Amnesty International has released a toolkit to help people find out if their phone was secretly monitored by Pegasus, the military-grade spyware that targeted human rights activists, journalists, and lawyers around the world.
The software scans devices for the small clues that are left behind if a phone is infected by the Pegasus spyware.
A leaked list of 50,000 phone numbers was obtained by journalism non-profit Forbidden Stories and Amnesty before being shared with the media.
The spyware, built by Israeli firm NSO Group, can be used to record calls, copy and send messages or even film people via phone cameras. The spyware can and has been used to target both Apple iOS and Android devices.
NSO Group denied “false claims” made in the report, as did the governments of Hungary, Morocco, India, and Rwanda that have allegedly used the technology.
Early versions of the software required targets to click malicious links, giving unauthorised persons access to the victim’s private data, including passwords, calls, texts and emails, but experts believe the software has advanced so that targets do not have to click any link to have the spyware installed.
(1) @AmnestyTech saw an iOS 14.6 device hacked with a zero-click iMessage exploit to install Pegasus. We at @citizenlab also saw 14.6 device hacked with a zero-click iMessage exploit to install Pegasus. All this indicates that NSO Group can break into the latest iPhones.
— Bill Marczak (@billmarczak) July 18, 2021
Amnesty’s researcher toolkit, the Mobile Verification Toolkit (MVT), works on both iOS and Android devices to help users find out if they have been targeted. It uses a device backup and searches it for any indicators of compromise that would be used to deliver Pegasus, such as domain names used in NSO Group infrastructure.
If an iPhone backup is encrypted, the MVT can be used to decrypt it without having to make another copy.
The toolkit works using the command line, requiring basic knowledge on how to navigate the terminal. TechCrunch said it took approximately 10 minutes to have the tool operational.
When it is started, the toolkit scans a backup of the phone for any evidence that it has been hacked. It takes a minute or two to do so, and creates a number of files that show the results of the scan – if the phone is potentially compromised, those files will say so.
While NSO Group has denied the report, Amnesty International Security Lab said its forensic analyses found results that were “consistent with past analyses of journalists targeted through NSO’s spyware, including the dozens of journalists allegedly hacked in the UAE and Saudi Arabia and identified by Citizen Lab in December of last year”.
Claudio Guarnieri, director of Amnesty International’s Security Lab, said: “There are a bunch of different pieces, essentially, and they all fit together very well. There’s no doubt in my mind that what we’re looking at is Pegasus because the characteristics are very distinct and all of the traces that we see confirm each other.”