Local Detection of Spyware Indicators & Compromise Signals
RAILGUN includes Threat Shield — a multi-layered detection system that scans your device for known indicators consistent with Pegasus-class compromise, Predator, FinSpy, and other surveillance software. When enough indicators are present, RAILGUN escalates its response — up to refusing to operate on a device it believes is compromised.
Why This Matters
NSO Group's Pegasus can silently intercept messages before encryption by reading the screen, logging keystrokes, or accessing the microphone and camera. End-to-end encryption is meaningless if the endpoint device is compromised. Threat Shield addresses the endpoint security gap that no other messaging app tackles.
What Threat Shield Can and Cannot Do
Threat Shield is a risk engine, not a magic oracle. It raises the cost and complexity of attacking a RAILGUN user, but no software can guarantee detection of every possible compromise. Here is an honest accounting:
Can detect many known indicators of compromise (IOCs) and suspicious runtime conditions.
Can catch some forms of interception, instrumentation, hostile environment tampering, and C2 communication.
Can escalate response proportionally — from a warning through to full lockdown — based on composite evidence.
Cannot guarantee detection of every zero-click or in-memory implant. Sophisticated attackers with nation-state resources can develop novel techniques that evade known indicators.
A “clear” result is not proof that a device is clean. It means no known indicators were found at the time of the scan.
1. Detection Architecture
Threat Shield uses a two-layer defense model, inspired by the approach used by Amnesty International's MVT (Mobile Verification Toolkit), adapted for real-time desktop detection. An additional Update Shield gates the update mechanism on device health.
Layer 1: Static
File artifacts, certificates, process enumeration, stalkerware detection, debugger & injection checks. Runs on every app launch. ~50ms.
Layer 2: Behavioral
C2 network connection monitoring, CPU usage anomalies, suspicious listening ports, library injection detection. Runs every 15 minutes.
Update Shield
Blocks updates if device appears compromised. Verifies binary hash against signed manifest before applying.
Each layer produces a set of Threat Indicators — individual findings with a severity score. These are aggregated into a final Threat Level that determines the app's response.
2. Layer 1: Static Indicator Analysis
On every launch, Threat Shield checks for known Indicators of Compromise (IOCs) — file paths, process names, and certificate anomalies that are known signatures of specific spyware families.
File Artifact Scanning
Pegasus and similar spyware leave traces in predictable locations. These are derived from Amnesty International's MVT database and Citizen Lab research:
// macOS — Pegasus persistence via LaunchAgents
~/Library/LaunchAgents/com.apple.icloud.searchpartyd.plist
~/Library/LaunchAgents/com.apple.assistantd.plist
// Pegasus staging directories (from MVT forensic analysis)
/private/var/tmp/BridgeHead
/private/var/tmp/.spotlightextractor
/tmp/.reports
// iMessage exploit artifacts (FORCEDENTRY / FINDMYPWN)
~/Library/SMS/Attachments/.com.apple.sms.plist
// Windows — Candiru / DevilsTongue
C:\ProgramData\Microsoft\DeviceSync\
C:\Users\Public\Downloads\.cache\
The algorithm is simple but effective: for each known artifact path, check if the file or directory exists. If it does, emit a ThreatIndicator with the appropriate severity and spyware name.
Process Enumeration
Threat Shield enumerates running processes and checks against known spyware process names:
// Algorithm (pseudocode)
processes = exec("ps aux") // or tasklist on Windows
for each process in processes:
for each known_signature in SPYWARE_PROCESSES:
if process.name matches known_signature:
emit ThreatIndicator(
category: "known_spyware",
severity: known_signature.severity,
spywareName: known_signature.name
)
Debugger & Instrumentation Detection
Spyware often attaches debuggers or instrumentation frameworks (Frida, Xposed) to intercept function calls. Threat Shield checks for:
// Check for active debugger
if (process.env.ELECTRON_IS_DEBUGGER) → suspicious
// Check for Frida (dynamic instrumentation)
scan for "frida-server" in process list
scan for frida-agent.dylib in loaded libraries
// Check for root/jailbreak indicators
exists("/Applications/Cydia.app")
exists("/usr/sbin/sshd") on mobile
writable("/private/") → jailbreak indicator
3. Layer 2: Behavioral & Network Monitoring
Advanced spyware like Pegasus may not leave static file artifacts (especially zero-click exploits that operate entirely in memory). Layer 2 detects anomalous runtime behavior and network connections that indicate active surveillance. These checks run every 15 minutes in the background.
C2 Network Connection Monitoring
Spyware communicates with Command & Control (C2) servers to exfiltrate data. Threat Shield checks active network connections against known C2 infrastructure from public threat intelligence:
// Check active connections against known C2 IPs
connections = exec("netstat -an | grep ESTABLISHED")
for each prefix in KNOWN_C2_IP_PREFIXES:
if connections.includes(prefix):
emit ThreatIndicator(severity: "high")
// Also check against known C2 domains
host_connections = exec("lsof -i -nP | grep ESTABLISHED")
for each domain in KNOWN_C2_DOMAINS:
if host_connections matches domain pattern:
emit ThreatIndicator(severity: "high")
Sources: Amnesty International, Citizen Lab, and open threat intelligence feeds. Includes known NSO Group infrastructure, Cytrox/Intellexa domains, and documented Pegasus CDN fronts.
CPU Usage Anomaly Detection
Spyware performing data exfiltration, audio/video capture, or keylogging consumes measurable CPU. Threat Shield establishes a baseline and flags significant deviations between scan intervals:
// CPU delta detection between 15-minute scans
cpu_usage = process.cpuUsage()
total_cpu = (cpu_usage.user + cpu_usage.system) / 1e6 // seconds
if baseline exists:
delta = total_cpu - baseline
if delta > 60: // 60+ CPU-seconds between scans
emit ThreatIndicator(severity: "low")
baseline = total_cpu
This catches background exfiltration that Pegasus performs in bursts. A single CPU anomaly emits a low-severity indicator — it takes corroborating static evidence to escalate beyond SUSPICIOUS.
Suspicious Port Detection
Certain listening ports indicate active instrumentation or proxy interception:
// Ports checked
27042, 27043 // Frida default ports → critical
1080 // SOCKS proxy → medium
8080, 8888, 9090 // Common proxy/debug ports → low
Library Injection Detection
On macOS, spyware injects dynamic libraries into running processes. Threat Shield checks for known injection mechanisms and suspicious loaded libraries:
// macOS: Check for injected libraries
if DYLD_INSERT_LIBRARIES is set → critical
if LD_PRELOAD is set → critical
loaded_libs = exec("vmmap PID | grep .dylib")
suspicious_patterns = ["frida", "substrate", "cycript", "inject", "hook", "spy"]
for each lib in loaded_libs:
if lib matches any suspicious_pattern:
emit ThreatIndicator(severity: "high")
4. Threat Scoring
Individual indicators are aggregated into a composite threat level using severity classification. This prevents false positives from a single low-confidence indicator while ensuring high-severity findings trigger immediate action.
Severity Classification
| Severity | Example |
|---|---|
| Critical | Pegasus staging directory found, Frida ports open, DYLD injection |
| High | C2 IP/domain match, MitM proxy certificate, debugger attached |
| Medium | System proxy active, SOCKS port listening, excess certificates |
| Low | CPU usage anomaly, common proxy/debug port open |
Escalation Logic
// Threat Level determination
if any indicator.severity == "critical":
level = CONFIRMED
else if count(severity == "high") >= 2:
level = CONFIRMED
else if has_static_evidence AND (has_high OR medium_count >= 3):
level = PROBABLE
else if has_high OR medium_count >= 3:
level = SUSPICIOUS // capped without static corroboration
else if medium_count > 0 OR has_low:
level = SUSPICIOUS
else:
level = CLEAR
False Positive Mitigation
Correlation requirement: Behavioral indicators (Layer 2) alone cannot escalate beyond SUSPICIOUS. At least one static (Layer 1) indicator must be present to reach PROBABLE. This means a coincidental CPU spike or a developer running Charles Proxy will not lock you out of the app.
Critical severity bypass: Critical findings (Pegasus file artifacts, Frida injection, DYLD library hijacking) immediately escalate to CONFIRMED regardless of source, because these are unambiguous indicators of compromise.
5. Automated Response
When a threat is detected, RAILGUN takes automatic protective action scaled to the threat level:
Normal operation. No indicators found.
Warning banner shown. User is advised to investigate. App continues to function. Scheduled rescan in 5 minutes.
Reduced mode: message sending is paused. Key operations (export, re-register) are blocked. User is strongly advised to run a full device scan with external tools.
LOCKDOWN: RAILGUN enters a controlled emergency state. Message decryption is suspended and private keys are securely erased from this device. Your account, encrypted message history, and contacts are preserved server-side. Recovery on a clean device is straightforward — see the Recovery Flow section below.
6. Lockdown Recovery Flow
A CONFIRMED lockdown is a serious event — it means RAILGUN believes the device is compromised and has taken protective action. This is designed as a controlled emergency procedure, not a self-destruct. Here is exactly what happens and how you recover.
What Gets Wiped
• Private encryption keys for the current device are securely erased from local storage.
• Decrypted message cache in memory is purged immediately.
• Active session tokens are invalidated so the compromised device cannot impersonate you.
What Is NOT Lost
• Your account — username, identity, and contacts remain on the server.
• Encrypted message history — ciphertext stored server-side is untouched. Messages can be re-decrypted after key re-establishment on a clean device.
• Community memberships, roles, and permissions.
• Recovery codes — these are generated at registration and should be stored offline. They are your path back in.
How to Recover on a Clean Device
Secure a clean device. Factory reset the compromised device, or use a different device entirely. Consider professional forensic analysis of the compromised hardware.
Install RAILGUN on the clean device.
Log in with your recovery code. This re-authenticates your identity and initiates new key generation (X3DH key bundle) for the clean device.
New ratchet sessions are established automatically with your contacts. Forward secrecy means the old device's keys cannot decrypt future messages.
Rotate your recovery codes from the new device as a precaution.
Do You Need a Second Trusted Device?
No. Recovery codes are the single recovery mechanism and are designed to work from any new device. However, if you have RAILGUN active on a second device, it can serve as an additional verification channel to confirm your identity during re-setup.
7. Known Spyware Signatures
Threat Shield maintains an up-to-date database of indicators for these known surveillance tools:
| Spyware | Vendor | Detection Method |
|---|---|---|
| Pegasus | NSO Group (Israel) | File artifacts, LaunchAgent persistence, iMessage exploit traces, C2 domains |
| Predator | Cytrox / Intellexa | C2 domain patterns, Chrome exploit artifacts, process injection |
| FinSpy | FinFisher (Germany) | File artifacts, configuration files, known binary hashes |
| DevilsTongue | Candiru (Israel) | Windows registry keys, staging directories, browser exploit remnants |
| Stalkerware | Various commercial | Known package names (mSpy, FlexiSPY, Cocospy, etc.), accessibility abuse |
The indicator database is updated regularly from public sources including Amnesty International MVT, Citizen Lab, and MITRE ATT&CK.
8. Operational Status
Security credibility requires transparency. Here are the boring, operational details that let you verify Threat Shield is maintained and current.
| IOC Database Last Updated | 2026-03-01 |
| IOC Sources | Amnesty MVT, Citizen Lab, MITRE ATT&CK, open threat intel feeds |
| Static Checks | 8 checks (debugger, file artifacts, processes, certs, injection, env tampering, proxy, stalkerware) |
| Behavioral Checks | 3 checks (C2 network connections, CPU anomaly, suspicious ports) |
| Last Code Review | March 2026 (internal audit) |
Platform Coverage
| Platform | Static (L1) | Behavioral (L2) |
|---|---|---|
| macOS (arm64, x64) | Full (8 checks) | Full (3 checks) |
| Windows (x64) | Full | Full |
| Linux (x64) | Partial | Full |
“Partial” on Linux: library injection detection varies by distribution and sandboxing model. Process enumeration and CPU/memory anomaly detection are fully supported.
False Positive Policy
Some indicators — debuggers, custom certificates, proxies like Charles, enterprise MDM agents — are legitimate in developer and corporate environments. Threat Shield handles this in three ways:
• Correlation requirement: Behavioral indicators (Layer 2) alone cannot escalate beyond SUSPICIOUS. A false-positive CPU spike or developer proxy will not lock you out.
• User override: At SUSPICIOUS level, users can acknowledge and dismiss. The warning does not block app usage. Only PROBABLE and CONFIRMED restrict functionality, and those require corroborating static evidence.
• Critical bypass: Only unambiguous indicators (Pegasus artifacts, Frida injection, library hijacking) can directly reach CONFIRMED. These have near-zero false positive rates.
9. Privacy Guarantees
Threat Shield was designed with the same privacy-first principles as the rest of RAILGUN:
ALL detection runs locally on your device. No scan data is sent to any server.
No telemetry, analytics, or crash reports from Threat Shield. Ever.
The app does not upload file hashes, process lists, or network logs.
Threat reports are stored only in local memory and cleared on app restart.
Source code for all detection logic is open source and auditable on GitHub.
Audit the Detection Code
Threat Shield is open source. Review the detection algorithms, indicator databases, and scoring logic yourself.