What is Pegasus spyware and how does it infiltrate mobile devices?
NSO Group software is capable of secretly recording your calls, copying your messages, and filming you.
It is the moniker given to what is arguably the most powerful piece of spyware ever created – at least by a private company. Once it has wormed its way onto your phone, it can transform it into a 24-hour surveillance device without your knowledge. It is capable of copying messages sent or received, harvesting your photos, and recording your phone calls. It may secretly record you via the camera on your phone or activate the microphone to record your conversations. It may be used to determine your location, where you've been, and who you've met.
Pegasus is the hacking software – or spyware – that the Israeli company NSO Group develops, markets, and licenses to governments worldwide. It is capable of infecting billions of mobile devices running the iOS or Android operating systems.
Pegasus's first version, discovered in 2016, infected phones via spear-phishing – text messages or emails that trick a target into clicking on a malicious link.
However, NSO's attack capabilities have advanced since then. Pegasus infections are possible via so-called "zero-click" attacks, which do not require any interaction from the phone's owner. These frequently exploit "zero-day" vulnerabilities, which are flaws or bugs in an operating system that the manufacturer of the mobile phone is unaware of and thus unable to patch.
WhatsApp disclosed in 2019 that NSO's software had been used to send malware to over 1,400 phones via a zero-day vulnerability. Simply by initiating a WhatsApp call to a target device, malicious Pegasus code can be installed on the device, even if the target does not answer. NSO has recently begun exploiting flaws in Apple's iMessage software, granting it backdoor access to hundreds of millions of iPhones. Apple maintains that its software is constantly updated to ward off such attacks.
Claudio Guarnieri, who runs Amnesty International's Berlin-based Security Lab, conducted research to improve our technical understanding of Pegasus and how to locate the evidential breadcrumbs it leaves on a phone following a successful infection.
“Things are becoming significantly more complicated for targets to detect,” Guarnieri explained, noting that NSO clients had largely abandoned suspicious SMS messages in favor of more subtle zero-click attacks.
For companies such as NSO, exploiting software that is either pre-installed on devices, such as iMessage, or is extremely popular, such as WhatsApp, is particularly appealing, as it significantly increases the number of mobile phones Pegasus can successfully attack.
As a technical partner of the Pegasus project, an international consortium of media organizations including the Guardian, Amnesty's lab discovered traces of successful Pegasus attacks on iPhones running current versions of Apple's iOS. The attacks occurred as recently as July 2021.
Forensic analysis of victims' phones also revealed evidence that NSO's constant search for vulnerabilities may have expanded to other popular apps. In several of the cases examined by Guarnieri and his team, unusual network traffic associated with Apple's Photos and Music apps can be seen during the infection period, implying that NSO has begun exploiting new vulnerabilities.
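As an added illustration of the forensic check described above (not code from the article, Amnesty or NSO), the script below scans constructed per-process network-usage records for built-in apps such as Photos and Music whose outbound volume during a suspected infection window dwarfs their usual baseline; the record format, process names and thresholds are assumptions.

```python
from datetime import datetime, timezone
from statistics import median

# Constructed sample of per-process outbound network usage as
# (ISO-8601 timestamp, process name, bytes sent). The format is
# hypothetical: not a real iOS artifact and not Amnesty's data.
SAMPLE_RECORDS = [
    ("2021-07-01T09:00:00Z", "Safari",   850_000),
    ("2021-07-01T09:10:00Z", "Photos",     2_000),   # small routine sync
    ("2021-07-02T20:00:00Z", "Music",    300_000),   # ordinary streaming
    ("2021-07-03T20:30:00Z", "Music",    280_000),
    ("2021-07-12T03:14:00Z", "Photos", 4_500_000),   # large upload at 3am
    ("2021-07-12T03:15:00Z", "Music",  3_900_000),   # far above baseline
    ("2021-07-12T03:16:00Z", "Safari",   900_000),
    ("2021-07-20T21:00:00Z", "Music",    310_000),
]

# Built-in apps the text names as showing unusual traffic (assumed names).
WATCHED = frozenset({"Photos", "Music"})


def parse_ts(ts):
    """Parse a UTC ISO-8601 timestamp string into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_anomalies(records, window_start, window_end, watched=WATCHED,
                   factor=5, min_bytes=1_000_000):
    """Return (timestamp, process, bytes, baseline) for watched apps whose
    outbound volume inside the window is at least `min_bytes` and at least
    `factor` times the app's median volume outside the window."""
    start, end = parse_ts(window_start), parse_ts(window_end)
    inside, outside = [], {}
    for ts, proc, sent in records:
        if start <= parse_ts(ts) <= end:
            inside.append((ts, proc, sent))
        else:
            outside.setdefault(proc, []).append(sent)
    flagged = []
    for ts, proc, sent in inside:
        if proc not in watched:
            continue
        baseline = median(outside.get(proc, [0]))   # 0 if never seen outside
        if sent >= min_bytes and sent >= factor * baseline:
            flagged.append((ts, proc, sent, baseline))
    return flagged
```

A real investigation would replace the constructed records with per-process usage data exported from the device and compare against several weeks of baseline.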
Where neither spear-phishing nor zero-click attacks succeed, Pegasus can be installed via a nearby wireless transceiver or, according to an NSO brochure, manually if an agent can steal the target's phone.
Pegasus, once installed on a phone, is capable of harvesting virtually any information or extracting any file. SMS messages, address books, call logs, calendars, emails, and web browsing histories can all be accessed.
“When an iPhone is compromised, the attacker obtains so-called root privileges, or administrative privileges, on the device,” Guarnieri explained. “Pegasus is capable of exceeding the capabilities of the device's owner.”
NSO's attorneys contended that Amnesty International's technical report was speculative, referring to it as "a compilation of speculative and baseless assumptions." They did not, however, dispute any of the study's specific findings or conclusions.
NSO has expended considerable effort to make its software difficult to detect, and Pegasus infections have become extremely difficult to identify. Security researchers suspect that more recent versions of Pegasus reside exclusively in the phone's temporary memory, rather than on the hard drive, which means that once the phone is powered down, virtually all traces of the software vanish.
One of the most serious difficulties that Pegasus poses for journalists and human rights defenders is that the software exploits previously unknown vulnerabilities, which means that even the most security-conscious mobile phone user cannot prevent an attack.
“This is a question that I am asked almost every time we perform forensics on someone: ‘How can I prevent this from happening again?’” Guarnieri explained. “The genuine, truthful response is nothing.”