It is the name for perhaps the most powerful spyware ever developed – certainly by a private company. Once it sneaks into your phone without you noticing, it can become a 24-hour surveillance device. It can copy messages you send or receive, collect your photos, and record your calls. It could secretly film you through your phone’s camera or activate the microphone to record your conversations. It can potentially determine exactly where you are, where you have been, and who you met.
Pegasus is the hacking software – or spyware – developed, marketed and licensed to governments around the world by the Israeli company NSO Group. It can infect billions of phones running iOS or Android operating systems.
The earliest version of Pegasus, discovered by researchers in 2016, infected phones through what is known as spear phishing – text messages or emails that trick a target into clicking a malicious link.
Since then, however, NSO’s attack capabilities have advanced. Pegasus infections can now be achieved through so-called “zero-click” attacks, which do not require any interaction from the phone owner to succeed. These often exploit “zero-day” vulnerabilities, which are errors or bugs in an operating system that are not yet known to the manufacturer of the mobile phone and therefore could not be fixed.
In 2019, WhatsApp announced that NSO’s software had been used to deliver malware to 1,400+ phones by exploiting a zero-day vulnerability. Simply making a WhatsApp call to a target device could install malicious Pegasus code on the phone even if the target never answered the call. More recently, NSO has begun exploiting vulnerabilities in Apple’s iMessage software, giving it backdoor access to hundreds of millions of iPhones. Apple says it is constantly updating its software to prevent such attacks.
The technical understanding of Pegasus and how to find the conclusive breadcrumbs it leaves on a phone after a successful infection has been enhanced through research by Claudio Guarnieri, who heads Amnesty International’s Berlin security laboratory.
“Things are getting a lot harder for the targets to notice,” said Guarnieri, who stated that NSO clients had largely abandoned suspicious SMS messages for more subtle, zero-click attacks.
Companies like NSO find it particularly attractive to take advantage of software that is either installed by default on devices, like iMessage, or very common, like WhatsApp, because it dramatically increases the number of cell phones that Pegasus can successfully attack.
As a technical partner of the Pegasus Project, an international consortium of media organizations including the Guardian, Amnesty’s laboratory has discovered traces of successful attacks by Pegasus customers on iPhones running the latest versions of Apple’s iOS. The attacks were carried out as recently as July 2021.
Forensic analysis of the victims’ phones also found evidence that NSO’s constant search for vulnerabilities may have been extended to other popular apps. In some of the cases that Guarnieri and his team analyzed, strange network traffic related to Apple’s Photos and Music apps can be seen at the time of the infections, suggesting that NSO may have started to exploit new vulnerabilities.
Where neither spear phishing nor zero-click attacks succeed, Pegasus can also be installed near a target via a wireless transceiver or, according to an NSO brochure, simply installed manually if an agent can steal the target’s phone.
Once installed on a phone, Pegasus can collect more or less all information or extract any file. Text messages, address books, call logs, calendars, emails, and Internet browsing histories can all be exfiltrated.
“If an iPhone is compromised, it is done in a way that allows the attacker to gain so-called root or administrator rights on the device,” said Guarnieri. “Pegasus can do more than the owner of the device can.”
NSO attorneys alleged that Amnesty International’s technical report was conjecture, calling it “a compilation of speculative and unsubstantiated assumptions”. However, they did not dispute any of its specific findings or conclusions.
NSO has made significant efforts to make its software more difficult to detect, and Pegasus infections are now very difficult to identify. Security researchers suspect that newer versions of Pegasus only ever use the phone’s temporary memory and not the hard drive, which means that practically all traces of the software disappear after the phone is switched off.
One of the biggest challenges Pegasus poses to journalists and human rights defenders is that the software exploits undiscovered vulnerabilities so that even the most security-conscious mobile phone user cannot prevent an attack.
“I get this question almost every time we do forensics with someone: ‘What can I do to prevent this from happening again?’” Guarnieri said. “The really honest answer is nothing.”