Pegasus: The Most Advanced Spyware We’ve Seen Yet

A globally collaborative investigation called the Pegasus Project, organized by Amnesty International and Forbidden Stories, recently unearthed a massive data leak. The investigators found 50000 phone numbers that were "possibly" targeted by the Pegasus spyware and identified around 10000 individuals across 50 countries as potential targets. Among them are politicians, journalists, government officials, and human rights activists.

NSO, the Israeli security company that developed this spyware, maintains that the Israeli government permits it to sell Pegasus only to whitelisted governments and their intelligence and law enforcement agencies. However, the Pegasus Project investigation indicates that NSO has supplied the spyware to governments with questionable human rights records. The investigators claim that there has been very little supervision or regulation governing the use of this tool.

What is Pegasus?

Pegasus is spyware that infiltrates phones and other devices through a delivery vector, typically a messaging service or an email client, which carries the spyware onto the device. Once Pegasus installs itself on a device, it transmits the user's data, activities, and internet usage to the attacker. It can also intercept communications made using the infected device, track its location, and spy on its user through the device's camera and microphone.

How Does it Get Installed on Your Phone?

Earlier, Pegasus used spear-phishing techniques to infiltrate its targets: the attacker sent links to the targets by email or messaging services, and when the user clicked on the link, that action installed the spyware on the device. This technique became less effective as more people grew aware of phishing threats.

It has now come to light that Pegasus no longer needs this "click-bait" phishing technique. It exploits what is called a zero-click vulnerability: it can install itself onto a device without the owner initiating any action, such as clicking on a link. Spyware can now be delivered to a device simply by sending an email. The download occurs not when the unsuspecting user clicks a link in the email, but when the email client or service, like Google, Outlook or Hotmail, receives the email in the inbox. The spyware is downloaded along with the email itself, before any malware scanning occurs, and it installs before you can act on it. In most cases the victim does not know an attack is underway.

What Does Pegasus Do Once it is Installed?

According to the Amnesty forensic team investigating the leaked data, Pegasus gives the attacker more control of the device than the owner of the device or its operating system has. The spyware compromises Android devices by “rooting” and Apple devices by “jailbreaking”. As a result, the spyware can change anything on the device. It can also see everything the user is doing on it. The spyware can access files, data logs, and contacts on the device. It can also read emails and messages on the device and transmit the stolen data to the attacker.

It is difficult for the victims to find out that they are Pegasus targets. At the most, they might observe their phone slowing down at times. Many victims might not even identify this as proof of any malicious activity because phones tend to slow down as they get older.

Conclusion: Can We Prevent These Spyware Attacks?

Preventing zero-click attacks is extremely difficult because, unlike in spear-phishing attacks, no user action is needed to trigger the infection.

Although these are early stages of discovery and no concrete steps are available to prevent these kinds of attacks, users can take certain precautions to cut their exposure:

  • Users can make sure they are using the latest version of the operating system and that all apps on their devices are up to date. Such precautions help in cases of known vulnerabilities for which fixes are available. But there is no guarantee these fixes ensure the safety of your devices because Amnesty International has reported that Pegasus has breached even phones with the latest operating systems.

  • Users should avoid sideloading any apps that the operating system does not deliver. Many Android users tend to sideload apps, which can be very risky.

  • Another precaution that users can take, although a little inconvenient, is to avoid using apps and instead log into services through a browser.

  • Regularly audit your installed apps and their permissions, and remove the ones you do not need.
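As an added illustration of the last two precautions (this is example code, not part of the Packetlabs post), the script below takes the text of two Android commands, `adb shell pm list packages -3 -i` and `adb shell dumpsys package <pkg>`, flags third-party apps whose installer is not a trusted store, and lists granted permissions that map to the capabilities the post attributes to Pegasus (camera, microphone, location, messages, contacts). The trusted-installer set and the sensitive-permission list are assumptions to adjust for your own devices; the sample output is constructed.

```python
import re

# Added example (not from the Packetlabs post). Parses text saved from
#   adb shell pm list packages -3 -i   (third-party packages + installer)
#   adb shell dumpsys package <pkg>    (runtime permission grants)
# The sample output below is constructed for illustration.

TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: extend per fleet
# Runtime permissions matching the capabilities the post attributes to Pegasus.
SENSITIVE = {"android.permission.CAMERA", "android.permission.RECORD_AUDIO",
             "android.permission.ACCESS_FINE_LOCATION",
             "android.permission.READ_SMS", "android.permission.READ_CONTACTS"}
PKG_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)")
PERM_RE = re.compile(r"^\s*(android\.permission\.\w+): granted=(true|false)")

def parse_installers(listing):
    """Map package -> installer ('null' when no installer is recorded)."""
    found = {}
    for line in listing.splitlines():
        m = PKG_RE.match(line.strip())
        if m:
            found[m.group(1)] = m.group(2)
    return found

def sideloaded(installers):
    """Packages whose installer is missing or not a trusted store."""
    return sorted(p for p, i in installers.items() if i not in TRUSTED_INSTALLERS)

def granted_sensitive(dumpsys_text):
    """Sensitive runtime permissions reported as granted=true."""
    return sorted({m.group(1) for m in map(PERM_RE.match, dumpsys_text.splitlines())
                   if m and m.group(2) == "true" and m.group(1) in SENSITIVE})

SAMPLE_LISTING = """\
package:com.example.bank  installer=com.android.vending
package:com.example.weather  installer=null
package:com.example.cleaner  installer=com.google.android.packageinstaller
"""
SAMPLE_DUMPSYS = """\
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET]
      android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]
"""

if __name__ == "__main__":
    print("sideloaded:", sideloaded(parse_installers(SAMPLE_LISTING)))
    print("sensitive grants:", granted_sensitive(SAMPLE_DUMPSYS))
```

An app that shows up in both lists (sideloaded and holding camera, microphone or message access) is the first candidate to remove.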

Packetlabs offers a wide array of security services, including infrastructure penetration testing, application testing, and red team exercises, to help you protect your most valuable assets. Contact us for a free, no-obligation quote.