Study shows potentially higher prevalence of spyware infections than previously thought

High-powered spyware might be more prevalent on victims’ phones than commonly believed, research out Wednesday from iVerify suggests.

Devices that the mobile device security firm’s tech scanned found seven Pegasus spyware infections among 2,500 users who volunteered to participate in its investigation with a $0.99  version of its tech as an app.

“Our investigation detected 2.5 infected devices per 1,000 scans — a rate significantly higher than any previously published reports,” iVerify said in a blog post.

Even with the caveat that its users — and those who self-selected to participate in the investigation — are from a population more likely to be targeted for spyware infections, that still was a startling rate, said Rocky Cole, chief operating officer and co-founder of the company.

“Our findings suggest that commercial spyware in particular is far more prevalent than people think,” he told CyberScoop. Even if the study showed a drastically lower rate of infections than that, it would still make it larger than assumed, “given that the prevailing narrative has been that spyware is niche and only something that people wanted by law enforcement or activists and journalists have to worry about.”

Of the seven infections, all were located outside the United States; NSO Group, the maker of Pegasus spyware, has said it cannot target U.S. phone numbers. They were spread across Europe, the Middle East and countries located in the Southern hemisphere that are known as the Global South, Cole said.

The victims were, in fact, journalists and activists, but also business leaders not overtly involved in politics, Cole said.

The scans employed threat signatures from groups that study spyware, such as those that the University of Toronto’s Citizen Lab discovered. The infections stretched between 2021 and 2023, with the study occurring in May of this year. Almost all of the infections left identifiable traces, such as file names unique to Pegasus, and did not appear to indicate the spyware was still active on those devices, Cole said.