, Androids, Macs, PCs, and cloud accounts. As part of their investigation, Microsoft observed at least 100 victims in Palestine, Israel, Iran, Lebanon, Yemen, Spain, United Kingdom, Turkey, Armenia, and Singapore. Victims include human rights defenders, dissidents, journalists, activists, and politicians. (Source: The Citizen Lab)
Granitt tracks and updates this published list of Candiru victims research here https://github.com/GranittHQ/data-candiru-victims
Research on BadBazaar (Android spyware)
Security researchers have uncovered malicious apps masquerading as Signal and Telegram apps. The apps are being distributed on the Google Play Store and the Samsung Galaxy store. The fake apps, “Signal Plus Messenger” and “Flygram”, both impersonate the Signal app and the Telegram app respectively, and are both aimed at delivering the “BadBazaar” spyware, which has been attributed to a Chinese state actor. BadBazaar has been found to track and monitor victims while exfiltrating sensitive data such as call logs, messages and location information. Once a device is infected, the attacker can link and collect data from the real Signal and Telegram apps on the victim’s phone without any further action by the victim. So far, victims have been detected in Germany, Poland, The United States, Ukraine, Australia, Brazil, Denmark, Congo-Kinshasa, Hong Kong, Hungary, Lithuania, the Netherlands, Portugal, Singapore, Spain, and Yemen.
What Can You Do? If you have downloaded apps such as Signal Plus Messenger or Flygram either from a Telegram channel or the Google or Samsung stores, then you may have been seriously compromised. Delete the application immediately then install a good antivirus solution and perform a root scan. Notify your contacts and associates that you may have been compromised so that they can take measures to protect themselves as well. Also, pay attention to the logos and names of apps you are downloading and make sure they are not fake apps with either the name or logo (lookalike) of a popular app. Lastly, do not download or “update” apps from Telegram channels or unofficial distribution sites