I recently came across reports in media that Whatsapp’s services were exploited by a malware Pegasus for illegal surveillance of certain individuals. Pegasus, which exploits 0-day vulnerabilities, is known to infect a device just by visiting a malicious link from the user’s device. The recent reports highlight that a vulnerability related to video calls in Whatsapp allowed Pegasus to infect any Whatsapp (up to infected versions) running Android device without user intervention.
I didn’t anticipate this level of infiltration, and this is very scary. What preventive steps can I undertake to prevent Pegasus or alike malwares from infiltrating my device and from communicating with C&C servers? There must be something one can do to prevent exploitation or at least be alerted when the exploitation occurs.
I’m using Android 9.0 (OnePlus 6 device). It is rooted with Magisk and has EdXposed installed. I use AppOps (from Rikka) and XPrivacyLua Xposed module with complete blacklisting to prevent new apps from utilizing any dangerous permission of Android. I also use AFWall+ (IPTables based firewall app) in whitelist mode only, with new apps denied internet access. However, some reports claim that Pegasus infiltrates silently and can pretty much access any dangerous permission (in terms of privacy), so I am unsure that my defenses are up to the task.
What other automated defensive steps can I undertake?
Some common (and non-automated) suggestions are:
- use latest Android versions with latest security patches — only works best if Google is your OEM.
- Keep your apps updated — true, but developers in Android ecosystem often add unnecessary features (bloat) or permissions with new updates, so I often don’t update all of my apps.
- Don’t sideload apps — I don’t, unless I can trust the source (such as F-Droid or some other reputable source)
- Be careful with multitude of permissions demanded by Play Store apps — I often don’t download apps to begin with unless absolutely necessary.
- Don’t use a compromised device (rooted) — I can’t let go of root. It is critically important to me. But I do keep Magisk auto-deny root access to new apps.
- “Do not open suspicious links” — but it is incredibly hard to practice that in the real world, with personal phones that are handy and accessible 24×7.
For the purposes of reducing the scope of this question, you’re free to target the latest available Android version only.