Indian infosec firm CloudSEK warned on Wednesday that scammers are selling counterfeit code advertised as the NSO Group's notorious Pegasus spyware.

"Threat actors created their own tools and scripts, distributing them under Pegasus's name to capitalize on its notoriety for financial gain," alleged the firm.

In case you've come in late, Pegasus offers "zero-click" compromise of mobile devices. Its developer, Israel's NSO group, claimed it would only sell the tool for legitimate law enforcement applications and vetted its customers. But in 2021 Amnesty International alleged widespread abuse of the tool to spy on heads of state, academics, diplomats, and human rights advocates.

CloudSEK researchers found the fake spyware after perusing around 25,000 posts of individuals offering Pegasus and other NSO tools on the messaging service Telegram. They next interacted with over 150 potential sellers, who provided access to 15 samples and over 30 indicators of compromise.

"These indicators encompassed the source code of their purported official Pegasus samples, live video demonstrations of samples in operation, the file structure of the samples, and snapshots of the source code," wrote report author Anuj Sharma.

The firm deduced nearly all samples were fraudulent and ineffective - yet some were on sale for hundreds of thousands of dollars. One seller offered permanent access to what it purported was Pegasus for $1.5 million - and allegedly made four sales in two days.

Fake spyware was also found on other code-sharing platforms, where CloudSEK claims actors were "disseminating their own randomly generated source codes."

CloudSEK probed sales of Pegasus after Apple's April decision to stop attributing spyware-related attacks to a specific source or perpetrator and instead to categorize them broadly as "mercenary spyware."

The change coincided with notifications of remote iPhone compromise in 92 countries.

CloudSEK wasn't the only entity to act after Apple’s change of tone. Its researchers found that the group selling (fake) permanent access to Pegasus internally shared and cheered the Apple advisory when it was released.

Sharma reckons the fraudulent code slingers gain more than just branding leverage by advertising the product as from NSO Group - it also helps them remain under the radar while selling custom-built spyware under a different entity's name.

The Reg asked NSO Group to comment on the counterfeits and their impact on its business, and will update should a substantial reply materialize. ®

https://www.theregister.com//2024/05/23/fake_pegasus_spyware_circulating/