Mobile Malware – Spyware in 2021

The threat posed by mobile malware has been on a sharp increase over the course of the last several years. The number of new malware variants for mobile has recently been attributed a 54% rise since 2018 alone. Typical mobile malware targets have always been devices run on Android operating systems, however recent statistics have reported a staggering 165% increase in Mac iOS malware [Purplesec]. Famously known for their reputation among information security researchers as the most secure mobile device, Apple is currently facing their biggest challenge yet as they go up against the newest versions of Pegasus spyware.

What is it?

Pegasus is a malware created by the Israeli NSO Group. The software was created for government use in counter terror activities, and to combat corruption through the ability to infiltrate a suspect’s device with next to no detection risk.

Where does it come from?

Pegasus first came to light in 2016 when an unsuccessful attempt to hack the device of United Arab Emirates human rights activist, Ahmed Mansoor, was uncovered. Since then, it has been exploited by hackers and APT groups in a wave of various breaches.

Perhaps the most prevalent, and the first real-world instance of a Pegasus breach, was of encrypted messaging app, WhatsApp. The application was leveraged to provide installation of the Pegasus malware, without detection. Information security researchers discovered that a vulnerability in the voice call function of WhatsApp was exploited, which allowed the malware to be installed through the backdoor internet connection whilst the call was in session, or being established. It meant that, even if the device user did not answer the call, the malware could still compromise the device, and would then delete the malicious call from the phone’s log, removing any visible traces of breach.

How does it work?

Once installed, the Pegasus spyware has access to everything. Users with compromised devices will find that their hacker has access to live time, GPS locational data, which can be linked with other software to divulge who the compromised user is with; all messaging apps, including those that are encrypted; phone and microphone access, so hackers can watch and listen even when the victim is not within the app; log keystrokes, storing any emails or messages sent off of the device; record calls, so hackers can listen and save down past calls. Hackers have also been recorded to be able to bypass 2FA authentication and collect biometric and password data from compromised devices. Pegasus operates incognito, meaning whenever a hacker has access any one of these features, the compromised device will not register it via notifications, battery-usage, or even activation of the lock-screen.

To compromise a device in the first instance, Pegasus uses two prominent vectors for attack: one-click, and most worryingly, zero-click.

One-click

The initial vector used in the unsuccessful attempt on Ahmed Mansoor: used in tandem with a phishing or smishing scam, a link to a malicious website called Anonymizer will be sent to the victim’s device. The website is linked with the malware operator’s server which, once the link is clicked by the victim, will analyse the device to identify if they have the resources to be able to exploit that particular model. If successful, the malware installation will be made through the website; if it fails, the victim will be redirected to a legitimate site to avoid any suspicions.

Zero-click

The most dangerous vector that the likes of Apple in particular is facing at this moment in time. Similar to how WhatsApp was leveraged, zero-click vectors can remotely compromise devices with next to no user interaction with the spyware trigger required. This vector exploits primarily zero-day vulnerabilities and flaws in the core software code that developers are not yet aware of. With the majority of smartphones now able to automatically receive push messages, hackers have also exploited this avenue by delivering malicious links within an SMS or iMessage, meaning the link is already on the phone and able to compromise without a click. The sophistication of attack vector that Apple is up against is extremely high, with hackers working tirelessly around the clock to combat the defences Apple is repeatedly putting up to protect its software.

What’s the main threat?

Currently, there is no need for the general, commercial public to worry too much about the Pegasus spyware on their phones. Due to the amount of work that hackers have to do behind the scenes to bypass the advanced software protection of the likes of Apple, the software is very expensive. Customers of Pegasus buy licenses based on how many people they want to be keeping an eye on, and therefore these figures (of recent) have been exclusively of note, such as Cabinet Members, Supreme Court judges, and journalists.

Whilst the general population may not be at too much risk of high-profile attack attempts through zero-click vectors and Pegasus spyware, that’s not to say that the risk is not there, particularly for high-level, C-suite senior executives or business leaders. Many hackers have been exploiting the use of commercially available spyware reserved for child protection monitoring, and using it (highly illegally) on unsuspecting victims. Whilst this is not as an advanced breach method as the high-level Pegasus attacks, it’s always advised to practise good cybersecurity hygiene and be aware and on the lookout for malicious links.

What does the recovery look like?

The outlook is grim for a device infected with spyware, particularly software like Pegasus. Victim users should expect to lose all data. In the case of Pegasus, the software will destroy itself, erasing all data on itself and the device if triggered, or if it hasn’t been contacted by its malicious operator for 60 days.

Backing up devices can also provide more harm than good, as it means saving compromised versions of the data with the malware still attached. Thus, when the backup is uploaded to a clean device, it will also compromise that device too. 

Are you looking for assistance with your organisation’s mobile device security? To find out more about how Serbus can assist in securing your remote workers and ensure an advanced level of protection on your devices, get in touch today by emailing [email protected], or call our office on +44 (0)1432 870 879.