9

I recently came across reports in the media that Whatsapp's services were exploited by the malware Pegasus for illegal surveillance of certain individuals. Pegasus, which exploits 0-day vulnerabilities, is known to infect a device just by visiting a malicious link from the user's device. The recent reports highlight that a vulnerability related to video calls in Whatsapp allowed Pegasus to infect any Android device running Whatsapp (up to the infected versions) without user intervention.

I didn't anticipate this level of infiltration, and this is very scary. What preventive steps can I undertake to prevent Pegasus or similar malware from infiltrating my device and from communicating with C&C servers? There must be something one can do to prevent exploitation or at least be alerted when the exploitation occurs.

I'm using Android 9.0 (OnePlus 6 device). It is rooted with Magisk and has EdXposed installed. I use AppOps (from Rikka) and XPrivacyLua Xposed module with complete blacklisting to prevent new apps from utilizing any dangerous permission of Android. I also use AFWall+ (IPTables based firewall app) in whitelist mode only, with new apps denied internet access. However, some reports claim that Pegasus infiltrates silently and can pretty much access any dangerous permission (in terms of privacy), so I am unsure that my defenses are up to the task.

What other automated defensive steps can I undertake?

Some common (and non-automated) suggestions are:

  • use latest Android versions with latest security patches -- only works best if Google is your OEM.
  • Keep your apps updated -- true, but developers in the Android ecosystem often add unnecessary features (bloat) or permissions with new updates, so I often don't update all of my apps.
  • Don't sideload apps -- I don't, unless I can trust the source (such as F-Droid or some other reputable source)
  • Be careful with the multitude of permissions demanded by Play Store apps -- I often don't download apps to begin with unless absolutely necessary.
  • Don't use a compromised device (rooted) -- I can't let go of root. It is critically important to me. But I do keep Magisk auto-deny root access to new apps.
  • "Do not open suspicious links" -- but it is incredibly hard to practice that in the real world, with personal phones that are handy and accessible 24x7.

For the purposes of reducing the scope of this question, you're free to target the latest available Android version only.

Firelord
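The question above runs AFWall+ in whitelist mode and asks to at least be alerted when something unexpected talks out. As an added example (not code from the question, AFWall+ or any other tool named), here is a small parser for the kernel-log lines an iptables LOG rule with `--log-uid` writes when an outbound packet is dropped; it groups denied attempts by Android app UID so repeated egress from a UID that should have no network access surfaces as an alert. The `AFWALL-DENY` log prefix, the sample lines and the threshold are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample lines (not captured from a real device) in the format the
# iptables LOG target emits when --log-uid is set. Android runs every app under
# its own UID (10000 and up), so UID= identifies the app behind each attempt.
# "AFWALL-DENY" is an assumed --log-prefix; use whatever your drop rule sets.
SAMPLE_LOG = """\
[  512.001] AFWALL-DENY: IN= OUT=wlan0 SRC=10.0.0.5 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=43210 DPT=443 UID=10234 GID=10234
[  512.440] AFWALL-DENY: IN= OUT=wlan0 SRC=10.0.0.5 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=43211 DPT=443 UID=10234 GID=10234
[  513.100] AFWALL-DENY: IN= OUT=wlan0 SRC=10.0.0.5 DST=198.51.100.9 LEN=76 PROTO=UDP SPT=51000 DPT=53 UID=10234 GID=10234
[  520.000] AFWALL-DENY: IN= OUT=rmnet0 SRC=10.0.0.5 DST=192.0.2.44 LEN=60 PROTO=TCP SPT=40001 DPT=8080 UID=10120 GID=10120
[  530.000] AFWALL-DENY: IN= OUT=wlan0 SRC=10.0.0.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40002 DPT=443 UID=1000 GID=1000
"""

def _field(line, key):
    m = re.search(rf"\b{key}=(\S*)", line)
    return m.group(1) if m else None

def parse_denied(log_text, prefix="AFWALL-DENY"):
    """Return one dict per dropped outbound packet logged under the given prefix."""
    events = []
    for line in log_text.splitlines():
        if f"{prefix}:" not in line or not _field(line, "OUT"):
            continue  # not our drop rule, or not an outbound packet
        events.append({
            "iface": _field(line, "OUT"),
            "dst": _field(line, "DST"),
            "proto": _field(line, "PROTO"),
            "dport": int(_field(line, "DPT") or 0),
            "uid": int(_field(line, "UID")),
        })
    return events

def alerts(events, allowed_uids=frozenset(), threshold=2):
    """Group denied attempts by UID; flag UIDs that are not explicitly allowed
    and reached the threshold, listing the distinct destinations they tried."""
    per_uid = defaultdict(list)
    for e in events:
        if e["uid"] not in allowed_uids:
            per_uid[e["uid"]].append(e)
    result = []
    for uid in sorted(per_uid):
        hits = per_uid[uid]
        if len(hits) < threshold:
            continue
        result.append({
            "uid": uid,
            "kind": "app" if uid >= 10000 else "system",
            "count": len(hits),
            "destinations": sorted({f"{h['dst']}:{h['dport']}/{h['proto']}" for h in hits}),
        })
    return result
```

Feed it `dmesg` or `logcat -b kernel` output and raise the threshold to taste; a UID that keeps retrying the same destination after being denied is worth looking up in the package list.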
  • Disabling JavaScript would be a big one. Ad networks have a tendency to insert malicious JS, and 9 times out of 9.1 a web browser exploit requires JS. Preventing malware from communicating with C&C servers requires a whitelist, and even then they can use public, legitimate services to run commands (pretty sure there was a bot or PoC that used Twitter messages for C&C). – user Nov 01 '19 at 13:19
  • I would have suggested installing [grapheneOS](https://grapheneos.org) since it has numerous hardening features built-in, but it is only officially supported on latest google pixel devices. – nobody Jan 19 '22 at 17:45

2 Answers

1

You cannot.

A Zero Day is, by definition, unknown to anyone but the attackers. Even if you keep your phone updated, all apps updated, have installed security programs, only use trusted networks, don't open anything suspicious and have a security conscious behavior, a zero day can catch you.

The only way to prevent this is to use a second device that the attackers don't know exists. You will have your public device, where you use Whatsapp, tweet things, post on social media, and will have a shadow device that stays shut down all the time, turning it on only from time to time to catch up on the messages you need, and go dark again. Write any replies offline, reconnect and let the apps send the messages. Wipe it and reinstall everything from time to time.

And you need two identities too. One public one with nothing interesting to the attacker, and the shadow one linked to the shadow device. Reducing the usage time of the device to the absolute minimum and keeping the least amount of data on it will make it very hard for an attacker to even know that device exists, and protect you if they ever get into it.

The weak part here is your behavior. If you use the shadow identity on the public device, or the public identity on the shadow phone, the attacker can correlate both devices and find you.

ThoriumBR
  • I'm no security expert, but I know that you can certainly protect yourself against "0-day" exploits by reducing the attack surface, i.e. closing ports, limiting the applications you use (esp. to those which typically exhibit less exploits), and sometimes "hardening" certain configuration parameters. Is none of this relevant? – einpoklum Jan 19 '22 at 10:04
  • @einpoklum Reducing the risk is good, but you cannot reduce every single risk. Hardening will make your system more secure, but no amount of hardening and surface reduction can make it invulnerable. If there's a 0-day on the baseband radio on your phone, or on the filesystem kernel driver on your server, there's nothing you can do to protect yourself. – ThoriumBR Jan 19 '22 at 12:10
  • OP didn't ask about hermetic protection only. – einpoklum Jan 19 '22 at 17:10
  • @einpoklum That's exactly what the answer suggests. Have a second device with limited attack surface for sensitive things, because it is often impractical to seriously limit the attack surface on your primary device. – nobody Jan 19 '22 at 17:39

-1

Direct answer: By their nature, it is impossible to be protected from 0-day vulnerabilities being exploited because it isn't known how the exploit will work. Not clicking on "unexpected or suspicious" links is the number one protection. Perhaps apps like WhatsApp need a better way to display what the destination of the link will be or the link itself.

By using root, you're at risk - at least to attacks in general. By using a rooted device, you're at risk. However, I will admit I don't know anything about the mitigation software you discuss.

The Pegasus attacks are highly targeted to influential, political targets. It is highly unlikely the average person will get targeted, or that a random spray attack will take place (if that was possible).

Rick