By Silas Jonathan
Pegasus is a sophisticated spyware developed by the Israeli cyber-arms firm NSO Group that can be discreetly installed on mobile phones running most versions of iOS and Android to infiltrate users’ personal information. The tool has been primarily used to hack the smartphones of targeted victims worldwide.
Your end-to-end encrypted social media apps such as WhatsApp and Facebook are not so ‘encrypted’. In essence, it is technological policies that guard your privacy and your activities online. While these policies have been reliable, at least for as long as they have lasted, your online activities are not as private as you may think. They may be protected, but when those who seek your private information come after it, you can do little or nothing about it. And Pegasus guarantees that. Pegasus is spyware that bypasses all the protective devices on your smartphone, infiltrates your personal data, and supplies it to those seeking it.
Pegasus is developed by the Israeli cyber arms firm NSO Group; it can be discreetly installed on mobile phones without the user’s knowledge. The Pegasus spyware enters a smartphone and takes control of everything including functionalities such as the camera and microphone.
Built to infiltrate phones running Android, BlackBerry, iOS, and Symbian and open them to surveillance, the spyware does not need users’ consent or actions to carry out its operations successfully.
Although the NSO Group was founded in 2010 with the sole purpose of developing best-in-class technology to help government agencies detect and prevent a wide range of global and local threats, there have been concerns from journalists, human rights activists, politicians, and other individuals over direct use of spyware on them to stifle democracy, especially in autocratic nations.
The earliest reported use of Pegasus was by the Mexican government in 2011 to track notorious drug baron Joaquín “El Chapo” Guzmán.
Jamal Khashoggi, the murdered Saudi Arabian dissident, was said to have been monitored using the Pegasus spyware.
In August 2016, an investigation revealed failed attempts to install the spyware on a human rights activist. The news attracted wide attention, and the attempt was widely regarded as the “most sophisticated” privacy breach on a smartphone.
This set of events marked the earliest use of the tool to track down persons. Nonetheless, numerous documentaries and investigations that were eventually released revealed that the spyware has been used to track people acquainted with the murdered Saudi Arabian dissident, Jamal Khashoggi.
Pegasus at work…
Like most software, Pegasus has evolved to improve its operations. Earlier versions of the tool relied mainly on the user’s susceptibility to clicking a spear-phishing link sent to the phone, or to a document, dummy message, or missed call that covertly installs the spyware. The latest version of Pegasus is more sophisticated and does not need the user’s input. It can now simply penetrate a smartphone, especially through widely used end-to-end encrypted messaging apps like WhatsApp, without the phone’s user even noticing.
According to the Regional Editor of The Conversation Africa, Adejuwon Soyinka, “since 2019, Pegasus users have been able to install the software on smartphones with a missed call on WhatsApp, and can even delete the record of the missed call, making it impossible for the phone’s owner to know anything is amiss. Another way is by simply sending a message to a user’s phone that produces no notification.”
This means that the updated version of the spyware does not need the smartphone holder to do anything. As Soyinka puts it, “All that is required for a successful spyware attack and installation is having a particularly vulnerable app or operating system installed on the device. This is known as a zero-click exploit.” This can be carried out in different ways. The Indian Express explained that “one over-the-air (OTA) option is to send a push message covertly that makes the target device load the spyware, with the target unaware of the installation over which she anyway has no control.”
The Washington Post also reported on an international investigation into 23 Apple devices that were successfully hacked. “Zero-click” attacks can work on even the newest generations of iPhones, even after years of effort in which Apple attempted to close the door against unauthorized surveillance.
Will Cathcart, WhatsApp’s Chief Executive Officer, even expressed his disappointment with the NSO and explained that “A user would receive what appeared to be a video call, but this was not a normal call. After the phone rang, the attacker secretly transmitted malicious code in an effort to infect the victim’s phone with spyware. The person did not even have to answer the call.”
“Once it is installed on the user’s phone, Pegasus can harvest any data from the device and transmit it back to the attacker. It can steal photos and videos, recordings, location records, communications, web searches, passwords, call logs, and social media posts. It also has the capability to activate cameras and microphones for real-time surveillance without the permission or knowledge of the user,” Cathcart said.
Which type of people are targeted?
The NSO said it created the Pegasus spyware to help government agencies quell terrorism and insecurity. While countries like India, Mexico, Saudi Arabia, and some other nations are known to have used or are still using the Pegasus spyware, it remains ambiguous who or what types of people are being targeted and why.
However, the well-known stories around Jamal Khashoggi’s murder show the tool is widely used by repressive governments around the world to monitor and track the activities of journalists and human rights activists. According to Amnesty International, there is a list that contains phone numbers that were marked as “of interest” to NSO’s various clients, though it’s not known if any of the phones associated with the numbers have actually been tracked.
This reality has led to an in-depth investigation by a media consortium called the Pegasus Project into over 50,000 phone numbers. Though the research could only trace the actual identities of 1,000 people in over 50 countries from the list, conclusive findings show that the people who appeared on the list are neither terrorists nor criminals but politicians, government workers, journalists, human rights activists, business executives, and Arab royal family members.
The Pegasus Project reports: “the NSO Group says it builds Pegasus solely for governments to use in counterterrorism and law enforcement work. The company markets it as a targeted spying tool to track criminals and terrorists and not for mass surveillance. The company does not disclose its clients.”
A tool to detect the Pegasus Spyware
How to detect Pegasus is a question that has been asked countless times by people who have come across or heard about the spyware. The short answer is that there is no particular way or sign to do so. However, there is a toolkit developed by Amnesty International that verifies the status of devices and allows users to know if their mobile phones were infected with the spyware.
This toolkit has been given a boost by Switzerland-based developer DigiDNA, which has improved its iOS device manager, iMazing. The tool detects all sorts of spyware including Pegasus. According to terms outlined by DigiDNA, the spyware detection tool is only for iOS devices and does not analyze jailbroken iPhones (jailbreaking allows the phone’s owner to gain full access to the root of the operating system and access all the features).
You can do something about it: It’s not a totally helpless situation
Nonetheless, it is pertinent to note that Pegasus has its own lapses and gaps. According to a Pegasus brochure, “installation from browsers other than the device default (and also chrome for android based devices) is not supported by the system”. This implies that one way to evade the spyware is to change the default phone browser. This action halts the installation of the spyware.
According to a set of precautions against Pegasus presented by the Indian Times, thoughtful cyber hygiene can safeguard against spyware’s baits. But when Pegasus exploits a vulnerability in one’s phone’s operating system, there is nothing one can do to stop a network injection. Worse, one will not even be aware of it unless the device is scanned at a digital security lab.
The article further outlines that “Switching to an archaic handset that allows only basic calls and messages will certainly limit data exposure, but may not significantly cut down infection risk. Also, any alternative devices used for emails and apps will remain vulnerable unless one forgoes using those essential services altogether.”
“Therefore, the best one can do is to stay up to date with every operating system update and security patch released by device manufacturers, and hope that zero-day attacks become rarer. And if one has the budget, changing handsets periodically is perhaps the most effective, if expensive, remedy.”
“Since the spyware resides in the hardware, the attacker will have to successfully infect the new device every time one changes. That may pose both logistical (cost) and technical (security upgrade) challenges. Unless one is up against unlimited resources, usually associated with state power.”
The Pegasus spyware has no doubt altered cybersecurity. While the protection built against it is no match for its influence and ravaging capacity, the Pegasus spyware, like many other technologies that have come before it, will eventually give way and perhaps be forgotten. However, until that time comes, smartphone users will continue to be vulnerable to this spyware, since end-to-end encrypted applications are also susceptible to “mighty Pegasus” and cannot protect one’s private information.