Military-grade spyware Pegasus, used to infiltrate the smartphones of at least 40 journalists in India, has been around since at least 2016 and is one of the most sophisticated hacking tools capable of extracting information from mobile devices.
Built by Israeli firm NSO Group, also known as Q Cyber Technologies, the spyware can be used to record calls, copy and send messages or even film people via phone cameras. The spyware can and has been used to target both Apple iOS and Android devices.
Early versions of using Pegasus required targets to click on malicious links sent to lure them, causing the software to be quietly installed on their smartphones and enabling the monitoring of their private data, including passwords, calls, texts and emails.
The spyware has the potential to turn smartphones into 24-hour surveillance devices. This is helped in part by the ability of the spyware to evade most forensic analysis, avoid detection by antivirus software and be deactivated or removed by its operators inconspicuously.
Once installed, experts say, Pegasus links devices to what are known as Command and Control Servers (C2s) that are computers or domains used to send and receive commands and data to those devices.
Pegasus is designed to use minimal bandwidth consumption, to evade suspicion, by sending regular, scheduled updates to C2s.
The C2s domains can therefore be used to confirm a Pegasus hack, by correlating the likely timeline of when a device may have been infected with the time stamps for different data on linked C2 servers.
For instance, one such forensic method used by Amnesty International is based on “temporal correlation” between the first appearance of data in logs and phones’ communication with known Pegasus installation servers.
2. Pegasus, once installed on our phones, is used to extract all communications (iMessage, WhatsApp, Gmail, Viber, Facebook, Skype) and locations. Remember that content on your phone itself is not secure.
— Nikhil Pahwa (@nixxin) July 18, 2021
Experts, including those from The Citizen Lab, an interdisciplinary laboratory based in the University of Toronto, point to concerns over current versions of Pegasus that are more advanced.
The spyware now uses what are known as “zero-click” exploits or attacks, that do not require potential victims to click on any secretive and exploitative links to activate it.
These “zero-click” attacks are used by exploiting “zero-day” vulnerabilities or bugs in the operating systems of devices that have not been fixed yet.
In December last year, researchers, including Bill Marczak from the lab, noted in a report that government operatives used this advanced version of the spyware to hack into 36 personal phones of journalists, producers, anchors, and executives at news network Al Jazeera.
They pointed out one such “zero-click” exploit on the iMessage app that was used against iOS 13.5.1 to hack Apple’s then-latest iPhone 11.
Marczac noted in a tweet on Sunday that the latest iPhones may be vulnerable to such zero-click attacks as well, adding that there could be a “MAJOR blinking red five-alarm-fire problem with iMessage security.”
(1) @AmnestyTech saw an iOS 14.6 device hacked with a zero-click iMessage exploit to install Pegasus. We at @citizenlab also saw 14.6 device hacked with a zero-click iMessage exploit to install Pegasus. All this indicates that NSO Group can break into the latest iPhones.
— Bill Marczak (@billmarczak) July 18, 2021
To identify Apple devices exploited by Pegasus, Amnesty International analysed records of process executions and their respective network usage in “DataUsage.sqlite” and “netusage.sqlite”, two database files stored in iOS devices.
While the former can be found on the iTunes app backup folder, the latter cannot, according to the organisation.
Amnesty International’s forensic analysis found the devices that communicated with Pegasus C2 domains contained records of a suspicious process linked to browser exploitation that “prepares for its infection with the full Pegasus suite”.
Amnesty has named 45 such suspicious processes in their draft report, with 28 of those being common with another draft report independently published by The Citizen Lab.
Hackers can even go to several lengths to socially engineer targets and subsequently install vulnerabilities in their devices.
In one such incident, the wife of a murdered Mexican journalist was sent alarming text messages about her husband’s murder to trick her into clicking on a link and infect her phone with Pegasus.
Another version of the spyware targeted 1,400 phones via a software vulnerability that was exploited through a missed voice call on WhatsApp.
The Facebook-owned social media company said it identified and fixed the bug soon after.
Experts warn that not all vectors and methods used to infect devices with the spyware are publicly known, fueling concerns of an increasing cyber arms race.
“We believe that remedying this problem will not be easy or simple. It will require a coalition of stakeholders, including governments, the private sector, and civil society to reign in what is now a ‘wild west’ of unmitigated abuse,” the report by The Citizen Lab noted.
Experts have warned that the NSO Group – who sells Pegasus only to governments – and other companies are equipping authoritarian governments with powerful tools holding politicians and administrators accountable.
“Not acting urgently on this critical public emergency threatens liberal democracy and human rights worldwide,” they noted.