Over the weekend, an international consortium of news outlets reported that several authoritarian governments — including Mexico, Morocco, and the United Arab Emirates — used spyware developed by NSO Group to hack into the phones of thousands of their most vocal critics, including journalists, activists, politicians, and business executives. A leaked list of 50,000 phone numbers of potential surveillance targets was obtained by Paris-based journalism nonprofit Forbidden Stories and Amnesty International and shared with the reporting consortium, including The Washington Post and The Guardian.
Researchers analyzed the phones of dozens of victims to confirm they were targeted by the NSO’s Pegasus spyware, which canon a person’s phone. The reporting shows how many individuals are likely targets of NSO’s intrusive device-level surveillance for the first time. The reports also confirm new details of the government customers themselves, which NSO Group closely guards. Hungary, a member of the where privacy from surveillance is supposed to be a fundamental right for its 500 million residents, is named an NSO customer. Previous reporting had or more than a thousand.
NSO Group sharply rejected the claims. NSO has long said that it doesn’t know its target customers, which it reiterated in a statement to TechCrunch on Monday. Researchers at Amnesty, whose work was reviewed by the Citizen Lab at the University of Toronto, found that NSO can deliver Pegasus by sending a victim a link which, when opened, infects the phone or silently and without any interaction at all through a “zero-click” exploit, which takes advantage of vulnerabilities in the iPhone’s software. Citizen Lab researcher Bill Marczak tweeted that NSO’s zero-clicks worked on iOS 14.6, the most up-to-date version until today.
Amnesty’s researchers showed their work by publishing meticulously detailed technical notes and a toolkit that they said may help others identify if their phones have been targeted by Pegasus. The Mobile Verification Toolkit, or MVT, works on both iPhones and, but slightly differently. Amnesty said that more forensic traces were found on iPhones than on , making them easier to detect on iPhones. MVT will backup (or a complete system dump if you jailbreak your phone) and feed in for any indicators of compromise (IOCs) known to be used by NSO to deliver Pegasus, such as domain names used in NSO infrastructure that might be sent by text message or email. If you have an , you can also use MVT to decrypt your backup without making a whole new copy.
The toolkit works on the command line, so it’s not a refined and polished user experience and requires some basic knowledge of navigating the terminal. We got it working in about 10 minutes, plus the time to create a fresh backup of an iPhone, which you will want to do if you want to check up to the hour. To get the toolkit ready to scan your phone for signs of Pegasus, you’ll need to feed in Amnesty’s IOCs, which it has on its GitHub page. Any time the indicators of a compromise file update, download and use an up-to-date copy.
Once you set off the process, the toolkit scans your iPhone backup file for any evidence of compromise. The process took about a minute or two to run and spit out several files in a folder with the scan results. If the toolkit finds a possible compromise, it will say so in the outputted files. In our case, we got one “detection,” which turned out to be a false positive and has been removed from the IOCs after we checked with the Amnesty researchers. A new scan using the updated IOCs returned no signs of compromise.
Given it’s more challenging to detect an Android infection, MVT takes a similar but more straightforward approach by scanning your Android device backup forwith links to domains known to be used by NSO. The toolkit also on your device. The toolkit is — as command-line tools go — relatively simple to use, though the project is open-source, it won’t be long before someone builds a for it. The project’s detailed documentation will help you — as it did us.