Pegasus, the spyware made by Israeli firm NSO Group, was used to hack into the phones of at least 1,400 people globally by exploiting a vulnerability via WhatsApp to get into a user’s device.
Once the spyware is in, the device is as good as unlocked for the attacker, giving them access to all the apps on the phone. In other words, the attacker has complete control of the phone and can access any app, be it Telegram, Signal, Skype or payment wallets.
The spyware contains code that is capable of spying, collecting data, and reporting back on everything the user does on the device: calls, emails, texts, location, app data, etc. It remotely collects all the information about a target's device, wherever they are.
According to the NSO Group’s own product description manual, the spyware gives the attacker “unlimited” access to the target’s devices.
Target Oblivious to Attack
The installation is entirely concealed and the target will not be aware that software is being installed on their device.
However, such malware is likely to be vulnerable to most commercially available anti-virus and anti-spyware software. As such, it leaves traces and is fairly easily detected on the device by such software.
Works Across Platforms
Although this particular hack, where about 121 Indians were targeted, happened through WhatsApp, the spyware can trace data from any application on the phone. According to a Lookout report, it can access anything, including logs, mails, passwords, messages, calls and more, from apps including, but not limited to:
- FaceTime
- Gmail
- Line
- Mail.Ru
- Calendar
- Surespot
- Tango
- Viber
- Skype
- Telegram
- KakaoTalk
Installation
NSO says that installing the spyware is the most sensitive and important phase of the intelligence operation.
Following are the various ways an attacker can install Pegasus on a target:
1. REMOTE INSTALLATION
Over-the-Air (OTA): A push message is remotely and covertly sent to the mobile device. This message triggers the device to download and install the agent. During the entire installation process, no cooperation or engagement of the target is required (eg: no need to click a link, or open a message) and no indication appears on the device.
The installation is totally silent and invisible and cannot be prevented by the target. This is NSO’s uniqueness, which differentiates Pegasus significantly from other spyware.
2. ENHANCED SOCIAL ENGINEERING
Enhanced Social Engineering Message (ESEM): In cases where the OTA installation method is inapplicable, the system operator can choose to send a regular text message (SMS) or an email, luring the target to open it. A single click on the link will result in hidden agent installation.
Following are a few 'benefits' and 'features' of Pegasus:
BENEFITS
- Unlimited access to target's mobile devices: Remotely and covertly collect information about a target's relationships, location, phone calls, plans and activities – whenever and wherever they are.
- Intercept calls: Transparently monitor voice and VoIP calls in real-time.
- Bridge intelligence gaps: Collect unique and new types of information (eg, contacts, files, environmental wiretap, passwords, etc) to deliver the most accurate and complete intelligence.
- Handle encrypted content and devices: Overcome encryption, SSL, proprietary protocols and any hurdle introduced by the complex communications world.
- Application monitoring: Monitor a multitude of applications including Skype, WhatsApp, Viber, Facebook and Blackberry Messenger (BBM).
- Pinpoint targets: Track targets and get accurate positioning information using GPS.
- Service provider independence: No cooperation with local Mobile Network Operators (MNO) is needed.
- Discover virtual identities: Constantly monitor the device without worrying about frequent switching of virtual identities and replacement of SIM cards.
- Avoid unnecessary risks: Eliminate the need for physical proximity to the target or device at any phase.
FEATURES
- Penetrates all Android, BlackBerry, iOS and Symbian based devices
- Accesses password-protected devices
- Extracts contacts, messages, emails, photos, files, locations, passwords, processes list and more
- Leaves no trace on the device
- Self-destruct mechanism in case of exposure risk
- Retrieves any file from the device for deeper analysis
Unlike other such software, which provides only future monitoring of partial communications, Pegasus allows the extraction of all existing data on the device.