Pegasus infections on iPhones more common than previously thought





Pegasus may have been more widely used than first believed, after an iPhone app used to detect infestations uncovered multiple undiscovered instances of the spyware.

Pegasus, created by NSO Group, is known to be spyware used by governments and security agencies around the world. While the spyware has previously been discovered on devices owned and used by prominent political figures, people of interest to governments, and journalists, it was probably more widely used than anyone expected.

In May 2024, iVerify released a $1 app for people to scan their iPhones for any signs of compromise. On Wednesday, iVerify said that, of the approximately 3,000 people who downloaded and used the app, there were seven verifiable detections of Pegasus.

The security outfit said this works out to be about 2.5 infections per 1,000 phones scanned, or a 0.25% infection rate. These constituted “true positive Pegasus detections” that could be definitively proven, in instances where the user’s identity was verified.

The study openly admits that the number may be skewed towards “highly-targeted individuals or people who already thought their device might be compromised.” After iVerify published an initial report on its findings in December, it was given a second opportunity and a wider audience.

Approximately 18,000 more downloads of the app took place following that report, with 11 new cases detected in December alone.

The second wave, which included a larger and more generalized audience than the first, brought the global incidence rate down to 1.5 per 1,000 scans. At the same time, the group believes the larger sample size increases its confidence that the 1.5 infection figure is “closer to the true incidence rate.”

From this second group, the report infers that mobile compromises can extend beyond high-value targets to “impact a broad cross-section of society.” The new detections involved users in government, finance, logistics, and real estate industries, with some attacked over a number of years with multiple variants used.

While the underlying tone of the report is that more people should be trying the $1 scanning app, it does at least offer some important data points to consider.

Threat Notification failures

Apple has been proactive in trying to help protect those who have potentially been hit by a Pegasus installation on their device. However, the report adds that it’s not been a total success for the company.

It claims that, in about half the new detections, the targets did not receive Threat Notifications from Apple at all. In these cases, the users would not have been aware of any device compromise, the report points out.

When Apple detects that some form of surveillance attack has been made against iPhone users, it tries to send notifications to those affected. This has been occurring since 2021 and has led to regular waves of alerts to people around the world, urging them to take the attack warning seriously.

While Apple doesn’t typically attribute the attacks to an organization or a government, that hasn’t stopped some from fighting Apple’s efforts.

For example, in December 2023, Apple was targeted by the Indian government for alerting independent journalists and opposition politicians of possible attacks from government hackers. In response to the notifications, a probe was made into Apple’s threat detection algorithms and device security, rather than addressing the hacking concerns.

The latest report does prove that Apple’s Threat Notification system works, but there’s still a lot of room for improvement when it comes to detecting and acting on attacks.


