What is Pegasus spyware and how does it hack phones?


It is the name for perhaps the most powerful spyware ever developed – certainly by a private company. Once it sneaks into your phone without you noticing, it can become a 24 hour surveillance device. It can copy messages you send or receive, collect your photos, and record your calls. It could secretly film you through your phone’s camera or activate the microphone to record your conversations. It can potentially determine exactly where you are, where you have been, and who you met.

Pegasus is the hacking software – or spyware – developed, marketed and licensed to governments around the world by the Israeli company NSO Group. It can infect billions of phones running iOS or Android operating systems.

The earliest version of Pegasus, discovered by researchers in 2016, infected phones through what is known as spear phishing – text messages or emails that trick a target into clicking a malicious link.

What is included in the Pegasus project data?

What’s in the data leak?

The data leak is a list of more than 50,000 phone numbers believed to have been selected since 2016 as those of people of interest by government customers of the NSO Group, which sells surveillance software. The data also includes the time and date at which numbers were selected or entered into a system. Forbidden Stories, a Paris-based non-profit journalism organization, and Amnesty International initially had access to the list and shared it with 16 media organizations, including the Guardian. More than 80 journalists worked together on the Pegasus project for several months. Amnesty’s Security Lab, a technical partner in the project, carried out the forensic analyses.

What does the leak indicate?

The consortium believes the data indicates potential targets that NSO’s government customers identified in advance of possible surveillance. While the data is indicative of intent, the presence of a number in the data does not show whether an attempt was made to infect the phone with spyware such as Pegasus, the company’s signature surveillance tool, or whether any such attempt succeeded. The presence of a very small number of landline and US numbers in the data, which NSO says are “technically impossible” to target with its tools, shows that some targets were selected by NSO customers even though they could not be infected with Pegasus. However, forensic examinations of a small sample of mobile phones with numbers on the list found close correlations between the time and date a number appears in the data and the start of Pegasus activity – in some cases a gap of just a few seconds.

What did the forensic analysis show?

Amnesty examined 67 smartphones suspected of being attacked. Of these, 23 were successfully infected and 14 showed signs of attempted penetration. The remaining 30 tests were unsuccessful, in several cases because the handsets were replaced. Fifteen of the phones were Android devices, none of which showed signs of successful infection. However, unlike iPhones, phones running Android don’t log the types of information that Amnesty’s detective work requires. Three Android phones showed signs of targeting, such as SMS messages linked to Pegasus.

Amnesty shared “backup copies” of four iPhones with Citizen Lab, a research group at the University of Toronto that specializes in examining Pegasus, which confirmed they were showing signs of Pegasus infection. Citizen Lab also peer reviewed Amnesty’s forensic methods and found them to be solid.

Which NSO clients selected numbers?

While the data is organized in clusters that point to individual NSO clients, it does not tell which NSO client was responsible for selecting a particular number. NSO claims to sell its tools to 60 customers in 40 countries but refuses to identify them. By carefully examining the targeting pattern of individual customers in the leaked data, the media partners were able to identify 10 governments believed to be responsible for target selection: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates. Citizen Lab also found evidence that all 10 are customers of NSO.

What does the NSO group say?

You can read the full statement from the NSO Group here. The company has always said that it has no access to data about its clients’ targets. Through its attorneys, NSO said the consortium made “wrong assumptions” about which customers are using the company’s technology. The 50,000 figure was said to be “excessive”, and the list could not be a list of numbers “targeted by governments with Pegasus”. Lawyers said NSO had reason to believe that the list the consortium had accessed “is not a list of numbers targeted by governments using Pegasus, but instead may be part of a larger list of numbers that might have been used by NSO Group customers for other purposes”. After further questioning, the lawyers said the consortium based its findings “on the misleading interpretation of leaked data from accessible and overt basic information, such as HLR lookup services, which have no bearing on the list of the customers’ targets of Pegasus or any other NSO products … we still do not see any correlation between these lists and anything related to the use of NSO Group technologies.”

What is HLR Lookup Data?

The term HLR, or Home Location Register, describes a database that is essential for the operation of cellular networks. Such registers keep records of phone users’ networks and their general locations, along with other identifying information that is routinely used in routing calls and texts. Telecommunications and surveillance experts say HLR data can sometimes be used in the early stages of a surveillance attempt to determine whether it might be possible to connect to a phone. The consortium understands that NSO clients have the ability to perform HLR lookups through an interface in the Pegasus system. It is unclear whether Pegasus operators are required to conduct HLR lookups through their interface in order to use the software; an NSO source emphasized that its customers may have several reasons, independent of Pegasus, for performing HLR lookups through an NSO system.

Since then, however, NSO’s attack capabilities have advanced. Pegasus infections can be achieved through so-called “zero-click” attacks, which do not require any interaction from the phone’s owner to succeed. These often exploit “zero-day” vulnerabilities, which are flaws or bugs in an operating system that are not yet known to the phone’s manufacturer and therefore have not yet been patched.

In 2019, WhatsApp announced that NSO’s software had been used to deliver malware to 1,400+ phones by exploiting a zero-day vulnerability. Simply making a WhatsApp call to a target device could install malicious Pegasus code on the phone even if the target never answered the call. More recently, NSO has begun exploiting vulnerabilities in Apple’s iMessage software, giving it backdoor access to hundreds of millions of iPhones. Apple says it is constantly updating its software to prevent such attacks.

The technical understanding of Pegasus, and of how to find the telltale breadcrumbs it leaves on a phone after a successful infection, has been enhanced by research from Claudio Guarnieri, who heads Amnesty International’s Berlin-based Security Lab.

“Things are getting a lot harder for the targets to notice,” said Guarnieri, who stated that NSO clients had largely abandoned suspicious SMS messages for more subtle, zero-click attacks.

Companies like NSO find it particularly attractive to take advantage of software that is either installed by default on devices, like iMessage, or very common, like WhatsApp, because it dramatically increases the number of cell phones that Pegasus can successfully attack.

As the technical partner of the Pegasus Project, an international consortium of media organizations including the Guardian, Amnesty’s lab has discovered traces of successful attacks by Pegasus customers on iPhones running the latest versions of Apple’s iOS. The attacks were carried out as recently as July 2021.

Forensic analysis of the victims’ phones also found evidence that NSO’s constant search for vulnerabilities may have extended to other popular apps. In some of the cases that Guarnieri and his team analyzed, unusual network traffic related to Apple’s Photos and Music apps was seen at the time of the infections, suggesting that NSO may have started to exploit new vulnerabilities.

Where neither spear phishing nor zero-click attacks succeed, Pegasus can also be installed near a target via a wireless transceiver or, according to an NSO brochure, simply installed manually if an agent can steal the target’s phone.

Once installed on a phone, Pegasus can harvest more or less any information or extract any file. Text messages, address books, call logs, calendars, emails, and internet browsing histories can all be exfiltrated.

“If an iPhone is compromised, it is done in a way that allows the attacker to gain so-called root or administrator rights on the device,” said Guarnieri. “Pegasus can do more than the owner of the device can.”

NSO attorneys alleged that Amnesty International’s technical report was conjecture, calling it “a compilation of speculative and unsubstantiated assumptions”. However, they did not dispute any of its specific findings or conclusions.

NSO has made significant efforts to make its software more difficult to detect, and Pegasus infections are now very hard to identify. Security researchers suspect that newer versions of Pegasus only ever reside in the phone’s temporary memory rather than its persistent storage, which means that practically all traces of the software disappear once the phone is switched off.

One of the biggest challenges Pegasus poses to journalists and human rights defenders is that the software exploits undiscovered vulnerabilities so that even the most security-conscious mobile phone user cannot prevent an attack.

“I get this question almost every time we do forensics with someone: ‘What can I do to prevent this from happening again?'” Guarnieri said. “The really honest answer is nothing.”


About Willie Ash
