For the last two months now, most of us have heard about an Israeli company called the NSO Group and a piece of spyware called Pegasus. The reports from The Washington Post, The Guardian, Le Monde and many other news outlets are based on a leak of thousands of phone numbers of several prominent individuals, including journalists, human rights activists, politicians, government officials and CEOs, who have been targeted by Pegasus. The malware is being described as responsible for the most sophisticated smartphone attack to date.
What is Pegasus, and how it gets onto a smartphone
Developed by the NSO Group, a private contractor, Pegasus is spyware that infects a target’s phone and sends back data, including messages, photos, as well as audio and video recordings. It essentially infiltrates smartphones, especially iOS and Android phones, and turns them into surveillance devices.
The Israeli company, however, markets it as a tool to track criminals and terrorists, and claims to sell it to governments only. According to the NSO Group, Pegasus provides “governments with a way to address the new communications interception challenges in today’s highly dynamic cyber battlefield. By capturing new types of information from mobile devices, Pegasus bridges a substantial technology gap to deliver the most accurate and complete intelligence for your security operations.”
Pegasus first attracted scrutiny in 2016, when it was used to infect smartphones through a technique called spearfishing, where emails or text messages containing a malicious link were sent to the target. The hack depended on the user clicking the link.
By 2019, the spyware could invade a device with just a missed call on WhatsApp and could even delete the record of this missed call, making it impossible for the phone’s owner to know they had been targeted.
The latest version of Pegasus does not even require the smartphone user to do anything — it works using the concept of “zero-click exploit.” All that is required for a successful attack and installation is having a particular vulnerable app or operating system installed on the device.
In order to gain entry, the spyware identifies zero-day vulnerabilities, which means flaws in the operating systems that have not been identified yet and, hence, have not been patched. Pegasus relies on flaws in the software and hardware system to gain access to a device, instead of exploiting human error.
Once installed, the spyware can access even password-protected devices; extract contacts, messages, emails, photos, files, locations, passwords, processes list and more; and transmit it back to the attacker. It can also activate the camera, microphone, GPS and other elements to collect real-time data.
Are there tools that can detect it?
Researchers at Amnesty International have developed a toolkit — the Mobile Verification Toolkit, or MVT — that they say can help users identify if their smartphones have been targeted by Pegasus.
The MVT works on both iPhones and Android devices. It can run under either Linux or macOS and can inspect the files and configuration of a smartphone by analyzing a backup taken from the phone. While the analysis can neither confirm nor refute whether a device has been compromised, it is capable of detecting indicators of compromise, which can provide evidence of infection.
A new antivirus called iVerify by Trail of Bits can tell users if their mobile device has been infected with Pegasus. Ryan Storz, lead developer of iVerify, recently tweeted, “Just released iVerify 20.0, which now tells you if it detects traces of Pegasus.”
The iVerify app looks for well-known signs of compromise, including jailbreaks, and provides users with real-time information about traces of Pegasus on their phones. The antivirus is available for Android users via Google Play and has also been approved by Apple.
Then there is the Telegram bot, which was developed by anonymous developers. The bot can check for any malicious links that are associated with the Pegasus spyware and alert users accordingly. While the bot does not rule out the presence of spyware, it can scan for any potential attack.
