Pegasus spyware infections found on several private sector phones
New findings from the mobile device security company iVerify show that powerful zero-click spyware is more widely used than has been previously understood and is impacting business executives in addition to members of civil society.
Pegasus spyware was detected on 11 of 18,000 unique devices iVerify tested in the month of December alone, the firm announced Wednesday.
iVerify had previously said in December that it found Pegasus in seven phones out of 3,000 submitted for testing after it first began offering diagnostic scans in May. News reports about those detections led to broader use of iVerify’s threat hunting app, the company said, yielding a more mainstream population of subjects.
The latest victims described by the company all work in private industry — including in real estate, logistics and finance — except for one who is a European government official, iVerify said. Victims who are willing to reveal their locations are from Switzerland, Poland, Bahrain, Spain, the Czech Republic and Armenia.
Pegasus is manufactured by the Israeli company NSO Group, which has been on the defensive for years as its spyware has shown up in civil society phones despite the company’s assertions that it only sells its product to governments targeting criminals and terrorists. Zero-click spyware is installed with no direct interaction with a device’s owner.
The iVerify app costs $1 to download and gives users the ability to scan their phones for advanced commercial spyware one time each month. Device owners follow a few simple steps to create a diagnostic file that iVerify assesses in a matter of hours.
The company’s scans look for malware signatures and rely in part on machine learning to find hints of spyware infection and anomalies in devices.
The new confirmed detections found known variants of Pegasus dating from 2021-2023, according to iVerify. Many of the victims were attacked with multiple variants. Some were spied on for years, iVerify said.
iVerify is still researching a number of additional cases where forensic traces suggest potential attacks, the company said.
The fact that business executives are being targeted with Pegasus adds a new dimension to the spyware crisis. These executives have access to secret corporate plans and financial data, and they speak regularly with other influential private sector leaders doing sensitive work out of the public eye, including on deals that can move financial markets.
To date, most publicly known Pegasus infections have affected journalists, human rights activists, politicians and others in civil society.
“The world remains totally unprepared to deal with this from a security perspective,” iVerify cofounder Rocky Cole, who is a former National Security Agency analyst, said in an interview. “This stuff is way more prevalent than people think.”
Only half of the individuals whose phones were found with Pegasus infections in the most recent scans had received threat notifications from Apple, Cole said.
The company only reported “true positive” Pegasus detections, Cole said, and did not include hits for users whose identities it could not verify through independent outreach.
iVerify tests for additional types of spyware including products from Paragon (Graphite), QuaDream (Reign) and Intellexa (Predator), but the new study only includes results for phones infected with Pegasus, Cole said.
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.