Malware misinformation
Documenting misinformation in the infosecurity space, focusing particularly on malware analysis and forensics.
Created by @maldr0id
Claim ID: 00005
The following claim is often repeated in spyware misinformation campaigns:
automated detection tools are useless, because they can be fooled
The claim is considered: 
FALSE
Why is it false?
It is obvious that an automated detection tool can be reverse engineered and forced to produce result that the reverse engineers wants. This is a straightforward result of the reverse engineering process. However, the tools used to provide automatic detection should not be used to definitevly confirm the infection. For example Mobile Verification Toolkit (MVT) contains a following note1:
Public indicators of compromise are insufficient to determine that a device is “clean”, and not targeted with a particular spyware tool. Reliance on public indicators alone can miss recent forensic traces and give a false sense of security.
Reliable and comprehensive digital forensic support and triage requires access to non-public indicators, research and threat intelligence.
Such support is available to civil society through Amnesty International’s Security Lab or through our forensic partnership with Access Now’s Digital Security Helpline.
This adequately explains the purpose of automated detection tools. They are meant to provide the first screening of a device, not the final verdict. As such they should cast a wide net and depend on later confirmation of the verdict done by a forensic investigator.
Statement sources
The websites below repeat the claim. This is not a full list of websites.
- José Javier Olivas Osuna, The Pegasus spyware scandal: A critical review of Citizen Lab’s “CatalanGate” report - link
- Jonathan Scott, NSO THROUGH THE VEIL - link
Campaigns
The misinfomartion campaigns below have used this claim.
- Pegasus misinformation campaign.