Technical analysis: https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegas...
CitizenLab analysis of the nation-state side of things: https://citizenlab.org/2016/08/million-dollar-dissident-ipho...
Apple update: https://support.apple.com/en-us/HT207107
If Apple, Google, MS and the Linux distributions did the following:
* Create sha1 and sha256 checksums of every system and app file and store them in a secure database somewhere.
* Check and audit the system files from time to time and notify the user when changes happen.
Would it prevent these types of attack, or at least notify the user that system security has been compromised?
You need to run 'tripwire --update' every time you run 'apt-get update' or 'pip install foo' or 'npm install bah' or whatever - then you won't get that storm of false positives.
I've been in the previous boat: of having it running on a system I've inherited, and given up because it seemed too much hassle.
Those three timely notifications of real breaches have made 20+ years worth of occasional false positives 100% worth it.
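As an added example (not code from any commenter or from tripwire itself), here is a minimal file-integrity baseline and audit in Python that covers both ideas above: hashing every file into a baseline "database" and comparing against it later, plus the re-baseline step that has to follow every trusted update so that legitimate package installs do not show up as alerts. The directory layout, file contents and function names (`build_baseline`, `audit`, `baseline_digest`, `demo`) are constructed for this demo.

```python
"""File-integrity baseline and audit, in the spirit of tripwire (added example).

Workflow it models:
  baseline = build_baseline(root)      # once, on a known-clean system
  digest   = baseline_digest(baseline) # record this somewhere the host cannot rewrite
  report   = audit(root, baseline)     # periodically; any added/removed/modified file is an alert
  baseline = build_baseline(root)      # re-baseline immediately after a *trusted* update
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each regular file under root (relative path) to its hash, size and mode."""
    rootp = Path(root)
    baseline = {}
    for p in sorted(rootp.rglob("*")):
        # Symlinks are skipped; their targets are hashed under their own path.
        if p.is_symlink() or not p.is_file():
            continue
        st = p.lstat()
        baseline[str(p.relative_to(rootp))] = {
            "sha256": sha256_file(p),
            "size": st.st_size,
            "mode": oct(st.st_mode & 0o7777),  # permission bits matter too (e.g. a new setuid bit)
        }
    return baseline


def baseline_digest(baseline: dict) -> str:
    """Hash of the canonical JSON form of the baseline; store this off-host so that
    an attacker who can edit the baseline file cannot silently re-sign their changes."""
    canonical = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def audit(root: str, baseline: dict) -> dict:
    """Compare the live tree against the baseline and report every difference."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(current) & set(baseline) if current[p] != baseline[p])
    return {
        "added": added,
        "removed": removed,
        "modified": modified,
        "clean": not (added or removed or modified),
    }


def demo() -> dict:
    """Constructed scenario in a temp directory: clean audit, tampered audit,
    then a trusted update followed by a re-baseline (the 'tripwire --update' step)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"constructed stand-in for /bin/ls")
        (root / "bin" / "sudo").write_bytes(b"constructed stand-in for /bin/sudo")
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")

        baseline = build_baseline(tmp)
        digest_before = baseline_digest(baseline)
        clean = audit(tmp, baseline)

        # Simulate a compromise: one file altered, one added, one deleted.
        (root / "bin" / "sudo").write_bytes(b"constructed altered content")
        (root / "bin" / "unexpected").write_bytes(b"constructed new file")
        (root / "etc" / "hosts").unlink()
        tampered = audit(tmp, baseline)

        # A trusted package update writes a new file; without a re-baseline it
        # would be reported forever, which is the false-positive storm described above.
        (root / "bin" / "newtool").write_bytes(b"constructed file from a trusted update")
        stale_report = audit(tmp, baseline)
        rebased = build_baseline(tmp)
        after_update = audit(tmp, rebased)
        digest_after = baseline_digest(rebased)

    return {
        "clean": clean,
        "tampered": tampered,
        "stale": stale_report,
        "after_update": after_update,
        "digest_changed": digest_before != digest_after,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The audit compares hashes, not timestamps, so a file rewritten with identical size and mtime is still caught; the weak point of any such scheme is the baseline itself, which is why the digest is meant to be kept somewhere the monitored host cannot write.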
Realistically, this is also something virtualization can help guard against. If your OS is initialized from a known good version external to the VM, every time the VM starts, you greatly increase the difficulty for an attacker to get persistent root.
Also, putting code signing in the processor wouldn't fix the problem: code signing already happens at higher levels (i.e. higher than userland), so moving the verification a level up would likely take the exploitable bugs with it. The problem remains.