What is Pegasus spyware? How is it transmitted?
Pegasus spy software developed by Israeli NSO Group can hack an iPhone 12 running the latest iOS version without any clicks.
Smartphones belonging to more than three dozen journalists, human rights activists and corporate executives were infected with powerful spyware that an Israeli firm was selling to catch alleged terrorists and criminals, The Washington Post and other sources reported.
What is Pegasus spyware?
Pegasus is spyware developed by the Israeli NSO Group. By taking advantage of zero-day exploits, the software can infect a device directly via SMS, without the victim having to click anywhere. Since zero-day vulnerabilities are unpatched, Pegasus can even infect an iPhone with the latest iOS.
The Israel-based spyware vendor has come under intense scrutiny in recent years after repressive governments in the United Arab Emirates, Mexico and other countries were found to be using malware against journalists, activists and other groups unrelated to terrorism or crime.
How Does Pegasus Spyware Infect Devices?
Pegasus spyware is often installed via “zero-click” exploits, such as those delivered via text messages (SMS), that do not require victim interaction. After the exploits have secretly jailbroken or rooted a target’s iPhone or Android device, Pegasus immediately begins to comb through the device’s system resources. The software copies call histories, text messages, calendar entries and contacts. It can activate the cameras and microphones of compromised phones to eavesdrop on nearby activities.
It can also track the target’s movements and steal messages from end-to-end encrypted chat apps.
iPhone 12 with iOS 14.6 Can Be Hacked
According to a study jointly conducted by 17 news organizations, Pegasus infected 37 phones belonging to people who did not meet the criteria that NSO said were necessary to use the powerful spyware. According to the Washington Post, the victims included journalists, human rights activists, company executives and two women close to the murdered Saudi journalist Jamal Khashoggi. Technical analysis from Amnesty International and the University of Toronto's Citizen Lab confirmed that the devices in question had been hacked.
“The Pegasus attacks detailed in this report and its appendices are from 2014 to July 2021,” Amnesty International researchers wrote. “This includes so-called ‘zero-click’ attacks that do not require any interaction with the target. Zero-click attacks have been observed since May 2018 and still continue. Recently, a successful ‘zero-click’ attack was observed that exploited multiple zero-day vulnerabilities to attack a fully patched iPhone 12 running iOS 14.6 in July 2021.”
All 37 affected devices were included in the list of more than 50,000 phone numbers. It is unknown who put the numbers on the list, why, and how many of the phones were actually targeted or spied on. However, forensic analysis of the 37 phones often shows a tight correlation between the timestamp associated with a number on the list and the start of tracking, in some cases as little as a few seconds.
Amnesty International and a Paris-based nonprofit journalism organization called Forbidden Stories were able to access the list and share it with news organizations that continue to conduct further research and analysis.
Reporters identified more than 1,000 people in more than 50 countries whose numbers are on the list. Among the victims were more than 600 politicians and government officials, including members of the Arab royal family, at least 65 business executives, 85 human rights activists, 189 journalists and cabinet ministers, diplomats, military and security officials. The list also included the numbers of several heads of state and prime ministers. Meanwhile, The Guardian said the leaked list includes 15,000 politicians, journalists, judges, activists and teachers in Mexico.
Who Was Targeted?
In detail, it seems that hundreds of journalists, activists, academics, lawyers and even world leaders are targeted here. Journalists on the list have worked for leading news organizations such as CNN, Associated Press, Voice of America, The New York Times, The Wall Street Journal, Bloomberg News, Le Monde in France, Financial Times in London and Al Jazeera in Qatar.
“The targeting of 37 smartphones appears to contradict NSO’s stated purpose to license Pegasus spyware,” the Washington Post wrote. “The evidence from these smartphones, which appears here for the first time, questions the Israeli company’s commitment to police its clients for human rights abuses.”
NSO’s Statement
NSO officials vehemently deny the investigation's claims. The company wrote in its statement:
Forbidden Stories’ report is full of false assumptions and unconfirmed theories that cast serious doubts on the credibility and interests of the sources. It seems that “unidentified sources” gave information that has no factual basis and is far from reality.
After checking their claims, we strongly reject the unfounded claims in their report. Their sources have provided them with information that has no factual basis, as evidenced by the lack of supporting documentation for many of their claims. In fact, these allegations are so outrageous and far from the truth that the NSO is considering filing a defamation lawsuit.
The NSO Group has good reason to believe that allegations of Forbidden Stories by anonymous sources are based on misleading interpretations of data from accessible and open basic information, such as HLR Lookup services, which have nothing to do with the list of targets of customers of Pegasus or other NSO products.
Such services are open to anyone, anywhere and anytime and are widely used by government agencies and private companies around the world for a variety of purposes.
Claims that data is leaked from our servers are completely false and ridiculous because such data is not available on any of our servers.
Apple's Statement
Apple officials wrote in their statement:
Apple unequivocally condemns cyberattacks against journalists, human rights activists and others trying to make the world a better place. Apple has been leading the industry in security innovation for over a decade, and as a result, security researchers agree that the iPhone is the most secure consumer mobile device on the market. Attacks like the ones described are quite complex, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals.
While this means that there is no threat to the overwhelming majority of our users, we continue to work tirelessly to defend all of our customers and are constantly adding new protections for their devices and data.
Not NSO’s First Spyware Incident
This is not the first time that NSO’s Pegasus spyware has been found to have targeted journalists, dissidents and others with no clear ties to crime or terrorism and has come under international criticism. NSO spyware came to light in 2016 when Citizen Lab and security company Lookout found it targeted a political dissident in the United Arab Emirates.
At the time, researchers determined that text messages sent to UAE dissident Ahmed Mansoor exploited three iPhone zero-day vulnerabilities to install Pegasus on his device. Mansoor forwarded the messages to Citizen Lab researchers, who determined that the linked web pages led to a chain of attacks that would jailbreak his iPhone and install the Pegasus spyware.
Eight months later, researchers from Lookout and Google spotted a Pegasus version for Android.
In 2019, Google’s Project Zero vulnerability research team found that NSO exploited zero-day vulnerabilities that gave full control over fully patched Android devices. Days later, Amnesty International and Citizen Lab announced that the mobile phones of two prominent human rights activists were repeatedly targeted by Pegasus. That same month, Facebook sued NSO for attacks that used clickless exploits to compromise WhatsApp users’ phones.
Last December, Citizen Lab said a clickless attack developed by NSO targeted 36 journalists by exploiting a zero-day vulnerability in Apple’s iMessage.
The spyware that NSO and similar companies sell is extremely complex, costly to develop and even more expensive to purchase. Smartphone users are unlikely to be on the receiving end of one of these attacks, unless they are the target of a wealthy government or law enforcement agency. People in this latter category should seek guidance from security experts on how to secure their devices.