How Pegasus Spyware Can Bypass Your Phone’s Security
It doesn’t matter if you are using Signal, Telegram or WhatsApp, Pegasus spyware can bypass your phone's security and gain complete access to your device without your knowledge. To learn how to detect the subtle signs and changes in your phone’s performance and about the risks this technology poses to your privacy, read on.
How the Spyware Has Changed
NSO Group was founded in 2010, yet it took six years for a suspected spear-phishing attempt to bring Pegasus to public attention. In 2016, UAE human rights activist Ahmed Mansoor received a text message promising details of alleged torture of prisoners in the country’s jails. He did not open the link. Instead, the intended target forwarded the message to the University of Toronto’s Citizen Lab, which studies internet threats at the Munk School of Global Affairs.
Collaborating with Lookout, a mobile security company, researchers found that the link would have chained three previously unknown iOS vulnerabilities (dubbed “Trident”) to silently jailbreak the phone and gain unrestricted access to the intended target’s iPhone. Apple was informed before the story was released and patched the flaws in iOS 9.3.5. Lookout noted, “Persistent, enterprise-class spyware is an underestimated problem on mobile devices.”
Developed by Israeli cyber intelligence company NSO Group, Pegasus has continuously evolved to stay ahead of the defenses Apple and Google add to iOS and Android. Delivery has moved from links in SMS text messages to ‘zero-click’ attacks, which is concerning because they require no action from the user at all. Pegasus is difficult to detect on either iOS or Android, and its operators rely on zero-day exploits: vulnerabilities the phone manufacturer does not know about, and therefore has not patched, at the time of the attack.
Three Letter Agency Leaks
When whistleblower Edward Snowden, a former CIA employee and NSA contractor, leaked US secrets in 2013, one of the NSA’s own spying tools he exposed was XKeyscore (it is an NSA program, not an NSO product). The software, also known as XKS, intercepted communications traffic of everyone from European leaders to US citizens. Over 120 global leaders were reportedly targeted by the NSA, which listened in on millions of phone calls daily.
XKS was the widest reaching surveillance system at the time, capable of knowing every move made by its targets, from tracking IP addresses and internet searches to reading email and being able to intercept these activities in real time.
Of course, the most shocking news from Snowden’s revelations was not that governments spied on each other. It was the NSA’s ability to breach the privacy of everyday citizens who were not suspected of any wrongdoing. Information gleaned by eavesdropping on the public included basic identifying details as well as political alignment, sexual orientation, income, marital status, education level, and more.
Who Uses Spyware?
The Pegasus Project was a collaborative effort to learn who was targeted by users of NSO’s software. The project was coordinated by the journalism non-profit Forbidden Stories and Amnesty International, who invited the Organized Crime and Corruption Reporting Project (OCCRP) and a dozen other organizations to help with the investigation, including The Washington Post and The Guardian.
Following a leaked list of more than 50,000 phone numbers believed to have been selected as targets of interest by NSO clients, investigators identified hundreds of unusual suspects. Targets ranged from academics to activists, journalists and lawyers, including 10 prime ministers, three presidents and a king. Forensic analysis by Amnesty’s Security Lab confirmed infection or attempted infection on a subset of the phones that could be examined.
More than 600 government officials and politicians from 34 countries are on the Pegasus Project list. Originally marketed as a tool to fight organized crime and terrorism, Pegasus reportedly carries a set-up fee of around $500,000, and NSO says it sells only to government clients. It is relied upon by law enforcement, intelligence agencies and governments who spy on friend and foe alike, despite lawsuits from Apple and WhatsApp and mounting legal challenges.
In Canada, the RCMP recently admitted to using spyware on suspects’ devices, although it has yet to be confirmed whether Pegasus is the tool employed.
Infamous NSO Implant Takedowns
The earliest reported arrest aided by Pegasus spyware was that of the Mexican cartel boss known as El Chapo. In 2012, the Mexican government reportedly signed a $20 million contract with NSO to apprehend El Chapo using Pegasus.
The drug lord had been imprisoned and escaped, twice. While in prison he reportedly used phones that had been compromised with NSO surveillance software. El Chapo dreamed of having his life made into a movie or TV series, which he was recorded discussing with his lawyers prior to his escape from prison in 2015.
Mexican telenovela star Kate del Castillo was enlisted to help him realize this goal. She set up a meeting with actor, director and producer Sean Penn to consider telling his story. The actress’s phone had been implanted with Pegasus. Despite great lengths to conceal his whereabouts, authorities tracked his location and communications. Shortly after the meeting El Chapo was arrested again, aided by Pegasus.
Penn is now working on an untitled documentary about Jamal Khashoggi, the US-based journalist and critic of Saudi Arabia’s government who was murdered in 2018 at the Saudi consulate in Istanbul. It has been widely reported that phones belonging to people close to Khashoggi, including his wife, were targeted with Pegasus before and after the killing. NSO CEO Shalev Hulio denies any connection: “Khashoggi was not targeted by any NSO product or technology, including listening, monitoring, location tracking and intelligence collection.”
The office of UK Prime Minister Boris Johnson and the Foreign Office were targeted by Pegasus, according to Citizen Lab. “Several No 10 mobile phones, including Boris Johnson’s, were tested after the 2020 breach – but UK officials were apparently unable to locate the infected device nor the nature of any stolen data.”
EU lawmakers launched an inquiry into widespread use of Pegasus against some of the bloc’s most prominent leaders. French President Emmanuel Macron’s number appeared on the leaked target list, and Spanish Prime Minister Pedro Sánchez’s phone was confirmed to have been infected.
How Does Spyware Work?
As outlined on Kaspersky.com, a hypothetical zero-click attack might work like this:
- Attackers identify a vulnerability in an app typically used for calling, email or messaging
- A specially crafted message, call or packet is sent to the target; because the bug is in how the app parses the data, no social engineering and no action from the victim is needed
- The exploit allows malware to infect the device remotely
- The attacker’s email, message, or call won’t necessarily remain on the device, so there may be no visible trace
- The implanted trojan can be used to take over the user’s device and extract data
“The hack can be a series of network packets, authentication requests, text messages, MMS, voicemail, video conferencing sessions, phone calls, or messages sent over Skype, Telegram, WhatsApp, etc. All of these can exploit a vulnerability in the code of an application tasked with processing the data.” Sensitive private online activity can be leaked, or the user’s movements tracked by malicious actors. Attackers can use a zero-click exploit to gain access to financial information or for identity theft.
Pegasus stands out from a range of similar products by using a technique NSO’s own marketing calls Over-the-Air (OTA) installation. The exact implementation of a Pegasus OTA attack isn’t public, although it relies on zero-day vulnerabilities and zero-click delivery. The victim’s phone number or email address is used to push a trigger message that installs Pegasus; that is the only information an operator needs to launch an attack. Messaging and calling apps such as iMessage, WhatsApp, Facebook Messenger, Skype, Viber and Telegram have all served as delivery channels, and users don’t have to answer the call or click a link for the spyware to be activated. End-to-end encryption does not help here: the exploit runs on the device itself, after the message has been decrypted, and reads data before it is encrypted for sending.
Hiding and Seeking Spyware
Because Pegasus and other surveillance implants, including Hornbill and SunBird, are built to persist or to be silently re-installed, they are extremely difficult to combat even after they are detected. As long as the vulnerability used for the initial compromise remains unpatched, the operator can simply re-exploit the device. ZDNet reported, “Hornbill and SunBird have different approaches to spying. Hornbill is described as a ‘discreet surveillance tool’ designed to selectively steal data of interest to its operator, whereas SunBird contains Remote Access Trojan (RAT) functionality, permitting the additional deployment of malware and remote hijacking.”
Lookout Threat Lab has uncovered a new Android surveillanceware dubbed Hermit, used by the government of Kazakhstan, which was likely developed by Italian spyware vendor RCS Lab S.p.A. Delivered through SMS links rather than zero-click exploits, Hermit relies on deception. In Lookout’s words, “Hermit tricks users by serving up the legitimate webpages of the brands it impersonates as it kickstarts malicious activities in the background ... Hermit pretends to come from legitimate entities, namely telecommunications companies or smartphone manufacturers. To keep up this facade, the malware loads and displays the website from the impersonated company simultaneously as malicious activities kickstart in the background.” An iOS version of Hermit is also circulating.
How to Tell If Your Phone Has Spyware
Forensic evidence of Pegasus is easier to recover on iPhones than on Android devices, because iOS keeps more detailed system logs and databases (process data-usage records, Safari history, message attachments) that survive in a backup, while Android logging is sparser. Since most confirmed Pegasus cases are on iOS, Amnesty International’s Mobile Verification Toolkit (MVT) is most mature for iPhones, although it also supports Android over adb. MVT does not run on the phone and does not require a jailbreak: it runs on a computer, reads an iTunes/Finder backup of the device (an encrypted backup preserves more artifacts), and compares what it finds against published indicators of compromise such as known malicious domains, process names and file paths. A conventional antivirus scan will not reveal Pegasus, as the implant runs with system privileges and leaves few conventional files behind.
Spyware, by design, is not noticeable to users. You can look for changes in your phone’s performance, which could be an indication it has spyware, but note that these symptoms are generic, usually have innocent causes, and a well-built zero-click implant may produce none of them; a forensic check such as MVT is the reliable route. Symptoms may include:
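To make the indicator-matching step concrete, the following is an added illustration written for this article; it is not code from Amnesty’s MVT, from NSO, or from ChatMail. It mimics what `mvt-ios check-backup` does at its core: take artifacts pulled from a backup (Safari history, links in SMS, process names from data-usage records) and match them against an indicator list. Both the indicator set and the backup records are constructed placeholders so the script runs offline; none of the domains or process names are real Pegasus indicators.

```python
"""
Added example (not from this page, MVT, or any vendor): a minimal
indicator-of-compromise scan over constructed backup artifacts,
in the spirit of `mvt-ios check-backup`. Indicators and records below
are illustrative placeholders, NOT real Pegasus IOCs.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlparse

# Constructed IOC set. Real MVT loads these from Amnesty's STIX2 files;
# "domains" and "processes" are the two indicator types handled here.
IOCS: Dict[str, Set[str]] = {
    "domains": {"example-installer.test", "cdn.bad-updates.test"},
    "processes": {"bh", "roleaboutd"},
}

# Constructed backup extract: (timestamp, value) as a parser might return.
SAMPLE_BACKUP: Dict[str, List[Tuple[str, str]]] = {
    "safari_history": [
        ("2021-07-18T10:02:11Z", "https://www.apple.com/"),
        ("2021-07-18T10:05:40Z", "https://sub.cdn.bad-updates.test/Li7w"),
        ("2021-07-18T10:06:02Z", "not a url"),          # malformed entry
    ],
    "sms_links": [
        ("2021-07-17T21:14:09Z", "http://example-installer.test/abc"),
        ("2021-07-17T22:00:00Z", "https://news.example.org/story"),
    ],
    "datausage": [
        ("2021-07-18T10:05:41Z", "mDNSResponder"),
        ("2021-07-18T10:05:43Z", "bh"),                 # placeholder name
        ("2021-07-18T10:07:00Z", "WhatsApp"),
    ],
}


@dataclass(frozen=True)
class Detection:
    source: str      # which artifact table the hit came from
    timestamp: str   # when the artifact was recorded on the device
    value: str       # the raw record value (URL or process name)
    indicator: str   # the IOC it matched


def domain_matches(host: str, ioc_domains: Set[str]) -> Optional[str]:
    """Return the indicator `host` matches, testing the host itself and
    every parent domain (a.b.ioc.test matches ioc.test). The bare TLD
    is never tried, so a lone "test" cannot match anything."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in ioc_domains:
            return candidate
    return None


def host_of(value: str) -> Optional[str]:
    """Hostname of a URL-ish string, or None if there is none."""
    try:
        return urlparse(value).hostname
    except ValueError:           # e.g. broken IPv6 literal
        return None


def scan_backup(backup: Dict[str, List[Tuple[str, str]]],
                iocs: Dict[str, Set[str]] = IOCS) -> List[Detection]:
    """Run each record through the check appropriate to its source table."""
    hits: List[Detection] = []
    for source, records in backup.items():
        for ts, value in records:
            if source in ("safari_history", "sms_links"):
                host = host_of(value)
                ind = domain_matches(host, iocs["domains"]) if host else None
            elif source == "datausage":
                ind = value if value in iocs["processes"] else None
            else:
                ind = None       # unknown artifact type: skipped, not an error
            if ind:
                hits.append(Detection(source, ts, value, ind))
    return hits


if __name__ == "__main__":
    for d in scan_backup(SAMPLE_BACKUP):
        print(f"{d.timestamp} {d.source:15} {d.value!r} -> {d.indicator}")
```

Against the constructed data this reports three hits: the Safari visit to a subdomain of an indicator domain, the SMS link, and the placeholder process name. With the real tool the workflow is the same shape: `mvt-ios decrypt-backup` to decrypt an encrypted backup, `mvt-ios download-iocs` to fetch Amnesty’s published STIX2 indicators, then `mvt-ios check-backup --iocs <file> --output <dir> <backup>`; a clean run proves only that no known indicator was found, not that the device is uncompromised.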
- faster battery drain
- resets and random shutdowns
- calls from unknown sources
- unusual notifications
- prolonged shutdown times and rebooting difficulties
- increased storage consumption
- sluggish performance
- a screen that randomly lights up in sleep mode
- files with unusual extensions
- questionable apps you don’t recollect installing
How ChatMail Protects You From Pegasus and Similar Exploits
Despite the dire consequences of having spyware implanted on your phone, you can reduce your exposure with the right solution. ChatMail is designed so that the delivery channels a Pegasus implant depends on are absent. Our SIM cards are not provisioned for calling; therefore, they do not have a phone number that could be used to push a zero-day or zero-click trigger message. With ChatMail, you can only use data for messaging, which is fully encrypted in transit and at rest. Likewise, you cannot use ChatMail for standard SMS messaging. Additionally, all email is delivered PGP-encrypted and parsed by ChatMail to be displayed as a chat message, so there is no full email client with attachment and rich-content handling for an exploit to target. Even when using public Wi-Fi, your encrypted calling and ChatMail messaging remain secure.
Our proprietary technology goes beyond messaging and calling to keep ChatMail users protected. ChatMail does not allow any third-party apps. GPS location, Bluetooth, and internet browsing have all been disabled, which removes the app, browser and radio attack surface that most mobile exploits rely on. Even the camera is customized, and its output is fully encrypted. Furthermore, ChatMail is the only mobile solution to demonstrate its encryption to enterprise organizations with a live data extraction. The result is trustworthy, tamper-resistant engineering that safeguards your sensitive information and reputation, supported by our private data center and industry leading mobile device management.
ChatMail. Engineered for Security. Designed for Privacy.