Getting Pegasus (NSO Group) false positives

Hack Patrol

2 min read · Feb 24, 2022

Introduction

In July 2021 Amnesty International Security Lab published the Mobile Verification Toolkit (MVT). This toolkit looks for indicators of compromise (IOCs) on iOS and Android devices and automates the process of gathering forensic traces of the Pegasus malware.

Tool

To test the reliability of the toolkit, we tried to produce a false positive by tampering with a backup. The tampered backup must still be accepted by iOS and remain restorable.

It worked: the device is incorrectly detected as infected by Pegasus. It also works with encrypted backups; in fact, in encrypted backups more IOCs can be faked.

Technical details

MVT looks for the following evidence in the backup:

  • Domains from a list in the SMS content.
  • Domains from a list in the browser (Chrome, Firefox and Safari) history.
  • Modified processes in the process list.
  • New files in the filesystem.
  • Modified entries in the per-process data usage database.

It also shows a timeline with the suspicious events detected in the device.
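The checks listed above, as an added example that is not part of the original post and is not MVT's code or the authors' tampering scripts: it matches constructed SMS, browser-history and process-list records against constructed indicator lists (the domains and process name are placeholders, not real Pegasus indicators) and merges the hits into a chronological timeline. The record layout, the `Detection` class and the function names are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from itertools import chain
from urllib.parse import urlparse

# Constructed indicator lists for this example only; they are placeholders,
# not the real Pegasus indicators that MVT ships with.
IOC_DOMAINS = {"updates.example-ioc.invalid", "cdn.example-ioc.invalid"}
IOC_PROCESSES = {"suspicioushelperd"}

# Constructed records standing in for what a backup parser would return
# from the SMS store, a browser history table and the process list.
SMS_RECORDS = [
    {"ts": "2022-02-20T09:12:00Z", "sender": "+10000000000",
     "text": "Your parcel is waiting: https://updates.example-ioc.invalid/track?id=1"},
    {"ts": "2022-02-20T10:00:00Z", "sender": "+10000000001",
     "text": "Lunch at noon?"},
]
HISTORY_RECORDS = [
    {"ts": "2022-02-20T09:13:30Z", "url": "https://updates.example-ioc.invalid/track?id=1"},
    {"ts": "2022-02-20T11:45:00Z", "url": "https://www.wikipedia.org/"},
]
PROCESS_RECORDS = [
    {"ts": "2022-02-20T09:14:05Z", "name": "suspicioushelperd"},
    {"ts": "2022-02-19T08:00:00Z", "name": "SpringBoard"},
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def parse_ts(value: str) -> datetime:
    """ISO-8601 timestamp with a trailing Z, as used in the constructed records."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def matches_ioc(host: str, iocs=IOC_DOMAINS) -> bool:
    """True for an exact match or any subdomain of an indicator domain."""
    return any(host == ioc or host.endswith("." + ioc) for ioc in iocs)


@dataclass(order=True, frozen=True)
class Detection:
    ts: datetime
    source: str   # artefact the hit came from: sms, history or process
    detail: str


def scan_sms(records):
    """Flag messages whose links point at an indicator domain."""
    hits = []
    for rec in records:
        for url in URL_RE.findall(rec["text"]):
            host = host_of(url)
            if matches_ioc(host):
                hits.append(Detection(parse_ts(rec["ts"]), "sms",
                                      f"{rec['sender']} sent link to {host}"))
    return hits


def scan_history(records):
    """Flag history entries whose host is an indicator domain."""
    return [Detection(parse_ts(r["ts"]), "history", f"visited {host_of(r['url'])}")
            for r in records if matches_ioc(host_of(r["url"]))]


def scan_processes(records):
    """Flag process-list entries whose name is on the indicator list."""
    return [Detection(parse_ts(r["ts"]), "process", f"process {r['name']}")
            for r in records if r["name"] in IOC_PROCESSES]


def build_timeline(*detection_lists):
    """Merge hits from every artefact into one chronological timeline."""
    return sorted(chain.from_iterable(detection_lists))


def attack_chain(timeline):
    """Ordered artefact types in the timeline, e.g. ['sms', 'history', 'process']
    for the lure -> click -> infection story. Every input here comes from the
    backup, so a tampered backup yields the same chain; treat it as a lead to
    confirm against the live device, not as a verdict."""
    return [d.source for d in timeline]


if __name__ == "__main__":
    timeline = build_timeline(scan_sms(SMS_RECORDS),
                              scan_history(HISTORY_RECORDS),
                              scan_processes(PROCESS_RECORDS))
    for d in timeline:
        print(d.ts.isoformat(), d.source, d.detail)
    print("chain:", attack_chain(timeline))
```

Each scanner is independent of the others, so the timeline is only as trustworthy as the backup it was built from; a second, independent source (for example an on-device check or network telemetry) is what separates a planted indicator from a real one.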

The tool can inject the following false evidence: SMS messages containing blacklisted domains, suspicious links in the browser history, modified data usage, new files in the filesystem and modified processes in the process list.

The modified backup restores correctly on the iOS device. On the device the suspicious traces are in place (SMS, link in browser history, etc.) and it looks as if it had been infected or targeted by Pegasus.

Demo

The following video shows how the tool works.

In the timeline of the simulated attack we placed an SMS with a suspicious domain, and the same domain is placed in the browser history. The tool also creates a modified process with a timestamp newer than the previous evidence.

Taken together, the evidence suggests that the owner of the device received an SMS with a link and then browsed to it. Finally, a process is modified on the system (simulating an infection of the device).

Summary

Backups cannot be considered a valid source of forensic evidence, as they can be tampered with easily.

With our scripts you can have your own “infected” device.
