What Is This?
This page is intended ONLY for Android users receiving an official outreach of possible targeting in an incident related to NSO Group’s spyware that took place in Spring 2019. If you did not get such an outreach, this advice is probably not right for you.
If you are looking for general advice on how to be safer online, we encourage you to begin with Citizen Lab’s Security Planner, which can help you become safer, as well as identify more advanced online resources for your situation.
What Will I Be Able To Do?
This page suggests steps to increase the safety of your Android phone and online accounts after you have been notified of a possible security issue involving advanced spyware such as NSO Group’s Pegasus.
Keep In Mind
Our suggestions are based on Citizen Lab’s current knowledge of mobile spyware (including Pegasus). However, we cannot guarantee that the following steps will ensure your digital safety. They should be understood as mere guidance and not a replacement for tailored, one-on-one support from a digital security expert.
Being targeted with advanced spyware is also an indication that you may have concerns about your physical safety. You may wish to consult online resources about practical steps that you can take to address your safety.
While being targeted does not necessarily mean that your device was successfully infected, we believe there are certain steps you can take right away to make your device and online accounts safer. This is important if you have faced targeting with NSO Group’s Pegasus spyware, which has been used in a global pattern of abusive targeting of civil society groups, and a recent attack against WhatsApp users.
STEP 1: DE-LINK CLOUD ACCOUNTS (FREE)
According to reports, Pegasus spyware can steal credentials (‘tokens’) from your device, letting an attacker continue to access your online accounts even after your device is no longer infected. For example, the Google account attached to your device could be accessed by an attacker on a continuing basis, letting an attacker read your Gmail messages, or view your photographs.
We believe that you can block some potential unauthorized access to your accounts by logging out of these accounts using the Android phone that you are currently using.
You will then add these accounts back to your phone once you have obtained a replacement device (see Step 2).
STEP 2: REPLACE YOUR DEVICE ($)
Citizen Lab currently believes that an infection with Pegasus spyware can survive a factory reset on some Android phones. However, based on our experience, we do not know the full range of devices for which this applies. Therefore, we recommend replacing your phone if you have been targeted by Pegasus spyware.
Replacing the device that was targeted is the only way to be certain that your Android phone is safe.
Cannot replace your device right now? Getting a new phone is expensive, and that may not be possible for you right now. If you cannot purchase a new phone, you may still benefit from the other steps, but there will be a chance that you are still infected.
Once you have a replacement device, make sure that all of your apps, including WhatsApp, are up to date.
STEP 3: CHANGE YOUR PASSWORDS (FREE)
Once you have obtained a new phone, you should change the passwords for the cloud accounts that were attached to your original phone, as well as any other accounts that you use regularly.
Changing passwords can be frustrating and time-consuming, but it is essential to ensure that an attacker cannot continue to access your accounts using a stolen password.
STEP 4: ENHANCE YOUR ONLINE SAFETY (FREE)
You may be at risk from other forms of digital targeting or from spyware like Pegasus in the future. Being targeted means that someone invested time and resources in an effort to access your personal device.
Citizen Lab’s Security Planner is a good basic place to start improving your digital safety. This online tool asks you a few questions about the devices and services that you use and provides basic digital security recommendations.
Because of the serious nature of the digital threats that you may face, we recommend that you also consult advanced security guides.
Ultimately, there is no substitute for one-on-one help from a qualified digital security expert. We encourage you to contact an expert.
If you are a member of civil society (a journalist, human rights defender, activist, academic, etc.), you may find such a person through these emergency support resources. Unfortunately, Citizen Lab does not maintain a list of such experts who provide services to individuals who are not within civil society.
ARE YOU A MEMBER OF CIVIL SOCIETY?
REMINDER: THIS APPLIES ONLY TO INDIVIDUALS WHO RECEIVED OUTREACH THAT THEY HAVE BEEN TARGETED BY ADVANCED SPYWARE.
If you are a member of civil society, we would like to hear from you. Citizen Lab is an academic research lab with a mandate to study digital threats to civil society. Our research into digital threats involving individuals in civil society (human rights defenders, NGO staff, journalists and others) is conducted through human subject research protocols and participants must fit specific criteria and processes to be enrolled in these projects.
If you would like to be considered for enrollment in our research, and think you may fit our criteria for inclusion, you can contact us at firstname.lastname@example.org.
QUESTIONS AND ANSWERS
WHAT IS PEGASUS?
Pegasus is spyware made by NSO Group. NSO Group, which also goes by the name Q-Cyber, is an Israeli cyber warfare technology firm. Novalpina Capital, a European private equity firm, owns a majority stake in NSO Group.
Technically Speaking: Pegasus is a spyware suite with multiple delivery vectors. The WhatsApp exploit from May 2019 is one such vector. Others include tricking targets into clicking on a link using social engineering. Not all vectors are publicly known. Once the spyware is implanted, it provides the operators with regular, scheduled updates and is designed to avoid excessive bandwidth consumption.
AM I INFECTED? WAS I INFECTED?
It is very difficult to tell if a phone was or is infected with sophisticated spyware such as Pegasus. If you want to obtain a forensic analysis of your device, you may wish to engage professional experts to assist you. However, you may still not receive a conclusive answer.
Technically Speaking: Techniques such as auditing network traffic for suspicious connections over several days may help establish whether a device is currently infected and “phoning home” (i.e., communicating with the server). However, such techniques are not conclusive. Pegasus has a range of anti-forensic and self-destruct features that may be triggered by simple forensic techniques. There is no agreed-upon list of forensic indicators for a Pegasus infection.
CAN CITIZEN LAB HELP ME?
Providing technical support, advice, or recommendations to individuals not within civil society is generally outside of Citizen Lab’s mandate. You may wish to consult these emergency support resources. However, you may be eligible to participate in Citizen Lab research into targeted digital threats (see: Are You A Member of Civil Society).
ABOUT THE CITIZEN LAB
The Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs & Public Policy, University of Toronto, focusing on research, development, and high-level strategic policy and legal engagement at the intersection of information and communication technologies, human rights, and global security.
We use a “mixed methods” approach to research, combining practices from political science, law, computer science, and area studies. Our research includes: investigating digital espionage against civil society, documenting Internet filtering and other technologies and practices that impact freedom of expression online, analyzing privacy, security, and information controls of popular applications, and examining transparency and accountability mechanisms relevant to the relationship between corporations and state agencies regarding personal data and other surveillance activities.
More information about Citizen Lab is available here.