Understanding the Pegasus project

David Strom 22 Jul 2021

Although the chances of being struck by Pegasus are low, there are still many reasons to practice safe computing on your phone

Earlier in July, a group of security researchers revealed that they had been working together to uncover a widespread surveillance of journalists, politicians, government officials, chief executives, and human rights activists. The tool of choice for these activities was the Israeli NSO Group’s Pegasus, a tool that can be deployed on Android and Apple smartphones with a great deal of stealth.

The researchers include three different groups:

  • The Forbidden Stories project, based in Paris. At this link, you can find the full list of the stories that have been published by more than a dozen media partners around the world, including English coverage by the Guardian, the Washington Post, and NPR’s Frontline documentary team. (You can use translation services for coverage published in other languages.)

  • Amnesty International’s Berlin-based Security Lab, which supports individuals who have been targeted by cyberattacks with its custom-made tools and training to identify compromised equipment. Their full forensic report on Pegasus can be found here. The lab also developed a detection tool that can verify whether Pegasus has been run on your own phone. This tool runs under either Linux or macOS and examines the files and configuration of your mobile device by analyzing a backup taken from the device.

  • This December 2020 report from The Citizen Lab is another useful resource. This is a Toronto-based research group that has deep knowledge of international spyware tactics and techniques and has published numerous reports over the years. At the time of publishing, the researchers had found 36 iPhones and attributed the attacks to groups in Saudi Arabia and the UAE. This report is also a good place to learn more about the political background of this region and the role played by NSO’s Pegasus spyware.

What is Pegasus and how does it work?

Jakub Vavra, a Mobile Threat Analyst at Avast, has taken a closer look at Pegasus. “Pegasus is a remote access tool (RAT) with spyware capabilities. Its Android variants are capable of extracting data from popular messengers such as WhatsApp, Facebook and Viber as well as email clients and browsers. The spyware is capable of remote surveillance through the phone’s microphone and camera as well as taking screenshots and keylogging the user's inputs. Since 2016, we have tracked and blocked several attempts by Pegasus spyware to breach Android phones, most of them in 2019.”

“Avast blocks Pegasus like any other spyware. Pegasus is used only on a few individuals, apparently, for surveillance purposes. The minimal spread of the spyware doesn’t make it less dangerous; for each individual being under surveillance, the scope of privacy damage is certainly very high. Pegasus can monitor a variety of popular messengers and email providers such as Facebook, WhatsApp, Gmail, Telegram and others.”

Pegasus gains access to your phone through a variety of mechanisms, including a zero-day vulnerability in Apple’s iMessage app. A victim receives a message with a malicious link, which leads to a page that exploits a vulnerability in the device’s built-in browser. Here’s a graphic of how it works:

Image credit: Prashant Mali on Twitter

It’s unlikely that the Pegasus spyware has been used to monitor anyone who isn’t publicly prominent or politically active. What’s interesting about the Pegasus reporting is that many of the targets show a tight correlation between the timestamps of when their mobile numbers were listed and when Pegasus entered their phones; in some cases the gap was as brief as a few seconds. To me, this is the smoking gun behind all the work done on the project. Someone was interested in these parties, someone who was a client of NSO and who could aim their tool at these individuals.

Who were the targets?

According to the Guardian, Pegasus targeted the mobile phone numbers of the French president, Emmanuel Macron, the South African president, Cyril Ramaphosa, and the Pakistani prime minister, Imran Khan, along with 11 other heads of state and a number of Mexican targets. This does not mean that these particular mobile numbers were selected for actual surveillance using Pegasus, but it is somewhat disturbing. Forensic examinations of a sample of 67 phones found that 34 iPhones and three Android phones contained traces of Pegasus infection or attempted infection. Out of this population, 23 Apple devices were successfully hacked, one of which was running the most current version of iOS.

As I mentioned earlier, politicians weren’t the only targets. Journalists in different countries were targeted, including relatives and associates of Jamal Khashoggi. 

How was Pegasus detected?

While the NSO Group was good at covering its tracks, it wasn’t perfect. As the Guardian’s research found, “On Android devices, the relative openness of the platform seems to have allowed the company to successfully erase all its traces, meaning that we have very little idea which of the Android users who were targeted by Pegasus were successfully affected. There is a file, DataUsage.sqlite, that records what software has run on an iPhone. It’s not accessible to the user of the device, but if you back up the iPhone to a computer and search through the backup, you can find the file. The records of Pegasus had been removed from that file, of course – but only once. What the NSO Group didn’t know, or perhaps didn’t spot, is that every time some software is run, it is listed twice in that file. And so by comparing the two lists and looking for inconsistencies, Amnesty’s researchers were able to spot when the infection landed.”
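The cross-check described in that quote, as an added example that is not code from the Guardian, Amnesty or Avast: a constructed in-memory SQLite database models a file in which every process run is recorded twice, and orphaned records reveal where one copy was wiped. The table and column names (`process`, `usage`, `process_pk`) are assumed simplified stand-ins, not the real DataUsage.sqlite schema, and the timestamps are constructed Unix-epoch values.

```python
import sqlite3
from typing import List, Optional, Tuple

# Assumed simplified schema standing in for DataUsage.sqlite: a process run is
# recorded once as a process record and once as a usage record pointing at it.
# Table and column names are illustrative, not Apple's.
SCHEMA = """
CREATE TABLE process (pk INTEGER PRIMARY KEY, name TEXT NOT NULL, first_seen REAL);
CREATE TABLE usage (pk INTEGER PRIMARY KEY, process_pk INTEGER NOT NULL,
                    ts REAL NOT NULL, bytes INTEGER);
"""
# Constructed sample rows (Unix epoch seconds). Usage rows 3 and 4 reference
# process pk 9, whose process record was deleted: the "listed twice, wiped once"
# inconsistency the quote above describes.
PROCESSES = [(1, "com.apple.mobilesafari", 1500000000.0),
             (2, "com.apple.MobileSMS", 1500000100.0)]
USAGE = [(1, 1, 1500000010.0, 1234), (2, 2, 1500000110.0, 400),
         (3, 9, 1626000000.0, 88000), (4, 9, 1626000045.0, 3000),
         (5, 1, 1626100000.0, 10)]


def build_sample_db() -> sqlite3.Connection:
    """In-memory database populated with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO process VALUES (?, ?, ?)", PROCESSES)
    conn.executemany("INSERT INTO usage VALUES (?, ?, ?, ?)", USAGE)
    conn.commit()
    return conn


def find_orphan_usage(conn: sqlite3.Connection) -> List[Tuple[int, int, float]]:
    """Usage records whose process record no longer exists: (pk, process_pk, ts)."""
    return conn.execute(
        "SELECT u.pk, u.process_pk, u.ts FROM usage u "
        "LEFT JOIN process p ON p.pk = u.process_pk "
        "WHERE p.pk IS NULL ORDER BY u.ts"
    ).fetchall()


def infection_window(conn: sqlite3.Connection) -> Optional[Tuple[float, float]]:
    """Earliest and latest timestamp among orphaned records, or None if consistent."""
    orphans = find_orphan_usage(conn)
    if not orphans:
        return None
    stamps = [row[2] for row in orphans]
    return (min(stamps), max(stamps))


if __name__ == "__main__":
    db = build_sample_db()
    for pk, proc, ts in find_orphan_usage(db):
        print(f"orphaned usage record {pk}: process {proc} missing, ts={ts}")
    print("suspected window:", infection_window(db))
```

Against a real backup you would point `sqlite3.connect` at a read-only copy of the extracted file instead of building the sample; the join logic is the same.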

What can you do to protect your phone?

Again, I want to emphasize that the chances of being struck by Pegasus are lower than those of being hit by lightning. But you should still practice safe computing on your phone, including doing the following:

  • Only open links from known and trusted contacts and sources when using your device. This is especially relevant if you receive links as text messages.
  • Make sure your device is updated with any relevant patches and upgrades.
  • Limit physical access to your phone by enabling a PIN code as well as fingerprint or face unlock on your device.
  • Use a VPN and a mobile anti-malware tool, such as Avast SecureLine VPN (available for Android and iOS).

Further reading

You can find links to all of the Guardian’s posts here, and the Washington Post series can be found here. Frontline will have a full documentary later this year. All of the media partners continue to report on different aspects of Pegasus, so it’s worth going back to check on their websites regularly.
