Unauthorized surveillance and breaches with Predator & Pegasus

Indicators of compromise and how to protect

Predator and Pegasus are spyware programs that can be covertly installed on mobile phones and other devices running Android and iOS, exploiting all the latest versions of mobile operating systems. Various studies and publications indicate that journalists, politicians, government officials, chief executives and directors are the most common targets.

Modus Operandi

The examination of infected devices in our Forensic Lab indicates that these spyware programs infect devices by sending a crafted SMS or instant message urging the targeted individual to click on a malicious link, which appears to come from a “known” sender. There are also mechanisms through which the targeted user is not required to click on any malicious URL and the device is still compromised, through the use of apps. Such spyware can be customized to capture screenshots, intercept communications and copy browsing history and contacts from the infected device. It can also compromise the most commonly used messaging platforms.

Indicators of Compromise

Studies, published research and our own experience with infected devices indicate a variety of methods for identifying compromise by spyware such as Pegasus and Predator:

1. Network injection attacks

These spyware programs forcibly redirect benign web pages to malicious ones, exposing the targeted devices.

2. Malicious processes

The presence of certain processes in the phone memory may indicate that the device is compromised.

3. Usage of inbuilt applications

  • The threat actor uses known instant messaging applications to deliver the spyware to the system, thus making it vulnerable.
  • Pegasus and Predator also use music applications to deliver their payload: an HTTP request generated from the music app points to malicious network infrastructure.
  • Photo apps have been used by the threat actors to deploy the spyware on devices, misusing their functionality.

4. Camouflaging itself

  • Predator and Pegasus disguise their malicious processes as system services, making them difficult to distinguish from legitimate ones.
  • Domain addresses used by Predator and Pegasus indicate that these spyware programs delete traces of their malicious processes from the device’s internal logs and databases.
  • Malicious domain addresses are often found in SMS, instant messaging applications or e-mail.

Detective measures:

  • Monitor your mobile’s data usage.
  • Be alert to unexpected interruptions of calls.
  • Check your device’s temperature, especially when it is idle.
  • Be alert if the device turns on by itself.
  • Be wary of new services and/or applications recently installed on your devices without your permission.

How to be protected: 

  • Only open links from known and trusted sources.
  • Keep devices updated with the latest OS versions.
  • Avoid using public / free Wi-Fi services when accessing any sensitive information. Using a VPN is recommended when handling confidential matters.
  • Familiarize yourself with the publicly available lists of suspicious URLs associated with Predator and Pegasus. These lists change constantly, so check them periodically.
  • If any unknown links / URLs need to be checked or opened, make use of reputable search engines.
  • Keep up-to-date antivirus apps on the devices.
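The two points above about malicious domains appearing in SMS, instant messages and e-mail, and about checking message content against the public indicator lists, can be turned into a simple triage check. The following script is an added example written for this page; it is not Deloitte's tooling or any published toolkit. The message records and the indicator domains in it are constructed placeholders (the `.invalid` and `.example` names are deliberately unresolvable), so a real check must load a current indicator list from a published source. It extracts URLs from an exported message list and matches each URL's host, and every parent domain of that host, against the indicator set, because operators commonly rotate hostnames under one registered domain.

```python
"""Match URLs found in exported messages against a list of indicator domains.

Added example for this page, not the original author's code. Both the message
records and the indicator list are CONSTRUCTED placeholders; public indicator
lists change over time, so load a fresh copy instead of hard-coding one.
"""
import re
from urllib.parse import urlsplit

# Constructed placeholder indicators (NOT real Predator/Pegasus domains).
INDICATOR_DOMAINS = {
    "example-iocs.invalid",
    "news-update.example",
}

# Constructed records resembling an SMS/chat export: (sender, message text).
SAMPLE_MESSAGES = [
    ("+30 69X XXX XXXX", "Your parcel is waiting: https://track.news-update.example/p/7731"),
    ("Bank", "Your statement is ready at https://bank.example/statement"),
    ("Maria", "see this http://cdn.example-iocs.invalid/article?id=4"),
    ("Maria", "no links here"),
]

# Simple URL extractor: scheme followed by everything up to whitespace/quotes.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Return every http(s) URL found in a message body."""
    return URL_RE.findall(text)


def domain_chain(host):
    """Yield the host and each parent domain: a.b.c -> a.b.c, b.c, c."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def match_indicator(url, indicators=INDICATOR_DOMAINS):
    """Return the indicator domain the URL's host falls under, or None.

    Subdomains of an indicator count as hits, since spyware operators rotate
    hostnames under a single registered domain.
    """
    host = urlsplit(url).hostname
    if not host:
        return None
    for candidate in domain_chain(host):
        if candidate in indicators:
            return candidate
    return None


def scan_messages(messages, indicators=INDICATOR_DOMAINS):
    """Return (sender, url, matched_domain) for every URL that hits an indicator."""
    hits = []
    for sender, text in messages:
        for url in extract_urls(text):
            matched = match_indicator(url, indicators)
            if matched:
                hits.append((sender, url, matched))
    return hits


if __name__ == "__main__":
    for sender, url, domain in scan_messages(SAMPLE_MESSAGES):
        print(f"[HIT] sender={sender!r} url={url} indicator={domain}")
```

On the constructed sample the scan flags two messages and leaves the bank statement link alone. A hit is a reason to preserve the device and hand it to a forensic examiner, not proof of infection on its own, and an empty result does not clear the device, since the page notes that zero-click delivery through apps leaves no link for the user to click.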

How Deloitte can help you

Our Digital Forensic Specialists can investigate all suspected devices for indicators of compromise, the magnitude of the breach and the files accessed by the spyware. This type of investigation requires specialized software and hardware that we possess locally in our Athens Digital Forensic Lab, while our Certified Digital Forensic Specialists can provide clarity under globally admissible methodologies and strict confidentiality.
