Pegasus Spyware

Fedora 35 and Samsung Galaxy A12

Figure: Samsung Galaxy A12 Developer options

Introduction

NSO Group claims that its Pegasus spyware is used only to “investigate terrorism and crime” and “leaves no traces whatsoever”. This Forensic Methodology Report shows that neither of these statements is true. Amnesty International's Security Lab performed in-depth forensic analyses of numerous mobile devices belonging to human rights defenders (HRDs) and journalists around the world. This research uncovered widespread, persistent and ongoing unlawful surveillance and human rights abuses perpetrated using NSO Group's Pegasus spyware.

The first version of Pegasus to be discovered, captured by researchers in 2016, infected phones through a fraudulent practice known as spear-phishing, in which e-mails and SMS text messages are sent ostensibly from a known or trusted sender to induce the targeted individuals to reveal confidential information by clicking a malicious link.

Later, Pegasus's attack capability was refined so that it infects phones through zero-click attacks, in which the victim does not need to open a file or follow any link. This kind of attack relies on a zero-day exploit, in which the attackers take advantage of a software security flaw to carry out a cyberattack.

“In 2019, WhatsApp revealed that NSO's software had been used to send malware to more than 1,400 phones by exploiting a zero-day vulnerability. Simply by placing a WhatsApp call to a target device, malicious Pegasus code could be installed on the phone, even if the target never answered the call. More recently, NSO has begun exploiting vulnerabilities in Apple's iMessage software, giving it backdoor access to hundreds of millions of iPhones. Apple says it is continually updating its software to prevent such attacks.” (The Guardian)

Mobile Verification Toolkit (MVT)

The Mobile Verification Toolkit (MVT) is a collection of utilities developed to simplify and automate the process of gathering forensic traces that help identify a potential compromise of Android and iOS devices. It was developed and released by Amnesty International's Security Lab in July 2021 in the context of the Pegasus Project, together with a forensic methodology and forensic evidence.

Installing MVT on Fedora 35

Dependencies on Linux

First, some basic dependencies required to build all the necessary tools must be installed:

$ sudo dnf install python3 python3-pip libusb sqlite
Última verificação de data de vencimento de metadados: 2:08:15 atrás em qua 19 jan 2022 06:33:21.
O pacote python3-3.10.1-3.fc35.x86_64 já está instalado.
O pacote python3-pip-21.2.3-4.fc35.noarch já está instalado.
O pacote sqlite-3.36.0-3.fc35.x86_64 já está instalado.
Dependências resolvidas.
================================================================================
 Pacote          Arquitetura     Versão                  Repositório       Tam.
================================================================================
Instalando:
 libusb          x86_64          1:0.1.7-6.fc35          updates           29 k

Resumo da transação
================================================================================
Instalar  1 Pacote

Tamanho total do download: 29 k
Tamanho depois de instalado: 61 k
Correto? [s/N]: s

libusb is not required if you intend to use only mvt-ios and not mvt-android.

When working with Android devices, the Android SDK Platform Tools must also be installed. If you prefer to install a package provided by your distribution of choice, make sure the version is recent enough to guarantee compatibility with modern Android devices.

Installing Android Studio

Android Studio was installed using Snap:

$ sudo snap install android-studio --classic
android-studio 2021.1.1.20 from Snapcrafters installed
$ snap list android-studio
Name            Version      Rev  Tracking       Publisher     Notes
android-studio  2021.1.1.20  118  latest/stable  snapcrafters  classic

Installing MVT

$ pip3 install mvt
Defaulting to user installation because normal site-packages is not writeable

Samsung Galaxy A12 USB Debugging

To enable USB Debugging on the Samsung Galaxy A12, Developer Options must first be unlocked. To do this, open the Settings app, open About phone, open Software information and tap Build number seven times to enable Developer Options.

When the USB cable is connected between the computer and the phone, the dialog shown below will open:

Figure: Allow access to phone data

You must tap Allow every time a dialog asking for permission is shown, so keep the phone's screen visible.

Using MVT

$ mvt-android check-adb


        MVT - Mobile Verification Toolkit
                https://mvt.re
                Version: 1.4.3
                Version 1.4.4 is available! Upgrade mvt!


10:00:58 INFO     [mvt.android.cli] Checking Android through adb bridge         
         INFO     [mvt.android.cli] Loaded a total of 0 unique indicators       
         INFO     [mvt.android.modules.adb.chrome_history] Running module       
                  ChromeHistory...                                              
10:00:59 INFO     [mvt.android.modules.adb.chrome_history] Insufficient         
                  privileges for module ChromeHistory: This module is optionally
                  available in case the device is already rooted. Do NOT root   
                  your own device!                                              
         INFO     [mvt.android.modules.adb.sms] Running module SMS...           
         INFO     [mvt.android.modules.adb.sms] Insufficient privileges for     
                  module SMS: This module is optionally available in case the   
                  device is already rooted. Do NOT root your own device!        
         INFO     [mvt.android.modules.adb.whatsapp] Running module Whatsapp... 
         INFO     [mvt.android.modules.adb.whatsapp] Insufficient privileges for
                  module Whatsapp: This module is optionally available in case  
                  the device is already rooted. Do NOT root your own device!    
         INFO     [mvt.android.modules.adb.processes] Running module            
                  Processes...                                                  
         INFO     [mvt.android.modules.adb.processes] Extracted records on a    
                  total of 504 processes                                        
         INFO     [mvt.android.modules.adb.processes] The Processes module does 
                  not support checking for indicators                           
         INFO     [mvt.android.modules.adb.dumpsys_accessibility] Running module
                  DumpsysAccessibility...                                       
         INFO     [mvt.android.modules.adb.dumpsys_accessibility] Found         
                  installed accessibility service "com.samsung.accessibility/.un
                  iversalswitch.UniversalSwitchService"                         
         INFO     [mvt.android.modules.adb.dumpsys_accessibility] Found         
                  installed accessibility service "com.samsung.android.accessibi
                  lity.talkback/com.samsung.android.marvin.talkback.TalkBackServ
                  ice"                                                          
         INFO     [mvt.android.modules.adb.dumpsys_accessibility] Found         
                  installed accessibility service "com.kms.free/com.kaspersky.co
                  mponents.accessibility.KasperskyAccessibility"                
         INFO     [mvt.android.modules.adb.dumpsys_accessibility] The           
                  DumpsysAccessibility module does not support checking for     
                  indicators                                                    
         INFO     [mvt.android.modules.adb.dumpsys_batterystats] Running module 
                  DumpsysBatterystats...                                        
10:01:00 INFO     [mvt.android.modules.adb.dumpsys_batterystats] The            
                  DumpsysBatterystats module does not support checking for      
                  indicators                                                    
         INFO     [mvt.android.modules.adb.dumpsys_procstats] Running module    
                  DumpsysProcstats...                                           
10:01:01 INFO     [mvt.android.modules.adb.dumpsys_procstats] The               
                  DumpsysProcstats module does not support checking for         
                  indicators                                                    
         INFO     [mvt.android.modules.adb.dumpsys_packages] Running module     
                  DumpsysPackages...                                            
10:01:06 INFO     [mvt.android.modules.adb.dumpsys_packages] The DumpsysPackages
                  module does not support checking for indicators               
         INFO     [mvt.android.modules.adb.dumpsys_receivers] Running module    
                  DumpsysReceivers...                                           
10:01:08 INFO     [mvt.android.modules.adb.dumpsys_receivers] Found a receiver  
                  monitoring telephony state: "com.sec.hearingadjust/.Receiver" 
         INFO     [mvt.android.modules.adb.dumpsys_receivers] Found a receiver  
                  monitoring telephony state:                                   
                  "br.com.santander.way/org.mbte.dialmyapp.app.AppReceiver"     
         INFO     [mvt.android.modules.adb.dumpsys_receivers] Found a receiver  
                  monitoring telephony state:                                   
                  "org.telegram.messenger/.CallReceiver"                        
         INFO     [mvt.android.modules.adb.dumpsys_receivers] Found a receiver  
                  monitoring telephony state: "com.kms.free/com.kaspersky.whocal
                  ls.services.IncomingCallReceiver"                             
         INFO     [mvt.android.modules.adb.dumpsys_receivers] Found a receiver  
                  monitoring telephony state:                                   
                  "com.santander.app/org.mbte.dialmyapp.app.AppReceiver"        
         INFO     [mvt.android.modules.adb.dumpsys_receivers] Found a receiver  
                  monitoring telephony state:                                   
                  "com.kwai.video/com.kwai.yoda.event.YodaPhoneCallReceiver"    
         INFO     [mvt.android.modules.adb.dumpsys_receivers] Found a receiver  
                  monitoring telephony state: "com.mrnumber.blocker/com.hiya.cli
                  ent.callerid.ui.CallEventReceiver"                            
         INFO     [mvt.android.modules.adb.dumpsys_receivers] Found a receiver  
                  to intercept incoming SMS messages:                           
                  "com.kms.free/com.kavsdk.shared.cellmon.SMSReceiver"          
         INFO     [mvt.android.modules.adb.dumpsys_receivers] Found a receiver  
                  to intercept incoming SMS messages: "com.rsupport.rs.activity.
                  rsupport.aas2/com.rsupport.rs.receiver.SmsEventReceiver"      
         INFO     [mvt.android.modules.adb.dumpsys_receivers] Found a receiver  
                  to intercept incoming SMS messages:                           
                  "org.thoughtcrime.securesms/.service.SmsListener"             
         INFO     [mvt.android.modules.adb.dumpsys_receivers] Found a receiver  
                  to intercept incoming SMS messages: "com.mrnumber.blocker/com.
                  hiya.stingray.receiver.SmsEventReceiver"                      
         INFO     [mvt.android.modules.adb.dumpsys_receivers] Found a receiver  
                  to intercept incoming SMS messages:                           
                  "com.kms.free/com.kms.kmsdaemon.SMSReceiver"                  
         INFO     [mvt.android.modules.adb.dumpsys_receivers] The               
                  DumpsysReceivers module does not support checking for         
                  indicators                                                    
         INFO     [mvt.android.modules.adb.dumpsys_full] Running module         
                  DumpsysFull...                                                
10:01:52 INFO     [mvt.android.modules.adb.dumpsys_full] The DumpsysFull module 
                  does not support checking for indicators                      
         INFO     [mvt.android.modules.adb.packages] Running module Packages... 
10:06:29 INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "net.aljazeera.english" installed by                
                  "com.android.vending" on 2022-01-07 14:30:10                  
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "org.telegram.messenger" installed by               
                  "com.android.vending" on 2022-01-10 19:47:44                  
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "com.euronews.express" installed by                 
                  "com.android.vending" on 2022-01-07 14:17:55                  
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "com.samsung.shop" installed by                     
                  "com.sec.android.app.samsungapps" on 2022-01-06 15:23:41      
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "com.samsung.sree" installed by                     
                  "com.android.vending" on 2022-01-06 15:30:27                  
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "keepass2android.keepass2android" installed by      
                  "com.android.vending" on 2022-01-06 16:44:43                  
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "br.gov.meugovbr" installed by "com.android.vending"
                  on 2022-01-07 15:34:34                                        
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "com.whatsapp" installed by "com.android.vending" on
                  2022-01-06 15:51:38                                           
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "com.google.android.apps.authenticator2" installed  
                  by "com.android.vending" on 2022-01-06 16:27:39               
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "br.com.valemobi.agora" installed by                
                  "com.android.vending" on 2022-01-08 08:39:40                  
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "com.knowledgeview.tablet.arabnews" installed by    
                  "com.android.vending" on 2022-01-07 14:43:00                  
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "com.sec.android.app.voicenote" installed by        
                  "com.sec.android.app.samsungapps" on 2022-01-06 17:55:21      
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "com.santander.app" installed by                    
                  "com.android.vending" on 2022-01-06 23:09:43                  
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "bbc.mobile.news.ww" installed by                   
                  "com.android.vending" on 2022-01-07 14:48:14                  
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "com.cnn.mobile.android.phone" installed by         
                  "com.android.vending" on 2022-01-18 22:45:07                  
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "com.deway.ampla" installed by "com.android.vending"
                  on 2022-01-07 14:55:18                                        
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "com.cnn.brasil" installed by "com.android.vending" 
                  on 2022-01-07 14:04:52                                        
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "com.waze" installed by "com.android.vending" on    
                  2022-01-06 17:13:39                                           
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "brain.blow.quest" installed by                     
                  "com.sec.android.app.samsungapps" on 2022-01-06 15:23:09      
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "org.thoughtcrime.securesms" installed by           
                  "com.android.vending" on 2022-01-14 18:30:05                  
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "com.kms.free" installed by "com.android.vending" on
                  2022-01-07 13:04:20                                           
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "com.microsoft.office.outlook" installed by         
                  "com.android.vending" on 2022-01-17 22:57:45                  
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "br.jus.tse.eleitoral.etitulo" installed by         
                  "com.android.vending" on 2022-01-07 15:07:40                  
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "com.rt.mobile.english" installed by                
                  "com.android.vending" on 2022-01-14 06:07:45                  
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "mnn.Android" installed by "com.android.vending" on 
                  2022-01-13 08:41:28                                           
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "com.taxis99" installed by "com.android.vending" on 
                  2022-01-11 16:22:44                                           
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "br.gov.datasus.cnsdigital" installed by            
                  "com.android.vending" on 2022-01-07 15:31:48                  
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "com.twitter.android" installed by                  
                  "com.android.vending" on 2022-01-11 16:23:42                  
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "com.google.android.apps.docs" installed by         
                  "com.android.vending" on 2022-01-11 16:24:54                  
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "br.com.sky.selfcare" installed by                  
                  "com.android.vending" on 2022-01-10 19:47:14                  
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "com.globo.g1.app" installed by                     
                  "com.android.vending" on 2022-01-07 14:45:17                  
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "eu.basicairdata.graziano.gpslogger" installed by   
                  "com.android.vending" on 2022-01-07 15:00:00                  
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "com.google.android.videos" installed by            
                  "com.android.vending" on 2022-01-06 15:23:56                  
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "com.netflix.mediaclient" installed by              
                  "com.android.vending" on 2022-01-17 22:59:37                  
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "com.zhiliaoapp.musically" installed by             
                  "com.sec.android.app.samsungapps" on 2022-01-18 18:00:00      
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "com.google.android.apps.photos" installed by       
                  "com.android.vending" on 2022-01-06 15:24:50                  
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "com.spotify.music" installed by                    
                  "com.android.vending" on 2022-01-14 06:12:37                  
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "com.thenerdguylulu.e_card" installed by            
                  "com.android.vending" on 2022-01-07 15:46:34                  
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "com.sec.android.app.sbrowser" installed by         
                  "com.sec.android.app.samsungapps" on 2022-01-06 18:00:21      
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "com.microsoft.office.officehubrow" installed by    
                  "com.android.vending" on 2022-01-06 15:22:01                  
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "br.gov.serpro.cnhe" installed by                   
                  "com.android.vending" on 2022-01-07 15:24:32                  
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "com.bloomberg.android.plus" installed by           
                  "com.android.vending" on 2022-01-13 08:39:30                  
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "com.bradesco" installed by "com.android.vending" on
                  2022-01-06 16:56:33                                           
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "com.samsung.android.galaxy" installed by "None" on 
                  2008-12-31 13:00:00                                           
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "com.kwai.video" installed by                       
                  "com.sec.android.app.samsungapps" on 2022-01-06 15:22:04      
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "com.sec.android.app.popupcalculator" installed by  
                  "com.android.vending" on 2022-01-06 15:27:47                  
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "com.samsung.android.voc" installed by              
                  "com.sec.android.app.samsungapps" on 2022-01-06 18:03:56      
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "com.adobe.reader" installed by                     
                  "com.android.vending" on 2022-01-14 06:13:24                  
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "com.samsung.android.app.notes.addons" installed by 
                  "None" on 2008-12-31 13:00:00                                 
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "com.linkedin.android" installed by                 
                  "com.android.vending" on 2022-01-14 06:09:55                  
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "com.samsung.android.app.notes" installed by        
                  "com.sec.android.app.samsungapps" on 2022-01-06 18:03:09      
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "com.cnbc.client" installed by "com.android.vending"
                  on 2022-01-07 14:34:56                                        
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "com.sec.android.easyMover" installed by            
                  "com.sec.android.easyMover.Agent" on 2022-01-06 14:36:25      
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "com.binance.dev" installed by "com.android.vending"
                  on 2022-01-10 19:45:11                                        
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "com.vivaldi.browser" installed by                  
                  "com.android.vending" on 2022-01-07 13:11:24                  
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "br.com.santander.way" installed by                 
                  "com.android.vending" on 2022-01-10 19:08:28                  
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "oilprice.android.app" installed by                 
                  "com.android.vending" on 2022-01-07 14:37:09                  
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "wit.android.bcpBankingApp.millennium" installed by 
                  "com.android.vending" on 2022-01-14 06:09:02                  
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "com.rsupport.rs.activity.rsupport.aas2" installed  
                  by "com.sec.android.app.samsungapps" on 2022-01-06 18:06:27   
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "com.mrnumber.blocker" installed by                 
                  "com.android.vending" on 2022-01-07 13:59:12                  
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "com.google.android.apps.youtube.music" installed by
                  "com.android.vending" on 2022-01-07 19:25:59                  
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "br.gov.rj.rio.iplanrio.servidorrioapp" installed by
                  "com.android.vending" on 2022-01-07 15:03:07                  
         INFO     [mvt.android.modules.adb.packages] Found non-system package   
                  with name "com.idmedia.android.newsportal" installed by       
                  "com.android.vending" on 2022-01-07 14:20:25                  
         INFO     [mvt.android.modules.adb.packages] Extracted at total of 418  
                  installed package names                                       
         INFO     [mvt.android.modules.adb.rootbinaries] Running module         
                  RootBinaries...                                               
10:06:30 INFO     [mvt.android.modules.adb.rootbinaries] The RootBinaries module
                  does not support checking for indicators                      
         INFO     [mvt.android.modules.adb.logcat] Running module Logcat...     
10:06:38 INFO     [mvt.android.modules.adb.logcat] The Logcat module does not   
                  support checking for indicators                               
         INFO     [mvt.android.modules.adb.files] Running module Files...       
10:06:40 INFO     [mvt.android.modules.adb.files] Found 3430 files in primary   
                  Android data directories.                                     
         INFO     [mvt.android.modules.adb.files] Flag --fast was not enabled:  
                  processing full file listing. This may take a while...        
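With no indicators loaded ("Loaded a total of 0 unique indicators"), the run above is an inventory rather than a verdict, and the receiver and package findings are easy to lose in the volume of output. The following Python script, added here as an example and not part of MVT or the original post, reassembles MVT's wrapped console records (including identifiers broken across lines) and groups the findings a reviewer would check first; the embedded excerpt is constructed in the shape of the output above, and the package "com.example.sideloaded" and its installer are made up.

```python
"""Triage helper for the console output of `mvt-android check-adb`.

Added example, not part of MVT or of the original post. MVT prints one
finding per record and wraps long records onto indented continuation lines
(sometimes in the middle of an identifier), so records are reassembled
first and then grouped into what a reviewer wants to see first.
"""
import re
import sys
from collections import defaultdict

# Constructed sample in the same shape as the real output; the package
# "com.example.sideloaded" and its installer are made up for the example.
SAMPLE_LOG = """\
10:00:58 INFO     [mvt.android.cli] Checking Android through adb bridge
         INFO     [mvt.android.cli] Loaded a total of 0 unique indicators
10:01:08 INFO     [mvt.android.modules.adb.dumpsys_receivers] Found a receiver
                  monitoring telephony state: "org.telegram.messenger/.CallReceiver"
         INFO     [mvt.android.modules.adb.dumpsys_receivers] Found a receiver
                  to intercept incoming SMS messages:
                  "org.thoughtcrime.securesms/.service.SmsListener"
         INFO     [mvt.android.modules.adb.dumpsys_receivers] Found a receiver
                  to intercept incoming SMS messages: "com.rsupport.rs.activity.
                  rsupport.aas2/com.rsupport.rs.receiver.SmsEventReceiver"
10:06:29 INFO     [mvt.android.modules.adb.packages] Found non-system package
                  with name "org.telegram.messenger" installed by
                  "com.android.vending" on 2022-01-10 19:47:44
         INFO     [mvt.android.modules.adb.packages] Found non-system package
                  with name "com.samsung.android.galaxy" installed by "None" on
                  2008-12-31 13:00:00
         INFO     [mvt.android.modules.adb.packages] Found non-system package
                  with name "com.example.sideloaded" installed by
                  "com.android.packageinstaller" on 2022-01-15 01:02:03
"""

# A record starts with an optional HH:MM:SS stamp, then the level and [module].
RECORD_RE = re.compile(r"^(?:\d\d:\d\d:\d\d)?\s+(\w+)\s+\[([\w.]+)\]\s(.*)$")
PACKAGE_RE = re.compile(
    r'Found non-system package with name "([^"]+)" installed by "([^"]+)" on (\S+ \S+)'
)
TELEPHONY_RE = re.compile(r'Found a receiver monitoring telephony state: "([^"]+)"')
SMS_RE = re.compile(r'Found a receiver to intercept incoming SMS messages: "([^"]+)"')
# Installers seen for store-delivered apps on the page's device; anything else
# (including the literal "None") gets a manual look, which is not proof of anything.
KNOWN_STORES = {"com.android.vending", "com.sec.android.app.samsungapps"}


def join_records(text):
    """Reassemble wrapped console lines into (level, module, message) tuples."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            records.append([m.group(1), m.group(2), m.group(3).strip()])
        elif records and line.startswith(" "):
            # Continuation line. An unclosed quote means the wrap fell inside
            # an identifier, so join without inserting a space.
            sep = "" if records[-1][2].count('"') % 2 else " "
            records[-1][2] += sep + line.strip()
    return [tuple(r) for r in records]


def triage(text):
    """Group the findings that deserve manual review."""
    summary = {"sms_receivers": [], "telephony_receivers": [],
               "packages_by_installer": defaultdict(list)}
    for _level, _module, message in join_records(text):
        if m := SMS_RE.search(message):
            summary["sms_receivers"].append(m.group(1))
        elif m := TELEPHONY_RE.search(message):
            summary["telephony_receivers"].append(m.group(1))
        elif m := PACKAGE_RE.search(message):
            name, installer, when = m.groups()
            summary["packages_by_installer"][installer].append((name, when))
    return summary


def packages_needing_review(summary):
    """Non-system packages that did not come from Google Play or Galaxy Store."""
    return sorted(name for installer, pkgs in summary["packages_by_installer"].items()
                  if installer not in KNOWN_STORES for name, _when in pkgs)


if __name__ == "__main__":
    # Usage: python triage.py mvt.log   (falls back to the embedded sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LOG
    s = triage(text)
    print("SMS receivers:", *s["sms_receivers"], sep="\n  ")
    print("Telephony receivers:", *s["telephony_receivers"], sep="\n  ")
    print("Packages to review:", *packages_needing_review(s), sep="\n  ")
```

Save a real run with `mvt-android check-adb 2>&1 | tee mvt.log` and pass the file to the script; the accessibility-service findings shown above could be collected the same way with one more regex.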