
Domain History - False Positive Results #319

Closed
jonathandata1 opened this issue Nov 30, 2022 · 2 comments

Comments

@jonathandata1

Because MVT-Tool only checks for IOCs in Safari history based on strings, just visiting the website in Safari gives a false positive result.

MVT-Tool delivers 2 different sets of results when presented with the same sample set.

Scenario 1: The iPhone is not connected to network, wifi, or ethernet adapter

Prep

Open Safari, and for each line item open a new tab; after entering the address, press Go.

  1. http://123tramites.com
  2. http://infoquiz.net
  3. http://statsupplier.com
  4. http://redirstats.com
  5. http://statsads.co
  6. http://nnews.co
  7. http://adsmetrics.co
  8. take an encrypted backup
  9. use mvt to decrypt
  10. use mvt to check the backup

Result

MVT-Tool finds all 7 addresses to be positive for Pegasus without ever having an internet connection

(screenshot: Screen-Shot-2022-11-30-at-12-17-26-PM.png)

Scenario 2: The iPhone is connected to network, wifi, or ethernet adapter

Prep

Open Safari, and for each line item open a new tab; after entering the address, press Go.

  1. http://123tramites.com
  2. http://infoquiz.net
  3. http://statsupplier.com
  4. http://redirstats.com
  5. http://statsads.co
  6. http://nnews.co
  7. http://adsmetrics.co
  8. take an encrypted backup
  9. use mvt to decrypt
  10. use mvt to check the backup

Result

MVT-Tool finds only 6 addresses to be positive for Pegasus. Because statsads.co redirected to 11165151.addotnet.com, it was not recognized as a malicious IOC.

In Appendix E of the Amnesty Verification report Jordi Sànchez had statsads.co that redirected as well, and when I ran the exact IOCs listed for Jordi in the report, there was no Pegasus detection found in the Safari History because of the redirects.

(screenshot: Jordi Sànchez, Screen-Shot-2022-11-30-at-11-52-57-AM.png)

Conclusion

MVT-Tool is not using logic to make conclusions of a Pegasus infection, it is only looking for strings, and having an internet connection or not having an internet connection on the device affects the results. This is why MVT-Tool should have documentation showing the scenarios in which false positive results are possible.

A person can manually enter any domain listed as malicious into their browser and MVT-Tool will pick it up as a positive infection when it is not.

@abashinfection

If there are traces of C2 communication on my device, I want to be alerted.
Whether I've manually inserted those traces or not.

MVT-Tool is flagging those events as suspicious, and they have a disclaimer in their README stating "This is not intended for end-user self-assessment", so no one is blindly using a single suspicious event from MVT-Tool and proclaiming infection.

Now, let's get to the part where MVT-Tool reports differ based on connectivity.
iOS is a very closed OS and researchers are limited in what data they can extract, and even more limited in terms of configuration. It appears that Safari history does not track all redirects for a URL, but it simply logs the end URL. Most likely this behavior can't be configured and no additional data is available.
Because of this, you are suggesting there could be FPs? Why would that be?
It looks to me as if we are dealing with potential FNs rather than FPs.
If a payload uses the redirected URL on a device with connectivity, no malicious event would be logged in Safari history. This is a potential FN, luckily there are many other IOCs provided by MVT-Tool that can be used to determine an infection verdict.

MVT-Tool is not using logic to make conclusions of a pegasus infection

Yes, you have already been told this multiple times.
Forensic tools are used as supporting tools during analyses. No one is claiming this tool alone will tell you whether you have been infected or not.
It's in the first line of their README:

Mobile Verification Toolkit (MVT) is a collection of utilities to simplify and automate the process of gathering forensic traces helpful to identify a potential compromise of Android and iOS devices.
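The two behaviours argued about above, as an added illustration that is not MVT's own code: a domain-level IOC match over history entries flags whatever hostname was recorded (it cannot tell a typed visit from a real C2 contact), and a visit whose history row holds only the post-redirect URL is missed entirely. The IOC list and the history rows are constructed from the URLs quoted in the issue; the dict shape of the rows is an assumption.

```python
from urllib.parse import urlsplit

# Constructed IOC list: three of the domains quoted in the issue, standing in
# for the domain indicators MVT loads from its STIX2 files (not MVT's own code).
IOC_DOMAINS = {"123tramites.com", "statsads.co", "nnews.co"}


def hostname_of(url):
    """Lower-cased hostname of a URL, or "" if the URL has none."""
    return (urlsplit(url).hostname or "").lower()


def matches_ioc(url, iocs=IOC_DOMAINS):
    """Domain-level match: the hostname equals an IOC domain or is a subdomain
    of one. Nothing about how the visit came about (typed, clicked, redirected)
    is available in the row, so nothing about it is consulted."""
    host = hostname_of(url)
    return any(host == d or host.endswith("." + d) for d in iocs)


def scan_history(entries, iocs=IOC_DOMAINS):
    """Return the history rows whose URL hits an IOC domain."""
    return [e for e in entries if matches_ioc(e["url"], iocs)]


# Constructed Safari-history-like rows for the two scenarios in the issue.
OFFLINE_HISTORY = [  # addresses typed by hand, never actually loaded
    {"url": "http://123tramites.com/"},
    {"url": "http://statsads.co/"},
    {"url": "http://nnews.co/"},
]
ONLINE_HISTORY = [
    {"url": "http://123tramites.com/"},
    # statsads.co redirected; only the final URL is left in the history row
    {"url": "http://11165151.addotnet.com/"},
    {"url": "http://nnews.co/"},
]


def scenario_counts():
    """(hits offline, hits online): 3 vs 2 for the rows above."""
    return len(scan_history(OFFLINE_HISTORY)), len(scan_history(ONLINE_HISTORY))


if __name__ == "__main__":
    off, on = scenario_counts()
    print(f"offline scenario: {off} hits; online scenario: {on} hits")
```

The offline rows produce three hits although nothing was ever contacted, and the redirected row produces none, which is the FP-versus-FN distinction drawn in the comment above.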

@ornaeric

ornaeric commented Dec 1, 2022

Jonathan, the fact that you created this issue and what you are claiming is an issue only proves one thing.

You lack the skills and knowledge to even be discussing the topic. Making ignorant statements and ignorant judgements doesn't help your case. You literally have no idea what you are talking about.

@Te-k Te-k closed this as not planned Won't fix, can't repro, duplicate, stale Dec 1, 2022
@mvt-project mvt-project locked as off-topic and limited conversation to collaborators Dec 1, 2022