
iOS Pegasus spyware sample request - MVT methods lack a control #321

Closed
jonathandata1 opened this issue Dec 7, 2022 · 3 comments

Comments

@jonathandata1

I am requesting an iOS Pegasus spyware sample to be shared with everyone as there is no control to test against.
Furthermore, there is no logic built into the MVT-Tool or documentation explaining why specific modules are being checked or why certain processes are considered malicious.

Next, there is no information about the success to error rates that can be expected, no list of iOS versions that have been studied, no table of documentation for false positive results that have been identified, and there are no specific conditions that need to be met in order to properly identify a device with your tool.

As I had mentioned before, Enabling Wifi and Disabling Wi-Fi yield different results #319

I am a professional in information security, I am a computer scientist, I am paid for my speciality in forensics investigations, I meet all of the criteria in the MVT-Tool disclaimer, and I cannot find a reproducible methodology describing why the MVT-Tool is functioning as it is.

Warning: MVT is a forensic research tool intended for technologists and investigators. Using it requires understanding the basics of forensic analysis and using command-line tools. This is not intended for end-user self-assessment. If you are concerned with the security of your device please seek expert assistance.

Everything I am asking for is logical and not unreasonable. I have read your forensics methodology, and there is nothing in the methodology that can be reproduced or validated. The methodology is based on assumptions.

Amnesty has acknowledged many false positives but has never corrected any of the reports or provided a methodology update.

For example, this [false positive](AmnestyTech/investigations@1c69421) was removed without any reasoning why. That false positive impacted the cases of 2 people Amnesty identified to be infected with Pegasus: Omar Radi and Claude Mangin.

| Country | Name | Date | Pegasus Indicator of Compromise |
| --- | --- | --- | --- |
| Morocco | Omar Radi | 2019-09-13 17:02:35 | com.apple.softwareupdateservicesd.plist |
| France | Claude Mangin | 2020-10-08 8:40:42 | com.apple.softwareupdateservicesd.plist |

After Amnesty found the false positive indicator, what actions were taken regarding the 2 people you had identified to be infected with the removed indicator? Please provide your documentation.
How did your method for identification change?
What did you find wrong with the now removed indicator?

We cannot progress in science without data to show where we have failed and succeeded.

I am open to discussion, please don't close this ticket out because you have personal issues with me, please set those issues aside and let us focus on the science.

Respectfully,
Jonathan Scott

@Glaiver

Glaiver commented Dec 8, 2022

No sample for you.

Modern post-2020 era Pegasus implant builds for iOS purposefully do not feature persistence mechanisms. Many do not persist even after just a reboot. Hence why things like file hashes are not used as IoCs. This makes the current detection approaches used by MVT, such as historical process names, a far more useful artifact. It’s a feature, not a bug.

Please close this as “not planned”.

Respectfully,
-Glaive

@jonathandata1
Author

Cool, and you know this how?

MVT is checking for 80 binary processes! You have got to be kidding me.... What a massive payload they need to install on a device that they already have root access to.

What you are saying is not logical. You already have root access, and then you are installing binaries to mimic legit binaries? And you're linking those binaries how? Magic?

So you are suggesting they are modifying a dylib, injecting the dylib to call back to their fake binary, and they're doing all of this without a reboot, without crashing the phone, cleaning up, and then bouncing and saying peace suckers...every single time the phone restarts...

Where is the popcorn for this circus because I'm ready for the show.

@DonnchaC
Collaborator

MVT is a general purpose tool to aid the collection and analysis of forensic information from mobile devices for signs of spyware targeting. Any output from MVT should be reviewed and interpreted by experienced analysts.

Any spyware indicators or detections used with MVT are separate to the code itself.
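An added example (not MVT's own code and not Amnesty's indicator format) of the separation DonnchaC describes and of the indicator bookkeeping the opening post asks for: the matching logic is generic, the indicator list is data, and a withdrawn indicator keeps a status and a reason so earlier hits can be re-triaged instead of silently disappearing. The process records and the active indicator name are constructed; the retracted entry reuses the indicator name and commit reference quoted earlier in this thread.

```python
from collections import defaultdict

# Constructed sample records in the shape an MVT-style module reports: the time
# a process name was observed on the device. None of these are real Pegasus IoCs.
PROCESS_RECORDS = [
    {"timestamp": "2019-09-13 17:02:35", "process": "com.apple.softwareupdateservicesd.plist"},
    {"timestamp": "2020-10-08 08:40:42", "process": "com.apple.softwareupdateservicesd.plist"},
    {"timestamp": "2021-01-15 09:12:00", "process": "example-implant-proc"},
    {"timestamp": "2021-01-15 09:13:00", "process": "mediaserverd"},
]

# Hypothetical indicator list kept apart from the matching code. Each entry
# carries a status and a reason, so a withdrawn indicator stays on record
# instead of being deleted, and old detections can be re-evaluated against it.
INDICATORS = {
    "example-implant-proc": {
        "status": "active",
        "note": "constructed placeholder indicator",
    },
    "com.apple.softwareupdateservicesd.plist": {
        "status": "retracted",
        "note": "withdrawn as a false positive (AmnestyTech/investigations@1c69421)",
    },
}


def match_records(records, indicators):
    """Return one hit per record whose process name is in the indicator list,
    tagged with that indicator's current status and note."""
    hits = []
    for rec in records:
        ioc = indicators.get(rec["process"])
        if ioc is not None:
            hits.append({**rec, "status": ioc["status"], "note": ioc["note"]})
    return hits


def triage(records, indicators):
    """Group hits by indicator status: 'active' hits still stand; 'retracted'
    hits are earlier detections that now rest on a withdrawn indicator and
    need analyst review rather than being reported as infections."""
    grouped = defaultdict(list)
    for hit in match_records(records, indicators):
        grouped[hit["status"]].append(hit)
    return dict(grouped)


if __name__ == "__main__":
    for status, hits in triage(PROCESS_RECORDS, INDICATORS).items():
        print(status, [(h["timestamp"], h["process"]) for h in hits])
```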
