MVT – forensic tool to look for infections on smartphones (github.com/mvt-project)
93 points by bjoko on July 18, 2021 | hide | past | favorite | 17 comments


How can one determine from ones own device (an iPhone for example) if it’s been compromised with malware?

I’ve never seen my phone present any kind of scan results or notice of infection, nor are there any kind of malware-scanning apps in the App Store (since they wouldn’t be able to leave the app jail to scan anyway).

Is this just like a glaring hole in mobile security for iOS?


1. Make an iTunes backup.

2. Use the tool in question to identify IoC (indicators of compromise).

You're literally commenting on a tool that does this ;)


I’m actually asking a slightly different question:

How do I run a tool like this on my idevice itself?

As mobile malware becomes more prolific, is the paradigm we want to set to find it really you make a back up and run a tool on it on your PC?

That UX won’t work for 90% of mobile users


Would you trust an app on your phone, that you suspect is rooted with malware?

If Pegasus knows these "on device malware detection" apps exist, they'll just add them to the list of things their malware (which runs with significantly more privileges than an app you download from the App Store) modifies/breaks/circumvents.


You can't because of sandboxing, which is arguably a very good thing.


Did anyone grok how this is working? I just scanned the code quickly; for WhatsApp it looks like it’s extracting your message backups, basically recreating what a hack would do? I then assume that it compares these extracts to what’s left over on the device and wasn’t cleaned up?


It looks at various indicators of compromise that are linked to malicious compromise. As one specific example, Pegasus is known to try and hide its tracks by deleting some log files. Their deletion is incomplete and corrupts the log database though, so it produces a very traceable, "you have been hit by Pegasus" indicator.

A (partial) list of Pegasus C&C servers is also known, and some iOS log files store hostnames you have connected to in the past.

It's fairly standard IoC analysis -- lots of malware leave traces on the client endpoint in question.


Has anyone found a (the) good "Indicators" (IoC) file to compare against? I have a number of large JSON files as the output of the tool, but it's way too much to sort through manually.


I see a list of URLs that might be endpoints of the exploit; does anybody know how to monitor connections to those URLs from your LAN? Is it efficient to set up such a defense? And where can I download the list of Pegasus servers?


I think the URLs in that repo are just short-URL services. You need to provide IOC (indicators of compromise) files in a specific format, and it will check any short URLs to expand them out and compare against the provided list.

https://oasis-open.github.io/cti-documentation/stix/intro
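The IoC matching described in the two comments above (the known C&C hostnames that iOS logs retain, and the STIX indicator files the tool consumes), as an added example in Python that is not MVT's own code: it parses a small constructed STIX 2.1 bundle, pulls the `domain-name` and `url` indicators out of the patterns, and flags constructed log records whose hostname equals, or is a subdomain of, a listed domain. The bundle contents, the record field names and every hostname are placeholders made up for this example, not real indicators; the short-URL expansion the comment mentions needs network access and is left out, so the records are assumed to already hold the expanded hostname.

```python
import json
import re
from typing import Dict, Iterable, List, Optional, Set
from urllib.parse import urlparse

# Constructed STIX 2.1 bundle (hypothetical indicators, not real infrastructure).
# Note the "malware" object: non-indicator objects must be ignored when loading.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "name": "c2 domain", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'update-cdn.example']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "name": "c2 domain", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'telemetry-sync.example']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "name": "exploit landing url", "pattern_type": "stix",
         "pattern": "[url:value = 'https://news-flash.example/a/b']"},
        {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000005",
         "name": "hypothetical spyware", "is_family": True},
    ]
})

# Constructed records in the shape a backup-derived extraction might yield:
# when a hostname was contacted and which process was responsible.
SAMPLE_RECORDS = [
    {"timestamp": "2021-07-18T10:02:11Z", "hostname": "gateway.icloud.com", "process": "cloudd"},
    {"timestamp": "2021-07-18T10:03:40Z", "hostname": "cdn.update-cdn.example", "process": "bh"},
    {"timestamp": "2021-07-18T10:05:02Z", "hostname": "news-flash.example",
     "process": "com.apple.WebKit.Networking"},
    {"timestamp": "2021-07-18T10:09:59Z", "hostname": "api.example.org", "process": "MobileSMS"},
]

# Only the simple single-comparison STIX patterns are handled here.
_PATTERN_RE = re.compile(r"\[(domain-name|url):value\s*=\s*'([^']+)'\]")


def load_indicators(stix_json: str) -> Dict[str, Set[str]]:
    """Collect domain and URL indicators from a STIX bundle's indicator objects."""
    bundle = json.loads(stix_json)
    iocs: Dict[str, Set[str]] = {"domains": set(), "urls": set()}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        match = _PATTERN_RE.fullmatch(obj.get("pattern", "").strip())
        if not match:
            continue  # unsupported pattern shape; skip rather than guess
        kind, value = match.groups()
        if kind == "domain-name":
            iocs["domains"].add(value.lower())
        else:
            iocs["urls"].add(value)
            host = urlparse(value).hostname
            if host:
                # The host of a malicious URL is worth matching on its own,
                # since logs often keep only the hostname, not the full URL.
                iocs["domains"].add(host.lower())
    return iocs


def match_hostname(hostname: str, domains: Iterable[str]) -> Optional[str]:
    """Return the indicator domain that hostname equals or sits under, else None.

    Subdomain matching uses a '.'-anchored suffix so 'notupdate-cdn.example'
    does not match the indicator 'update-cdn.example'.
    """
    host = hostname.lower().rstrip(".")
    for domain in domains:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan_records(records: Iterable[dict], iocs: Dict[str, Set[str]]) -> List[dict]:
    """Return the records whose hostname hits an indicator, annotated with it."""
    hits = []
    for rec in records:
        matched = match_hostname(rec["hostname"], iocs["domains"])
        if matched is not None:
            hits.append({**rec, "matched": matched})
    return hits


if __name__ == "__main__":
    indicators = load_indicators(STIX_BUNDLE)
    for hit in scan_records(SAMPLE_RECORDS, indicators):
        print(f"{hit['timestamp']} {hit['process']} -> {hit['hostname']} "
              f"(matches indicator {hit['matched']})")
```

Two of the four constructed records are flagged: the subdomain of a listed C&C domain and the host of the listed URL. A real run would load the indicator file the tool expects and the tool's own extraction output rather than these inline samples.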


Can probably flag it with Pi-hole (https://pi-hole.net/)


Is there anything like this that can be installed from the app store?


I strongly doubt an iphone app can have sufficient access to the phone to do anything useful.

Maybe if the app bundled an exploit. But that's unlikely to be sustainable.


I think this is an interesting question though: why can we run our own antivirus on our target computers to check for viruses but not on our own phones?


Because anything with enough privileges to be an antivirus has enough privileges to be a virus, and the mobile OS makers err on the side of caution.


I'd be happy if the OS had bare checksums to warn about unexpected file or permission changes. It might feel like running uMatrix, so maybe not a great idea though.


URLs are given.

Didn’t Amazon just shutdown the servers belonging to such a group?

Pi-hole would probably be too late to stop them anyway.



