NSO Group’s Pegasus spyware is making headlines again after it was reportedly used by various governments around the world to spy on the smartphones of activists, politicians, journalists and others.
They are spying on us
A list of possible surveillance targets, including more than 50,000 phone numbers, was leaked and obtained by various media outlets over the weekend, rekindling concerns about surveillance by world governments.
So what exactly is Pegasus? And who could be a potential target of an attack? How can you tell if your iPhone has already been a victim of spyware? We have collected everything you need to know about this spyware.
What is Pegasus?
Pegasus is a sophisticated spyware developed by the Israeli company NSO Group, also known as Q Cyber Technologies. It was first discovered on iOS in 2016 when Arab human rights defender Ahmed Mansoor received a text message promising “secrets” about the prisons in the UAE.
However, cybersecurity firm Lookout, the first to investigate the spyware, believes that Pegasus has been around for much longer. “We believe that this spyware has been in the wild for a significant amount of time based on some of the indicators within the code,” the Lookout report said at the time.
A kernel mapping table discovered in the spyware included values dating back to iOS 7, which Apple released in late 2013. And several reports, including one from The New York Times, claim that leaked emails confirm that the UAE has been using Pegasus since 2013.
Apple, of course, has rolled out iOS updates that fix vulnerabilities exploited by various versions of Pegasus since then. However, it appears that NSO Group continues to find new routes into Apple’s firmware. And it does so, it says, to help governments investigate crime and fight terrorism.
But that’s not strictly the way this software has been used so far. In its 2016 report, Lookout called Pegasus the “most sophisticated attack we’ve seen at any endpoint”. Lookout also said that the spyware was being used for “attacking high-value targets for multiple purposes, including high-level corporate espionage.”
How is Pegasus distributed?
What makes this program particularly special, and unlike most spyware that we normally see on iPhones and other smartphones, is that it uses a “zero click” attack. That means it doesn’t require the smartphone user to install a malicious app or click on a malicious link. It doesn’t actually require any user intervention.
Instead, Pegasus can be injected through the smartphone network, either through the use of a mobile phone tower or with access to a real network infrastructure. NSO Group demonstrated this in November 2019 when it showcased a portable base transceiver station (a rogue cell tower) at the Milipol trade show in Paris.
Placed in the back of a van, the BTS posed as a legitimate cell tower, forcing phones within a certain radius to automatically connect. Once the connection was made, cell tower traffic could be intercepted and manipulated, allowing Pegasus to inject itself into those devices.
iPhones have also fallen victim through iMessage and Apple’s push notification service protocol. The spyware can disguise itself as another app, one you’ve already installed, and then be transmitted as a notification through Apple’s servers.
Therefore, it is incredibly difficult to avoid being infected by Pegasus spyware. There is little you can do, other than prevent your device from connecting to cell phone towers, to avoid potential interception. And once the software reaches your device, it can cause serious problems.
What can Pegasus do?
This malicious software can send all kinds of confidential data to an attacker’s servers. This includes contacts, text messages, calendar events, and passwords. It can even intercept live voice calls, including those protected by end-to-end encryption, allowing an attacker to hear everything you say.
Pegasus also allows an attacker to take control of a smartphone’s camera and microphone. Plus, it can use a smartphone’s GPS to track a target, all without the knowledge of the owner. It is designed to evade detection by antivirus software, and the attacker can remove Pegasus remotely if necessary.
Who is at risk?
As explained in the Lookout report, the attacks appear to be primarily aimed at “high value targets” such as activists, CEOs, journalists, lawyers and politicians. The attacks are said to be distributed by governments that pay for the spyware, and not by NSO Group itself.
As of the end of 2019, it was reported that at least 121 people in India, including more than 40 journalists, had been hit by a Pegasus attack. Indian Technology Minister Ravi Shankar Prasad said that approximately 1,400 people around the world had been targeted at the same time.
Although it is possible for the average user to be the victim of an attack, it is considered highly unlikely.
On the subject, Apple’s head of security, Ivan Krstić, told The Washington Post this week of attacks like these: “They are not a threat to the vast majority of our users.”
How can you protect yourself from Pegasus?
Despite being incredibly sophisticated, and in most cases only requiring a phone number to access a target’s device, the software is not 100% effective. In certain scenarios it fails. That means you can take steps to help avoid falling prey to a spy attack.
The simplest step you can take is to make sure you keep your iPhone up to date. Apple is constantly working to patch any vulnerabilities used by Pegasus and other threats. That means that a simple software update could be enough to prevent an attack. Another thing you can do is avoid using Apple’s Safari browser on the iPhone.
According to a Pegasus brochure from NSO Group, “Installation from browsers other than the device’s default (and also Chrome for Android-based devices) is not supported by the system”. When Pegasus is faced with a third-party browser, the installation is interrupted and a harmless web page is displayed.
How to know if your iPhone is infected
Detecting a Pegasus infection used to be nearly impossible. Most of the victims never knew they were a target, or that their device was infected. But now you can use a tool, developed by Amnesty International researchers, that can detect traces of a possible infection.
Mobile Verification Toolkit (MVT) works on iPhone and Android devices, but it requires a Mac or Linux computer to run. It supports a number of commands that allow you to decrypt an iTunes backup and extract artifacts. You can then compare them for signs of an attack.
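The comparison step described above, reduced to its core as an added example (this is not MVT's code and not part of the original article): extracted records are checked against a list of indicators, matching domains on label boundaries so that look-alike hostnames are not flagged. The record fields, indicator values and function names are all constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed placeholder indicators, not real Pegasus indicators.
INDICATOR_DOMAINS = {"indicator-one.example", "cdn.indicator-two.example"}
INDICATOR_PROCESSES = {"placeholder_proc"}

# Constructed records standing in for artifacts extracted from a backup.
# The field names are hypothetical and are not MVT's output format.
SAMPLE_ARTIFACTS = [
    {"source": "browser_history", "url": "https://news.example.org/story"},
    {"source": "browser_history", "url": "https://a1.Indicator-One.example:30827/x?id=1"},
    {"source": "browser_history", "url": "https://notindicator-one.example/"},
    {"source": "process_log", "process": "placeholder_proc"},
    {"source": "process_log", "process": "placeholder_proc_helper"},
]


def host_of(url):
    """Return the lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def domain_matches(host, indicators):
    """Return the indicator equal to the host or to one of its parent domains.

    Comparison is done on whole DNS labels, so 'notindicator-one.example'
    does not match 'indicator-one.example' the way a substring test would.
    """
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


def find_matches(artifacts, domains=INDICATOR_DOMAINS, processes=INDICATOR_PROCESSES):
    """Return (record index, indicator type, matched indicator) for each hit."""
    hits = []
    for idx, rec in enumerate(artifacts):
        if "url" in rec:
            matched = domain_matches(host_of(rec["url"]), domains)
            if matched:
                hits.append((idx, "domain", matched))
        if rec.get("process") in processes:
            hits.append((idx, "process", rec["process"]))
    return hits


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_ARTIFACTS):
        print(hit)
```

A match only marks a record for closer review; an empty result does not show that a device is clean, since it reflects only the indicators that were supplied.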