Mobile Security, Spyware, and Advanced Protections
Comprehensive guide to securing mobile devices against state surveillance, commercial spyware (Pegasus/Predator), and domestic malware in Iran. Includes hardening steps for Android/iOS and forensic verification methods.
Mobile devices are the primary targets for surveillance in Iran due to their abundance of sensors (GPS, microphone, camera) and the wealth of personal data they contain. For Iranian users, threats range from mass surveillance via domestic apps and SMS interception to targeted attacks using sophisticated spyware like Pegasus or domestic equivalents used by security agencies.
This guide consolidates strategies to harden mobile operating systems, prevent physical and remote extraction, and detect indicators of compromise.
I. The Threat Landscape in Iran
1. State-Sponsored Spyware & Domestic Malware
While high-profile mercenary tools like Pegasus (NSO Group) and Predator (Intellexa/Cytrox) are reserved for top-tier targets, the vast majority of Iranian users face domestic malware: commodity Android trojans delivered through social engineering. These are often disguised as:
- VPN applications.
- "Sana" (Judiciary) electronic notification apps.
- Subsidy (Yaraneh) registration tools.
- Unofficial Telegram clients (e.g., Mobogram, Talagram).
2. Physical Seizure and Extraction
Security forces frequently seize devices at checkpoints, protests, or during arrests. They use forensic extraction tools (such as Cellebrite UFED or comparable products from other vendors) to brute-force or bypass locks and pull data. These tools get far less from a device that is powered off or has not been unlocked since boot (the "before first unlock" state, in which most user data is still encrypted) than from one that is merely locked, so power the device off before a checkpoint if you can, and use a long passphrase rather than a PIN.
3. SIM Swapping and SMS Interception
Telecommunication providers in Iran (MCI, Irancell, RighTel) operate under strict state monitoring. State actors can intercept SMS 2FA codes at the carrier or perform a SIM swap (re-issuing your number on a SIM they control) without your knowledge; no setting on the phone protects against either, which is why SMS must not be a factor in your authentication.
II. Fundamental Device Hardening
Before addressing advanced spyware, basic hygiene must be enforced to prevent common attacks.
1. Screen Lock and Biometrics
Do not rely on Face ID or a fingerprint alone.
- Risk: In a detention scenario, you can be physically forced to unlock your phone using biometrics, and short numeric PINs are brute-forced by forensic tools.
- Recommendation: Use a strong, alphanumeric passphrase (at least 12 characters). Biometrics can stay enabled for day-to-day convenience as long as you can disable them in seconds.
- Emergency Action: Learn how to disable biometrics quickly so that the passphrase is required for the next unlock:
- iOS: Press and hold the Side (Power) button and either Volume button until the power-off slider appears, then tap Cancel. Face ID/Touch ID stays disabled until the passcode is entered.
- Android: Hold the Power button (Power + Volume Up on recent Pixels) and tap Lockdown. The option must first be enabled in the lock screen settings (for example Settings > Display > Lock screen > Show lockdown option; the path varies by vendor). Lockdown disables biometrics and lock-screen notifications until the passphrase is entered.
2. Daily Reboot Schedule
Many modern exploit chains, including zero-click ones, do not install persistence: the implant lives only in memory (RAM) and is gone after a reboot.
- Action: Reboot your phone every morning. This forces an attacker to re-exploit the device to regain access, increasing their cost and the chance that the attempt is detected. Where available, enable automatic reboots rather than relying on habit: GrapheneOS has an auto-reboot timer in its security settings, and iOS 18.1 and later reboot on their own after the device has been locked for roughly three days (inactivity reboot).
3. App Source Hygiene
Never install apps from Telegram channels or links sent via SMS. State-sponsored malware is overwhelmingly distributed through links that impersonate official government services, or through third-party Iranian app stores that may be compromised or coerced into carrying it.
- Recommended Sources:
- Google Play Store / Apple App Store: Generally safer, though privacy-invasive.
- Aurora Store: An anonymous client for the Google Play Store (useful if you lack Google Play Services or want to avoid logging in).
- F-Droid: For open-source, audit-friendly applications.
- Obtainium: For downloading updates directly from a developer's GitHub/GitLab releases (bypassing stores entirely).
III. Advanced Hardening Modes
For high-risk users (activists, journalists), standard settings are insufficient. Use the high-security modes provided by OS vendors; they trade some convenience for a much smaller attack surface.
1. iOS: Lockdown Mode
Introduced in iOS 16, this is the strongest built-in defense against mercenary spyware like Pegasus and Predator. It works by shrinking the attack surface rather than by detecting infections.
- How to Enable: Settings > Privacy & Security > Lockdown Mode (the device restarts).
- What it does:
- Blocks most message attachments and link previews in Messages.
- Blocks incoming FaceTime calls from people you have not previously called.
- Disables just-in-time (JIT) JavaScript compilation and other complex web technologies that exploit chains frequently rely on.
- Blocks wired (USB) accessory connections while the phone is locked.
- Blocks installation of configuration profiles and enrollment in mobile device management.
- Impact: Some websites may load slower, and link previews are disabled. This is a worthwhile trade-off for safety.
2. Android: Advanced Protection & GrapheneOS
- Google Advanced Protection: Google's program for high-risk accounts. It requires a hardware security key or passkey to sign in, limits which third-party apps can access your Google data, and on Android blocks installing apps from outside the Play Store and other verified stores. It protects the account more than the device, so pair it with the hardening steps above.
- GrapheneOS (The Gold Standard): If you own a Google Pixel, install GrapheneOS. It is a hardened, privacy-focused Android build that ships without Google services (they can be added as ordinary sandboxed apps with no special privileges), keeps verified boot with a locked bootloader, and adds memory protections (hardened_malloc and hardened kernel settings) that make exploits significantly harder to land.
- Includes: the Auditor app for hardware-backed verification that the OS has not been tampered with (see Section V).
IV. SIM Security and Anti-Surveillance
1. Lock Your SIM Card
Prevent someone who takes your physical SIM card from using it in another phone to receive your OTP codes. (A SIM PIN does not stop a SIM swap performed at the carrier; see the next point.)
- Action: Set a SIM PIN (iOS: Settings > Cellular > SIM PIN; Android: Settings > Security > SIM card lock, path varies by vendor) and change the carrier's default PIN to your own.
- Warning: Do not guess. After 3 wrong PIN entries the SIM locks and requires the PUK code (printed on the card holder or available from the carrier); after 10 wrong PUK entries the SIM is permanently disabled.
2. Abandon SMS for Authentication
Assume all SMS traffic in Iran is readable by the carriers, the state-controlled Telecommunication Company of Iran (TCI), and the intelligence services.
- Action: Switch all accounts (Google, X/Twitter, and so on) to authenticator apps (TOTP) or hardware keys (YubiKey), and remove your phone number as a recovery option wherever possible. For Telegram, enable Two-Step Verification (a cloud password) so that an intercepted SMS login code alone is not enough to take over the account.
- Attack Vector: Attackers trigger a password reset or a login via SMS and intercept the code to hijack the account; after a SIM swap they receive it directly.
V. Spyware Detection and Forensics
Detecting sophisticated spyware is difficult. "Anti-virus" apps are generally useless against state-grade tools like Pegasus.
1. Indicators of Compromise (IoC)
While sophisticated spyware tries to remain hidden, watch for:
- Unexpected battery drain or overheating.
- High data usage by system services.
- Random reboots or interface glitches.
- "Checkra1n" or "Cydia" appearing: Indicators that a physical seizure involved a jailbreak (checkra1n only works on older iPhones, up to the A11 chip / iPhone X). Note that the absence of these symptoms proves nothing; well-built spyware shows none of them.
2. Verification Tools (For Advanced Users)
- Mobile Verification Toolkit (MVT): Developed by Amnesty International's Security Lab. It checks an iOS backup (or a full filesystem dump) and, on Android, data pulled over ADB or from a backup, against published indicators of compromise (STIX2 IoC files listing domains, process names and file paths tied to Pegasus, Predator and others) and builds a timeline of suspicious events.
- Note: Requires a computer (Linux/macOS) and command-line knowledge. Make the iOS backup encrypted (set a backup password) before scanning, because unencrypted backups omit data MVT needs, such as Safari history.
- iMazing (iOS): A user-friendly desktop tool that incorporates MVT's scanning capabilities (its Spyware Detection feature) to check an iPhone backup for known traces.
- Auditor (Android): Uses hardware key attestation to verify that the OS has not been tampered with or downgraded. It works best on GrapheneOS but also supports the stock OS on many devices, including Pixels. It verifies the OS and boot chain, not whether an app-level implant is present.
Warning: A "clean" scan does not guarantee safety. New variants of spyware may not yet have public signatures.
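What MVT does against a backup is mechanical and worth seeing in code: it parses a STIX2 indicator file into sets of domains and process names, then walks the extracted records (Safari history rows, SMS bodies, a process list) and flags any URL whose host is an indicator or a subdomain of one, producing a timeline of hits. The Python below is an added example written for this page, not MVT's own code; the indicator bundle, the `.invalid` domains, the process name `bh` and the records are constructed placeholders, not real spyware infrastructure. With the real tool the equivalent run is `mvt-ios download-iocs` followed by `mvt-ios check-backup --iocs <ioc file> --output <dir> <backup dir>`.

```python
"""IoC matching over extracted phone records, in the style of MVT.
Added example for this page, not MVT's code; every indicator and record below
is a constructed placeholder."""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Constructed STIX2-style indicator bundle. The .invalid domains and the process
# name are placeholders and do not correspond to any real spyware infrastructure.
SAMPLE_IOCS = {
    "objects": [
        {"type": "indicator", "pattern": "[domain-name:value = 'cdn-update.invalid']"},
        {"type": "indicator", "pattern": "[domain-name:value = 'tracker.invalid']"},
        {"type": "indicator", "pattern": "[process:name = 'bh']"},
        {"type": "malware", "name": "placeholder"},  # not an indicator; must be ignored
    ]
}

# Constructed records of the kind MVT extracts from an encrypted iOS backup:
# Safari history rows, sms.db message bodies and a process list.
SAMPLE_RECORDS = [
    {"source": "safari_history", "ts": "2024-03-01 08:12:03",
     "url": "https://news.example/article/1"},
    {"source": "sms", "ts": "2024-03-01 09:40:11",
     "text": "Your subsidy was suspended. Confirm at https://login.cdn-update.invalid/r/7x"},
    {"source": "safari_history", "ts": "2024-03-01 09:40:30",
     "url": "https://login.cdn-update.invalid/r/7x"},
    {"source": "process", "ts": "2024-03-02 00:00:00", "name": "bh"},
    {"source": "process", "ts": "2024-03-02 00:00:00", "name": "backboardd"},
]

# Single-comparison STIX2 patterns such as [domain-name:value = 'x']
PATTERN_RE = re.compile(r"\[(?P<kind>[\w-]+:\w+)\s*=\s*'(?P<value>[^']+)'\]")
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)


def parse_iocs(stix: dict) -> dict[str, set[str]]:
    """Group indicator values by observable kind, e.g. {'domain-name:value': {...}}."""
    iocs: dict[str, set[str]] = {}
    for obj in stix.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = PATTERN_RE.fullmatch(obj.get("pattern", "").strip())
        if m is None:
            continue  # compound or unsupported pattern: skip rather than guess
        iocs.setdefault(m["kind"], set()).add(m["value"].lower())
    return iocs


def url_host(url: str) -> str | None:
    """Hostname of a URL, lower-cased, or None if it cannot be parsed."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def domain_matches(host: str, bad_domains: set[str]) -> str | None:
    """Return the matching indicator if the host or any parent domain is listed,
    so login.cdn-update.invalid matches an indicator for cdn-update.invalid."""
    labels = host.split(".")
    for i in range(len(labels) - 1):  # never match a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in bad_domains:
            return candidate
    return None


def scan_records(records: list[dict], iocs: dict[str, set[str]]) -> list[dict]:
    """Walk extracted records and return a time-ordered list of indicator hits."""
    bad_domains = iocs.get("domain-name:value", set())
    bad_procs = iocs.get("process:name", set())
    hits: list[dict] = []
    for rec in records:
        if rec["source"] == "process":
            if rec["name"].lower() in bad_procs:
                hits.append({"ts": rec["ts"], "source": "process",
                             "ioc": rec["name"].lower(), "evidence": rec["name"]})
            continue
        # URLs may sit in a dedicated field (history) or inside free text (SMS)
        text = rec.get("url") or rec.get("text") or ""
        for url in URL_RE.findall(text):
            host = url_host(url)
            matched = domain_matches(host, bad_domains) if host else None
            if matched:
                hits.append({"ts": rec["ts"], "source": rec["source"],
                             "ioc": matched, "evidence": url})
    return sorted(hits, key=lambda h: h["ts"])


if __name__ == "__main__":
    for hit in scan_records(SAMPLE_RECORDS, parse_iocs(SAMPLE_IOCS)):
        print(f"{hit['ts']}  {hit['source']:<15} {hit['ioc']:<20} {hit['evidence']}")
```

The parent-domain walk in `domain_matches` is the important detail: phishing links and exploit servers are almost always served from a subdomain of the listed domain, so an exact-match lookup would miss them. The same limitation the warning above describes applies here too: a record only becomes a hit if its domain or process name is already on the list.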
VI. Incident Response: What if you are infected?
If you suspect your device is compromised by state spyware:
- Disconnect Immediately: Enable Airplane Mode, then turn off Wi-Fi and Bluetooth separately (Airplane Mode does not always disable them). If possible, place the phone in a Faraday bag to stop further exfiltration or a remote wipe; improvised shields such as an unplugged microwave oven are unreliable (test by calling the phone while it is inside), and a refrigerator blocks nothing. Do not wipe or factory reset the device yet: that destroys the evidence a forensic assessment needs.
- Cease Sensitive Communication: Do not use the device to contact colleagues. Use a secondary, clean channel.
- Do Not Trust a Returned Device: If the device was seized and returned, treat it as compromised. Do not unlock it or use it for anything sensitive; its contents may have been copied or an implant installed, and every use feeds that implant fresh data. Keep it isolated (Airplane Mode, Faraday bag) until a forensic assessment can be arranged.
- Forensic Assessment: If you are a high-risk individual, contact Amnesty Tech Security Lab or Access Now for forensic assistance.
- The Nuclear Option:
- Factory Reset: On a device with a locked bootloader this removes essentially all malware, including persistent implants stored in user data, but it cannot be trusted against implants in firmware or the bootloader (rare, but possible after physical access), and it destroys forensic evidence. Have the assessment done first.
- Device Abandonment: The safest course of action for a confirmed hardware compromise is to physically destroy the device and replace it.
VII. Summary Checklist for Iranian Users
| Action | Difficulty | Impact |
|---|---|---|
| Set Alphanumeric Passphrase | Easy | High |
| Enable Auto-Reboot / Reboot Daily | Easy | Medium |
| Switch SMS 2FA to Authenticator App | Medium | High |
| Enable Lockdown Mode (iOS) | Easy | Very High |
| Use GrapheneOS (Pixel Users) | Hard | Very High |
| Set SIM PIN | Easy | Medium |
| Avoid Persian App Stores | Easy | High |
Related Resources
- [[Desktop_OS_Hardening_and_Malware_Prevention]]
- [[Countering_Social_Engineering_Phishing_and_Scams]]
- [[Operational_Security_OpSec]]