A significant journalistic investigation has discovered evidence of dangerous software being deployed by governments all across the world, including suspicions of eavesdropping on public figures.
Journalists identified over 1,000 persons in 50 countries who were allegedly under surveillance using the Pegasus spyware from a list of over 50,000 phone numbers. NSO Group, an Israeli business, developed the software and sold it to government clients.
Journalists, politicians, government officials, CEOs, and human rights advocates have all been reported as targets of the spyware.
So far, reports suggest a surveillance operation akin to an Orwellian nightmare, in which the spyware can record keystrokes, intercept communications, track the device, and spy on the user via the camera and microphone.
How was it done?
The way the Pegasus spyware infects victims’ phones is not very complicated. The initial hack involves sending a specially crafted SMS or iMessage with a link to a website. If the link is clicked, it delivers malicious software that compromises the device.
The goal is to gain complete control of the operating system of the mobile device, either by rooting (on Android devices) or jailbreaking (on Apple iOS devices).
Rooting an Android smartphone is typically done by the user to install apps and games from non-supported app stores, or to re-enable a feature that the manufacturer has removed.
On Apple devices, a jailbreak can be used to install apps that aren’t available on the App Store or to unlock the phone so it can be used on different cellular networks. Many jailbreak methods require connecting the phone to a computer every time it is turned on (known as a “tethered jailbreak”).
Rooting and jailbreaking both get rid of the security features built into Android and iOS. They usually consist of a combination of configuration changes and a “hack” of basic operating system features to run customised code.
Once a device has been unlocked, the attacker can install further software to gain remote access to the device’s data and functionality. The user is likely to remain completely unaware of this.
Most media reporting on Pegasus concerns the compromise of Apple devices. The spyware infects Android devices as well, but it isn’t as effective because it relies on an unreliable rooting approach. When the initial infection attempt fails, the spyware is said to prompt the user to grant the relevant permissions so that it can be deployed effectively.
Apple devices are often thought to be more secure than their Android counterparts, but no device is completely secure.
Apple has tight control over the code of its operating system as well as the programmes available in its app store. This results in a closed system known as “security by obscurity.” Apple also has complete control over when updates are released and how quickly users accept them.
Apple devices are automatically patched to the latest iOS version on a regular basis. This improves security, but it also increases the value of finding a workable compromise of the latest iOS version.
Android smartphones, on the other hand, are built on open-source principles, allowing hardware makers to customise the operating system to add new features or improve performance. We often encounter a significant number of Android devices running various versions, resulting in some devices that are unpatched and vulnerable (which is advantageous for cybercriminals).
In the end, both platforms are vulnerable to hacking. Convenience and motivation are the most important aspects. While developing an iOS malware tool takes more time, effort, and money, having a large number of devices running the same environment increases the chances of success on a large scale.
While many Android devices are likely to be hacked, the variety of hardware and software makes it more difficult to spread a single harmful programme to a large number of people.
Are only iPhones vulnerable?
No. The focus of much of the coverage is on iPhones, but that’s only because they’ve proven to be easier to examine for evidence of a Pegasus infection than Android phones. According to an NSO informational paper, Pegasus can infect both. Apple and Google have also issued statements in response to the incident, with Apple condemning attacks on journalists and activists and Google warning users about attempted infiltrations, including those backed by governments.
I think I’ve heard of Pegasus before?
For years, the spyware has been in the headlines, frequently in conjunction with occurrences identical to the current one. According to claims from 2017, the spyware was used in attacks against Mexican journalists and activists. In 2019, WhatsApp filed a lawsuit against NSO Group, saying that the software developer was involved in the hacking of over 1,400 devices by exploiting a vulnerability in WhatsApp’s technology. Microsoft, Google, Cisco, and other IT giants have expressed support for WhatsApp’s legal action. (According to Politico, the case was still proceeding as of April 2021.)
In 2020, it was reported that the FBI was looking into NSO in relation to the 2018 hack of Jeff Bezos’ telephone.
Who’s behind the targeting of activists and journalists?
We don’t know yet, but it’s not likely to be a single government department or country. The Washington Post cites a list of ten nations from which many of the phone numbers on the list appear to originate, claiming that those countries have previously been linked to NSO. However, because many of the list’s basic facts are still debated, there isn’t enough information to draw firm judgments.
How much does it cost to spy on a phone?
According to The New York Times, NSO Group charged $500,000 to set up a client’s Pegasus system, and then charged an additional fee to actually penetrate people’s phones. The cost of hacking 10 iPhone or Android users was reportedly $650,000 at the time, or $500,000 for infiltrating five BlackBerry users. Clients could then pay more to target more users while saving money thanks to bulk discounts: $800,000 for an extra 100 phones, $500,000 for an extra 50 phones, and so on.
What does NSO say about the reports?
Shalev Hulio, the CEO and co-founder of NSO Group, refuted the charges in an interview with Calcalist, claiming that the list of numbers had nothing to do with Pegasus or NSO. He claimed that a list of Pegasus targets (which NSO does not store since it has “no visibility” into what investigations its clients are conducting) would be substantially shorter – he told Calcalist that NSO’s 45 clients average roughly 100 Pegasus targets per year.
Hulio further alleges that NSO has looked into its clients’ use of the programme and found no indication that they targeted any of the phone numbers NSO had been supplied, including Khashoggi’s wife’s. He further claims that it is NSO policy to deny clients access to Pegasus if it is discovered that they are utilising the system for purposes other than what it was designed for.
Why make software like this?
According to NSO, Pegasus is only built for counter-terrorism and law enforcement purposes. According to reports, the company exclusively sells software to government institutions that have been certified by Israel’s Ministry of Defense.
According to the Washington Post, NSO’s CEO believes that “someone needs to do the dirty work” and that Pegasus is “used to handle essentially the worst this world has to offer.”
Are there other companies out there making tools like Pegasus?
Absolutely. The Economic Times provides an excellent summary of some of the most high-profile companies working in the sector, as well as an explanation of why many of these companies are based in Israel due to the pattern of Israeli cyberintelligence operatives leaving military duty and creating startups.
Am I being monitored?
While the disclosure of more than 50,000 purportedly monitored phone numbers appears to be a large amount, the Pegasus malware is unlikely to have been employed to track anyone who is not publicly visible or politically active.
Spyware’s fundamental nature is to remain hidden and unnoticed on a device. However, there are ways to detect whether your device has been compromised.
The Amnesty International Mobile Verification Toolkit is a (relatively) simple way to find out. This utility can check the data and configuration of your mobile device by analysing a backup obtained from the phone, and it runs on either Linux or macOS.
While the analysis cannot confirm or refute whether a device is infected, it can detect “indicators of compromise” that point to a possible infection.
The tool can detect the presence of certain software (processes) running on the device, as well as a variety of domains used as part of a spyware network’s global infrastructure.
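The kind of check described above, as an added sketch that is not the Mobile Verification Toolkit's own code: it matches URLs and process names extracted from a backup against an indicator list. The record layout, the indicator values and the function names are all constructed for illustration and are not real Pegasus indicators.

```python
from urllib.parse import urlsplit

# Constructed placeholder indicators (NOT real Pegasus IoCs).
IOC_DOMAINS = {"tracker-cdn.example", "update-check.invalid"}
IOC_PROCESSES = {"fakesyncd", "examplehelper"}


def domain_matches(host, indicators):
    """True if host is an indicator domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in indicators)


def scan_records(records):
    """Return sorted (timestamp, indicator type, value) tuples for matches.

    A match is only an indicator of compromise: it flags a device for
    closer forensic review and does not prove infection.
    """
    hits = []
    for rec in records:
        if rec["kind"] == "url":
            # Compare the parsed hostname, not the raw URL string, so that
            # ports, paths and query strings cannot hide or fake a match.
            host = urlsplit(rec["value"]).hostname or ""
            if domain_matches(host, IOC_DOMAINS):
                hits.append((rec["ts"], "domain", host))
        elif rec["kind"] == "process":
            if rec["value"].lower() in IOC_PROCESSES:
                hits.append((rec["ts"], "process", rec["value"]))
    return sorted(hits)


# Constructed sample of records, shaped as they might look after being
# extracted from a phone backup (browsing history and process activity).
SAMPLE = [
    {"ts": "2021-07-01T09:12:44Z", "kind": "url", "value": "https://news.example.org/story"},
    {"ts": "2021-07-01T09:13:02Z", "kind": "url", "value": "https://a1b2.tracker-cdn.example:30827/x?id=1"},
    {"ts": "2021-07-01T09:13:05Z", "kind": "process", "value": "fakesyncd"},
    {"ts": "2021-07-01T09:20:00Z", "kind": "process", "value": "mediaserverd"},
    # Look-alike host: shares a suffix but is not a subdomain, so no match.
    {"ts": "2021-07-02T11:00:00Z", "kind": "url", "value": "https://nottracker-cdn.example/"},
]

if __name__ == "__main__":
    for ts, kind, value in scan_records(SAMPLE):
        print(f"{ts}  {kind:8} {value}")
```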
How to stay protected?
Although the majority of individuals are unlikely to be targeted by this type of assault, there are still easy actions you can take to reduce your risk of being targeted – not just by Pegasus, but also by other harmful attacks.
1. When using your device, only open links from known and trustworthy contacts and sources. Pegasus is distributed via an iMessage link on Apple devices, and many cybercriminals use this strategy for both virus dissemination and less technical scams. The same precautions apply to URLs received by email or other messaging apps.
2. Ensure that all required patches and upgrades are installed on your device. While having a standardised operating system provides a steady platform for attackers to target, it is still your best defence. If you’re using Android, don’t rely on notifications for new operating system updates. Because your device’s manufacturer may not be delivering updates, you should check for the most recent version yourself.
3. Although it may seem self-evident, you should keep physical access to your phone to a minimum. Enable PIN, fingerprint, or face locking on the device to accomplish this. The website of the eSafety Commissioner provides a number of videos that explain how to encrypt your device.
4. When viewing sensitive material, stay away from public and free WiFi (including hotels). When you need to use such networks, using a VPN is a fantastic alternative.
5. Encrypt your device’s data and, if available, use remote erase features. If your smartphone is lost or stolen, you can be assured that your data will be safe.
Brief history of Pegasus
2016: Researchers at Canadian cybersecurity organisation The Citizen Lab first encountered Pegasus on a smartphone of human rights activist Ahmed Mansoor.
September 2018: The Citizen Lab published a report that identified 45 countries in which Pegasus was being used. As with the latest revelations, the list included India.
October 2019: WhatsApp revealed that journalists and human rights activists in India had been targets of surveillance by operators using Pegasus.
July 2021: The Pegasus Project, an international investigative journalism effort, revealed that various governments used the software to spy on government officials, opposition politicians, journalists, activists and many others. It said the Indian government used it to spy on around 300 people between 2017 and 2019.