Pegasus spyware recently came to the international limelight in mid-July 2021 when a coalition of 17 news organizations including The Washington Post, Le Monde, and The Guardian started reporting on a major investigation around it.
Dubbed the Pegasus Project, the investigation was led by Paris-based non-profit Forbidden Stories, an organization of reporters that deep-dives into stories where the original journalists have been silenced. Forbidden Stories collaborated with Amnesty International.
While this investigation brought Pegasus to global attention, cybersecurity experts have known of its existence for years. And it has been covered in the news multiple times before.
Researchers at Lookout blogged about Pegasus in August 2016. The malware was discovered when UAE human rights activist Ahmed Mansoor received a number of SMS messages containing what he believed were suspect links. He forwarded the messages to the University of Toronto’s Citizen Lab who, together with Lookout, found that his iPhone would have been infected by sophisticated spyware if he clicked on the links.
In 2019, instant messaging behemoth WhatsApp sued Pegasus’ developer claiming the spyware was behind the hack of more than 1,300 devices over a 2-week period. The hack leveraged an exploit in WhatsApp’s code. The lawsuit is still ongoing as of the publishing of this post.
What Is Pegasus?
Pegasus spyware is developed by Israel-based NSO Group. While spyware has been with us for decades now, what has made Pegasus stand out is not just how it could hack fully updated smartphones but also its use by government agencies as a surveillance tool.
The team of journalists in the Pegasus Project claimed to have accessed more than 50,000 phone numbers of surveillance targets of the NSO Group’s clients. NSO, however, has disputed the authenticity of this list.
From the list of 50,000, the Pegasus Project investigation allegedly linked over 1,000 numbers to government officials, human rights activists, journalists, and business people. A forensic analysis of 67 phones belonging to numbers on this shortlist of 1,000 found that intrusions or attempted intrusions came shortly after the number was added to the list.
NSO and a number of governments have issued statements in response to the Pegasus Project.
What Is Spyware?
Spyware is a form of malware (or malicious software) that is installed on a target computing device without the device user’s knowledge or explicit consent. It infiltrates the device’s system and applications to extract confidential information then relay it to the spyware’s author or client.
The author or client could be governments, hacking groups, data firms, advertisers, jealous spouses/partners, suspicious employers, concerned parents, and other interested parties.
Of all types of malware, spyware is arguably the most dangerous. It can capture a user’s login credentials, track browsing activity, harvest credit card numbers, track user location, intercept emails and texts, access multimedia files, and even record conversations.
The most advanced spyware such as Pegasus is often deployed by intelligence agencies and law enforcement. That said, terrorist organizations and sophisticated criminal groups may have the means to purchase such tools.
The NSO Group
Founded in 2010, NSO is a private Israel-based company specializing in developing spyware. Pegasus is NSO’s signature product. The company claims it works with customers in 40 countries including 60 government agencies.
NSO has offices in Cyprus and Bulgaria, has 750 employees, and had revenues exceeding $240 million in 2020. The business’ majority owner is the London-based private equity firm Novalpina Capital.
As you would expect, NSO won’t say who its clients are. The company cites confidentiality agreements. However, Citizen Lab security researchers documented suspected Pegasus-infected devices in 45 countries as of 2018.
These countries included Brazil, Canada, Egypt, France, India, Mexico, the Netherlands, Poland, Saudi Arabia, South Africa, Thailand, Turkey, the United States, and the United Kingdom. That being said, the presence of an infected device in a country does not necessarily mean that country’s government is an NSO client.
How Spyware Works
Spyware can infiltrate a target device in multiple ways. Often, this will happen via a misleading app package, an email attachment, an SMS, a malicious website, deceptive pop-up ads, or via portable storage.
In its least harmful form, spyware will run at device startup and then generate pop-up ads and/or slow down the web browser. It could change the browser’s homepage, redirect searches, and even serve fabricated search results. Spyware can alter files responsible for Internet connectivity, thus creating network failures that are difficult to diagnose.
At its most harmful, such as Pegasus, spyware will use screen captures and keyloggers to track passwords, personal identification numbers, credit card numbers, banking records, browsing history, emails, SMS, and phone calls. This information can thereafter be the basis for extensive surveillance or identity theft. The data may also be sold in the black market to criminal groups and rogue governments.
Why Spyware Is So Dangerous
Almost any data or communication on the infected device is vulnerable. Personal information, emails, SMS, social media posts, encrypted chat apps, browser history, camera, microphone, calls, call logs, device location, device movement, documents, notes, and multimedia files. Nothing is off-limits.
Advanced spyware such as Pegasus often has the ability to activate cameras and microphones without turning on the device screen or any other indicator of such activation.
You would expect encryption to be an effective defense against spyware. However, end-to-end encryption tools are often designed to protect the information in transit from man-in-the-middle attacks. End-to-end encryption is not as effective against device attacks targeting the data before transmission or after receipt. Spyware on the device can read the data at rest.
Spyware could also make changes to firewall settings while altering critical security configurations in order to create opportunities for more malware. Certain forms of spyware can even detect when the device is trying to remove them and will block attempts to do so.
Types of Spyware
Spyware is actually a diverse group of program types, the main ones being listed below. Note that certain forms of spyware such as Pegasus may combine the characteristics of several of these types.
Adware
Adware will use tracking cookies to record the device user’s browsing habits, downloads, and personally identifiable information (PII). The adware vendor or client then uses the information they gather to generate advertising that the user is likely to be interested in. Adware is often bundled with freeware, shareware and utilities downloaded to the user’s device.
Keyboard Loggers (Keyloggers)
Keyloggers facilitate the theft of login credentials, PII, and sensitive enterprise data.
Keyloggers may be used by an employer keen on tracking employee activities, by parents to monitor their children’s Internet usage, by device owners to keep tabs on device theft or unauthorized activity on their devices, by law enforcement agencies to investigate crime-related incidents, or by authoritarian regimes to spy on rights activists.
Keyloggers may come in software or hardware form. Hardware keyloggers resemble a USB drive and, when installed on a desktop computer, form a physical connection between the keyboard and computer. Software keyloggers are downloaded and executed unwittingly.
Trojans
A Trojan is malware disguised as genuine software. The victim unknowingly installs the application, giving the Trojan access to the device. Depending on the Trojan author’s intention, it could delete files, grant data access to unauthorized persons, or encrypt files for a ransom.
Is Your Device Vulnerable to Pegasus Infection?
In theory, virtually every smartphone is susceptible to Pegasus. However, given that NSO’s clients are mostly comprised of government agencies, the overwhelming majority of smartphone users are unlikely to be a target.
Terrorists, criminals, politicians, government officials, diplomats, human rights workers, journalists, business leaders, prominent persons, as well as their associates and relatives are far more likely to be in the crosshairs of government surveillance.
How to Detect Spyware
Spyware is designed to be more difficult to detect than other forms of malware. It is built to work stealthily and not raise the device user’s suspicion. Therefore, devices hacked with advanced spyware such as Pegasus may have to be subjected to expert technical examination before they can display evidence they’ve been targeted, at least until antivirus vendors catch up with the spyware’s signatures.
In the case of Pegasus, Amnesty International’s Security Lab developed a test to inspect phones for signs of infection. Individuals whose numbers were on the list were asked to volunteer their phones for analysis, and 67 agreed. Of these, 23 had evidence of successful infection, 14 had traces of an attempted hack, while 30 turned up inconclusive.
For more ordinary spyware, the first sign of infection is often a noticeable deterioration in network connection, processor speed, battery life, and/or data usage. The device may also crash regularly, pop-up ads may appear even when offline, or there may be a rapid reduction in free device space. Other signs include receiving odd emails, text messages, or social media messages.
Antispyware tools can help in the detection, removal, and prevention of spyware.
How to Remove Spyware
To remove most spyware, follow these steps in order, stopping only when you are confident you have eliminated it.
- Disconnect the device’s Internet. Check the list of installed programs to see if the spyware is listed there. If it is, uninstall it.
- If you don’t see spyware among installed applications, run a system scan using a reputable antivirus application from vendors such as Symantec, Kaspersky, and McAfee. The scan may pick up suspicious applications or files and would ask if you want to quarantine, clean, or delete the suspicious item.
- In case the virus scan yields nothing but you still suspect something untoward is going on, download a specialized antispyware tool and let it run a scan of the system. Only use reputable antispyware like Trend Micro HouseCall and Malwarebytes.
- Access the device’s hard drive in safe mode, identify the spyware folders, and delete them manually.
- Back up all data on the device then reset it to factory settings.
- Contact a cybersecurity expert.
How to Prevent Spyware
Adhering to cybersecurity best practices is the most effective means of preventing spyware infection. These practices include the following.
- Download applications from trusted, official sources. For desktop and laptop computer users, that means downloading applications from the vendor’s official website. For smartphone users, download apps from official app stores (such as Google Play Store and Apple App Store).
- Read through the terms and conditions before installing software.
- Do not click on pop-up ad windows.
- Use an ad or pop-up blocker.
- Stay current with software updates and security patches for operating systems, browsers and applications. Enable automatic updates.
- Do not click on links or open attachments from unknown sources.
- Install reputable antivirus and antispyware tools.
- Conform to the principle of least privilege when granting user permissions.
- Ensure remote access occurs over a virtual private network.
You may not consider yourself prominent enough to be a target of spyware such as Pegasus. Nevertheless, if your sixth sense tells you that your device could be under third-party surveillance, act quickly to regain your privacy. In the worst case, that may mean disposing of the device entirely and obtaining a new one.