From iPhones to Android devices, and from a single click to no clicks at all, the spyware Pegasus is reported to have figured out how to infiltrate any phone, anywhere, by any means. Once it does so, anything done on the target phone is visible to those controlling the spyware, who can also effectively take control of the device and activate its various features to aid surveillance. As details emerge of the people who were targeted with the spyware, here is what you need to know about Pegasus and how it works.
What Is Pegasus?
According to The Washington Post, one of the 17 news organisations that worked on the ‘Pegasus Project’ (coordinated by the Paris-based nonprofit Forbidden Stories, with the human rights group Amnesty International also taking part), Pegasus is the flagship spyware of the Israel-based NSO Group. The company describes itself as “the world leader in precision cyber intelligence solutions for the sole use of vetted-and-approved, state-administered intelligence and law enforcement agencies”.
It is reported that the company has “60 government customers in 40 countries” and offices in Bulgaria and Cyprus, and that it is “majority-owned by Novalpina Capital, a London-based private-equity firm”.
How Does It Work?
While the Pegasus Project has come up with a list of 50,000 devices that were infiltrated by the spyware across the world, including about 300 in India, knowledge of its existence goes back at least five years. The earliest version of Pegasus came to light in 2016 and employed a tactic known as ‘spear phishing’ to get into phones. That technique involved the operator of the spyware sending a text message or email to the target device. Once the recipient clicked a link contained in the email or message, the spyware, or malware, would download onto the device and begin transmitting information to the attacker.
However, Pegasus in 2021 is a far more evolved version of its 2016 incarnation and can now execute what is known as a ‘zero-click’ attack, meaning it can infiltrate a phone with practically no action from the target. For instance, WhatsApp revealed in 2019 that the Pegasus spyware could find a gateway into a device simply through a WhatsApp call placed to it, even if the user of the device did not answer the call. For this, the makers of the spyware had used what is known as a ‘zero-day’ vulnerability to break into the device. A ‘zero-day’ vulnerability is any flaw or loophole in an operating system that its maker is not aware of and, hence, has not fixed.
The Guardian, another publication that was part of the Pegasus Project, says that “more recently NSO has begun exploiting vulnerabilities in Apple’s iMessage software, giving it backdoor access to hundreds of millions of iPhones”. While WhatsApp has sued NSO in the US for hacking into the service, The Guardian reports that Apple “says it is continually updating its software to prevent such attacks”.
The Guardian also adds that apart from spear-phishing and zero-day attacks, Pegasus “can also be installed over a wireless transceiver located near a target”. And then there is the good old strategy — as advertised in an NSO brochure — of installing the spyware manually on a phone if the attacker can get hold of it.
What Can It Do?
Once it gets into a phone, there is little that cannot be done using Pegasus. The attacker can see SMSes, emails, photos and videos, and access contact lists and call records. It can also track GPS data to show where the target has been moving. But that is not all. Reports say that Pegasus can also be used to activate the microphone and the camera, thus turning the device into an active surveillance tool.
The Guardian quotes Claudio Guarnieri, who heads Amnesty International’s Berlin-based Security Lab, as saying that “(w)hen an iPhone is compromised, it’s done in such a way that allows the attacker to obtain so-called root privileges, or administrative privileges, on the device”. This means that, in effect, “Pegasus can do more than what the owner of the device can do”.
What Software Does It Target?
The makers of spyware or malware typically target software or programs that either come pre-installed on devices or are widely used because, as The Guardian says, “it dramatically increases the number” of devices that can be attacked, instead of devising piecemeal infiltration techniques.
What the creators of spyware are looking for are weaknesses and vulnerabilities in software that they can exploit without attracting any attention. The Guardian adds that Guarnieri and his team have found that “peculiar network traffic relating to Apple’s Photos and Music apps can be seen at the times of the infections, suggesting NSO may have begun leveraging new vulnerabilities”.
But Aren’t WhatsApp Chats Encrypted?
They are, but encryption is not designed to blunt the action of spyware like Pegasus. What WhatsApp has is end-to-end encryption, which means that after a message is typed out and sent, and before it is read on the receiver’s phone, it is scrambled in such a way that anybody who intercepts the data in transit cannot read it. As The Post says, such encryption is useful against “man-in-the-middle” attacks, but not “against ‘endpoint’ attacks, which target either end of the communication”.
The Pegasus spyware can read a WhatsApp message because it has access to the software on the target’s device that decrypts the message and renders it readable for the target; the spyware simply reads the same plaintext the user sees.
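The distinction the article draws between an interceptor on the wire and a compromised endpoint can be made concrete in a few lines. The following Python script is an added illustration, not code from the article, from WhatsApp, or from NSO: it uses a toy keystream cipher built from HMAC-SHA256 (standing in for a real messaging protocol, purely so it runs with the standard library) and a constructed message exchange between two hypothetical endpoints, “alice” and “bob”. The interceptor captures every byte on the link but cannot recover the text; code running on bob’s device reads the decrypted text straight from what the device rendered.

```python
"""Why end-to-end encryption defeats a man-in-the-middle but not an endpoint compromise.

Added example for illustration only. The cipher here is a toy (HMAC-SHA256 in
counter mode, XORed with the message); it is not WhatsApp's protocol and must
not be reused as a real cipher.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` pseudorandom bytes from key and nonce (toy counter-mode PRF)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext; XOR with the keystream, so decryption is symmetric."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class Endpoint:
    """A phone holding the session key. `screen` is the decrypted text shown to the
    user; anything running with the user's (or root's) privileges can read it too."""

    def __init__(self, name: str, session_key: bytes):
        self.name = name
        self.key = session_key
        self.screen = []  # plaintexts rendered on this device

    def send(self, text: str) -> bytes:
        return encrypt(self.key, text.encode())

    def receive(self, blob: bytes) -> str:
        text = decrypt(self.key, blob).decode()
        self.screen.append(text)
        return text


class NetworkInterceptor:
    """Man-in-the-middle: sees every byte on the wire but never the session key."""

    def __init__(self):
        self.captured = []

    def observe(self, blob: bytes) -> bytes:
        self.captured.append(blob)
        return blob


def run_exchange(message: str = "meet at 9, bring the documents") -> dict:
    """Constructed scenario (hypothetical parties): alice messages bob over a
    monitored link while bob's device is compromised. Returns what each party sees."""
    session_key = secrets.token_bytes(32)  # agreed out of band in this toy
    alice = Endpoint("alice", session_key)
    bob = Endpoint("bob", session_key)
    mitm = NetworkInterceptor()

    wire = mitm.observe(alice.send(message))
    bob.receive(wire)

    # The interceptor only has the bytes on the wire; trying a key it guessed
    # yields garbage, because the keystream depends on the real session key.
    guess = decrypt(secrets.token_bytes(32), mitm.captured[0])

    return {
        "plaintext": message,
        "mitm_sees_plaintext_on_wire": message.encode() in mitm.captured[0],
        "mitm_recovers_plaintext": guess == message.encode(),
        # An endpoint compromise reads what the device itself decrypted.
        "endpoint_compromise_sees": list(bob.screen),
    }


if __name__ == "__main__":
    for k, v in run_exchange().items():
        print(f"{k}: {v!r}")
```

The point of the script is the last two dictionary entries: the on-wire encryption is doing its job against the interceptor, and the endpoint still hands over the plaintext, because decryption has to happen somewhere the user can read the result. That is exactly the position Pegasus occupies once it has root on the device.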
How Can Pegasus Be Detected?
Experts say that Pegasus is practically impossible to detect. That is understandable for any spyware, since it must be able to dodge the sometimes advanced protections that modern electronic devices come with and leave no trace of infiltration. The Guardian says experts think that “more recent versions of Pegasus only ever inhabit the phone’s temporary memory, rather than its hard drive, meaning that once the phone is powered down virtually all trace of the software vanishes”.
It quoted Guarnieri as saying that when people ask him what they can do to beat Pegasus, he tells them that “the real honest answer is nothing”.