{
	"id": "fce9166b-1b0a-4af0-88dc-0b9a92699770",
	"created_at": "2026-04-06T00:12:54.356619Z",
	"updated_at": "2026-04-10T03:22:13.468581Z",
	"deleted_at": null,
	"sha1_hash": "8bc7ef665e01912bf0657e45525ef02acc2d87dd",
	"title": "iVerify Mobile Threat Investigation Uncovers New Pegasus Samples",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 60884,
	"plain_text": "iVerify Mobile Threat Investigation Uncovers New Pegasus\r\nSamples\r\nPublished: 2024-12-04 · Archived: 2026-04-05 14:54:20 UTC\r\nFor years, our understanding of mobile device threats was built on a dangerously narrow foundation. Mobile\r\nmalware investigations were limited to a microscopic sample of devices – typically those belonging to high-risk\r\ntargets like journalists, political activists, and government officials. These early investigations were critical to\r\nhelping the world understand a new wave of capability, but their limited nature still leaves a massive blind spot to\r\nunderstanding the scope of mobile device compromise. \r\nImagine trying to understand an entire ocean by examining a single teaspoon of water. That was the state of\r\nmobile device security research. Investigations were expensive, time-consuming, and accessible only to a\r\nprivileged few with specialized forensic skills and significant resources. Each study might involve just a handful\r\nof devices, often pre-selected because they were already suspected of being compromised.\r\nThe result? A fundamentally skewed perception of mobile device security. Spyware like Pegasus was treated as a\r\nrare, targeted threat – something that might impact a member of civil society, a high-level executive, or a political\r\nrepresentative, but surely not an average business professional or everyday smartphone user. We told ourselves\r\ncomfortable stories about the rarity of these threats without ever truly looking.\r\nOur approach at iVerify was simple but revolutionary: What if we could democratize mobile threat hunting? What\r\nif we could allow every smartphone user the ability to conduct a professional-grade security scan in just five\r\nminutes?\r\nIn May 2024, we did exactly that. \r\niVerify launched its Mobile Threat Hunting feature, conducting an investigation that would reveal critical insights\r\ninto the current mobile device security landscape. 
Our initial investigation consisted of 2,500 self-scanned devices\r\nfrom our user base and resulted in new detections of the now infamous Pegasus mobile spyware.\r\nDemocratizing Mobile Threat Detection: An Unexpected Journey\r\nWhen we launched our Mobile Threat Hunting feature we had no idea we were about to challenge everything the\r\ntech world thought it knew about mobile security. We created a solution that put powerful threat detection directly\r\ninto users' hands – a full mobile threat hunt scan completed in just five minutes, right on their smartphone.\r\nWhat happened next was nothing short of remarkable. As part of the feature launch, we gave our users the option\r\nto conduct a one-time threat hunt of their device via our iVerify application. To our surprise, without a single\r\nadvertisement, 2,500 of our users jumped at the chance to scan their devices. (Note: If you are a current iVerify\r\napp user, you can still complete this threat hunt. If not, download the app today and scan your device). The results\r\nof those scans validated what we already assumed: if you scan for it, you will find it. We uncovered seven\r\nPegasus infections – a number that might seem small, but represents a massive red flag in the world of\r\nmobile security.\r\nhttps://iverify.io/blog/iverify-mobile-threat-investigation-uncovers-new-pegasus-samples\r\nPage 1 of 4\r\nThese weren't just recent infections. Our analysis revealed a complex timeline of compromise: one exploit from\r\nlate 2023 on iOS 16.6, another potential Pegasus infection in November 2022 on iOS 15, and five older infections\r\ndating back to 2021 and 2022 across iOS 14 and 15. 
Each of these represented a device that could have been\r\nsilently monitored, its data compromised without the owner's knowledge.\r\nThe discovery supported our thesis about the prevalence of spyware on mobile devices – it was hiding in plain\r\nsight, undetected by traditional endpoint security measures.\r\nOur investigation detected 2.5 infected devices per 1,000 scans – a rate significantly higher than any previously\r\npublished reports. However, it's crucial to understand the context of this data:\r\nTargeted Scanning: These 2,500 devices represent populations most likely to be targeted by advanced\r\nspyware\r\nNot a Global Representation: This sample is not indicative of iVerify’s entire device population\r\nHigh-Risk Focus: Devices belonged to journalists, government officials, and corporate executives.\r\nThe findings revealed a critical truth: we can only understand the real scope of mobile threats by looking closely.\r\nBy democratizing malware detection, we're not just protecting devices – we're shining a light into the darkest\r\ncorners of mobile security, giving users the power to understand and defend against threats that were previously\r\ninvisible.\r\nThis wasn't just a technical achievement. It was a fundamental shift in how we approach mobile security – putting\r\npower back into the hands of users, one five-minute scan at a time. 
\r\nUnderstanding Pegasus: A Sophisticated Surveillance Tool\r\nDeveloped by NSO Group, or Rainbow Ronin, as referred to by the iVerify team, Pegasus represents the pinnacle\r\nof invasive spyware technology:\r\nComplete Device Control: Access to messages, emails, call logs, photos\r\nZero-Click Attacks: Infection without user interaction\r\nOperating System Vulnerabilities: Exploits in iOS and Android\r\niVerify Research Discoveries\r\nOur May 2024 investigation uncovered multiple Pegasus variants:\r\n5 unique malware types across iOS and Android\r\nForensic artifacts detected in:\r\nDiagnostic data\r\nShutdown logs\r\nCrash logs\r\nI will be presenting a deep dive into the Pegasus sample this Friday at OBTS v7.0; if you are not attending in\r\nperson, the session will be live streamed. I will also publish a technical blog post in the coming weeks dissecting\r\nthe sample and sharing it with industry.\r\nWhy Mobile Threat Hunting Matters\r\nTraditional security models fail to capture the nuanced threats facing mobile devices. In the past, Pegasus\r\ndetections have been rare due to a lack of effective detection solutions, but with improved detection and\r\nremediation methods, we believe there is more compromise than is currently understood.\r\nPowers said it best: “You can’t see what you don’t understand. But what you think you already understand, you’ll\r\nfail to notice.” As an industry, we believe that mobile device security is good enough, but if we took the moment\r\nto look at the devices we would likely realize that the threat is far worse than we thought.\r\nThe good news is that we have built the capability to do this at scale and in a privacy-preserving way. Our investigations\r\nreveal a critical truth: we cannot understand the scope of mobile threats until we look closely. 
iVerify is committed\r\nto bringing these hidden dangers into the light, protecting individuals and organizations in an increasingly\r\ncomplex digital landscape.\r\niVerify offers an advanced mobile EDR solution that combines threat detection and mobile forensics with\r\nautomated response and remediation for enterprise-level protection against sophisticated threats, including mobile\r\nmalware, unpatched vulnerabilities, smishing, and credential theft, ensuring maximum privacy and security. Take\r\ncontrol of your mobile security. Request a demo to experience our advanced capability firsthand.\r\niVerify also offers special protection at https://iverify.org/ for journalists and civil society.\r\nA Note: iVerify’s Adversary Naming Conventions\r\niVerify has taken the important step of naming several spyware adversaries we are tracking, addressing a gap in\r\nadversary naming that exists today. The NSO Group is referred to by iVerify’s research team as Rainbow Ronin.\r\nWhen naming, we utilized the traditional threat naming conventions and methodology. We strive to\r\npsychologically ensure that adversaries do not appear superhuman and are, therefore, beatable. We have chosen\r\nRonin, a samurai who had no lord or master, to depict surveillanceware. The comparison is apt as they are a\r\ncombination of excellent coders and will sell to just about anyone with enough money even though they claim to\r\nonly sell to nation-states or law enforcement agencies. In keeping with the psychological aspect of naming, we\r\nmade the decision to mix Ronin with the soft side of a children’s cartoon character (imagine ponies, rainbows and\r\nbutterflies). 
In this spirit, we are naming the NSO Group, Rainbow Ronin to help personify the threat, enhance the\r\nability to conceptualize the risks in the threat landscape and understand the attack methods.\r\nTake Action: Protect Your Mobile Ecosystem\r\nSource: https://iverify.io/blog/iverify-mobile-threat-investigation-uncovers-new-pegasus-samples",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://iverify.io/blog/iverify-mobile-threat-investigation-uncovers-new-pegasus-samples"
	],
	"report_names": [
		"iverify-mobile-threat-investigation-uncovers-new-pegasus-samples"
	],
	"threat_actors": [],
	"ts_created_at": 1775434374,
	"ts_updated_at": 1775791333,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8bc7ef665e01912bf0657e45525ef02acc2d87dd.pdf",
		"text": "https://archive.orkl.eu/8bc7ef665e01912bf0657e45525ef02acc2d87dd.txt",
		"img": "https://archive.orkl.eu/8bc7ef665e01912bf0657e45525ef02acc2d87dd.jpg"
	}
}