In-depth analysis of Pegasus spyware and how to detect it on your iOS device

How does Pegasus and other spyware work discreetly to access everything on your iOS device?
Introduction

In today’s digital age, mobile phones and devices have evolved from being exclusive to a few to becoming an absolute need for everyone, aiding us in both personal and professional pursuits. However, these devices, often considered personal, can compromise our privacy when accessed by nefarious cybercriminals.

Malicious mobile software has time and again been wielded as a sneaky weapon to compromise the sensitive information of targeted individuals. Cybercriminals build complex applications capable of operating on victims’ devices unbeknownst to them, concealing the threat and the intentions behind it. Despite the common belief among iOS users that their devices offer complete security, shielding them from such attacks, recent developments, such as the emergence of Pegasus spyware, have shattered this pretense.

The first iOS exploitation by Pegasus spyware was recorded in August 2016, facilitated through spear-phishing attempts—text messages or emails that trick a target into clicking on a malicious link.

What is Pegasus spyware?

Developed by the Israeli company NSO Group, Pegasus spyware is malicious software designed to gather sensitive information from devices and users illicitly. Initially licensed by governments for targeted cyber espionage purposes, it is a sophisticated tool for remotely placing spyware on targeted devices to pry into and reveal information. Its ‘zero-click’ capability makes it particularly dangerous as it can infiltrate devices without any action required from the user.

Pegasus can gather a wide range of sensitive information from infected devices, including messages, audio logs, GPS location, device information, and more. It can also remotely activate the device’s camera and microphone, essentially turning the device into a powerful tool for illegal surveillance.

Over time, NSO Group has become more creative in its methods of unwarranted intrusions into devices. The company, which was founded in 2010, claims itself to be a “leader” in mobile and cellular cyber warfare.

Pegasus is also capable of accessing data from both iOS and Android-powered devices. The fact that it can be deployed through convenient gateways such as SMS, WhatsApp, or iMessage makes it an effortless tool to trick users into installing the spyware without their knowledge. This poses a significant threat to the privacy and security of individuals and organizations targeted by such attacks.

How does Pegasus spyware work?

Pegasus is extremely efficient due to its strategic development to use zero-day vulnerabilities, code obfuscation, and encryption. NSO Group provides two methods for remotely installing spyware on a target’s device: a zero-click method and a one-click method. The one-click method includes sending the target a regular SMS text message containing a link to a malicious website. This website then exploits vulnerabilities in the target’s web browser, along with any additional exploits needed to implant the spyware.

Zero-click attacks do not require any action from device users to establish an unauthorized connection, as they exploit ‘zero-day’ vulnerabilities to gain entry into the system. Once the spyware is installed, Pegasus actively captures the intended data about the device. After installation, Pegasus needs to be constantly upgraded and managed to adapt to device settings and configurations. Additionally, it may be programmed to uninstall itself or self-destruct if exposed or if it no longer provides valuable information to the threat actor.

Now that we’ve studied what Pegasus is and the privacy concerns it raises for users, this blog will further focus on discussing precautionary and investigation measures. The suggested methodology can be leveraged to detect not just Pegasus spyware but also Operation Triangulation, Predator spyware, and more.

Let’s explore how to check iOS or iPadOS devices for signs of compromise when only an iTunes backup is available and obtaining a full file system dump isn’t a viable option.

In recent years, targeted attacks against iOS devices have made headlines regularly. Although the infections are not widespread and they hardly affect more than 100 devices per wave, such attacks still pose serious risks to Apple users. The risks have appeared as a result of iOS becoming an increasingly complex and open system, over the years, to enhance user experience. A good example of this is the flawed design of the iMessage application, which wasn’t protected through the operating system’s sandbox mechanisms.

Apple failed to patch this flaw with a security feature called BlastDoorin iOS 14, instead implementing a Lockdown Mode mechanism that, for now, cybercriminals have not been able to bypass. Learn more about Lockdown Mode here.

While BlastDoor provides a flexible solution through sandbox analysis, Lockdown Mode imposes limitations on iMessage functionality. Nonetheless, the vulnerabilities associated with ImageIO may prompt users to consider disabling iMessage permanently. Another major problem is that there are no mechanisms to examine an infected iOS device directly. Researchers have three options:

Put the device in a safe and wait until an exploit is developed that can extract the full file system dump
Analyze the device’s network traffic (with certain limitations as not all viruses can transmit data via Wi-Fi)
Explore a backup copy of an iOS device, despite data extraction limitations

The backup copy must be taken only with encryption (password protection) as data sets in encrypted and unencrypted copies differ. Here, our analysts focus on the third approach, as it is a pragmatic way to safely examine potential infections without directly interacting with the compromised device. This approach allows researchers to analyze the device’s data in a controlled environment, avoiding any risk of further compromising the device and losing valuable evidence that forms the ground for crucial investigation and analysis.

To conduct research effectively, the users will need either a Mac or Linux device. Linux virtual machines can also be used, but it is recommended that users avoid using Windows Subsystem for Linux as it has issues with forwarding USB ports.

In the analysis performed by Group-IB experts, we use an open-source tool called Mobile Verification Toolkit (MVT), which is supported by a methodology report.

Let’s start with installing dependencies:

sudo apt install python3 python3-pip libusb-1.0-0 sqlite3

Next, install a set of tools for creating and working with iTunes backups:

sudo apt install libimobiledevice-utils

Lastly, install MVT:

git clone https://github.com/mvt-project/mvt.git
cd mvt
pip3 install

Now, let’s begin with the analysis. To create a backup, perform the following:

Connect the iOS device and verify the pairing process by entering your passcode.
Enter the following command:

ideviceinfo

Users will receive a substantial output with information about the connected device, such as the iOS version and model type:

ProductName: iPhone OS
ProductType: iPhone12.5
ProductVersion: 17.2.1

After that, users can set a password for the device backup:

idevicebackup2 -i encryption on

Enter the password for the backup copy and confirm it by entering your phone’s passcode.

As mentioned, the above step is crucial to ensure the integrity of the data extracted from the device.

Create the encrypted copy:

idevicebackup2 backup –full /path/to/backup/

This process may take a while depending on the amount of space available on your device. Users will also need to enter the passcode again.

Once the backup is complete (as indicated by the Backup Successful message), the users will need to decrypt it.

To do so, use MVT:

mvt-ios decrypt-backup -p [password] -d /path/to/decrypted /path/to/backup

After being through with the process, users may have successfully decrypted the backup.

Now, let’s check for known indicators. Download the most recent IoCs (Indicators of Compromise):

mvt-ios download-iocs

We can also track IoCs relating to other spyware attacks from several sources, such as:

“NSO Group Pegasus Indicators of Compromise”
“Predator Spyware Indicators of Compromise”
“RCS Lab Spyware Indicators of Compromise”
“Stalkerware Indicators of Compromise”
“Surveillance Campaign linked to mercenary spyware company”
“Quadream KingSpawn Indicators of Compromise”
“Operation Triangulation Indicators of Compromise”
“WyrmSpy and DragonEgg Indicators of Compromise”

The next step is to launch the scanning:

mvt-ios check-backup –output /path/to/output/ /path/to/decrypted/

The users will obtain the following set of JSON files for analysis.

If any infections are detected, the users will receive a *_detected.json file with detections.

Image 1: Result of MVT IOCs scan with four detections

Image 2: The detected results are saved in separate files with “_detected” ending

If there are suspicions of spyware or malware without IOCs, but there are no detections, and a full file system dump isn’t feasible, users will need to work with the resources at hand. The most valuable files in the backup include:

Safari_history.json – check for any suspicious redirects and websites.

“id”: 5,
“url”: “http://yahoo.fr/”,
“visit_id”: 7,
“timestamp”: 726652004.790012,
“isodate”: “2024-01-11 07:46:44.790012”,
“redirect_source”: null,
“redirect_destination”: 8,
“safari_history_db”: “1a/1a0e7afc19d307da602ccdcece51af33afe92c53”

Datausage.json – check for suspicious processes.

“first_isodate”: “2023-11-21 15:39:34.001225”,
“isodate”: “2023-12-14 03:05:02.321592”,
“proc_name”: “mDNSResponder/com.apple.datausage.maps”,
“bundle_id”: “com.apple.datausage.maps”,
“proc_id”: 69,
“wifi_in”: 0.0,
“wifi_out”: 0.0,
“wwan_in”: 3381.0,
“wwan_out”: 8224.0,
“live_id”: 130,
“live_proc_id”: 69,
“live_isodate”: “2023-12-14 02:45:10.343919”

Os_analytics_ad_daily.json – check for suspicious processes.

“package”: “storekitd”,
“ts”: “2023-07-11 05:24:31.981691”,
“wifi_in”: 400771.0,
“wifi_out”: 52607.0,
“wwan_in”: 0.0,
“wwan_out”: 0.0

Keeping a backup copy of a control device is required to maintain a record of the current names of legitimate processes within a specific iOS version. This control device can be completely reset and reconfigured with the same iOS version. Although annual releases often introduce significant changes, new legitimate processes may still be added, even within a year, through major system updates.

Sms.json – check for links, the content of these links, and domain information.

        "ROWID": 97,
        "guid": "9CCE3479-D446-65BF-6D00-00FC30F105F1",
        "text": "",
        "replace": 0,
        "service_center": null,
        "handle_id": 1,
        "subject": null,
        "country": null,
        "attributedBody": "",
        "version": 10,
        "type": 0,
        "service": "SMS",
        "account": "P:+66********",
        "account_guid": "54EB51F8-A905-42D5-832E-D98E86E4F919",
        "error": 0,
        "date": 718245997147878016,
        "date_read": 720004865472528896,
        "date_delivered": 0,
        "is_delivered": 1,
        "is_finished": 1,
        "is_emote": 0,
        "is_from_me": 0,
        "is_empty": 0,
        "is_delayed": 0,
        "is_auto_reply": 0,
        "is_prepared": 0,
        "is_read": 1,
        "is_system_message": 0,
        "is_sent": 0,
        "has_dd_results": 1,
        "is_service_message": 0,
        "is_forward": 0,
        "was_downgraded": 0,
        "is_archive": 0,
        "cache_has_attachments": 0,
        "cache_roomnames": null,
        "was_data_detected": 1,
        "was_deduplicated": 0,
        "is_audio_message": 0,
        "is_played": 0,
        "date_played": 0,
        "item_type": 0,
        "other_handle": 0,
        "group_title": null,
        "group_action_type": 0,
        "share_status": 0,
        "share_direction": 0,
        "is_expirable": 0,
        "expire_state": 0,
        "message_action_type": 0,
        "message_source": 0,
        "associated_message_guid": null,
        "associated_message_type": 0,
        "balloon_bundle_id": null,
        "payload_data": null,
        "expressive_send_style_id": null,
        "associated_message_range_location": 0,
        "associated_message_range_length": 0,
        "time_expressive_send_played": 0,
        "message_summary_info": null,
        "ck_sync_state": 0,
        "ck_record_id": null,
        "ck_record_change_tag": null,
        "destination_caller_id": "+66926477437",
        "is_corrupt": 0,
        "reply_to_guid": "814A603F-4FEC-7442-0CBF-970C14217E1B",
        "sort_id": 0,
        "is_spam": 0,
        "has_unseen_mention": 0,
        "thread_originator_guid": null,
        "thread_originator_part": null,
        "syndication_ranges": null,
        "synced_syndication_ranges": null,
        "was_delivered_quietly": 0,
        "did_notify_recipient": 0,
        "date_retracted": 0,
        "date_edited": 0,
        "was_detonated": 0,
        "part_count": 1,
        "is_stewie": 0,
        "is_kt_verified": 0,
        "is_sos": 0,
        "is_critical": 0,
        "bia_reference_id": null,
        "fallback_hash": "s:mailto:ais|(null)(4)<7AD4E8732BAF100ABBAF4FAE21CBC3AE05487253AC4F373B7D1470FDED6CFE91>",
        "phone_number": "AIS",
        "isodate": "2023-10-06 00:46:37.000000",
        "isodate_read": "2023-10-26 09:21:05.000000",
        "direction": "received",
        "links": [
            "https://m.ais.co.th/J1Hpm91ix"
        ]
    },

Sms_attachments.json – check for suspicious attachments.

        "attachment_id": 4,
        "ROWID": 4,
        "guid": "97883E8C-99FA-40ED-8E78-36DAC89B2939",
        "created_date": 726724286,
        "start_date": "",
        "filename": "~/Library/SMS/Attachments/b8/08/97883E8C-99FA-40ED-8E78-36DAC89B2939/IMG_0005.HEIC",
        "uti": "public.heic",
        "mime_type": "image/heic",
        "transfer_state": 5,
        "is_outgoing": 1,
        "user_info": ",
        "transfer_name": "IMG_0005.HEIC",
        "total_bytes": 1614577,
        "is_sticker": 0,
        "sticker_user_info": null,
        "attribution_info": null,
        "hide_attachment": 0,
        "ck_sync_state": 0,
        "ck_server_change_token_blob": null,
        "ck_record_id": null,
        "original_guid": "97883E8C-99FA-40ED-8E78-36DAC89B2939",
        "is_commsafety_sensitive": 0,
        "service": "iMessage",
        "phone_number": "*",
        "isodate": "2024-01-12 03:51:26.000000",
        "direction": "sent",
        "has_user_info": true
    }

Webkit_session_resource_log.json andwebkit_resource_load_statistics.json – check for suspicious domains.

{
        "domain_id": 22,
        "registrable_domain": "sitecdn.com",
        "last_seen": 1704959295.0,
        "had_user_interaction": false,
        "last_seen_isodate": "2024-01-11 07:48:15.000000",
        "domain": "AppDomain-com.apple.mobilesafari",
        "path": "Library/WebKit/WebsiteData/ResourceLoadStatistics/observations.db"
    }

Tcc.json – check which applications have been granted which permissions.

        "service": "kTCCServiceMotion",
        "client": "com.apple.Health",
        "client_type": "bundle_id",
        "auth_value": "allowed",
        "auth_reason_desc": "system_set",
        "last_modified": "2023-07-11 06:25:15.000000"

To collect data about processes, users can use XCode Instruments.

Note: Developer mode must be enabled on the iOS device.

Image 3: Showcasing XCode instruments profile selection

Process data collection:

Image 4: Process list from iPhone

Overcoming the iOS interception challenge

For the common public

iOS security architecture typically prevents normal apps from performing unauthorized surveillance. However, a jailbroken device can bypass these security measures. Pegasus and other mobile malware may exploit remote jailbreak exploits to steer clear of detection by security mechanisms. This enables operators to install new software, extract data, and monitor and collect information from targeted devices.

Warning signs of an infection on the device include:

Slower device performance
Spontaneous reboots or shutdowns
Rapid battery drain
Appearance of previously uninstalled applications
Unexpected redirects to unfamiliar websites

This reinstates the critical importance of maintaining up-to-date devices and prioritizing mobile security. Recommendations for end-users include:

Avoid clicking on suspicious links
Review app permissions regularly
Enable Lockdown mode for protection against spyware attacks
Consider disabling iMessage and FaceTime for added security
Always install the updated version of the iOS

For businesses: Protect against Pegasus and other APT mobile malware

Securing mobile devices, applications, and APIs is crucial, particularly when they handle financial transactions and store sensitive data. Organizations operating in critical sectors, government, and other industries are prime targets for cyberattacks such as espionage and more, especially high-level employees.

Researching iOS devices presents challenges due to the closed nature of the system. Group-IB Threat Intelligence, however, helps organizations worldwide identify cyber threats in different environments, including iOS, with our recent discovery being GoldPickaxe.iOS – the first iOS Trojan harvesting facial scans and using them to potentially gain unauthorized access to bank accounts. Group-IB Threat Intelligence provides a constant feed on new and previously conducted cyber attacks, the tactics, techniques, and behaviors of threat actors, and susceptibility of attacks based on your organization’s risk profile— giving a clear picture of how your devices can be exploited by vectors, to initiate timely and effective defense mechanisms.

If you suspect your iOS or Android device has been compromised by Pegasus or similar spyware, turn to our experts for immediate support. To perform device analysis or set up additional security measures, organizations can also get in touch with Group-IB’s Digital Forensics team for assistance.