by kapnobatairza 1790 days ago
I ran this tool and found a trace that I was infected (malware detected in CrashReporter.plist). Any clue what I should be doing, if anything, to address this?

Reach out to Amnesty Tech and/or Citizen Lab for help establishing whether this is a real infection or a false positive.

If it's real: Adjust your behavior to account for the fact that once you know you're a target, there is no device on the market and no practical measures you can use to maintain safety. Assume everything you do on or near a computer used by you or a close contact is being monitored. The level of effort needed to maintain strong security in the context of being a target is astronomically higher than any individual can deal with.

The safest device would be a classical PC for general computing. No smartphone OS of course. Still vulnerable, but probably a lot safer.
> classical PC for general computing. No smartphone OS

PinePhone and Librem 5 smartphones can run a desktop OS for general computing. So smartphones should still be possible.

How about using your phone only as a data modem and doing everything on a Chrome OS device, which has no known malware? Just don't install Chrome extensions and you are safe. Also avoid installing apps on your phone.

This is basically what I wish I had, except back in reality there's no Chrome device that's the size of my cell phone. There are some with cellular modems.

> on a chrome os device

You instantly lost.

Chrome OS is probably the most secure system to use from an exploit perspective.

Just never install an Android app on it (that feature doesn't have the same guarantees as the rest of the system), and preferably use a guest account on it (that's how they run it in security competitions).

You basically have to break four layers to exploit that. You have to break the web renderer, then out of the browser sandbox, then you need to exploit the kernel to be able to write outside the (non persistent) guest account storage, then you need to exploit the firmware/secure boot chain so secure boot doesn't detect your modifications to the filesystem when the system next boots.

Chrome OS is probably the OS that leaks the most personal info and behavior of all OSes combined. It is inexcusable to subject children to it in my opinion. Advertisers know how to groom.

No malware except for the Google operating system.

And no spyware besides your documents being in Google's storage.

Store your files in local files, running on their Linux "Crostini". Apple and Android have hundreds, probably thousands of documented attacks, plus known companies attacking them with RATs and various spyware. There's an article a day. Apple took apps off their App Store to satisfy the Chinese govt and hurt Hong Kong democratic resistance. Google has paid hackers for various attempts to break into Chrome OS; most of them were really Chrome attacks, but the signed OS images have generally brought safety. Linux even has many known su root attacks plus malware and supply chain attacks.

You are just foolish not to consider chrome os.

I'm no expert, but if you ask me, I would completely erase the phone, upgrade it via DFU, and start fresh. After setting it up again, run another backup and rerun the tool to double-check. That or ditch the phone.

What's the best procedure for getting data off a compromised iPhone before wiping? Plugging it into other devices via USB or backing up to iCloud seems sketchy to me, but maybe I'm overly paranoid.
> Plugging it into other devices via usb

You've never plugged your phone into your computer before? If so, I doubt it could cause more harm to do it again unless you haven't done it since your device was infected. You're just mentally aware of it now, but how long has it been there and how many devices have you plugged your phone into since then, even just to charge? If you never plug your phone into another device, it's moot, but I suspect most people do at some time or another. "Hey, can I plug my phone in real quick to charge a bit" type stuff. AirDrop is good for quick, small files, but I'm not going to be transferring multiple gigabytes of 4K video via Wi-Fi speeds that way.

Thanks. Wasn't sure how AirDrop worked, so wasn't sure if connecting a compromised device that way was a concern. Unfortunately there is no info out there because the official line is "all Apple devices are secure, don't worry!"
> Plugging it into other devices via usb

I would do this, but only on Qubes OS. See here: https://www.qubes-os.org/doc/device-handling-security/#usb-s....

This is an expert response.

The last three words are.

Did you intentionally disable Settings > Privacy > Analytics & Improvements > Share iPhone Analytics?

From <https://www.amnesty.org/en/latest/research/2021/07/forensic-...>

"At around the same time the file com.apple.CrashReporter.plist file was written in /private/var/root/Library/Preferences/, likely to disable reporting of crash logs back to Apple."

This is a very good question and one to check - merely having crash logs disabled (at least for an HN audience) isn't a high information signal.

I've got crash logs and as much analytics and telemetry disabled in a custom provisioning profile just to save having to navigate through menus to turn everything off...

Would need to test this on one of those devices to see if there's a false positive as a result though. But it's possible this is a false alarm if it's just checking for existence of this file. Has anyone checked through the logic the tester uses?

You'd likely need to do several things, but one mitigation is to set up a network-wide firewall to block everything except IPs and domains you explicitly add to an allowlist, and only connect your devices through the firewall.

For iOS, I don't believe a capable on-device firewall exists; but even if it did, NSO likely may have compromised it too.

Also: If it amounts to unlawful tapping where you live [0], you may want to consider a legal recourse (like signing up for a class-action?).

[0] https://en.wikipedia.org/wiki/Telephone_tapping#Legal_status

I don't believe there are proper application-level firewalls. You can however (at least if the entire OS isn't compromised at the time of the network requests) get something which is better than nothing through the private DNS API.

If you configure your own private DNS server over DNS-over-HTTPS, and have your own logging on it, you can review your DNS logs across any devices configured to use it, rapidly.

While keeping a log of your own DNS queries might be a risk for some threat models, if you aren't doing this, chances are you were sending your DNS traffic in the clear to your ISP or mobile operator (or into a VPN provider of questionable trust). You probably aren't a huge amount more exposed by logging it for yourself.

This let me check for any of the IOC domains given in the write-up. While no doubt there will be attacks which could override the provisioning profile that forces this DNS to be used, it would still need to get into the system without making a query that's part of the IOCs. That limits attack vectors a fair bit - the payloads here seemed to do a fair bit of network-based fetching of subsequent payloads. The hostnames of these requests should be logged on your DNS and enable you to rapidly confirm if exposed.

As a bonus you can do host level ad blocking via this DNS server, which should definitely be the minimum you do if you're concerned about skilled attacker threat models - code execution in the browser via a delivered ad isn't something you want to make easy!
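As an added example, not the commenter's code: a small Python sweep over constructed DNS query-log lines against a placeholder IOC domain list, matching on label boundaries so that a lookalike hostname does not produce a false hit. The log format, client addresses and the `.invalid` domains are assumptions; the published IOC list from the write-up is not reproduced here.

```python
"""Sweep a DNS query log for hostnames matching known IOC domains.

Added example: the log format and the IOC domains below are constructed
placeholders, not the published indicators.
"""
import re
from typing import Dict, Iterable, List, Optional

# Constructed log format, one query per line:
#   <ISO timestamp> <client IP> <qname> <qtype>
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

# Placeholder IOC domains (replace with the published list).
IOC_DOMAINS = ["ioc-example.invalid", "update.ioc-two.invalid"]


def normalize(name: str) -> str:
    """Lowercase and drop the trailing dot that many resolvers log."""
    return name.lower().rstrip(".")


def matching_ioc(qname: str, iocs: Iterable[str]) -> Optional[str]:
    """Return the IOC that qname equals or is a subdomain of, else None."""
    q = normalize(qname)
    for ioc in iocs:
        i = normalize(ioc)
        # Label-boundary match: 'notioc-example.invalid' must not match
        # 'ioc-example.invalid', but 'cdn.ioc-example.invalid' must.
        if q == i or q.endswith("." + i):
            return i
    return None


def scan_log(lines: Iterable[str], iocs: Iterable[str]) -> List[Dict[str, str]]:
    """Return one hit per well-formed log line whose qname matches an IOC."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed or non-query lines
        ts, client, qname, _qtype = m.groups()
        ioc = matching_ioc(qname, iocs)
        if ioc:
            hits.append({"time": ts, "client": client,
                         "qname": normalize(qname), "ioc": ioc})
    return hits


# Constructed sample log: benign, exact hit, subdomain hit, near miss, garbage.
SAMPLE_LOG = [
    "2021-07-19T10:00:01Z 10.0.0.5 www.example.com. A",
    "2021-07-19T10:00:02Z 10.0.0.5 IOC-EXAMPLE.INVALID. A",
    "2021-07-19T10:00:03Z 10.0.0.7 cdn.update.ioc-two.invalid. AAAA",
    "2021-07-19T10:00:04Z 10.0.0.7 notioc-example.invalid. A",
    "garbage line",
]
```

Run `scan_log(SAMPLE_LOG, IOC_DOMAINS)` to get the two hits with the client that issued each query, which is the per-device view the comment describes.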

> If you configure your own private DNS server over DNS-over-HTTPS, and have your own logging on it, you can review your DNS logs across any devices configured to use it, rapidly.

Pegasus can always DoH its DNS queries to a server of its choosing, bypassing any and all network-wide / OS-wide DNS settings. Granted, IoCs can be set to flag such behaviour. Besides, DNS and ICMP can additionally be used to siphon off data too.

When used carefully, IP firewalls make for a good defence.

> ...if you're concerned about skilled attacker threat models - code execution in the browser via a delivered ad isn't something you want to make easy!

True. If NSO group is in your threat-model, it definitely warrants extreme paranoia and caution.

Good point - perhaps didn't make the limitations clear enough though - this would only help if the early payload gets delivered through a request made to a remote server (which inherently goes through default system DNS).

That's a fairly common compromise model though in my view - a message might contain a URL, and your phone might locally do a fetch of it to prepare a pretty preview, and that might try to exploit some weakness in the browser engine or whatever.

Given this was delivered via iMessage you're right - once they have code execution, the attacker can evade your DNS. If they can't get enough code in through their initial method to get their own DNS going, they might send a dropper which then pulls more code in from elsewhere, and that may give you an IOC to detect from that first query. If they can front their content on a popular domain though, this won't help.

Definitely favour network level protections before doing this, but if you just want the ability to get a view of your own DNS traffic from your device when it moves across WiFi and mobile data, this will give you a starting point.

Wow, that's scary. Could you provide the stdout from the tool indicating this?