September 2, 2016

min read

Device Already Infected With Pegasus? Updating Your OS Won’t Help

Since Lookout first announced our discovery of the Pegasus attack and Trident vulnerabilities in partnership with Citizen Lab, we've received many clarifying questions from security professionals. In this series we're answering the top queries we've received to help you better understand the facts around this unprecedented mobile threat.

Today’s question: Why doesn’t the iOS 9.3.5 update fix a previously-infected device?

Get an in-depth walk-through of this attack in this webinar of Lookout Vice President of Security Research Mike Murray.

Updating a device to the latest iOS version will not remove or identify a pre-existing Pegasus infection on a device.

When Apple learned about the Trident iOS vulnerabilities used in the Pegasus attack, a serious form of mobile spyware, the company immediately patched the holes and sent an update out to users.

If an attacker already infected a device with Pegasus, updating to iOS 9.3.5 (the latest version of iOS) would only close the vulnerabilities used by Pegasus, but it does not remove the spyware itself.

Pegasus software can update itself, and we should expect that the organization is moving to keep its software viable and circumvent protections that have been put in place to stop them. This means compromised devices could still be at risk and your enterprise needs to know about it.

Apple’s iOS 9.3.5 update will also not alert you to the fact that Pegasus was on the device, and victims won’t realize that they have been infected. Without Lookout, the targeted victim would have no way to tell if their device was infected, a crucial element of the Pegasus attack.

Your organization needs to know if an employee’s devices is infected, otherwise it will not be able to conduct a forensic investigation to understand the scope, timing, and implications of the breach that already occurred. This kind of data is crucial for the enterprise to know what steps to take next.

Get even more information on our official Pegasus and Trident page.

Think your device has been impacted by Pegasus? Contact us.