What Is Pegasus Spyware: How Does It Hack And Monitor Your Phone?
A couple of years ago, WhatsApp made a staggering revelation. The ubiquitous Facebook-owned messaging app claimed that journalists and human rights activists in India were being monitored using Pegasus spyware. It also filed a lawsuit against the NSO Group, an Israeli company that manufactures the highly sophisticated hacking software, claiming that Pegasus was used to target more than 1,400 phones.
The spyware is once again in the news following a months-long investigation by an international media consortium, including The Wire in India, into the leak of more than 50,000 phone numbers of potential surveillance targets. More than 1,000 phone numbers in India appeared on the list; over 300 numbers were verified by the consortium; and at least 10 smartphones were targeted with Pegasus -- seven of them successfully -- The Washington Post reported.
What is Pegasus spyware
Pegasus is military-grade spyware developed, marketed and licensed to governments across countries by NSO Group, a private Israeli company. The incredibly powerful spyware first shot to the limelight in 2016 when it was discovered by a UAE human rights activist who happened to be one of its targets. It was a spear-phishing attack, where hackers use malicious links in texts or emails to install the malware in devices. iPhone users were believed to be the target of Pegasus, and several days later, Apple fixed the vulnerability that Pegasus was exploiting to hack phones.
Pegasus turns phone into 24-hour surveillance device
Pegasus is a highly sophisticated malware that adopts powerful encryption to hide from exposure by conventional security tools. The malware self-destructs if the communication with its command-and-control (C&C) server is severed for more than 60 days or if it detects that it was installed on the wrong device with the wrong SIM card.
"Pegasus is modular malware. After scanning the target's device, it installs the necessary modules to read the user's messages and mail, listen to calls, capture screenshots, log pressed keys, exfiltrate browser history, contacts, and so on and so forth. Basically, it can spy on every aspect of the target's life," cybersecurity company Kaspersky noted.
The spyware can activate cameras or microphones to capture fresh images and recordings without the user's permission or knowledge. It can listen to calls and voicemails and collect location data, past and present, including whether the user is stationary or moving. Pegasus can even listen to encrypted audio streams and read encrypted messages, including those from WhatsApp and Signal, since it captures the data on the device before it is encrypted.
How Pegasus allegedly hacks phones
The earliest version of Pegasus used a spear-phishing attack to infect phones with malware. It all starts with a website URL sent to a user via SMS, email, social media, etc. One click on the link and the surveillance software packages are installed after the device is remotely jailbroken. While a certain level of awareness can help prevent such attacks, NSO's attack capabilities have become more subtle over the years, making the spyware more potent and almost impossible to detect or stop.
Pegasus infections can also be achieved via so-called "zero-click" attacks that do not require any interaction from the phone's owner. It means that your phone could still be hacked even if you're careful not to click on those malicious links. Most of these attacks exploit vulnerabilities in an operating system that the phone's manufacturer may not yet know about and so has not been able to fix.
An example of such an attack was revealed by WhatsApp in May 2019 when the spyware targeted a vulnerability in its VoIP stack. Simply by placing a WhatsApp call to a target device, Pegasus could be installed on the phone, irrespective of whether the target answered the call or not.
Pegasus for Android, on the other hand, relies on a popular rooting method called Framaroot. If the malware fails to obtain the root access it needs to install the surveillance software, it falls back to directly asking the user for permissions that still let it steal some data.
And where neither spear-phishing nor zero-click attacks succeed, Pegasus can also be installed over a wireless transceiver located near a target, or even installed manually after stealing the target's phone, The Guardian reported, citing an NSO brochure.
iPhone security is no match for Pegasus
Apple claims its iPhones offer better privacy and security than rivals, but they are still vulnerable to "zero-click" attacks, Amnesty International said in a report. The report detailed that the Israeli firm NSO Group infected several models of iPhones over the years, adapting as Apple fixed each security bug. In 2019, the group exploited a vulnerability in Apple Photos, followed by an iMessage zero-click, and later Apple Music in 2020.
"Our forensic analysis has uncovered irrefutable evidence that through iMessage zero-click attacks, NSO's spyware has successfully infected iPhone 11 and iPhone 12 models. Thousands of iPhones have potentially been compromised," Danna Ingleton, Deputy Director, Amnesty Tech, said in a release.
Zero-click attacks on iPhones have been observed since May 2018 and continue until now to deliver the Pegasus spyware, Amnesty said. Most recently, a successful "zero-click" attack has been observed exploiting multiple zero-days to attack a fully patched iPhone 12 running iOS 14.6 in July 2021.
"These most recent discoveries indicate NSO Group's customers are currently able to remotely compromise all recent iPhone models and versions of iOS," the report added.