I Spent An Evening Trying Out iMazing’s iPhone Spyware Detection Feature… Here’s How It Went

A while ago I wrote about a product called iMazing which among other things claimed to “easily” detect spyware from The NSO Group among other types of spyware. At the time I promised that I would try it out and see what it was like. I finally got around to doing that last night. And here’s how it went for me.

First of all, let me get this out of the way. It is extremely unlikely that 95% of you or more have any spyware on your iPhone. That’s because spyware on the iPhone tends to be aimed at specific targets, such as journalists, human rights activists or government officials. And on top of that, while exploits do exist for iOS devices, they are rare and highly valuable as iOS is a highly secure OS by default. Which is why groups like The NSO Group are in a cat and mouse game with Apple to use these exploits before Apple shuts them down. Which means that those exploits are more likely to be used on a high value target rather than the common person with an iPhone 13.

Having said all that there is a school of thought that says that it pays to be sure that you aren’t one of the 5%. That’s where iMazing comes in. Here’s how it works. The short answer is that iMazing makes a backup of your iPhone, and then performs an analysis on it to see if you have any spyware type activity.

The more nerdy answer adds to what I said above via this statement from the company:

iMazing’s spyware detection tool is available as a free feature in iMazing 2.14 and above. It can be used to detect signs of infection by NSO’s Pegasus and has the potential to evolve to detect other threats. The methodology implemented closely mirrors that of the open-source Mobile Verification Kit by Amnesty International’s Security Lab. The ability for the user to customize the analyzer by providing indicators of compromise in STIX format may be useful for early investigations of future threats. For more context on the development of iMazing’s spyware detection tool, please refer to this blog post.

So all you need to do is to follow the instructions in this document which will require you to connect your iPhone to your computer and have iMazing perform an encrypted backup using the “Detect Spyware” option. It will then analyze the backup and produce a report in the form of a spreadsheet. All analysis is local to the computer in case you were wondering if iMazing gets to see your data. The whole process takes anywhere from 10 to 20 minutes and is largely painless. In my case I got a report that said that I had no spyware on my iPhone. But I did get 7 warnings.

The timestamp traces back to a suspicious text that I was investigating. The text had a link in it and the link never opened in Safari. Thus this is explainable. And according to iMazing, HTTP redirections, indicator matches, and signs of manipulated entries will end up in entries like the above. HTTP redirects are logged as warnings to bring your attention to them. And they are not a sign of infection in themselves as long as they do not point to a known malicious domain. Other than that, my iPhone was clean.
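The triage rule described above, as an added example that is not iMazing's or MVT's code: domains are read from indicators in a STIX bundle, and each redirect stays a warning unless its destination falls under one of those domains. The bundle, the redirect records and the function names are constructed for illustration, and the indicators are assumed to be written as STIX `domain-name:value` patterns.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed STIX 2.1 bundle; the domain is a placeholder, not a real indicator.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000002",
         "name": "ExampleSpyware"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern_type": "stix",
         "pattern": "[domain-name:value='bad-redirect.example']"},
    ],
})

# Constructed redirect records: (timestamp, origin URL, destination URL).
REDIRECTS = [
    ("2021-11-02T19:04:11Z", "https://t.example.org/abc", "https://news.example.org/story"),
    ("2021-11-02T19:05:40Z", "https://short.example.net/x", "https://cdn.bad-redirect.example/p"),
]

DOMAIN_RE = re.compile(r"domain-name:value\s*=\s*'([^']+)'")

def load_domains(bundle_text):
    """Collect domain-name values from the STIX indicator objects in a bundle."""
    domains = set()
    for obj in json.loads(bundle_text).get("objects", []):
        if obj.get("type") == "indicator" and obj.get("pattern_type", "stix") == "stix":
            found = DOMAIN_RE.findall(obj.get("pattern", ""))
            domains.update(d.lower().rstrip(".") for d in found)
    return domains

def host_matches(host, domains):
    """True if host equals an indicator domain or is a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(redirects, domains):
    """Label each redirect WARNING by default, MATCH if it points to an indicator domain."""
    results = []
    for ts, _origin, dest in redirects:
        dest_host = urlsplit(dest).hostname
        label = "MATCH" if host_matches(dest_host, domains) else "WARNING"
        results.append((ts, label, dest_host))
    return results

if __name__ == "__main__":
    for row in triage(REDIRECTS, load_domains(STIX_BUNDLE)):
        print(*row)
```

The subdomain check compares on a label boundary, so a look-alike host that merely ends with the same characters as an indicator domain is not reported as a match.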

Now there are some things to note:

  • There are some differences between iMazing’s tool and the one from Amnesty International. iMazing works only with iPhone, and it does not support analyzing from jailbroken devices.
  • In the interests of privacy, iMazing does not save extracted records to the analysis file. The process happens in system memory, then the results are exported and the memory is wiped.
  • iMazing cannot prevent a spyware infection. It can only tell you if you have one. That means that you still have to be careful so that you don’t get infected. Doing things like ensuring that you have an up-to-date OS on your phone, that you don’t click on links that you get from anyone, and the like will keep you safer. Though I will point out that Pegasus, which is the spyware that The NSO Group serves up, is zero click in nature. Meaning that if you’re a target of one of their customers, you’ll get pwned no matter what you do as it requires zero interaction from you to take over your iPhone.
  • If your iPhone does come back as positive for spyware, you need to reach out to iMazing here and have them analyze your backup. In the meantime, you should refrain from any communications which may put you at risk but keep using the device as you did before so as not to reveal that you have become aware of the infection. Assuming that you don’t have a false positive which iMazing can confirm. If you don’t have a false positive, they will put you in touch with professional help.

iMazing goes for $59.99 CAD per year for unlimited devices and has the option of a one-time purchase based on the number of devices that you want to use iMazing with, starting at $44.99 CAD for one device. But the spyware scanning functionality is free.

Again, I will point out that it is highly unlikely that 95% or more of you would be a target for spyware. But if you think you are one of those 5%, or you just want to be sure that you aren’t infected with something evil, iMazing has a solution for you.

One Response to “I Spent An Evening Trying Out iMazing’s iPhone Spyware Detection Feature… Here’s How It Went”

  1. richardwpearce Says:

    iMazing also allows another action that can be of great use.
    You can see and print out your Messages from the downloaded Message app. I’ve found it very handy to preserve Messages.
