Pegasus spyware: All you need to know

Last Updated 02 November 2019, 06:51 IST

WhatsApp has released a shocking statement admitting that a cyberattack exploited their software's vulnerabilities and infected about 1,400 devices across 20 countries spanning four continents. The attack targeted activists, lawyers and journalists, of which 20 were Indians. The attack was allegedly carried out using the Israel-based NSO Group's spyware, Pegasus, which allowed the surveillance to be conducted on individuals via their smartphones. Those responsible for the surveillance are still unknown, but the NSO Group has denied the allegations, insisting that their customers are licensed government intelligence and law enforcement agencies who get assistance in fighting terrorism and other crimes.

Among the Indians targeted was Nihal Singh Rathod, a human rights lawyer who represents the accused in the Bhima Koregaon case. Rathod was contacted on Oct. 14 by the Citizen Lab of the University of Toronto and was informed that his phone, among others, had been compromised by the spyware known as Pegasus.

Initial outbreak

Pegasus made headlines in 2016 when it was revealed that an attempt to infect the device of UAE human rights activist Ahmed Mansoor had failed. He received text messages on his iPhone promising 'new secrets' about tortured prisoners in the country if he opened a link in the SMS. Instead of following the instructions, Mansoor forwarded the messages to researchers at Citizen Lab, who traced the links back to infrastructure belonging to the NSO Group. Further testing revealed that the link delivered the Pegasus spyware, which could exploit vulnerabilities in an iPhone and infect it, giving near-unlimited access to the data on the device.

Citizen Lab then collaborated with the cybersecurity firm Lookout Security to investigate the spyware's reach. The final report identified 45 countries with possible Pegasus infections and 33 operators handling surveillance of the affected targets. One such operator, dubbed 'Ganges', was responsible for surveillance in India, Bangladesh, Brazil, Hong Kong and Pakistan. Eight telecom operators in India, including Bharti Airtel Ltd and Hathway Cable & Datacom Ltd, were believed to have been targeted by Pegasus. Citizen Lab took note of the domain names used by Ganges, as they could indicate possible political motivations behind the surveillance.

Carriers and vulnerabilities

Hacking Team, an Italian firm that sells targeted malware to governments and other clients, relies on malicious apps, user installations or physical access to the device itself for successful operations. NSO's Pegasus, however, can compromise a device remotely with little to no user interaction, mostly via zero-day vulnerabilities. Zero-day vulnerabilities are flaws in software that its developers do not yet know about and have therefore not patched, leaving it open to exploitation. The NSO Group's documentation on Pegasus describes two vectors (carriers) that the spyware uses to install itself on a device. The first is a one-click vector.

The one-click vector is what was used in Mansoor's case, and involves the well-known technique of phishing. In phishing, the attacker, disguised as a seemingly trustworthy source, sends the target an email or text message (SMS) containing a link which, if opened, can give the attacker a foothold on the device. The link sent by the Pegasus vector opens a malicious website called an Anonymizer, which communicates with the operator's server. The server examines the target device to determine whether Pegasus has an exploit for that particular model and, if so, attempts the installation via the Anonymizer. If it fails, the web page that was opened is redirected to a real, legitimate site to avoid raising suspicion. The attack happens in the background, with nothing to alert the user or device administrators to the infection.

The zero-click vector is far more insidious, as it does not require the target user to click or open a link. Until the WhatsApp case, no example of this had been seen in real-world usage. Zero-click vectors generally work via push messages that automatically load links contained in the SMS. Since many recent phones can disable or block push messages, a workaround has evidently been developed.

WhatsApp, in its official statement, revealed that a vulnerability in its voice call function was exploited, allowing "remote code execution via specially crafted series of packets sent to a target phone number." In other words, phones were infected via an incoming call which, even if it was never answered, would install Pegasus on the device. The data packets carrying the spyware code arrived over the internet connection, and a small backdoor for its installation was opened the moment the phone rang. The call was then deleted from the call log, removing any visible trace of the infection. The only way you will know whether your phone was infected in the recent attacks is if WhatsApp notifies you via a message on the platform. Lookout Personal, an iOS app from Lookout Security, could be used to detect the presence of the spyware on iPhones back in 2016 and may still prove useful.

Pegasus and Chrysaor

While the main variant of Pegasus targets iPhones, a secondary variant that Google dubbed Chrysaor is designed specifically to infect Android devices. At the beginning of October, Google's researchers found a vulnerability in the Android OS that gave attackers complete access to at least 18 smartphone models, including Pixel, Xiaomi, Huawei, Motorola, Oppo and Samsung devices. A security patch was released, but the damage was already done. Google researcher Maddie Stone said she had received information that the bug was allegedly being exploited and sold by the NSO Group.

Both variants use the same vectors and deliver the same results, but differ in how they are initially installed. On the iPhone, once the malicious website has been opened, an exploit chain targeting zero-day vulnerabilities is delivered to the phone. In 2016 the chain targeted three vulnerabilities, which is why it was called 'Trident'. If successful, Trident defeats the iPhone's security by silently jailbreaking it, and installs Pegasus without requesting permissions or alerting the user. The three specific vulnerabilities were later fixed by Apple in a security patch, but there may be more. iPhones are well known for strong security, and this attack was the first of its kind, according to experts.

Android devices can be infected by Chrysaor even without a zero-day vulnerability, using a rooting technique called Framaroot. Rooting grants administrator-level permissions, giving the spyware a higher degree of control over the phone's OS than the user has.

The infection

Once a phone is infected, almost all of the user's data is immediately compromised. Pegasus can silently switch on the microphone and cameras to record conversations and the surroundings. The live GPS location is tracked at all times, and the spyware uses keystroke logging to capture any text message or email typed after the infection. Calls are recorded, and personal data such as passwords, contacts and, in some cases, biometric information is collected. The Financial Times reported that the latest variant of Pegasus can access data from cloud-based accounts and can even bypass two-factor authentication, making the compromised smartphone a digital spy, perhaps the most effective one yet.

The chances of a phone recovering from a Pegasus infection are bleak, with most options leading to a total loss of the data on the phone. Pegasus has a 'self-destruct' mechanism that erases itself and wipes the phone if triggered. Backing up the device can trigger it, and even if it doesn't, the backup will contain the spyware, resulting in another infected device. Wiping or factory resetting the device might also trigger it, which may leave the phone usable but leaves the user with no idea what data has already been compromised. Citizen Lab has reason to believe that on some devices even a factory reset may not remove the infection. Pegasus also self-destructs automatically if it has not received any communication from the operator's server in 60 days.

Prevention better than cure

While a Pegasus infection cannot be removed without data loss, a user can take certain measures to prevent, or at least reduce the impact of, an infection by malware or spyware. Here's a list:

  • Never open links or download or open files sent from an unknown source
  • Switch off push SMS messages in your device settings
  • If you own an iPhone, do not jailbreak it yourself to get around restrictions
  • Always install software updates and patches on time
  • Turn off Wi-Fi, Bluetooth and location services when not in use
  • Encrypt any sensitive data located on your phone
  • Periodically back up your files to physical storage
  • Do not blindly approve app permission requests

If your phone has been infected, Citizen Lab has advised users to delink their cloud accounts, replace their device, change all their passwords and enhance online security on the new device.


(Published 01 November 2019, 13:31 IST)
