How to Detect Pegasus Spyware: A Complete Guide

Updated: May 6, 2023

DataProt is supported by its audience. When you buy through links on our site, we may earn a commission. This, however, does not influence the evaluations in our reviews. Learn More.

By now, you are probably aware that the internet is not the safest place to be. Between hackers and malware lurking in emails, ads, and regular web pages, it’s hard to know what you can and can’t click on. Still, thanks to a plethora of anti-malware software, you can get some basic protection at the very least, which will be enough in most cases. However, it won’t be enough for some programs, of which Pegasus is the most notorious. This article will inform you what Pegasus spyware is, how to detect it, and shield yourself.

What Is Pegasus?

Pegasus spyware is a hacking program made specifically for iOS and Android, used to collect information from the device it is on. It can enable microphone or camera recording without the knowledge of the phone’s owner and access any data on the phone, including location, documents, media, phone register, or any other app. The software was developed by Israeli company NSO Group (said to be owned by an American venture capital firm, Francisco Partners Management) that markets, distributes, and licenses it to governments worldwide.

Pegasus Software Installation and Use

A failed spear-phishing attempt was the first time this spyware was detected. An email was supposed to lead its receiver to click on an attachment to download and activate the malicious software.

Since then, both NSO and its technology have evolved. The company integrated a “zero-click” attack system, which means clicking on a specific file is not required for the spyware to activate. It will also exploit “zero-day” vulnerabilities: OS flaws not even the phone manufacturer is yet aware of and is hence unable to fix them immediately.

This is precisely why normal anti-malware can’t detect Pegasus, as most of them are programmed to rectify already known issues. Pegasus is known to specifically target high-profile individuals, like politicians, government officials, etc. Offered to governments and state agencies worldwide (FBI, for one), it has already been uncovered that people like the current French president, Emmanuel Macron, were just some of its victims last year.

Your Phone with Pegasus

The main characteristic of Pegasus, as is with spyware in general, is that it is not supposed to be noticeable while active. To the user, everything should seem normal, while the software is collecting data in the background. Anti-malware cannot detect the anomaly as it’s focused on installed apps and their code to figure out their purpose. If your antivirus finds a wolf in sheep’s clothing, so to speak, it will dispose of it immediately.

However, Pegasus can be implemented in different ways that stay hidden from traditional defenses. A phone can be infected through a spear-phishing attempt, although this method is rarely used, due to the flaws in its process. However, it can still work if the hacker has enough information to compose a message that wouldn’t be as obvious.

The second method is the Over-the-Air (OTA) technique. How exactly this method is implemented is a secret, but this feature is how Pegasus stands out from a range of similar solutions. OTA relies on zero-day and zero-click vulnerabilities, using the victim’s phone number or email to send a push message that triggers the device to install Pegasus.

That means hackers only need to have your phone or email address. All they need to do is send you a message or initiate a phone call (whether by Facebook Messenger, WhatsApp, Skype, Viber, etc.) without you having to answer the call or click on anything to activate the spyware. In an instant, your phone is infected with Pegasus.

iphone face down

Exploits

Exploits are loopholes in app or OS programming that Pegasus spyware can find and use to access the device. You can look at spyware programming as a game of chess – as soon as one loophole is discovered, it is patched, but the attackers are always looking for another loophole, and it goes on and on. It takes some serious knowledge to find or create an exploit as well as patch one up. Currently, most of them have been created and patched on iPhones:

Trident 

This exploit consists of three related zero-day vulnerabilities in iOS:

  • Memory Corruption in WebKit – a Safari WebKit vulnerability that gives the attackers access to the device when the user clicks on a link.
  • Kernel Information Leak – A kernel base mapping vulnerability that leaks information to the attacker allowing him to estimate the kernel’s location in memory.
  • Kernel Memory corruption leads to OS jailbreak – 32-bit (iPhone 5 or older) and 64-bit (iPhone 5 or newer) iOS kernel-level vulnerability that gives the attackers freedom to jailbreak the device and silently install surveillance software.

Homage

The “Homage” exploit was in use during the last months of 2019. It involved an iMessage zero-click component that launched a WebKit instance in the Apple media stream process, following a photostream lookup for a Pegasus email address.

Kismet

This zero-day exploit happened in the summer of 2020, starting with iOS 13.5.1, and was patched after iOS 13.7. Though never captured and documented, it was somehow fixed by changes introduced into iOS14, including the “BlastDoor” framework. The last documented case of Kismet was on an iPhone belonging to a Catalan target in December 2020.

How to Detect Pegasus Spyware

Even though it seems like the average user isn’t in danger of being targeted by this software, it doesn’t hurt to know how to protect yourself from it. If you want to know how to check if your phone is tapped, follow its behavior to see if there is even a slight difference, as it can be significant. These changes may be in the form of the following:

  • Faster battery drain
  • Resets and random shutdowns
  • Calls from unknown sources
  • Unusual notifications
  • Prolonged shutdown times and rebooting difficulties
  • Increased storage consumption
  • Sluggish performance
  • A screen that randomly lights up in sleep mode
  • Files with unusual extensions
  • Questionable apps you don’t recollect installing

However, the issue occurs when spyware developers are aware of such irregularities and are working hard to make them unintelligible. Pegasus spyware, for example, hardly drains the battery at all, and as soon as the charge level is below 5%, it will stop transmitting data.

So, how would you detect Pegasus? Well, there are a few options.

How to Detect Pegasus on iOS

As mentioned earlier, a regular iPhone virus scan won’t help much here. iPhones are often the first devices that come to mind when someone mentions Pegasus, as the spyware has uncovered some serious security flaws, up to the point where Apple has sued the NSO group to prevent the company from using its services, devices, or software and “protect its users from further harm and abuse.”

Fortunately, Pegasus isn’t perfect –  on extremely rare occasions, it can be detected.

Mobile Verification Toolkit

The best-known spyware detector for Pegasus is the Mobile Verification Toolkit (MVT), made specifically to combat this spyware. It was created by Amnesty International – yes, that Amnesty International – to determine how big of a threat Pegasus actually is.

In general, once installed on your devices, MVT can:

  • Decypher encrypted iOS data
  • Examine data from the system database, as well as multiple iOS apps
  • Retrieve info on installed Android apps
  • Use ADB (Android Debug Bridge) protocol to retrieve the diagnostic information from the Android device
  • Scan the extracted data for any malicious indicators in STIX2 format
  • Create a sequential timeline of all the retrieved data
  • Create a sequential timeline of all suspicious artifacts and any potentially hazardous traces.

You should also know that there might be some downsides to the tool. For MVT to check the phone for spyware and protect you from Pegasus, it would require you to perform a jailbreak of your phone, meaning to remove factory added restrictions, which is not often recommended. However, since Pegasus exploits the flaws of iOS itself MVT needs access to the same to fight the spyware.

Although MVT can be used to scan both Android and iOS phones, it shows better results for Apple devices, as its Android functionality is restricted to analyzing SMSs and APKs only. Amnesty International has also conducted an in-depth forensic investigation of numerous devices infected with Pegasus and created a very elaborate report, explaining in detail how the investigation was conducted and what resulted from it. 

MVT’s source code is open source, meaning it is available to the general public, although there are some use restrictions covered in the app’s license put there to prevent competitors from making their investigation of the MVT. The phone tool can only be used if the person whose phone is scanned approves.

iVerify

A company called Trail of Bits has produced an app called iVerify – an iOS program meant to detect whether an iPhone or iPad has been hacked, as well as teach users how to protect themselves better. The latest version has been updated to inform the user if there are any signs of your phone being infected with Pegasus.

The differences between MVT and iVerify are that iVerify is consumer-oriented, proprietary software. It has an admin panel, easy-to-use GUI, and, depending on the type of plan you want to buy, costs $3 per user (for enterprises) or $2.99 (for individuals).

Of course, it does not guarantee 100% security. No spyware detector can. The app performs security checks and measures every ten minutes, scanning the system for any sign of jailbreaks or infections. It pays attention to familiar, dangerous, and suspicious files and folders that should not exist in the first place and has “Pegasus spyware detection” as another of its attributes.

A few of iVerify’s core features are:

  • Device scanning to ensure all key settings are properly configured
  • Providing protection guides to educate users on improving their device security
  • Real-time threat detection
  • Security verification of service accounts, as well as social media platforms
  • Secured browsing that protects your privacy surfing the web

The downside of this app is that it is still in the process of development, and the shortcomings are:

  • Limited member management integrations (Azure AD, GSuite, and Okta for SSO)
  • It is not yet supported on Android phones
  • It is not able to tell if certain apps are fitted
  • It is not able to scan network data

How to Detect Pegasus Spyware on Android

Surprisingly, Pegasus spyware on Android phones is not as effective as on iPhones because its rooting technique isn’t 100% reliable. If it cannot access the phone unnoticed, it will ask the user for permission to be effectively deployed. 

As mentioned, due to the lack of traces found on Android in comparison to iPhone, Pegasus malware detection with MVT is limited to only scanning SMSs and APKs – it does not have root access, so a jailbreak won’t help either. As there is no app developed enough to directly protect Android phones from Pegasus, the most secure steps would be:

  • Daily reboots for cleaning unnecessary and harmful files that might be harmful to your phone but are stuck to it due to cookies or similar tracking methods.
  • Installation of the latest patches and OS updates
  • Never use the internet without a VPN masking your traffic. One way to be attacked is via GSM operator MitM exploits on sites using only HTTP, or DNS hijacking.
  • Never click on text-message links, especially from unknown senders. If you are familiar with the sender, check with them before clicking anything.
  • Instead of Chrome, use browsers such as Firefox, Brave, Vivaldi, etc.
  • Get antivirus software to scan your device regularly and ensure you remain safe.

In 2019, WhatsApp updated its app and closed an exploit, notifying 1.400 users targeted using said exploit. Among the targets were political figures and regular people in Catalonia, Spain, who supported independence.

politician walking down stairs

Pegasus in the Air

While, officially, Pegasus fronts as a phone tool meant to “help” governments and intelligence agencies in the war against terrorism, organized crime, and child abuse rings, it’s used against political activists, human-rights activists, NGO leaders, and other vulnerable individuals or organizations.

The First Slip

Ahmed Mansoor

Pegasus spy was first detected trying to infect the iPhone 6 owned by a UAE human rights defender, Ahmed Mansoor. Mansoor received an SMS text promising info on tortured prisoners detained in UAE jails if he clicked on the attached link. Mansoor found the text suspicious and sent it to Citizen Lab researchers, which analyzed the Pegasus spyware in cooperation with Lookout Security.

After inspecting the text, the researchers discovered that the text contained malicious software belonging to the NSO group. Further investigation uncovered a chain of “zero-days” (zero-day exploits), the same type of exploits used by Pegasus spyware, that would have jailbroken Mansoor’s phone and turned it into a spy for the people on the other side.

The Fall of the Most Wanted

Probably the most notorious bust made with the help of Pegasus was that of Joaquín Archivaldo Guzmán Loera, otherwise known as El Chapo. He was the most wanted man in the world after the death of Osama bin Laden in 2011. Mexican authorities had a hard time tracking and apprehending him.

However, after acquiring Pegasus spyware in 2011, the Mexican authorities gained access to encrypted Blackberry phones belonging to cartel members and managed to capture El Chapo in 2014. He managed to escape prison in 2015 and was in contact with TV actress Kate del Castillo, working on creating a TV show based on his life.

The phone used by del Castillo given to her by El Chapo’s lawyers was supposed to be impenetrable to hacking. Still, the NSO group found a workaround and managed to get El Chapo’s phone infected with the spyware, resulting in El Chapo being captured once again in January 2016.

Amongst known Pegasus targets are Emmanuel Macron, King Mohammed VI of Morocco, former prime minister of Pakistan Imran Khan, Charles Michel, the president of the European Council, and plenty of others.

“Off-Center” Targeting

A not-so-unusual method in some hacking operations is something called “off-center” targeting. The technique is based on hacking the devices of friends, relatives, or anyone close to the target.

While in some cases, both the target and partner were targeted, sometimes it was only the partner infected with the Pegasus spyware, creating an additional security layer that is not computer programmed. In Catalonia, two MEPs had family members, staff, or close associates targeted with Pegasus. 

Summary

Pegasus is top-tier spyware; a single use case may cost governments millions. It is fairly easy to see why. Knowing how to detect Pegasus spyware and noticing any abnormalities can save you from further invasion of your privacy and have you take proper steps to protect yourself better.

Further reading

Leave a Comment

Scroll to Top