Spyware Pegasus: Protect mobile devices from high-end malware

Only recently did the world learn about the Pegasus spyware, which has primarily targeted journalists, politicians, human rights activists and defenders, and lawyers [1]. Protecting yourself completely from such professional surveillance software is almost impossible. However, users can take certain measures that make it harder for attackers to target them. Kaspersky experts give tips.

Costin Raiu, head of the Global Research and Analysis Team (GReAT) at Kaspersky, has now compiled top-level recommendations on how mobile users of Android and iOS devices can protect themselves against Pegasus and other high-end mobile malware.

Pegasus spyware: developed "legally"

Pegasus, Chrysaor, Phantom and others are so-called "legal surveillance software", developed by private companies and deployed via a variety of exploits, including several iOS zero-click zero-days. The earliest version of Pegasus was identified by security researchers back in 2016. Since then, over 30,000 human rights activists, journalists and lawyers around the world may have been monitored with Pegasus [1].

Costin Raiu, Head of Global Research and Analysis Team (GReAT) at Kaspersky, explains:

“In general, Pegasus attacks are highly targeted — meaning they don't infect the general public, but specific categories of people. Many journalists, lawyers and human rights activists have been identified as targets of these sophisticated cyber attacks. They generally lack the tools or knowledge to guard against such attacks. It is our mission to make the world safer, so we will do our best to provide the public with the best protection techniques against malware, hackers and sophisticated threats like these.”

Recommendations for better resistance to Pegasus

  • Restart the device daily. Pegasus is typically delivered through exploits that do not survive a reboot, so a daily restart clears the implant from memory and forces the attacker to re-exploit and reinstall Pegasus on the device each time.
  • Keep the device up to date and install patches as soon as they are available.
  • Never click on links in received messages. Some Pegasus customers rely on 1-click rather than zero-click exploits, delivered as a link in an SMS, a messenger message or an email. If such a link must be opened at all, open it on a desktop computer, preferably in the Tor Browser or, better still, in a non-persistent operating system such as Tails. For everyday browsing, use a less widespread browser such as Firefox instead of Safari or Google Chrome.
  • Always use a VPN. This makes it harder for attackers to target users based on their internet traffic. When choosing a VPN service, prefer well-established providers that have been around for some time, accept cryptocurrency payments and do not require any registration details.
  • Install a security solution [2] that detects and warns when the device is jailbroken, because attackers using Pegasus often jailbreak the target device in order to stay on it.
  • iOS users should frequently trigger sysdiagnose reports and store them in external backups. Such forensic artifacts can later help determine whether a person has been the victim of an attack. Kaspersky experts also recommend that at-risk iOS users disable FaceTime and iMessage: both are enabled by default and have been an important delivery mechanism for zero-click chains for many years.
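
The last recommendation only pays off if the stored sysdiagnose reports can still be trusted months later. The following script is an added example, not Kaspersky's or the article's own code: it copies each report into an external backup directory, records its SHA-256 in an append-only JSON-lines manifest, and can later verify that nothing in the backup has been altered or removed. The backup path, the manifest name and the sample file name (a stand-in for a real sysdiagnose tarball) are assumptions made for the demonstration.

```python
"""Archive iOS sysdiagnose reports into an external backup with an integrity manifest.

Added example, not code from Kaspersky or the article. Paths and the sample
report name are assumptions; the sample file content is constructed.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large sysdiagnose archives are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def archive_report(report: Path, backup_dir: Path, manifest: Path) -> dict:
    """Copy one sysdiagnose archive into the backup and append its hash to the manifest."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    dest = backup_dir / report.name
    shutil.copy2(report, dest)  # copy2 preserves the original modification time
    entry = {
        "file": dest.name,
        "sha256": sha256_file(dest),
        "size": dest.stat().st_size,
        "archived_at": datetime.now(timezone.utc).isoformat(),
    }
    # Append-only manifest: one JSON object per line, earlier entries are never rewritten.
    with manifest.open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def verify_backup(backup_dir: Path, manifest: Path) -> list:
    """Return a list of problems (missing files, hash mismatches); an empty list means intact."""
    problems = []
    with manifest.open(encoding="utf-8") as fh:
        for line in fh:
            entry = json.loads(line)
            path = backup_dir / entry["file"]
            if not path.exists():
                problems.append(f"missing: {entry['file']}")
            elif sha256_file(path) != entry["sha256"]:
                problems.append(f"hash mismatch: {entry['file']}")
    return problems


def demo() -> dict:
    """Run the workflow on a constructed sample report, then tamper with the stored copy."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        # Constructed sample standing in for a real sysdiagnose tarball (name format assumed).
        report = tmp / "sysdiagnose_2021.07.20_10-00-00+0000_iPhone-OS_iPhone_18G82.tar.gz"
        report.write_bytes(b"constructed sample, not a real sysdiagnose archive\n")
        backup_dir = tmp / "external_backup"
        manifest = backup_dir / "manifest.jsonl"

        entry = archive_report(report, backup_dir, manifest)
        intact = verify_backup(backup_dir, manifest)  # expected: []

        # Simulate tampering with the archived artifact, e.g. a log being edited.
        (backup_dir / report.name).write_bytes(b"altered\n")
        tampered = verify_backup(backup_dir, manifest)  # expected: one hash mismatch

        return {"entry": entry, "intact": intact, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest should live on the external medium next to the reports and, ideally, a copy of it somewhere the phone cannot reach, so an attacker with access to the device cannot quietly rewrite both the artifact and its recorded hash.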

Costin Raiu, Head of Global Research and Analysis Team at Kaspersky (Image: Kaspersky).

Kaspersky tips for victims of Pegasus spyware

  • Targeted organizations or individuals should find a journalist to write about their story. Bad publicity has brought down some surveillance companies.
  • Change the operating system. Anyone who has used iOS up to now should switch to Android, and vice versa. This may confuse attackers for a while, since some threat actors have acquired systems that only work on a specific smartphone brand and operating system.
  • Acquire a second device, preferably running GrapheneOS, for secure communication. Use a prepaid SIM card, keep the device in airplane mode and connect only via Wi-Fi and Tor.
  • Avoid messengers that tie an account to a phone number. Once an attacker knows the number, they can target the person through any of them: iMessage, WhatsApp, Signal and Telegram are all tied to the owner's phone number. An interesting new alternative is Session, which routes messages through an onion-like network and does not rely on phone numbers.
  • Engage with a local security researcher [3] for an ongoing exchange of best practices and to share artifacts, suspicious messages or logs. Security is never a single solution that is guaranteed to be secure. Cybersecurity is like a flowing river: the course has to be adjusted again and again depending on speed, current and obstacles.
More at Kaspersky.com

About Kaspersky

Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250,000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/

[1] https://www.amnesty.org/en/latest/news/2021/07/the-pegasus-project/

[2] https://www.kaspersky.de/enterprise-security/mobile

[3] https://twitter.com/craiu