An investigation, led by Amnesty International and Paris-based non-profit Forbidden Stories, found that over 50,000 numbers were targeted globally by Pegasus, including around 300 from India.

news CYBER SECURITY Tuesday, July 20, 2021 - 14:02

On July 19, an international media consortium revealed how Pegasus – spyware made by the Israeli NSO Group and sold only to governments – was used to potentially surveil over 50,000 phone numbers worldwide, including over 300 from India. In India, this included the numbers of over 40 journalists, opposition leaders, a sitting judge, and several business persons and activists.

A day later, on July 20, it was reported that Amazon Web Services had shut down the infrastructure and accounts related to NSO Group. This came after the investigation by Amnesty International and Paris-based non-profit Forbidden Stories, which revealed what is being called the ‘Pegasus Snoopgate’, found that information from phones infected with Pegasus spyware was sent to a “service fronted by Amazon CloudFront” in recent months. CloudFront is a content delivery network that lets its customers deliver content – such as data, videos and applications – to users quickly and reliably. As per Amnesty’s report, the use of cloud services would protect the NSO Group from internet scanning techniques.

What is Pegasus?

Pegasus is spyware that can infect Android or iOS phones and turn them into surveillance devices. The earliest version of the hacking software was spotted by researchers in 2016. At the time, Pegasus would infect phones by ‘spear phishing’, i.e. through text messages or emails containing a malicious link that the target would click on, The Guardian reported.

However, the technology has grown more discreet and dangerous since then, and Pegasus can now infect a phone without any user interaction, in what are called ‘zero-click’ attacks. These attacks exploit “zero-day” vulnerabilities – flaws and bugs in a phone’s operating system that the phone’s manufacturer is unaware of or has been unable to fix.

“Both spyware and zero-day vulnerabilities can be sold and bought by various groups on the darknet,” said Dmitry Galov, security researcher at GReAT, Kaspersky. “The price of vulnerabilities can reach $2.5 million - this is how much was offered in 2019 for the full chain of vulnerabilities in Android.”

In 2019, WhatsApp alleged that 1,400 of its users had been targeted by Pegasus, exploiting these “zero-day” vulnerabilities, for example, by simply making a WhatsApp call to a target phone even if it was not answered. The instant messaging service had filed a lawsuit against NSO Group in October 2019.

How does Pegasus work?

Pegasus hacks a victim’s phone and collects information by controlling the phone’s microphone and cameras, and by reading and recording communication made via calls and texts. Designed to bypass detection, once it hacks a phone, Pegasus can harvest pretty much any information, including SMS, emails, photos and videos, contacts and WhatsApp chats, and can record calls and access calendar and GPS data, among other things.

According to Galov, when Pegasus for Android was studied in 2017, “it was able to read the victim's SMS and emails, listen to calls, take screenshots, record keystrokes, and access contacts and browser history.”

More recently, it appears that NSO Group clients have largely abandoned suspicious SMS messages as a way to infect a target’s phone, Claudio Guarnieri, who runs Amnesty International’s Security Lab, told The Guardian. Instead, exploiting software installed by default on devices, such as iMessage on iPhones, is more attractive because it significantly increases the number of phones Pegasus can potentially hack. The same logic applies to the use of popular apps like WhatsApp. Guarnieri also said that NSO is constantly searching for weaknesses in phones and has expanded its means of infecting phones to other commonplace apps – in some cases, peculiar traffic was noticed on Apple’s Photos and Music apps at the time of infection.

It is also suspected that Pegasus is so hard to identify on the phone because its recent versions are only ever stored in the phone’s temporary memory. This means that the spyware is not on the phone’s hard drive. So, once the phone is powered down, virtually all signs of Pegasus also vanish.

When did snooping on Indian numbers start?

Some of the prominent Indian names whose phones were reportedly infected with the spyware were political analyst Prashant Kishor, The Wire journalist Rohini Singh, the publication’s editor-in-chief Siddharth Vardarajan, former EPW editor Paranjoy Guha Thakurta, TV18 anchor Smita Sharma, The Hindu journalist Vijaita Singh, Congress leader Rahul Gandhi, Union IT Minister Ashwini Vaishnaw, virologist Gagandeep Kang, Delhi University professor Abdul Rahman Geelani, and eight activists, lawyers and academics arrested between June 2018 and October 2020 in relation to the Elgar Parishad case, as well as the woman who accused former CJI Ranjan Gogoi of sexual harassment, among others.

According to reports, the selection of Indian numbers started around the time Prime Minister Narendra Modi visited Israel in 2017 and met with the then Israeli Prime Minister Benjamin Netanyahu. It marked the first visit of an Indian PM to the country.

Apart from India, the other numbers found to be targeted by Pegasus have been traced to Azerbaijan, Bahrain, Hungary, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the United Arab Emirates.

How can you protect your devices against Pegasus and other spyware?

Software such as Pegasus is hard to detect, and it is possible for a device to get infected despite precautions – simply because such software uses vulnerabilities that have not yet been found or fixed by manufacturers. However, there are some steps that can be taken to at least lessen the chances.

According to a report in The Washington Post, which was part of the media consortium that worked on Project Pegasus, one precaution is to keep your device and its software updated by activating automatic updates. Devices older than five years, particularly those running outdated operating systems, are especially vulnerable.

Another way to increase security on your devices is to use a unique and difficult-to-guess password for each device, site and app. A secure password manager can be used to manage these. Activating two-step authentication, where a site asks for a code sent to your phone or another authenticator in addition to your password, is also helpful.

An oft-repeated but nevertheless valuable tip is to not click on suspicious links or attachments, especially from sources and people you do not recognise. Activate disappearing messages where possible, which allow communication to vanish after a stipulated time period.

This Twitter thread by finance writer at Morning Context, Advait Palepu, also lists a number of tools and ways that can be used to enhance security on your devices.

“The best way to stay protected against such tools is to provide as much information on these cases as possible, to related software and security vendors,” said Galov. He added, “Software developers will fix the vulnerabilities exploited by the attackers and security vendors will take measures to detect and protect users from them.”
