Pegasus Spyware Infections Proliferate Across iOS, Android Devices

The notorious spyware from Israel's NSO Group has been found targeting journalists, government officials, and corporate executives in multiple variants discovered in a threat scan of 2,500 mobile phones.


Researchers have discovered seven new Pegasus spyware infections targeting journalists, government officials, and corporate executives that started several years ago and span both iPhone and Android devices, demonstrating that the range of the notorious spyware may be even greater than once thought.

Researchers from iVerify discovered multiple devices compromised by Israeli company NSO Group's spyware via attacks initiated between 2021 and 2023 that affect Apple iPhone iOS versions 14, 15, and 16.6, as well as Android, they revealed in a blog post published on Dec. 4. The infections were discovered in May during a threat-hunting scan of 2,500 devices from iVerify users who opted in to the checks.

Specifically, the investigation uncovered multiple Pegasus variants in five unique malware types across iOS and Android. The researchers detected forensic artifacts in diagnostic data, shutdown logs, and crash logs found on the devices.
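The detection approach named above, looking through diagnostic and shutdown logs for processes that should not be there, can be illustrated with a small triage script. The following is an added example and is not iVerify's tooling or code from the article: the log line format, the sample lines and the allow-list of expected system directories are all constructed for illustration and are not the real iOS shutdown-log or crash-log format. It parses each line, extracts the executable path of a process that delayed shutdown, and reports paths outside the expected system prefixes together with how often and over what period they recur, which is the kind of low-noise anomaly a threat hunt on an opted-in device would surface.

```python
"""Triage device diagnostic log lines for processes launched from unexpected paths.

Added example, not iVerify's tooling. The log format, sample lines and the
allow-list below are constructed assumptions for illustration only.
"""
import re
from dataclasses import dataclass

# Constructed sample log: one line each time a client process delayed shutdown.
SAMPLE_LOG = """\
2023-03-02 08:14:01 shutdown: remaining client pid: 41 (/usr/sbin/syslogd)
2023-03-02 08:14:01 shutdown: remaining client pid: 1337 (/private/var/db/com.example.staging/helperd)
2023-03-09 21:02:44 shutdown: remaining client pid: 1402 (/private/var/db/com.example.staging/helperd)
2023-03-15 07:55:10 shutdown: remaining client pid: 88 (/System/Library/CoreServices/powerd)
2023-03-20 23:11:05 shutdown: remaining client pid: 1511 (/private/var/db/com.example.staging/helperd)
"""

# Directories a stock OS is expected to launch daemons from (assumption).
EXPECTED_PREFIXES = ("/usr/", "/System/", "/sbin/", "/bin/")

# Matches the constructed line format: "<date> <time> shutdown: remaining client pid: <pid> (<path>)"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) shutdown: remaining client pid: (?P<pid>\d+) \((?P<path>[^)]+)\)$"
)


@dataclass(frozen=True)
class Finding:
    path: str
    count: int
    first_seen: str
    last_seen: str


def parse_lines(text):
    """Yield (timestamp, pid, path) for each well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), int(m.group("pid")), m.group("path")


def is_unexpected(path):
    """True when the executable lives outside the allow-listed system directories."""
    return not path.startswith(EXPECTED_PREFIXES)


def triage(text):
    """Return one Finding per unexpected path, most frequently recurring first."""
    seen = {}
    for ts, _pid, path in parse_lines(text):
        if not is_unexpected(path):
            continue
        first, _last, count = seen.get(path, (ts, ts, 0))
        seen[path] = (first, ts, count + 1)
    findings = [Finding(p, c, f, l) for p, (f, l, c) in seen.items()]
    return sorted(findings, key=lambda f: f.count, reverse=True)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.count}x {f.path} (first {f.first_seen}, last {f.last_seen})")
```

Recurrence across reboots weeks apart is what makes a finding worth a closer look; a one-off entry from an unexpected path is more often a crash or an update than persistence. On a real device the allow-list would need to be built from a known-good baseline of the same OS version rather than the four prefixes assumed here.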

"Our investigation detected 2.5 infected devices per 1,000 scans — a rate significantly higher than any previously published reports," Matthias Frielingsdorf, iVerify co-founder and iOS security researcher, wrote in the post. Each of the infections "represented a device that could have been silently monitored, its data compromised without the owner's knowledge," he wrote.


"The discovery supported our thesis about the prevalence of spyware on mobile devices — it was hiding in plain sight, undetected by traditional endpoint security measures."

Pegasus Spyware Reach Underestimated?

The findings also demonstrate that security researchers, in general, may have underestimated the reach of mobile spyware, particularly Pegasus, Rocky Cole, co-founder and COO of iVerify, tells Dark Reading.

Pegasus, developed by NSO Group — an adversary that iVerify tracks as "Rainbow Ronin" — is a particularly nasty piece of spyware that allows the controller to exploit OS vulnerabilities and leverage zero-click attacks to access and extract whatever they want from an exploited mobile device. Attackers can intercept and transmit messages, emails, media files, passwords, and detailed location information without a user's knowledge or interaction.

Pegasus gained initial notoriety in 2021 when security researchers found that it was being used by state-sponsored actors in illegal surveillance against journalists, politicians, human rights advocates, and other persons of interest to government intelligence agencies. Since then, numerous other infections have surfaced that show how governments have wielded the spyware, with journalists in particular in the crosshairs.


Now iVerify's discovery suggests that state-sponsored actors not only are using mobile spyware in a narrow way to surveil the most high-profile of targets, but also could be spying on people within typically targeted populations who wouldn’t seem likely to be on their radar, Cole says.

"Previously considered a rare and highly targeted threat, Pegasus was found to be more prevalent and capable of infecting a wider range of devices, not just those belonging to high-risk users," he says.

Moreover, as iVerify’s investigation uncovered multiple Pegasus infections across several iOS versions, some dating back years, it's clear that traditional security measures often fail to detect such threats. This suggests that mobile device users themselves must be included in the detection of malware so they have "the power to understand and defend against threats that were previously invisible," Frielingsdorf wrote.

Hunt Your Own Device Threats

Cole says that best practices for preventing spyware infections before they occur include regularly updating devices to the latest OS as soon as possible, as spyware often exploits unpatched vulnerabilities. And though EDR may not pick up every infection, it can be a useful tool for organizations to use alongside more proactive device-specific threat-hunting to "help detect and respond to threats in real time," he says.


Organizations also should educate employees, Cole adds, especially those in high-risk roles, about the risks and best practices for mobile security as an essential protection against spyware infections.

About the Author

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.
