It is generally believed that it is impossible to completely protect yourself from professional surveillance software. Although it may be very difficult to prevent the successful exploitation and infection of a mobile device, users can still take certain measures that make it harder for attackers to target them. According to media reports, it is mostly journalists, politicians, human rights advocates, lawyers and public activists who are increasingly becoming the primary targets of such spyware. Costin Raiu, Head of Kaspersky's Global Research and Analysis Team (GReAT), has therefore put together a set of recommendations for how mobile users, on both Android and iOS, can protect their devices from Pegasus and other high-end mobile malware.
Pegasus, Chrysaor, Phantom and others are so-called "legal surveillance software", developed by private companies and widely deployed through a variety of exploits, including several iOS zero-click zero-days. The earliest version of Pegasus was captured by researchers in 2016. Since then, over 30,000 human rights activists, journalists and lawyers across the world may have been targeted using Pegasus.
Here is some advice that increases your resilience against sophisticated mobile malware attacks:
- First of all, it's important to reboot mobile devices daily. Reboots help "clean" the device, so to speak: attackers will have to continually re-install Pegasus on the device, making it much more likely that the infection will eventually be detected by security solutions.
- Keep the mobile device up to date and install the latest patches as soon as they are out. Many of the exploit kits target already-patched vulnerabilities, but they are still dangerous for people who run older phones and postpone updates.
- Never click on links received in messages. This is simple yet effective advice. Some Pegasus customers rely on 1-click exploits more than on zero-click ones. These arrive in the form of a message, sometimes by SMS, but also via other messengers or even e-mail. If you receive an interesting SMS (or a message via any other messenger) with a link, open it on a desktop computer, preferably using Tor Browser, or better yet using a secure non-persistent OS such as Tails.
- Moreover, don't forget to use an alternative web browser for web search. Certain exploits don't work as well on alternative browsers such as Firefox Focus as they do on more traditional browsers such as Safari or Google Chrome.
- Always use a VPN; doing so makes it harder for attackers to target users based on their internet traffic. When you shop for a VPN subscription, there are a few things to consider: look for established services that have been around for some time, accept payment in cryptocurrencies and do not require you to provide any registration info.
- Install a security application that checks for and warns if the device is jailbroken. To persist on a device, attackers using Pegasus will often resort to jailbreaking the targeted device. If the user has a security solution installed, they can then be alerted to the attack.
- If you are an iOS user, trigger sysdiags often and save them to external backups. Forensic artifacts can help you determine at a later time whether you have been targeted. Kaspersky experts also recommend that iOS users who are at risk disable FaceTime and iMessage. Because they are enabled by default, they have been a top delivery mechanism for zero-click chains for many years.
"In general, Pegasus attacks are very targeted—meaning they're not infecting people en masse but rather specific categories. Many journalists, lawyers, and human rights activists have been identified as targets of these sophisticated cyberattacks, but they generally lack the tools or knowledge to defend against them. It's our mission to make the world safer, therefore we will do our best to provide the best protection techniques against malware, hackers and sophisticated threats such as these", comments Costin Raiu, the head of Kaspersky's Global Research and Analysis Team (GReAT).
If you have already become a victim of a Pegasus attack, here are some tips on what you may do next:
- If you have been targeted, try to find a journalist and tell them your story. What eventually brought down many surveillance companies was bad publicity: reporters and journalists writing about abuses and exposing the lies, wrongdoing and all the evil.
- Change your device: if you were on iOS, try moving to Android for a while. If you were on Android, move to iOS. This might confuse attackers for some time; for instance, some threat actors are known to have purchased exploitation systems that only work on a certain brand of phone and OS.
- Get a secondary device, preferably running GrapheneOS, for secure comms. Use a prepaid SIM card in it, or only connect by Wi-Fi and Tor while in airplane mode.
- Avoid messengers where you need to provide your contacts with your phone number. Once an attacker has your phone number, they can easily target you across many different messengers through it: iMessage, WhatsApp, Signal and Telegram are all tied to your phone number. An interesting new choice here is Session, which automatically routes your messages through an Onion-style network and doesn't rely on phone numbers.
- Try to get in touch with a security researcher in your area and regularly discuss best practices. Share artifacts, suspicious messages or logs whenever you think something is odd. Security is never a single snapshot solution that is 100% proof; think of it as a stream that flows, where you need to adjust your sailing depending on the speed, currents and obstacles.
Read the full post on how to protect yourself from Pegasus and other targeted mobile malware on Kaspersky Daily.