Pegasus Spyware
Fedora 35 and Samsung Galaxy A12

Introduction
NSO Group claims that its Pegasus spyware is used only to "investigate terrorism and crime" and "leaves no traces whatsoever". Amnesty International's Forensic Methodology Report (see References) shows that neither claim is true. Amnesty International's Security Lab performed in-depth forensic analyses of numerous mobile devices belonging to human rights defenders (HRDs) and journalists around the world. This research uncovered widespread, persistent and ongoing unlawful surveillance and human rights abuses perpetrated using NSO Group's Pegasus spyware.
The first version of Pegasus to be discovered, captured by researchers in 2016, infected phones through spear-phishing: SMS text messages or e-mails crafted to look as if they came from a known or trusted sender, luring the targeted individual into tapping a malicious link. Unlike classic phishing, the goal was not to harvest credentials: the link delivered a browser exploit chain that silently installed the spyware.
Pegasus's delivery capability was later refined to infect phones through zero-click attacks, in which the victim does not need to open a file or tap any link. Such attacks rely on zero-day exploits, that is, on vulnerabilities in the target software that are unknown to the vendor and therefore unpatched at the time of the attack. The two terms are independent: "zero-click" describes how much user interaction the attack needs (none), while "zero-day" describes the patch status of the flaw being exploited.
"In 2019, WhatsApp revealed that NSO's software had been used to send malware to more than 1,400 phones by exploiting a zero-day vulnerability. Simply by placing a WhatsApp call to a target device, malicious Pegasus code could be installed on the phone, even if the target never answered the call. More recently, NSO has begun exploiting vulnerabilities in Apple's iMessage software, giving it backdoor access to hundreds of millions of iPhones. Apple says it is continually updating its software to prevent such attacks." The Guardian
Mobile Verification Toolkit (MVT)
The Mobile Verification Toolkit (MVT) is a collection of utilities designed to simplify and automate the process of gathering forensic traces helpful to identify a potential compromise of Android and iOS devices. It was developed and released by Amnesty International's Security Lab in July 2021 in the context of the Pegasus Project, together with a forensic methodology and forensic evidence. MVT is a consensual forensic tool: it extracts artifacts from a device or a backup and compares them against indicators of compromise (IOCs) supplied by the analyst; without an IOC file it only enumerates what is on the device and flags nothing by itself.
Installing MVT on Fedora 35
Linux dependencies
First, install some basic dependencies required to build all the necessary tools:
$ sudo dnf install python3 python3-pip libusb sqlite
Last metadata expiration check: 2:08:15 ago on Wed 19 Jan 2022 06:33:21.
Package python3-3.10.1-3.fc35.x86_64 is already installed.
Package python3-pip-21.2.3-4.fc35.noarch is already installed.
Package sqlite-3.36.0-3.fc35.x86_64 is already installed.
Dependencies resolved.
================================================================================
 Package          Architecture     Version                Repository     Size
================================================================================
Installing:
 libusb           x86_64           1:0.1.7-6.fc35         updates        29 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 29 k
Installed size: 61 k
Is this ok [y/N]: y
libusb is not required if you intend to use only mvt-ios and not mvt-android. Note that the package Fedora names libusb (version 0.1.7 above) is the legacy libusb-0.1 compatibility library; libusb 1.0 is shipped as a separate package (libusbx or libusb1, depending on the Fedora release) and was evidently already present on this system, which is why only the compatibility package was added.
When working with Android devices you must additionally install the Android SDK Platform Tools, which provide the adb binary. If you prefer a package shipped by your distribution of choice, make sure its version is recent enough to remain compatible with modern Android devices; on Fedora the android-tools package provides adb. A full Android Studio installation, as done below, is not required by MVT, but it is one way to obtain up-to-date platform tools.
Installing Android Studio
Android Studio was installed using Snap (snapd must already be set up on Fedora). After the SDK is installed from Android Studio, add its platform-tools directory (by default ~/Android/Sdk/platform-tools) to PATH so that adb is found:
$ sudo snap install android-studio --classic
android-studio 2021.1.1.20 from Snapcrafters installed
$ snap list android-studio
Name Version Rev Tracking Publisher Notes
android-studio 2021.1.1.20 118 latest/stable snapcrafters classic
Installing MVT
$ pip3 install mvt
Defaulting to user installation because normal site-packages is not writeable
A user installation places the mvt-android and mvt-ios entry points under ~/.local/bin. Fedora's default ~/.bash_profile adds that directory to PATH when it exists, but a freshly created directory is only picked up by a new login shell, so open a new terminal (or add ~/.local/bin to PATH by hand) if the commands are not found.
Samsung Galaxy A12 USB debugging
Developer Options must be unlocked on the Samsung Galaxy A12 before USB debugging can be enabled. To do so, open the Settings app, open About phone, open Software information and tap Build number seven times to unlock Developer Options. Then open Settings > Developer options and turn on USB debugging.
When the USB cable is connected between the computer and the phone, the window shown below opens (the "Allow USB debugging?" prompt, which displays the RSA key fingerprint of the computer requesting access):
[image: the phone's "Allow USB debugging?" prompt]
Tap Allow every time a window asking for permission is shown, and keep the phone's screen unlocked and visible; ticking "Always allow from this computer" avoids repeated prompts. Before running MVT, confirm that the authorisation took effect with adb devices: the phone should be listed as "device", not "unauthorized".
Using MVT
The run below was made without an indicators file. The line "Loaded a total of 0 unique indicators" means that nothing was compared against known Pegasus artifacts, so the modules only enumerate what is on the device. For an actual check, download Amnesty International's STIX2 indicators (pegasus.stix2 in the 2021-07-18_nso directory of the AmnestyTech/investigations repository) and run mvt-android check-adb --iocs pegasus.stix2 --output ./results, which also writes each module's records as JSON files for later review. The ChromeHistory, SMS and Whatsapp modules report insufficient privileges because the phone is not rooted; that is expected, and the phone must not be rooted to get around it. The transcript reproduced here ends while the Files module is still running.
$ mvt-android check-adb
MVT - Mobile Verification Toolkit
https://mvt.re
Version: 1.4.3
Version 1.4.4 is available! Upgrade mvt!
10:00:58 INFO [mvt.android.cli] Checking Android through adb bridge
INFO [mvt.android.cli] Loaded a total of 0 unique indicators
INFO [mvt.android.modules.adb.chrome_history] Running module ChromeHistory...
10:00:59 INFO [mvt.android.modules.adb.chrome_history] Insufficient privileges for module ChromeHistory: This module is optionally available in case the device is already rooted. Do NOT root your own device!
INFO [mvt.android.modules.adb.sms] Running module SMS...
INFO [mvt.android.modules.adb.sms] Insufficient privileges for module SMS: This module is optionally available in case the device is already rooted. Do NOT root your own device!
INFO [mvt.android.modules.adb.whatsapp] Running module Whatsapp...
INFO [mvt.android.modules.adb.whatsapp] Insufficient privileges for module Whatsapp: This module is optionally available in case the device is already rooted. Do NOT root your own device!
INFO [mvt.android.modules.adb.processes] Running module Processes...
INFO [mvt.android.modules.adb.processes] Extracted records on a total of 504 processes
INFO [mvt.android.modules.adb.processes] The Processes module does not support checking for indicators
INFO [mvt.android.modules.adb.dumpsys_accessibility] Running module DumpsysAccessibility...
INFO [mvt.android.modules.adb.dumpsys_accessibility] Found installed accessibility service "com.samsung.accessibility/.universalswitch.UniversalSwitchService"
INFO [mvt.android.modules.adb.dumpsys_accessibility] Found installed accessibility service "com.samsung.android.accessibility.talkback/com.samsung.android.marvin.talkback.TalkBackService"
INFO [mvt.android.modules.adb.dumpsys_accessibility] Found installed accessibility service "com.kms.free/com.kaspersky.components.accessibility.KasperskyAccessibility"
INFO [mvt.android.modules.adb.dumpsys_accessibility] The DumpsysAccessibility module does not support checking for indicators
INFO [mvt.android.modules.adb.dumpsys_batterystats] Running module DumpsysBatterystats...
10:01:00 INFO [mvt.android.modules.adb.dumpsys_batterystats] The DumpsysBatterystats module does not support checking for indicators
INFO [mvt.android.modules.adb.dumpsys_procstats] Running module DumpsysProcstats...
10:01:01 INFO [mvt.android.modules.adb.dumpsys_procstats] The DumpsysProcstats module does not support checking for indicators
INFO [mvt.android.modules.adb.dumpsys_packages] Running module DumpsysPackages...
10:01:06 INFO [mvt.android.modules.adb.dumpsys_packages] The DumpsysPackages module does not support checking for indicators
INFO [mvt.android.modules.adb.dumpsys_receivers] Running module DumpsysReceivers...
10:01:08 INFO [mvt.android.modules.adb.dumpsys_receivers] Found a receiver monitoring telephony state: "com.sec.hearingadjust/.Receiver"
INFO [mvt.android.modules.adb.dumpsys_receivers] Found a receiver monitoring telephony state: "br.com.santander.way/org.mbte.dialmyapp.app.AppReceiver"
INFO [mvt.android.modules.adb.dumpsys_receivers] Found a receiver monitoring telephony state: "org.telegram.messenger/.CallReceiver"
INFO [mvt.android.modules.adb.dumpsys_receivers] Found a receiver monitoring telephony state: "com.kms.free/com.kaspersky.whocalls.services.IncomingCallReceiver"
INFO [mvt.android.modules.adb.dumpsys_receivers] Found a receiver monitoring telephony state: "com.santander.app/org.mbte.dialmyapp.app.AppReceiver"
INFO [mvt.android.modules.adb.dumpsys_receivers] Found a receiver monitoring telephony state: "com.kwai.video/com.kwai.yoda.event.YodaPhoneCallReceiver"
INFO [mvt.android.modules.adb.dumpsys_receivers] Found a receiver monitoring telephony state: "com.mrnumber.blocker/com.hiya.client.callerid.ui.CallEventReceiver"
INFO [mvt.android.modules.adb.dumpsys_receivers] Found a receiver to intercept incoming SMS messages: "com.kms.free/com.kavsdk.shared.cellmon.SMSReceiver"
INFO [mvt.android.modules.adb.dumpsys_receivers] Found a receiver to intercept incoming SMS messages: "com.rsupport.rs.activity.rsupport.aas2/com.rsupport.rs.receiver.SmsEventReceiver"
INFO [mvt.android.modules.adb.dumpsys_receivers] Found a receiver to intercept incoming SMS messages: "org.thoughtcrime.securesms/.service.SmsListener"
INFO [mvt.android.modules.adb.dumpsys_receivers] Found a receiver to intercept incoming SMS messages: "com.mrnumber.blocker/com.hiya.stingray.receiver.SmsEventReceiver"
INFO [mvt.android.modules.adb.dumpsys_receivers] Found a receiver to intercept incoming SMS messages: "com.kms.free/com.kms.kmsdaemon.SMSReceiver"
INFO [mvt.android.modules.adb.dumpsys_receivers] The DumpsysReceivers module does not support checking for indicators
INFO [mvt.android.modules.adb.dumpsys_full] Running module DumpsysFull...
10:01:52 INFO [mvt.android.modules.adb.dumpsys_full] The DumpsysFull module does not support checking for indicators
INFO [mvt.android.modules.adb.packages] Running module Packages...
10:06:29 INFO [mvt.android.modules.adb.packages] Found non-system package with name "net.aljazeera.english" installed by "com.android.vending" on 2022-01-07 14:30:10
INFO [mvt.android.modules.adb.packages] Found non-system package with name "org.telegram.messenger" installed by "com.android.vending" on 2022-01-10 19:47:44
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.euronews.express" installed by "com.android.vending" on 2022-01-07 14:17:55
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.samsung.shop" installed by "com.sec.android.app.samsungapps" on 2022-01-06 15:23:41
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.samsung.sree" installed by "com.android.vending" on 2022-01-06 15:30:27
INFO [mvt.android.modules.adb.packages] Found non-system package with name "keepass2android.keepass2android" installed by "com.android.vending" on 2022-01-06 16:44:43
INFO [mvt.android.modules.adb.packages] Found non-system package with name "br.gov.meugovbr" installed by "com.android.vending" on 2022-01-07 15:34:34
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.whatsapp" installed by "com.android.vending" on 2022-01-06 15:51:38
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.google.android.apps.authenticator2" installed by "com.android.vending" on 2022-01-06 16:27:39
INFO [mvt.android.modules.adb.packages] Found non-system package with name "br.com.valemobi.agora" installed by "com.android.vending" on 2022-01-08 08:39:40
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.knowledgeview.tablet.arabnews" installed by "com.android.vending" on 2022-01-07 14:43:00
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.sec.android.app.voicenote" installed by "com.sec.android.app.samsungapps" on 2022-01-06 17:55:21
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.santander.app" installed by "com.android.vending" on 2022-01-06 23:09:43
INFO [mvt.android.modules.adb.packages] Found non-system package with name "bbc.mobile.news.ww" installed by "com.android.vending" on 2022-01-07 14:48:14
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.cnn.mobile.android.phone" installed by "com.android.vending" on 2022-01-18 22:45:07
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.deway.ampla" installed by "com.android.vending" on 2022-01-07 14:55:18
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.cnn.brasil" installed by "com.android.vending" on 2022-01-07 14:04:52
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.waze" installed by "com.android.vending" on 2022-01-06 17:13:39
INFO [mvt.android.modules.adb.packages] Found non-system package with name "brain.blow.quest" installed by "com.sec.android.app.samsungapps" on 2022-01-06 15:23:09
INFO [mvt.android.modules.adb.packages] Found non-system package with name "org.thoughtcrime.securesms" installed by "com.android.vending" on 2022-01-14 18:30:05
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.kms.free" installed by "com.android.vending" on 2022-01-07 13:04:20
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.microsoft.office.outlook" installed by "com.android.vending" on 2022-01-17 22:57:45
INFO [mvt.android.modules.adb.packages] Found non-system package with name "br.jus.tse.eleitoral.etitulo" installed by "com.android.vending" on 2022-01-07 15:07:40
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.rt.mobile.english" installed by "com.android.vending" on 2022-01-14 06:07:45
INFO [mvt.android.modules.adb.packages] Found non-system package with name "mnn.Android" installed by "com.android.vending" on 2022-01-13 08:41:28
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.taxis99" installed by "com.android.vending" on 2022-01-11 16:22:44
INFO [mvt.android.modules.adb.packages] Found non-system package with name "br.gov.datasus.cnsdigital" installed by "com.android.vending" on 2022-01-07 15:31:48
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.twitter.android" installed by "com.android.vending" on 2022-01-11 16:23:42
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.google.android.apps.docs" installed by "com.android.vending" on 2022-01-11 16:24:54
INFO [mvt.android.modules.adb.packages] Found non-system package with name "br.com.sky.selfcare" installed by "com.android.vending" on 2022-01-10 19:47:14
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.globo.g1.app" installed by "com.android.vending" on 2022-01-07 14:45:17
INFO [mvt.android.modules.adb.packages] Found non-system package with name "eu.basicairdata.graziano.gpslogger" installed by "com.android.vending" on 2022-01-07 15:00:00
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.google.android.videos" installed by "com.android.vending" on 2022-01-06 15:23:56
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.netflix.mediaclient" installed by "com.android.vending" on 2022-01-17 22:59:37
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.zhiliaoapp.musically" installed by "com.sec.android.app.samsungapps" on 2022-01-18 18:00:00
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.google.android.apps.photos" installed by "com.android.vending" on 2022-01-06 15:24:50
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.spotify.music" installed by "com.android.vending" on 2022-01-14 06:12:37
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.thenerdguylulu.e_card" installed by "com.android.vending" on 2022-01-07 15:46:34
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.sec.android.app.sbrowser" installed by "com.sec.android.app.samsungapps" on 2022-01-06 18:00:21
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.microsoft.office.officehubrow" installed by "com.android.vending" on 2022-01-06 15:22:01
INFO [mvt.android.modules.adb.packages] Found non-system package with name "br.gov.serpro.cnhe" installed by "com.android.vending" on 2022-01-07 15:24:32
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.bloomberg.android.plus" installed by "com.android.vending" on 2022-01-13 08:39:30
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.bradesco" installed by "com.android.vending" on 2022-01-06 16:56:33
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.samsung.android.galaxy" installed by "None" on 2008-12-31 13:00:00
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.kwai.video" installed by "com.sec.android.app.samsungapps" on 2022-01-06 15:22:04
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.sec.android.app.popupcalculator" installed by "com.android.vending" on 2022-01-06 15:27:47
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.samsung.android.voc" installed by "com.sec.android.app.samsungapps" on 2022-01-06 18:03:56
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.adobe.reader" installed by "com.android.vending" on 2022-01-14 06:13:24
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.samsung.android.app.notes.addons" installed by "None" on 2008-12-31 13:00:00
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.linkedin.android" installed by "com.android.vending" on 2022-01-14 06:09:55
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.samsung.android.app.notes" installed by "com.sec.android.app.samsungapps" on 2022-01-06 18:03:09
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.cnbc.client" installed by "com.android.vending" on 2022-01-07 14:34:56
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.sec.android.easyMover" installed by "com.sec.android.easyMover.Agent" on 2022-01-06 14:36:25
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.binance.dev" installed by "com.android.vending" on 2022-01-10 19:45:11
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.vivaldi.browser" installed by "com.android.vending" on 2022-01-07 13:11:24
INFO [mvt.android.modules.adb.packages] Found non-system package with name "br.com.santander.way" installed by "com.android.vending" on 2022-01-10 19:08:28
INFO [mvt.android.modules.adb.packages] Found non-system package with name "oilprice.android.app" installed by "com.android.vending" on 2022-01-07 14:37:09
INFO [mvt.android.modules.adb.packages] Found non-system package with name "wit.android.bcpBankingApp.millennium" installed by "com.android.vending" on 2022-01-14 06:09:02
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.rsupport.rs.activity.rsupport.aas2" installed by "com.sec.android.app.samsungapps" on 2022-01-06 18:06:27
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.mrnumber.blocker" installed by "com.android.vending" on 2022-01-07 13:59:12
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.google.android.apps.youtube.music" installed by "com.android.vending" on 2022-01-07 19:25:59
INFO [mvt.android.modules.adb.packages] Found non-system package with name "br.gov.rj.rio.iplanrio.servidorrioapp" installed by "com.android.vending" on 2022-01-07 15:03:07
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.idmedia.android.newsportal" installed by "com.android.vending" on 2022-01-07 14:20:25
INFO [mvt.android.modules.adb.packages] Extracted at total of 418 installed package names
INFO [mvt.android.modules.adb.rootbinaries] Running module RootBinaries...
10:06:30 INFO [mvt.android.modules.adb.rootbinaries] The RootBinaries module does not support checking for indicators
INFO [mvt.android.modules.adb.logcat] Running module Logcat...
10:06:38 INFO [mvt.android.modules.adb.logcat] The Logcat module does not support checking for indicators
INFO [mvt.android.modules.adb.files] Running module Files...
10:06:40 INFO [mvt.android.modules.adb.files] Found 3430 files in primary Android data directories.
INFO [mvt.android.modules.adb.files] Flag --fast was not enabled: processing full file listing. This may take a while...
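The output above is long (418 packages, a dozen receivers) and, with no indicators loaded, MVT flags nothing on its own, so the analyst has to triage it by hand. As an added helper that is not part of MVT and not part of the original write-up, the Python below parses the text log that mvt-android check-adb prints, re-joins records that a narrow terminal wrapped onto several lines, and extracts the facts worth checking first: whether any indicators were loaded, which non-system packages were installed by something other than the two app stores present on this phone, which packages register receivers for incoming SMS, and which packages were installed inside a given time window. The sample log is a constructed excerpt of the output shown above; the KNOWN_STORES set and every function name are this example's own choices, not MVT's.

```python
"""Triage helper for the text log printed by `mvt-android check-adb`.

Constructed example, independent of MVT: it parses log lines like the ones
shown on this page and pulls out what an analyst checks first.
"""
import re
from datetime import datetime

# Installers that are the two app stores on this Samsung phone (assumption for this example);
# any other installer (sideload, OEM preload reported as "None", app-to-app install) gets listed.
KNOWN_STORES = {"com.android.vending", "com.sec.android.app.samsungapps"}

# A new log record starts with an optional HH:MM:SS (MVT prints the time only when it changes)
# followed by the level name; anything else is a continuation of the previous record.
RECORD_RE = re.compile(r"^(\d{2}:\d{2}:\d{2} )?(DEBUG|INFO|WARNING|ERROR|CRITICAL) ")
IOC_RE = re.compile(r"Loaded a total of (\d+) unique indicators")
PKG_RE = re.compile(
    r'Found non-system package with name "([^"]+)" installed by "([^"]+)" '
    r"on (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
)
RECV_RE = re.compile(
    r'Found a receiver (monitoring telephony state|to intercept incoming SMS messages): "([^"]+)"'
)


def join_wrapped_lines(text):
    """Re-join records that a narrow terminal wrapped onto several lines.

    Continuation lines are joined with a space, which is right when the wrap
    happened at a word boundary (as in the package lines). Identifiers split
    mid-token cannot be reassembled reliably from text; for those, read the
    JSON files MVT writes when run with --output instead of the log.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_check_adb_log(text):
    """Return indicators count, (name, installer, install time) tuples and (kind, component) receivers."""
    indicators = None
    packages = []
    receivers = []
    for rec in join_wrapped_lines(text):
        m = IOC_RE.search(rec)
        if m:
            indicators = int(m.group(1))
            continue
        m = PKG_RE.search(rec)
        if m:
            packages.append((m.group(1), m.group(2), datetime.strptime(m.group(3), "%Y-%m-%d %H:%M:%S")))
            continue
        m = RECV_RE.search(rec)
        if m:
            receivers.append(("sms" if "SMS" in m.group(1) else "telephony", m.group(2)))
    return {"indicators": indicators, "packages": packages, "receivers": receivers}


def triage(parsed):
    """Reduce the parsed log to the three things to look at before anything else."""
    return {
        # Without an IOC file nothing was compared against known Pegasus artifacts.
        "no_iocs_loaded": not parsed["indicators"],
        # Packages that did not come from a store: the short list to research, not proof of anything.
        "non_store_installs": sorted((n, i) for n, i, _ in parsed["packages"] if i not in KNOWN_STORES),
        # Packages able to see incoming SMS, the channel one-click Pegasus links arrived through.
        "sms_receiver_packages": sorted({c.split("/", 1)[0] for k, c in parsed["receivers"] if k == "sms"}),
    }


def packages_installed_between(parsed, start, end):
    """Packages first installed in [start, end] (ISO date or datetime strings), for building a timeline."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return sorted(n for n, _, ts in parsed["packages"] if lo <= ts <= hi)


# Constructed sample: excerpts of the output shown on this page, with one package record wrapped
# across three lines the way a narrow terminal prints it.
SAMPLE_LOG = """\
10:00:58 INFO [mvt.android.cli] Checking Android through adb bridge
INFO [mvt.android.cli] Loaded a total of 0 unique indicators
10:01:08 INFO [mvt.android.modules.adb.dumpsys_receivers] Found a receiver monitoring telephony state: "org.telegram.messenger/.CallReceiver"
INFO [mvt.android.modules.adb.dumpsys_receivers] Found a receiver to intercept incoming SMS messages: "com.kms.free/com.kavsdk.shared.cellmon.SMSReceiver"
INFO [mvt.android.modules.adb.dumpsys_receivers] Found a receiver to intercept incoming SMS messages: "org.thoughtcrime.securesms/.service.SmsListener"
INFO [mvt.android.modules.adb.dumpsys_receivers] Found a receiver to intercept incoming SMS messages: "com.kms.free/com.kms.kmsdaemon.SMSReceiver"
10:06:29 INFO [mvt.android.modules.adb.packages] Found non-system package
with name "com.whatsapp" installed by "com.android.vending" on
2022-01-06 15:51:38
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.samsung.android.galaxy" installed by "None" on 2008-12-31 13:00:00
INFO [mvt.android.modules.adb.packages] Found non-system package with name "com.sec.android.easyMover" installed by "com.sec.android.easyMover.Agent" on 2022-01-06 14:36:25
INFO [mvt.android.modules.adb.packages] Found non-system package with name "org.thoughtcrime.securesms" installed by "com.android.vending" on 2022-01-14 18:30:05
"""

if __name__ == "__main__":
    parsed = parse_check_adb_log(SAMPLE_LOG)
    for key, value in triage(parsed).items():
        print(f"{key}: {value}")
    print("installed 2022-01-10..2022-01-31:", packages_installed_between(parsed, "2022-01-10", "2022-01-31"))
```

Run against the sample it reports that no IOCs were loaded, lists com.samsung.android.galaxy (installer "None", 2008 timestamp, an OEM preload) and com.sec.android.easyMover (installed by its own agent) as the non-store installs, and names com.kms.free and org.thoughtcrime.securesms as the packages with SMS receivers. None of that is evidence of compromise; the point is to turn hundreds of lines into a handful of packages to research, and to make a missing IOC file impossible to overlook.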
References
- What is Pegasus Virus and How to detect it
- MVT (Mobile Verification Toolkit)
- Android Debug Bridge (adb)
- HardReset.info: SAMSUNG Galaxy A12 Developer Options
- How to Install Android Studio on Fedora 35
- Amnesty Tech
- Forensic Methodology Report: How to catch NSO Group's Pegasus
- NSO Group
- Zero-click attack: what is it?
- What is a zero-day exploit?