It is generally believed that it is impossible to completely protect yourself from professional surveillance software.
Although it may be very difficult to prevent the successful exploitation and infection of the mobile device, users can still take certain measures that make it hard for the attackers to target them.
According to media reports, it is mostly journalists, politicians, human rights advocates, lawyers and public activists that are increasingly becoming primary targets of such spyware.
So Costin Raiu, head of Kaspersky’s Global Research and Analysis Team (GReAT), has put together a set of recommendations for how mobile users both Android and iOS can protect their devices from Pegasus and other high-end mobile malware.
Pegasus, Chrysaor, Phantom and others are so-called “legal surveillance software”, developed by private companies and widely deployed through a variety of exploits, including several iOS zero-click zero-days. The earliest version of Pegasus was captured by researchers in 2016. Since then, over 30 000 human rights activists, journalists and lawyers across the world may have been targeted using Pegasus.
Here’s some advice that increase your resilience against sophisticated mobile malware attacks:
- First, it’s important to reboot mobile devices daily. Reboots help “clean” the device, so to speak, meaning that attackers will have to continually re-install Pegasus on the device – making it much more likely that the infection will eventually be detected by security solutions.
- Keep the mobile device up to date and install the latest patches as soon as they are out. Actually, many of the exploit kits are targeting already patched vulnerabilities, but they’re still dangerous for those people, who run older phones and postpone updates.
- Don’t ever click on links received in messages. This is a simple yet effective advice. Some of Pegasus customers rely on 1-click exploits more than on zero-click ones. These arrive in a form of a message, sometimes by SMS, but can also be via other messengers or even e-mail. If you receive an interesting SMS (or by any other messenger) with a link, open it on a desktop computer, preferably using TOR Browser, or better yet using a secure non-persistent OS such as Tails.
- Moreover, don’t forget to use an alternative web browser for web search. Certain exploits don’t work as well on alternative browsers like Firefox Focus when compared to more traditional browsers such as Safari or Google Chrome.
- Always use a VPN; doing so makes it harder for attackers to target users based on their Internet traffic. When you shop for a VPN subscription, there are few things to consider: look for established services that have been around for some time, can accept payment with cryptocurrencies and do not require you to provide any registration info.
- Install a security application that checks and warns if the device is jailbroken. To persist on a device, attackers using Pegasus will often resort to jailbreaking the targeted device. If a user has a security solution installed, they can then be alerted to the attack.
- If you’re an iOS user, trigger sysdiags often and save them to external backups. Forensics artifacts can help you determine at a later time if you have been targeted. Kaspersky experts also recommend iOS users that are at risk to disable FaceTime and iMessage. As they are enabled by default, it is a top delivery mechanism for zero-click chains and for many years.
“In general, Pegasus attacks are very targeted – meaning they’re not infecting people en masse but rather specific categories,” says Raiu. “Many journalists, lawyers, and human rights activists have been identified as targets of these sophisticated cyberattacks, but they generally lack the tools or knowledge to defend against.”
If you have already become a victim of Pegasus attack, here is some tips what you may do next:
- If you’ve been targeted, try to find a journalist and tell them your story. The thing that eventually brought down many surveillance companies was bad publicity. Reporters and journalists writing about abuses and exposing the lies, wrongdoing and all the evil.
- Change your device – if you were on iOS, try moving to Android for a while. If you were on Android, move to iOS. This might confuse attackers for some time; for instance, some threat actors are known to have purchased exploitation systems that only work on a certain brand of phone and OS.
- Get a secondary device, preferably running GrapheneOS, for secure comms. Use a prepaid SIM card in it, or only connect by Wi-Fi and TOR while in airplane mode.
- Avoid messengers where you need to provide your contacts with your phone number. Once an attacker has your phone number they can easily target you across many different messengers via this – iMessage, WhatsApp, Signal, Telegram, they are all tied to your phone number. An interesting new choice here is Session, which automatically routes your messages through an Onion-style network and doesn’t rely on phone numbers.
- Try to get in touch with a security researcher in your area and constantly discuss best practices. Share artifacts, suspicious messages or logs whenever you think something is odd. Security is never a single snapshot solution that is 100% proof; think of it like a stream that flows and you need to adjust your sailing depending on the speed, currents and obstacles.