Pegasus Spyware: a primer

Jose Samuel
3 min read · Sep 19, 2021


Pegasus is a powerful hacking tool sold to governments around the world by NSO Group, an Israeli surveillance company whose bread and butter is developing spyware. It has been used to spy on journalists, business people, human rights activists, politicians and others. As the name suggests, Pegasus 'flies' through the air into the target's phone. It can infect both iOS and Android devices.

Diagram from purported NSO Group Pegasus documentation showing the range of information gathered from a device infected with Pegasus. Source: Hacking Team Emails. https://wikileaks.org/hackingteam/emails/emailid/5391

What makes Pegasus so sophisticated is that it can infect devices through network injection or "zero-click" attacks, meaning the user does not have to click a link, open a message or interact with anything for the spyware to be installed.

Pegasus takes advantage of zero-day vulnerabilities — newly discovered flaws in an OS or device that have yet to be fixed.

In the over-the-air (OTA) option, a 'push message' (the kind of message an already-installed app receives) is sent covertly to the target device, and the device loads the spyware without the user doing anything or knowing they are being spied on. The attacker needs only the target's telephone number; the rest of the process is automatic.

Pegasus harvests data from the following apps (the list is from Lookout's analysis of the Android variant, cited below):
• WhatsApp
• Skype
• Facebook
• Viber
• Kakao
• Twitter
• Gmail
• Android’s Native Browser or Chrome
• Android’s Native Email
• Calendar

Once it is on the phone, Pegasus gives the attacker access to texts, phone conversations, contacts and emails; it uses GPS to track location, exfiltrates private data such as passwords and calendar events, reads end-to-end encrypted messages (they are decrypted on the device, so an implant on the device sees the plaintext), and can switch on the camera and microphone. Pegasus lives on the infected device itself: if you switch to a new phone, the spyware does not transfer to the new device on its own.

Credit: Prashant Mali

What you can do to protect yourself:
• Keep your device updated, both OS and security updates.
• Install security software.
• Avoid giving anyone physical access to your phone.
• Avoid public and free Wi-Fi.
• Encrypt your device and enable remote wipe.
• Don't fall for phishing.
These are good hygiene, but bear in mind that the zero-click vectors described above do not depend on the user doing anything, so applying updates promptly is the step that matters most.

Along with its report, Amnesty International also provides a toolkit that users can run to check their own device for traces of Pegasus.

Known as the Mobile Verification Toolkit (MVT, https://github.com/mvt-project/mvt), it scans a backup of your device for indicators of compromise. It works on both iPhones and Android phones, but its results are more reliable on iPhones. It is a command-line tool, so installing and running it requires some technical skill.
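What such a scan amounts to in practice, as an added example that is neither the article's nor MVT's own code: MVT pulls artefacts such as the SMS database out of an iTunes or Finder backup and compares every URL and domain it finds against a published indicator list. The script below does the same thing on a constructed in-memory copy of the iOS `message` table and a constructed indicator list; the domains, message texts and function names are hypothetical placeholders, not real Pegasus indicators.

```python
"""Added example, not the article's and not MVT's own code: a minimal
indicator-of-compromise scan over an iOS-style SMS database.

The `message` table, its rows and the indicator domains are all constructed
for this example (the .test TLD is reserved, so nothing here is a real
indicator). Function names are hypothetical.
"""
import re
import sqlite3
from urllib.parse import urlsplit

# Constructed indicator list: hypothetical domains, not real Pegasus infrastructure.
IOC_DOMAINS = {"cdn-updates.test", "news-portal.test"}

# Constructed rows shaped like a subset of the columns of iOS sms.db's `message`
# table: (ROWID, text, is_from_me).
SAMPLE_MESSAGES = [
    (1, "Your parcel is delayed, see https://track.cdn-updates.test/p?id=93", 0),
    (2, "Hi, lunch tomorrow?", 1),
    (3, "Breaking: http://news-portal.test/story/4412", 0),
    (4, "Check https://www.example.com/safe", 0),
    (5, "Look at https://cdn-updates.test.evil-lookalike.test/x now", 0),
]

# Matches http(s) URLs; trailing punctuation is trimmed afterwards.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def load_backup_messages(rows):
    """Build an in-memory SQLite DB mirroring the columns a scanner reads from sms.db."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text TEXT, is_from_me INTEGER)"
    )
    db.executemany("INSERT INTO message VALUES (?, ?, ?)", rows)
    return db


def extract_hosts(text):
    """Return the lower-cased hostnames of every URL found in a message body."""
    hosts = []
    for raw in URL_RE.findall(text):
        raw = raw.rstrip(".,;:!?)")  # punctuation glued to the end of a link
        host = urlsplit(raw).hostname  # hostname is already lower-cased
        if host:
            hosts.append(host)
    return hosts


def matches_ioc(host, iocs):
    """True if host equals an indicator domain or is a subdomain of one.

    A lookalike that merely starts with the indicator string
    (e.g. cdn-updates.test.evil-lookalike.test) is not a match.
    """
    return any(host == ioc or host.endswith("." + ioc) for ioc in iocs)


def scan_sms(db, iocs):
    """Walk the message table and report every row whose links hit the indicator list."""
    findings = []
    query = "SELECT ROWID, text, is_from_me FROM message ORDER BY ROWID"
    for rowid, text, is_from_me in db.execute(query):
        for host in extract_hosts(text or ""):
            if matches_ioc(host, iocs):
                findings.append({"rowid": rowid, "host": host, "incoming": is_from_me == 0})
    return findings


if __name__ == "__main__":
    for f in scan_sms(load_backup_messages(SAMPLE_MESSAGES), IOC_DOMAINS):
        direction = "incoming" if f["incoming"] else "outgoing"
        print(f"sms ROWID {f['rowid']} ({direction}): {f['host']} matches indicator list")
```

Run as-is it reports rows 1 and 3 only. The match rule deliberately counts a host as a hit only when it equals an indicator or is a subdomain of one, so the lookalike in row 5, which merely begins with the indicator string, is not reported. MVT's real indicator files cover more than URLs (process names, e-mail addresses and file names among them), and it reads the database out of the backup rather than from memory, but the comparison is the same idea.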

References:

Lookout Security Intelligence
https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf
Tracking NSO Group’s Pegasus Spyware to Operations in 45 Countries
https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/


Jose Samuel has over 25 years of experience in IT infrastructure, IT audit, Information Security, Cyber Security, governance, compliance and technology risk