In the past couple of months, a large number of news stories have emerged about an Israeli technology firm called NSO Group and their flagship product – Pegasus.
Some of these stories have shocked the masses with reports of people close to Saudi journalist Jamal Khashoggi being targeted with Pegasus software before and after his murder.
This also includes allegations that fully updated smartphones can be hacked with a single text message which according to Amnesty International’s press release “when surreptitiously installed on victims’ phones, allows an attacker complete access to the device’s messages, emails, media, microphone, camera, calls, and contacts.”
What is Pegasus?
Pegasus is a hacking software or spyware developed by an Israeli company called NSO Group. Claims state that the software can’t be traced back to the government using it, which is a crucial feature for clandestine operations.
The program infects a target’s phone and goes unnoticed while doing so. Once inside, it can copy and send back data, including photos, messages, and audio/video recordings. The spyware might furthermore record your calls, or activate the microphone or camera on your device to capture live recordings of the target.
Pegasus can even potentially pinpoint your location, where you’ve been, and who you’ve met – turning your phone into a 24-hour surveillance device. The software is marketed and licensed to governments all around the world and has the capability to infect billions of phones running on both iOS or Android operating systems.
NSO Group makes products that aid public surveillance, describing the role of its products on their website as those that are helping “government intelligence and law-enforcement agencies use technology to meet the challenges of encryption” during terrorism and criminal investigations.
According to The Verge, the company told The Washington Post that they work only with government agencies. They said that they will not hesitate to cut off an agency’s access to Pegasus if evidence of abuse is found.
In their transparency report released at the end of June, the NSO Group claimed they have done this before, however, a statement by Amnesty International raised concerns that the company is providing the spyware to oppressive governments, wherein government agencies cannot be trusted to do right by their citizens or treat them fairly.
Image via Unsplash
How does Pegasus infect A target’s Phone?
It is not complicated how the spyware infects the phones of its victims as the earliest version of Pegasus discovered attacked phones through what is called ‘spear-phishing’. This version was captured by researchers in 2016, deducing that malicious links were dispersed via text messages and emails, with the intent of enciticng targets to click on further, allowing their device to be compromised.
Since then, there has been an advancement in NSO’s attacks as they can be achieved through so-called “zero-click” attacks, that do not require any interaction from the owner of the phone to succeed. These attacks are carried out by often exploiting “zero-day” vulnerabilities.
Zero-day vulnerabilities are flaws or bugs in an operating system that the manufacturer of the mobile phone does not yet know about and therefore has not been able to fix. In 2019, WhatsApp revealed that Pegasus used this technique to send malware to more than 1,400 phones merely by placing a WhatsApp call to a target device. The software’s malicious code could be installed on the phone, even if the target never answered the call.
You May Also Like: Hong Kong: One Year After China Passed The National Security Law
What about Apple’s Security?
Recently NSO has begun exploiting vulnerabilities (as mentioned earlier) in Apple’s iMessage software too. This gives the spyware backdoor access to hundreds of millions of iPhones. Apple says it is continually updating its software to prevent such attacks.
Technical Understanding of Pegasus
Due to the research conducted by Claudio Guarnieri, there has been an improvement in the technical understanding of Pegasus, and how to find the tiniest bit of evidence it leaves on a phone after a successful infection.
“Things are becoming a lot more complicated for the targets to notice,” said Guarnieri, who runs Amnesty International’s Berlin-based Security Lab. Claudio explained that NSO clients had largely abandoned suspicious SMS messages for more subtle zero-click attacks.
Software installed on devices by default or the ones that are widely used is especially attractive to companies like NSO. These include software such as WhatsApp or iMessage as they would skyrocket the number of mobile phones Pegasus can successfully attack.
Amnesty’s lab has discovered traces of successful attacks by Pegasus customers on iPhones running up-to-date versions of Apple’s iOS that were carried out as recently as July 2021.
In some cases analyzed by Guarnieri and his team, peculiar network traffic can be seen at the times of the infections. This suggests the company may have begun leveraging new vulnerabilities as the network traffic is related to Apple’s Photos and Music apps.
Pegasus is not only dependent on spear-phishing nor zero-click vulnerabilities to succeed but it can also be installed over a wireless transceiver located near a target. As mentioned in The Guardian, according to an NSO brochure, the software can be simply manually installed if an agent can steal the target’s phone.
What can Pegasus do?
Once Pegasus infiltrates a phone, it can harvest any information or extract any file that includes SMS messages, address books, call history, calendars, emails, and internet browsing histories. “Pegasus can do more than what the owner of the device can do,” said Guarnieri.
A woman checks the website of Israel-made Pegasus spyware at an office in the Cypriot capital Nicosia on July 21, 2021 [Mario Goldman/AFP]
Who does Pegasus monitor?
The spyware presents a challenge to journalists working on sensitive stories, human rights defenders, a world leader, or someone in a position that could threaten governmental powers, etc. as the software exploits undiscovered vulnerabilities, meaning even the most security-conscious mobile phone user cannot prevent an attack.
It is a matter of great concern considering the fact that these types of attacks are possible and that they may fall into the wrong hands looking to target a much broader range of people.
How can you check if your phone is compromised and what can you do to prevent it?
“This is a question that gets asked to me pretty much every time we do forensics with somebody: ‘What can I do to stop this happening again?’” said Guarnieri. “The real honest answer is nothing.”
An easy way to determine whether your device has been compromised is to use a tool released by Amnesty International that can neither confirm nor disprove that a device has been compromised but detects “indicators of compromise” which can provide evidence of infection. It examines the files and configuration of your mobile device by analyzing a backup taken from the phone.
Although most people are unlikely to be targeted by the attack of Pegasus, you can still take simple steps to minimize your potential exposure by only opening links from known and trusted contacts and sources when using your device and ensuring that your mobile phone is updated with any relevant patches and upgrades. These steps will not only help prevent your devices from Pegasus but from other malicious attacks too.