Built by the Israeli company NSO Group, also known as Q Cyber Technologies, the spyware can be used to record calls, copy and send messages, or even film people through their phone cameras. The spyware has been used to target both Apple iOS and Android devices.
Early versions of Pegasus required targets to click on malicious links sent to lure them in; doing so silently installed the software on their smartphones and allowed monitoring of their private data, including passwords, calls, texts and emails.
The spyware has the potential to turn smartphones into 24-hour surveillance devices. This is aided in part by its ability to evade most forensic analysis, avoid detection by antivirus software, and be silently disabled or removed by its operators.
Once installed, experts say, Pegasus connects the device to so-called command-and-control (C2) servers, computers or domains used to send commands to infected devices and receive data from them.
Pegasus is designed to consume minimal bandwidth, to avoid arousing suspicion, by sending regular, scheduled updates to its C2s.
C2 domains can therefore be used to confirm a Pegasus infection, by correlating the likely timeline of when a device was infected with the timestamps of the various data on the device that link it to those C2 servers.
For example, one of the forensic methods used by Amnesty International is based on a “temporal correlation” between the first appearance of data in the device logs and the phone’s communication with known Pegasus installation servers.
Experts, including those at Citizen Lab, an interdisciplinary lab based at the University of Toronto, are raising concerns about the current, more advanced versions of Pegasus.
These “zero-click” attacks work by exploiting vulnerabilities, or “zero-day” bugs, in device operating systems that have not yet been patched.
In December of last year, researchers including the lab’s Bill Marczak noted in a report that government agents were using this advanced version of the spyware to hack the personal phones of 36 journalists, producers, presenters and executives at the Al Jazeera news network.
They pointed to one such “zero-click” exploit targeting the iMessage app, which was used against iOS 13.5.1 to hack Apple’s latest iPhone 11.
Marczak noted in a tweet on Sunday that the latest iPhones could also be vulnerable to such click-less attacks, adding that there could be a “MAJOR issue of five flashing red alarms with iMessage security.”
To identify Apple devices targeted by Pegasus, Amnesty International analyzed the records of process executions and their respective network usage in “DataUsage.sqlite” and “netusage.sqlite”, two database files stored on iOS devices.
While the former is included in an iTunes backup of the device, the latter is not, according to the organization.
Amnesty International’s forensic analysis revealed that devices communicating with Pegasus C2 domains contained records of a suspicious process related to browser exploitation which “prepares for its infection with the full Pegasus suite”.
Amnesty has named 45 of these suspicious processes in its report, 28 of which are also listed in a separate report independently published by The Citizen Lab.
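The temporal-correlation check described above, as an added example that is not Amnesty International's or any published tool's code: it builds a constructed in-memory stand-in for DataUsage.sqlite (the ZPROCESS/ZLIVEUSAGE layout and column names used here are an assumption), then flags any process whose first recorded appearance falls within a short window of a contact with a known installation or C2 domain, together with the outbound traffic recorded for it. Process names, timestamps and byte counts are all constructed.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

MAC_EPOCH = 978307200  # Unix time of 2001-01-01 UTC, the epoch iOS "Mac absolute time" counts from
SAMPLE_C2_CONTACT = datetime(2021, 7, 1, 12, 0, tzinfo=timezone.utc)  # constructed contact time

def mac_to_dt(ts):
    """Mac-absolute seconds (as stored in DataUsage.sqlite) -> aware UTC datetime."""
    return datetime.fromtimestamp(ts + MAC_EPOCH, tz=timezone.utc)

def dt_to_mac(dt):
    return dt.timestamp() - MAC_EPOCH

def build_sample_db():
    """Constructed stand-in for DataUsage.sqlite; the two-table layout is an assumption."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ZPROCESS (Z_PK INTEGER PRIMARY KEY, ZPROCNAME TEXT, ZFIRSTTIMESTAMP REAL, ZTIMESTAMP REAL);
        CREATE TABLE ZLIVEUSAGE (Z_PK INTEGER PRIMARY KEY, ZHASPROCESS INTEGER, ZTIMESTAMP REAL, ZWWANIN REAL, ZWWANOUT REAL);""")
    t0 = SAMPLE_C2_CONTACT
    procs = [  # (pk, name, first seen, last seen); names are constructed, not real Pegasus process names
        (1, "mobilemail", t0 - timedelta(days=30), t0),
        (2, "constructed_helper", t0 - timedelta(minutes=2), t0 + timedelta(minutes=5)),
        (3, "safari", t0 - timedelta(days=60), t0),
    ]
    conn.executemany("INSERT INTO ZPROCESS VALUES (?,?,?,?)",
                     [(pk, n, dt_to_mac(f), dt_to_mac(l)) for pk, n, f, l in procs])
    conn.executemany("INSERT INTO ZLIVEUSAGE VALUES (?,?,?,?,?)", [  # (pk, process pk, time, wwan in, wwan out)
        (1, 1, dt_to_mac(t0), 120000.0, 30000.0),                     # long-lived mail client
        (2, 2, dt_to_mac(t0 + timedelta(minutes=1)), 4096.0, 512.0),  # small burst right after the contact
        (3, 3, dt_to_mac(t0), 900000.0, 50000.0),                     # browser
    ])
    return conn

def correlate(conn, c2_contacts, window=timedelta(minutes=15)):
    """Flag processes first seen within `window` of a known installation/C2 contact -> (name, first_seen, c2_time, bytes_out)."""
    rows = conn.execute("""
        SELECT p.ZPROCNAME, p.ZFIRSTTIMESTAMP, COALESCE(SUM(u.ZWWANOUT), 0)
        FROM ZPROCESS p LEFT JOIN ZLIVEUSAGE u ON u.ZHASPROCESS = p.Z_PK
        GROUP BY p.Z_PK""").fetchall()
    hits = []
    for name, first_ts, out_bytes in rows:
        first = mac_to_dt(first_ts)
        for c2 in c2_contacts:
            if abs(c2 - first) <= window:
                hits.append((name, first.isoformat(), c2.isoformat(), out_bytes))
    return hits

def run_sample():
    return correlate(build_sample_db(), [SAMPLE_C2_CONTACT])
```

On the constructed data only `constructed_helper`, first seen two minutes before the contact, is flagged; the long-established mail client and browser are not, which is the point of anchoring on first appearance rather than on traffic alone.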
Attackers can even go to great lengths to socially engineer their targets and subsequently exploit vulnerabilities in their devices.
In one such incident, the wife of a murdered Mexican journalist received alarming texts about her husband’s murder, intended to trick her into clicking a link and infecting her phone with Pegasus.
Another version of the spyware targeted 1,400 phones via a software vulnerability in WhatsApp that was exploited through a missed voice call.
The Facebook-owned company said it identified and fixed the bug soon after.
Experts warn that not all of the vectors and methods used to infect devices with the spyware are publicly known, fueling concerns of a growing cyber arms race.
“We believe that remedying this problem will not be easy or straightforward. It will take a coalition of stakeholders, including governments, the private sector and civil society to rein in what is now a ‘wild west’ of absolute abuse,” the Citizen Lab report noted.
Experts have warned that the NSO Group, which only sells Pegasus to governments, and other companies are equipping authoritarian governments with powerful tools to hold politicians and administrators to account.
“Failure to act urgently in the face of this critical public emergency threatens liberal democracy and human rights around the world,” they noted.