Wed Dec 04 2024

A new phone scanner that detects spyware has already identified 7 infections from Pegasus.

Since May, the mobile device security company iVerify has offered a tool that lets anyone scan a phone for spyware without forensic expertise, and it has already begun to turn up victims.

In recent years, the use of commercial spyware has increased significantly, encompassing a broader spectrum of victims. However, the prevailing narrative continues to be that this type of malware is used in targeted attacks on a very small number of individuals. Alongside this, checking devices for potential infections has been a challenge, leading many people to turn to various academic institutions and NGOs that are developing forensic techniques to detect mobile spyware.

Recently, iVerify announced the first results of the spyware detection feature it launched in May. Of the 2,500 device scans that customers chose to submit for review, seven showed infections by Pegasus, the spyware sold by the NSO Group. The feature, called Mobile Threat Hunting, combines signature-based malware detection, heuristics, and machine learning to look for anomalies in iOS and Android device activity and for telltale signs of spyware infection. For paying subscribers, the tool checks devices regularly. iVerify also offers the feature to anyone who buys the $1 iVerify Basics app: those users generate a diagnostic file on the device and send it to iVerify, and receive an analysis within a few hours, although they can do so only once a month.

iVerify's system is designed to maintain privacy, but to use the Mobile Threat Hunting feature, users must provide an email address, allowing the company to contact them if spyware is detected. “What’s truly fascinating is that the individuals who were targeted were not only journalists and activists but also business leaders and government figures,” said Rocky Cole, COO of iVerify and former NSA analyst. “This target profile is more in line with typical malware patterns rather than the narrative that mercenary spyware is only used to hunt activists. This certainly happens, but this cross-section of society was surprising to discover.”

Seven infections in 2,500 scans may sound like a small number, particularly given that iVerify's customer base is self-selecting and already security-conscious, but the fact that the tool has found any infections at all points to how widely spyware has proliferated around the world. An NSO Group spokesperson said the company sells exclusively to intelligence and law enforcement agencies allied with the United States and Israel, and that its customers use these technologies on a daily basis.

Cole notes that building the detection tool took a significant investment, because mobile operating systems like Android and iOS are far more locked down than traditional desktop operating systems and do not give monitoring software kernel access. The crucial insight, he says, was to collect telemetry from as close to the kernel as the platform allows and use it to tune the machine learning models. Some spyware, including Pegasus, also leaves characteristic traces that make it easier to flag.
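To make the "signatures plus heuristics" approach described above concrete, here is a small added example written for this article; it is not iVerify's code and says nothing about how Mobile Threat Hunting is actually implemented. It runs a two-layer scanner over a few constructed, device-diagnostic-style process records: an exact-match signature layer, and a heuristic layer that scores behaviour (executing from a writable directory, then connecting out, then deleting its own binary) so that a process with no known signature can still be flagged. Every path, signature ID and log line is invented for illustration and is not a real Pegasus indicator.

```python
import re
from collections import defaultdict

# Constructed sample telemetry shaped like process/network/file records from a
# device diagnostic dump. Made up for this example; not real device output.
SAMPLE_LOG = """\
2024-11-30T09:12:01Z event=exec pid=1 ppid=0 path=/sbin/launchd
2024-11-30T09:12:04Z event=exec pid=212 ppid=1 path=/usr/libexec/backboardd
2024-11-30T09:12:09Z event=exec pid=318 ppid=1 path=/usr/libexec/examplehelperd
2024-11-30T09:13:40Z event=exec pid=901 ppid=318 path=/private/var/tmp/.cache/example_daemon
2024-11-30T09:13:41Z event=net pid=901 dst=203.0.113.17:443
2024-11-30T09:13:42Z event=unlink pid=901 path=/private/var/tmp/.cache/example_daemon
2024-11-30T09:14:00Z event=exec pid=1020 ppid=1 path=/usr/bin/hypothetical_bad_agent
"""

# Signature layer: exact known-bad paths. Both the path and the ID are
# placeholders invented for this example, NOT real spyware indicators.
KNOWN_BAD_PATHS = {
    "/usr/bin/hypothetical_bad_agent": "HYPOTHETICAL-SIG-001",
}

# Heuristic layer: directories a legitimate system daemon would not run from.
# A hit here raises suspicion; it is not proof on its own.
WRITABLE_EXEC_DIRS = ("/private/var/tmp/", "/private/var/mobile/Library/Caches/")

SIGNATURE_SCORE = 100
HEURISTIC_SCORES = {
    "exec_from_writable_dir": 40,
    "network_from_writable_dir_proc": 30,
    "self_delete": 30,
}
ALERT_THRESHOLD = 60  # a signature hit alone, or several heuristics together

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse 'timestamp key=value key=value ...' into a dict."""
    ts, _, rest = line.partition(" ")
    rec = {"ts": ts}
    rec.update(_KV.findall(rest))
    return rec


def scan(log_text):
    """Return {pid: {"path", "score", "reasons"}} for every pid at or above threshold."""
    exec_path = {}               # pid -> path the process was exec'd from
    score = defaultdict(int)
    reasons = defaultdict(list)

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        pid, ev = rec.get("pid"), rec.get("event")

        if ev == "exec":
            path = rec["path"]
            exec_path[pid] = path
            if path in KNOWN_BAD_PATHS:                       # signature match
                score[pid] += SIGNATURE_SCORE
                reasons[pid].append(f"signature {KNOWN_BAD_PATHS[path]}")
            if path.startswith(WRITABLE_EXEC_DIRS):           # heuristic
                score[pid] += HEURISTIC_SCORES["exec_from_writable_dir"]
                reasons[pid].append("exec from writable dir")

        elif ev == "net":
            # Outbound connection by a process that came from a writable dir.
            if exec_path.get(pid, "").startswith(WRITABLE_EXEC_DIRS):
                score[pid] += HEURISTIC_SCORES["network_from_writable_dir_proc"]
                reasons[pid].append(f"network to {rec['dst']} from writable-dir process")

        elif ev == "unlink":
            # Deleting one's own on-disk binary is a classic anti-forensics move.
            if rec.get("path") == exec_path.get(pid):
                score[pid] += HEURISTIC_SCORES["self_delete"]
                reasons[pid].append("deleted its own executable")

    return {
        pid: {"path": exec_path.get(pid), "score": score[pid], "reasons": reasons[pid]}
        for pid in score
        if score[pid] >= ALERT_THRESHOLD
    }


if __name__ == "__main__":
    for pid, finding in scan(SAMPLE_LOG).items():
        print(pid, finding["path"], finding["score"], "; ".join(finding["reasons"]))
```

Run against the sample, pid 1020 is flagged by the signature alone, while pid 901 has no signature and is flagged only because three independent heuristics add up past the threshold; the benign system daemons score zero. The point the article makes applies here too: heuristics are what let a scanner catch a sample whose binary has never been seen, and the price is that each rule must be tuned against real benign telemetry or it will drown the analyst in false positives.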

The capability has already proved its worth. Cole says it allowed iVerify to identify signs of compromise on the phone of Gurpatwant Singh Pannun, a lawyer and Sikh political activist who was the target of an alleged, foiled assassination plot. Similarly, the Mobile Threat Hunting feature flagged suspected nation-state activity on the mobile devices of two Harris-Walz campaign officials during the 2024 US presidential race.

“The era of assuming that iPhones and Android phones are secure by default is over,” Cole declared. “The tools to know if your phone has spyware were not common, and there were technical barriers that left many people unprotected. Now, anyone can detect if their device is infected with commercial spyware, and the infection rate is much higher than previously believed.”