{"id":43453,"date":"2022-02-02T06:58:31","date_gmt":"2022-02-02T11:58:31","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=43453"},"modified":"2025-07-18T11:41:29","modified_gmt":"2025-07-18T15:41:29","slug":"how-to-protect-from-pegasus-spyware","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/how-to-protect-from-pegasus-spyware\/43453\/","title":{"rendered":"Staying safe from Pegasus, Chrysaor and other APT mobile malware"},"content":{"rendered":"

Possibly the biggest story of 2021 \u2014 an investigation by the Guardian and 16 other media organizations, published in July \u2014 suggested that over 30,000 human rights activists, journalists and lawyers across the world may have been targeted using Pegasus. Pegasus is a so-called \u201clegal surveillance software\u201d developed by the Israeli company NSO. The report, called the Pegasus Project<\/a>, alleged that the malware was deployed widely through a variety of exploits, including several iOS zero-click zero-days.<\/p>\n

Based on forensic analysis of numerous mobile devices, Amnesty International\u2019s Security Lab found that the software was repeatedly used in an abusive manner for surveillance. The list of targeted individuals includes 14 world leaders and many other activists, human rights advocates, dissidents and opposition figures.<\/p>\n

Later in July, representatives from the Israeli government visited the offices of NSO<\/a> as part of an investigation into the claims. In October, India\u2019s Supreme Court commissioned a technical committee to investigate the use of Pegasus<\/a> to spy on its citizens. Apple announced, in November, that it was taking legal action against NSO Group<\/a> for developing software that targets its users with \u201cmalicious malware and spyware.\u201d Last but not least, in December, Reuters published that US State Department phones were hacked<\/a> with the NSO Pegasus malware, as alerted by Apple.<\/p>\n

Over the past few months I have received a lot of questions from concerned users worldwide on how to protect their mobile devices from Pegasus and other similar tools and malware. We are trying to address this in the current article, with the observation that no list of defence techniques can ever be exhaustive. Additionally, as attackers change their modus operandi, protection techniques should also be adapted.<\/p>\n

How to stay safe from Pegasus and other advanced mobile spyware<\/h2>\n

First of all, we should start by saying that Pegasus is a toolkit sold to nation states at relatively high prices<\/strong>. The cost of a full deployment may easily reach millions of USD. Similarly, other APT mobile malware may be deployed through zero-click 0-day exploits. These are extremely expensive \u2014 as an example, Zerodium, an exploit brokerage firm pays up to $2.5 million for an Android zero-click infection chain with persistence:<\/p>\n

\"In<\/a><\/p>\n

From the start, this draws an important conclusion \u2014 nation state sponsored cyberespionage is a vastly resourceful endeavor. When a threat actor can afford to spend millions, potentially tens of millions or even hundreds of millions of USD on their offensive programs, it is very unlikely that a target will be able to avoid getting infected. To put this in simpler words, if you are targeted by such an actor, it\u2019s not a question of \u201cwhether you can get infected,\u201d it\u2019s actually just a matter of time and resources before you get infected<\/strong>.<\/p>\n

Now, for the good news \u2014 exploit development and offensive cyberwarfare are often more of an art rather than an exact science. Exploits need to be tuned for specific OS versions and hardware and can be easily thwarted by new OS releases, new mitigation techniques or even small things such as random events.<\/p>\n

With that in mind, infection and targeting is also a question of cost and making things more difficult for the attackers. Although we may not always be able to prevent the successful exploitation and infection of the mobile device, we can try to make it as hard as possible for the attackers.<\/p>\n

How do we do this in practice? Here\u2019s a simple checklist.<\/p>\n

How to protect from advanced spyware on iOS<\/h3>\n

Reboot daily.<\/strong> According to research from Amnesty International and Citizen Lab, the Pegasus infection chain often relies on zero-click 0-days with no persistence, so regular reboot helps clean the device. If the device is rebooted daily, the attackers will have to re-infect it over and over again. In time, this increases the chances of detection; a crash might happen or artifacts could be logged that give away the stealthy nature of the infection. Actually, this is not just theory, it\u2019s practice \u2014 we analyzed one case in which a mobile device was targeted through a zero-click exploit (likely FORCEDENTRY). The device owner rebooted their device regularly and did so in the next 24 hours following the attack. The attackers tried to target them a few more times but eventually gave up after getting kicked a few times through reboots.<\/p>\n

NoReboot: A fake restart to gain a foothold in the system<\/a><\/p><\/blockquote>\n