Amnesty’s new tool checks if your iPhone has been infected with Pegasus spyware

Israeli spyware company NSO Group claims its multi-million dollar surveillance tool, dubbed Pegasus, can extract data from services like Google Drive or iCloud via infected iPhones. Thankfully, Amnesty International’s new tool can check if your phone runs Pegasus spyware.

If you’re worried that your iPhone might’ve been infected with Pegasus, don’t.

Pegasus is a sophisticated, expensive government-grade spyware rather than a typical app you could purchase online. Due to the high cost of entry, only deep-pocketed dictators, rogue regimes and state-sponsored actors can purchase a license to use it.

How to check iPhone for Pegasus spyware

But we understand that this explanation may not be satisfactory and that you may be interested in confirming that your iPhone has not been infected with the Pegasus spyware. If so, Amnesty International has released a tool to do just that.

While the process is a bit technical and involves Terminal, Xcode and such, it's not too complicated. Basically, you must first back up your iPhone to a separate computer before you can run Amnesty's tool, which then checks that device backup for signs of infection.

For more info, read a write-up by The Verge and Amnesty International’s instructions.
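The backup-then-scan procedure outlined above, scripted as an added example (not code from the article or from Amnesty's project). It assumes libimobiledevice's `idevicebackup2` and Amnesty's `mvt-ios` command are installed, that the Pegasus indicator file has been downloaded to `~/pegasus.stix2`, and that MVT writes a `<module>_detected.json` file only when a module matches an indicator.

```shell
#!/bin/sh
# Added example, not from the article or from Amnesty: the back-up-then-scan
# workflow using libimobiledevice's idevicebackup2 and Amnesty's mvt-ios.
# Flags follow the tools' published docs; confirm with `mvt-ios check-backup
# --help` on your installed version. Directory paths are assumed defaults.
set -eu

BACKUP_DIR="${BACKUP_DIR:-$HOME/iphone-backup}"
OUTPUT_DIR="${OUTPUT_DIR:-$HOME/mvt-results}"
# Amnesty publishes its Pegasus indicators as a STIX2 file; path assumed.
IOC_FILE="${IOC_FILE:-$HOME/pegasus.stix2}"

# Return 0 when every tool the workflow needs is on PATH, 1 otherwise.
tools_present() {
    for t in idevicebackup2 mvt-ios; do
        command -v "$t" >/dev/null 2>&1 || { echo "missing tool: $t" >&2; return 1; }
    done
}

# Assumption from MVT's documented output naming: a <module>_detected.json
# file appears only for modules that matched an indicator. Print the count.
count_detections() {
    dir="$1"
    n=0
    for f in "$dir"/*_detected.json; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

run_scan() {
    tools_present || return 2
    # 1. Full backup of the attached iPhone to a directory on this computer.
    idevicebackup2 backup --full "$BACKUP_DIR"
    # 2. Scan the backup against the indicator file; results go to OUTPUT_DIR.
    mkdir -p "$OUTPUT_DIR"
    mvt-ios check-backup --iocs "$IOC_FILE" --output "$OUTPUT_DIR" "$BACKUP_DIR"
    # 3. Summarise: any *_detected.json means at least one indicator matched.
    hits=$(count_detections "$OUTPUT_DIR")
    if [ "$hits" -gt 0 ]; then
        echo "$hits module(s) matched Pegasus indicators; review $OUTPUT_DIR"
    else
        echo "no indicator matches found in $BACKUP_DIR"
    fi
}

# The scan touches a real device, so run it only when asked explicitly.
if [ "${RUN_SCAN:-0}" = 1 ]; then
    run_scan
fi
```

Run with `RUN_SCAN=1 sh scan.sh` after connecting and trusting the iPhone; an indicator match is a reason to look at the matching module's JSON, not proof of infection on its own.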

How Pegasus infects iPhones via iMessage exploits

NSO Group and its products were previously accused of state-sponsored phone hacking because Pegasus is typically used by governments and authoritarian regimes.

But up until recently, we were in the dark as to how the software actually infects devices.

As major news organizations revealed in a big scoop based on findings by Amnesty International, NSO's surveillance software can be injected remotely onto a target device via an iMessage that produces no notification and requires no action from the user.

This apparently takes advantage not only of zero-day exploits but also of vulnerabilities in the iMessage protocol caused by Apple's use of common data-parsing libraries known for memory leaks. Apple attempted to fix this by adding a firewall system to iMessage, called BlastDoor.

While BlastDoor was designed to isolate incoming iMessage content in case it contained malicious links or code, it hasn't managed to stop these attacks at all. Making matters worse are exploits in other parts of the operating system, such as the ImageIO framework, which provides, among other things, image-parsing features for JPEG and GIF files.

But if Apple wants to plug those problematic holes in the iMessage system, then we're afraid the company has no other choice but to gradually rewrite iMessage from scratch, either using proven libraries or writing its own libraries for safe parsing of incoming content.