Although the chances of being struck by Pegasus are low, there's still many reasons to practice safe computing on your phone
Earlier in July, a group of security researchers revealed that they had been working together to uncover a widespread surveillance of journalists, politicians, government officials, chief executives, and human rights activists. The tool of choice for these activities was the Israeli NSO Group’s Pegasus, a tool that can be deployed on Android and Apple smartphones with a great deal of stealth.
The researchers include three different groups:
Jakub Vavra, a Mobile Threat Analyst at Avast, has taken a closer look at Pegasus. “Pegasus is a remote access tool (RAT) with spyware capabilities. Its Android variants are capable of extracting data from popular messengers such as WhatsApp, Facebook and Viber as well as email clients and browsers. The spyware is capable of remote surveillance through the phone’s microphone and camera as well as taking screenshots and keylogging the user's inputs. Since 2016, we have tracked and blocked several attempts by Pegasus spyware to breach Android phones, most of them in 2019.”
“Avast blocks Pegasus like any other spyware. Pegasus is used only on a few individuals, apparently, for surveillance purposes. The minimal spread of the spyware doesn’t make it less dangerous, for each individual being under surveillance the scope of privacy damage is certainly very high. Pegasus can monitor a variety of popular messengers and email providers such as Facebook, WhatsApp, Gmail, Telegram and others.”
Pegasus gains access to your phone through a variety of mechanisms, including a zero-day vulnerability in Apple’s iMessage app. A victim receives a message with a malicious link, which leads to a page that exploits a vulnerability in the device’s built-in browser. Here’s a graphic of how it works:
Image credit: Prashant Mali on Twitter
It’s unlikely that the Pegasus spyware has been used to monitor anyone who isn’t publicly prominent or politically active. What’s interesting about the Pegasus reporting is that many of the targets show a tight correlation between timestamps associated with when their mobile numbers were listed and when Pegasus entered their phones — in some cases, these were as brief as a few seconds. To me, this is the smoking gun behind all the work done on the project. Someone was interested in these parties, someone who was a client of NSO and who could target their tool to these individuals.
According to the Guardian, Pegasus targeted the mobile phone numbers of the French president, Emmanuel Macron, the South African president, Cyril Ramaphosa, and the Pakistani prime minister, Imran Khan, along with 11 other heads of state and a number of Mexican targets. This does not mean that particular mobile numbers were selected for actual surveillance using Pegasus, but it is somewhat disturbing. Forensic examinations of a sample of 67 phones found 34 iPhones and three Android phones had contained traces of Pegasus infection or attempted infection. Out of this population, 23 Apple devices were successfully hacked, one of which was running the most current version of iOS.
As I mentioned earlier, politicians weren’t the only targets. Journalists in different countries were targeted, including relatives and associates of Jamal Khashoggi.
While the NSO Group was good at covering its tracks, it wasn’t perfect. As the Guardian’s research found, “On Android devices, the relative openness of the platform seems to have allowed the company to successfully erase all its traces, meaning that we have very little idea which of the Android users who were targeted by Pegasus were successfully affected. There is a file, DataUsage.sqlite, that records what software has run on an iPhone. It’s not accessible to the user of the device, but if you back up the iPhone to a computer and search through the backup, you can find the file. The records of Pegasus had been removed from that file, of course – but only once. What the NSO Group didn’t know, or perhaps didn’t spot, is that every time some software is run, it is listed twice in that file. And so by comparing the two lists and looking for inconsistencies, Amnesty’s researchers were able to spot when the infection landed.”
Again, I want to emphasize that the chances of being struck by Pegasus are less than you being hit by lightning. But you should still practice safe computing on your phone, including doing the following:
You can find links to all of the Guardian’s posts here, and the Washington Post series can be found here. Frontline will have a full documentary later this year. All of the media partners continue to report on different aspects of Pegasus, so it’s worth going back to check on their websites regularly.
The promise of a free movie download led thousands of people into unintended malware.
Avast recently discovered a series of malicious browser extensions on the Chrome Web Store that are spreading adware and hijacked search results.