Citizen Lab Lists Measures You Can Take to Protect Your Accounts From Spyware

Citizen Lab has put together a list of to-dos to help Android users protect their devices.

Citizen Lab, an interdisciplinary laboratory based at the Munk School of Global Affairs & Public Policy of the University of Toronto, has been in the thick of the WhatsApp controversy and has been helping the application reach out to all those users in India and across the globe whose profiles have come under “digital attack”.

Several rights activists, lawyers, journalists, professors and even university students have had their WhatsApp profiles compromised by the Israeli malware Pegasus.

WhatsApp has already taken the Israeli NSO Group to San Francisco’s federal court over the spyware. While the organisation has claimed that it sold the spyware only to governments and has no direct role to play in this, the extent of damage and compromise of data is huge.

Citizen Lab, as part of its research and legal engagement at the intersection of information and communication technologies, human rights, and global security, has put together a list of “to-dos” to help Android users protect their devices.

In a four-step process, Citizen Lab has explained the security measures that need to be taken to protect Android-based devices. It is reproduced below.

“Our suggestions are based on Citizen Lab’s current knowledge of mobile spyware (including Pegasus). However, we cannot guarantee that the following steps will ensure your digital safety. They should be understood as mere guidance and not a replacement for tailored, one-on-one support from a digital security expert,” the Lab states. 

Step 1: De-link cloud accounts 

According to reports, Pegasus spyware can steal credentials (‘tokens’) from your device, letting an attacker continue to access your online accounts even after your device is no longer infected.

For example, the Google account attached to your device could be accessed by an attacker on a continuing basis, letting an attacker read your Gmail messages, or view your photographs.

Citizen Lab believes that you can block some potential unauthorised access to your accounts by logging out of them from the Android phone that you are currently using.

Step 2: Replace your device 

Citizen Lab currently believes that an infection with Pegasus spyware can survive a factory reset on some Android phones.

However, based on their experience, Citizen Lab has admitted that they do not know the full range of devices for which this applies. Therefore, they recommend replacing your phone if you have been a target of Pegasus spyware.

Step 3: Change your passwords

Once you have obtained a new phone, you should change the passwords for the cloud accounts that were attached to your original phone, as well as any other accounts that you use regularly.

Changing passwords can be frustrating and time consuming, but it is essential to ensure that an attacker cannot continue to access your accounts using a stolen password.

One can also use a password manager to help quickly create strong new passwords for one’s accounts. Make sure to use a different password for each account or service.

Step 4: Enhance your online safety

One may be at risk from other forms of digital targeting or from spyware like Pegasus in the future. Being targeted means that someone invested time and resources in an effort to access your personal device.

Citizen Lab says Security Planner is a good basic place to start improving one’s digital safety.

This online tool asks you a few questions about the devices and services that you use and provides basic digital security recommendations.