Forbidden Stories, a Paris-based non-profit organisation that seeks to protect the freedom of speech of journalists, recently announced, following a data leak, that 50,000 phone numbers had been selected for surveillance by customers of the Pegasus Project surveillance solution sold by the Israeli NSO Group.
The NSO Group has always maintained that the purpose of the Pegasus Project was for governments to monitor terrorist activity. However, this recent story, if true, could suggest that the solution has been abused for a long period of time and used for other nefarious purposes.
As reported by Forbidden Stories, the leaked data suggests widespread misuse of the Pegasus Project and a range of surveillance targets that includes human rights defenders, academics, businesspeople, lawyers, doctors, union leaders, diplomats, politicians and several heads of state. The NSO Group continues to contend that these assertions are based on wrong assumptions and uncorroborated theories. Whether these statements are true or false, they raise important considerations for enterprises and government organisations that need to protect the smartphones of employees who have access to sensitive information.
The Pegasus Project is reported to give NSO Group customers full control of target devices, which makes it a threat of interest. However, it is not the first mobile threat that organisations should be concerned about. In another contested case, Snyk suggested that the Sour Mint threat, a Software Development Kit (SDK) developed by the Chinese mobile ad platform provider Mintegral and used by more than 1,200 apps in the Apple App Store, was responsible for spying on users by logging the URL-based requests they made through the app. It was reported that this user activity was logged to a third-party server and could include personally identifiable information (PII).
Where things get interesting with Sour Mint is its ability to evade defences by slipping through the Quality Assurance (QA) process of the Apple App Store, which goes to show that even Apple's thorough review processes were not sufficient to detect the malicious code in the case of this threat.
So, with the rise of mobile threats such as Pegasus Project and Sour Mint, how should organisations defend against such threats?
For a long time, the consensus among many was that Mobile Device Management (MDM) solutions were adequate protection for a mobile device fleet, since widely used mobile operating systems such as Apple iOS sandbox applications. However, Sour Mint and the Pegasus Project demonstrate that simply securing the mobile fleet through MDM is insufficient: malicious code can exist in approved, sanctioned applications in application stores, and zero-day vulnerabilities exist in popular mobile operating systems. Organisations that are serious about advanced threats need to go beyond MDM to prevent devices from being compromised and data from being exfiltrated.
The security industry's answer to such threats is Mobile Threat Defence (MTD). Such solutions aim to prevent and detect advanced threats, such as malware, on iOS and Android devices. Gartner states that large-scale adoption of such solutions continues to be concentrated in highly regulated and high-security sectors, and that organisations continue to derive value from MTD solutions primarily through app vetting and device vulnerability management.
From a security reporting perspective, there is a lot of value in such hygiene activity. However, neither app vetting nor vulnerability management (i.e. detecting and remediating known vulnerabilities) would be effective in blocking attacks such as Pegasus Project and Sour Mint.
Ultimately, the deployment of MTD solutions to block advanced threats comes back to the risk profile and cyber maturity of a given organisation. MTD is a control that would generally be deployed within organisations with a higher maturity level, so it is important to get the basics right with app vetting and device vulnerability management first before attempting to detect advanced threats.
For most organisations, the likelihood of being compromised by an advanced threat is low. However, those holding information assets of significant value should consider the use of MTD, because where assets are valuable, the likelihood of attack rises accordingly.
Emerging use cases envisage MTD as a component of a zero-trust network access (ZTNA) architecture and of an extended detection and response (XDR) system, which can serve as a pilot for unified endpoint security. This is in addition to the use of MTD for mobile phishing protection.
Contributed by Neil Lappage, Public Sector Solutions Lead at ITC Secure, Member of ISACA Emerging Technology Working Group