Nowadays, almost everyone carries a phone as their main means of communication and stores all their personal data on it, which makes smartphones a prime target for hacking. Most people use smartphones not only for communication but also for sharing information and storing important documents, photographs and other data. Therefore, private and large companies create their own hacking programs, such as the Pegasus software.
Pegasus is a hacking program, or spyware, which is developed, sold and licensed to governments around the world by the Israeli company NSO Group. It is capable of infecting billions of phones running iOS or Android operating systems [Kirchgaessner, 2021].
Pegasus is capable of bypassing smartphone security and installing spyware that provides full access to the mobile device. The program can access every message sent or received by the smartphone. Not only can the software access every photo, video or email, but it can also turn the device's microphones and cameras on and off even when no one is using it. It can also easily access GPS and track the location of your device without you knowing [Amnesty.org, 2021].
Pegasus is probably the most advanced spyware developed so far. It can certainly be regarded as one of the most invasive forms of surveillance imaginable. Mobile users naturally hope that their personal data, and every aspect of their life, stays private on the device. Most people mistakenly think that messengers are protected from outside attacks and strangers because they use, for example, WhatsApp, which is believed to have secure encryption. In fact, it is pointless to feel safe about your data, because Pegasus can still be on your phone and track all your actions. So far, the only Pegasus spyware detection tool is the Mobile Verification Toolkit from Amnesty International [Github.com, 2021].
This spyware uses various methods to compromise a device, for example sending a link that is then opened on the victim's device, or setting up a prepared wireless network and getting the device to connect to it. Pegasus can infect both iOS and Android while remaining virtually invisible. Another method Pegasus uses to attack smartphones is the exploitation of so-called zero-day vulnerabilities. These are vulnerabilities the device manufacturer is not yet aware of, and exploiting them requires no action from the user, such as being tricked into installing an app and granting it permissions. Yet another way of attacking devices consists in calling and sending text messages. Typically, these calls were made on a Monday or Tuesday, and the call was canceled when the victim attempted to answer. However, even this call was enough for the malware to be installed on the phone. Similarly, the virus can be sent via text message, and when the user opens the message, the spyware is downloaded to the device [Dwoskin et al., 2021].
Pegasus is the main product of the NSO Group, an Israeli surveillance company. Its customers might therefore be government clients from around the world, or large corporations and organizations to which the NSO Group sold a copy of Pegasus [Timberg et al., 2021].
The first Pegasus attacks were recorded back in 2014. The earliest known fully working version of Pegasus, discovered in 2016, infected phones using so-called spear phishing: text messages or emails that trick the target into clicking a malicious link. Zero-day exploitation has been recorded since May 2018 [Johnson, 2021].
In 2019, WhatsApp showed that Pegasus had used WhatsApp to deliver its malicious code to more than 1,400 phones, exploiting a zero-day vulnerability in the phone software. A WhatsApp call to the victim's phone was enough for Pegasus to be installed on that device. The call did not even need to be answered; a missed call was enough to gain access to the information stored on the device. Nor is it necessary for the target to actually use this particular messenger. Pegasus compromises the messenger and creates a backdoor, a loophole in the code of a legitimate program that allows unauthorized actions on the device and secretly lets the attacker into the system with administrator rights [Pegg, 2021]. Pegasus also has a self-destruct function, which is activated in order to delete all evidence of the spyware's presence on the device. The program completely wipes all traces of itself, leaving almost no chance of detection [Cloudsek.com, 2021].
As soon as manufacturers of phones and other mobile devices learned about the Pegasus software, Samsung and Apple, the maker of the iPhone, released updates for their devices. However, recent studies have shown that even the latest updates, released in July 2021, failed to protect users' devices. For example, the latest iPhone, famous for its strong device protection and proprietary software, has already been hacked. The NSO Group and its product Pegasus found alternative ways to bypass the new protections. By exploiting applications such as Apple Photos or Apple Music, Pegasus obtains so-called root rights on the targeted device. This gives Pegasus full control over the device, allowing it to change system files and folders that users did not even know existed on their devices. The latest versions of the program do not even leave traces in the phone's memory [Avery, 2021].
The NSO Group, the creator of the Pegasus spyware, claims that the program was created to support counter-terrorism activities. It says it sold licenses only to government intelligence agencies and law enforcement agencies, for the sole purpose of preventing and investigating terrorist acts and serious crimes. It also states that, if necessary, it can control all copies of the program and disable them [Williams, 2021].
As for the activities related to this spyware, the company states that around 100 phone numbers are entered into its system per year. However, the number might be significantly higher, because an unknown amount of data was stolen from the company's servers in Cyprus in June 2021. Moreover, the list of users of the spyware is speculated to include people and entities beyond the government agencies mentioned above. The potential area of use spans countries all around the world, including Azerbaijan, Kazakhstan, Kyrgyzstan, Tajikistan, Turkey, Uzbekistan and others. It is therefore not clear who is using the program, or whether they are using it for legal purposes, since the potential targets speculated to have been tracked with Pegasus include many government officials, journalists, businessmen, politicians and activists [Rferl.org, 2021].
To sum up, the creation of spyware products like Pegasus raises the debate of security concerns versus human rights violations, because under the current circumstances the use of spyware already appears to go beyond its stated purposes. Therefore, in cases like these, strict use of such technologies needs to be guaranteed under both domestic and international law, in order to prevent commercial motives and the individual use of these programs for personal gain.
References:
Amnesty International (2021). Forensic Methodology Report: How to catch NSO Group’s Pegasus. Retrieved from https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/. Accessed on 18.07.2021.
Avery, Dan (2021). Israeli spyware launched ‘zero-click’ attacks on iPhones: Pegasus gained control of devices without the owner having to do anything and turned phones into 24-hour surveillance devices. Retrieved from https://www.dailymail.co.uk/sciencetech/article-9802839/iPhones-belonging-journalists-hacked-proving-Apples-security-no-match-NSO-spyware.html. Accessed on 19.07.2021.
CloudSEK Threat Intelligence (2021). Everything You Need to Know about the Pegasus Spyware. Retrieved from https://cloudsek.com/everything-you-need-to-know-about-the-pegasus-spyware/. Accessed on 18.07.2021.
Dwoskin, Elizabeth and Rubin, Shira (2021). Somebody has to do the dirty work: NSO founders defend the spyware they built. Retrieved from https://www.washingtonpost.com/world/2021/07/21/shalev-hulio-nso-surveillance/. Accessed on 21.07.2021.
Github (2021). Mobile verification toolkit. Retrieved from https://github.com/mvt-project/mvt. Accessed on 16.07.2021.
Johnson, Derek (2021). The threat of Pegasus-style spyware could creep toward the business community. Retrieved from https://www.scmagazine.com/analysis/cyberespionage/the-threat-of-pegasus-style-spyware-could-creep-toward-the-business-community. Accessed on 21.07.2021.
Kirchgaessner, Stephanie; Lewis, Paul; Pegg, David; Cutler, Sam; Lakhani, Nina and Safi, Michael (2021). Revealed: Leak uncovers global abuse of cyber-surveillance weapon. Retrieved from https://www.theguardian.com/world/2021/jul/18/revealed-leak-uncovers-global-abuse-of-cyber-surveillance-weapon-nso-group-pegasus. Accessed on 18.07.2021.
Pegg, David and Cutler, Sam (2021). What is Pegasus spyware and how does it hack phones? Retrieved from https://www.theguardian.com/news/2021/jul/18/what-is-pegasus-spyware-and-how-does-it-hack-phones. Accessed on 21.07.2021.
Radio Free Europe/Radio Liberty (2021). Kazakh, Pakistani, French leaders on list of possible targets for Israeli spyware. Retrieved from https://www.rferl.org/a/france-probe-pegasus-spywear/31368284.html. Accessed on 20.07.2021.
Timberg, Craig; Birnbaum, Michael; Harwell, Drew and Sabbagh, Dan (2021). On the list: Ten prime ministers, three presidents and a king. Retrieved from https://www.washingtonpost.com/world/2021/07/20/heads-of-state-pegasus-spyware/. Accessed on 20.07.2021.
Williams, Dan (2021). Israel appoints task force to assess NSO spyware allegations – sources. Retrieved from https://www.reuters.com/technology/israels-national-security-council-looking-into-nso-spyware-allegations-2021-07-21/. Accessed on 21.07.2021.
Note: The views expressed in this blog are the author’s own and do not necessarily reflect the Institute’s editorial policy.