<https://www.theguardian.com/news/2021/jul/18/what-is-pegasus-spyware-and-how-does-it-hack-phones>


What is Pegasus spyware and how does it hack phones?
Pegasus can infect a phone through ‘zero-click’ attacks, which do not require 
any interaction from the phone’s owner to succeed.

NSO Group software can record your calls, copy your messages and secretly film you
David Pegg and Sam Cutler
Sun 18 Jul 2021 17.00 BST

Last modified on Mon 19 Jul 2021 09.53 BST

It is the name for perhaps the most powerful piece of spyware ever developed – 
certainly by a private company. Once it has wormed its way on to your phone, 
without you noticing, it can turn it into a 24-hour surveillance device. It can 
copy messages you send or receive, harvest your photos and record your calls. 
It might secretly film you through your phone’s camera, or activate the 
microphone to record your conversations. It can potentially pinpoint where you 
are, where you’ve been, and who you’ve met.

Pegasus is the hacking software – or spyware – that is developed, marketed and 
licensed to governments around the world by the Israeli company NSO Group. It 
has the capability to infect billions of phones running either iOS or Android 
operating systems.

The earliest version of Pegasus discovered, which was captured by researchers 
in 2016, infected phones through what is called spear-phishing – text messages 
or emails that trick a target into clicking on a malicious link.

Since then, however, NSO’s attack capabilities have become more advanced. 
Pegasus infections can be achieved through so-called “zero-click” attacks, 
which do not require any interaction from the phone’s owner in order to 
succeed. These will often exploit “zero-day” vulnerabilities, which are flaws 
or bugs in an operating system that the mobile phone’s manufacturer does not 
yet know about and so has not been able to fix.

In 2019 WhatsApp revealed that NSO’s software had been used to send malware to 
more than 1,400 phones by exploiting a zero-day vulnerability. Simply by 
placing a WhatsApp call to a target device, malicious Pegasus code could be 
installed on the phone, even if the target never answered the call. More 
recently NSO has begun exploiting vulnerabilities in Apple’s iMessage software, 
giving it backdoor access to hundreds of millions of iPhones. Apple says it is 
continually updating its software to prevent such attacks.

Technical understanding of Pegasus, and how to find the evidential breadcrumbs 
it leaves on a phone after a successful infection, has been improved by 
research conducted by Claudio Guarnieri, who runs Amnesty International’s 
Berlin-based Security Lab.

“Things are becoming a lot more complicated for the targets to notice,” said 
Guarnieri, who explained that NSO clients had largely abandoned suspicious SMS 
messages for more subtle zero-click attacks.

For companies such as NSO, exploiting software that is either installed on 
devices by default, such as iMessage, or is very widely used, such as WhatsApp, 
is especially attractive, because it dramatically increases the number of 
mobile phones Pegasus can successfully attack.

As the technical partner of the Pegasus project, an international consortium of 
media organisations including the Guardian, Amnesty’s lab has discovered traces 
of successful attacks by Pegasus customers on iPhones running up-to-date 
versions of Apple’s iOS. The attacks were carried out as recently as July 2021.

Forensic analysis of the phones of victims has also identified evidence 
suggesting NSO’s constant search for weaknesses may have expanded to other 
commonplace apps. In some of the cases analysed by Guarnieri and his team, 
peculiar network traffic relating to Apple’s Photos and Music apps can be seen 
at the times of the infections, suggesting NSO may have begun leveraging new 
vulnerabilities.

Where neither spear-phishing nor zero-click attacks succeed, Pegasus can also 
be installed over a wireless transceiver located near a target, or, according 
to an NSO brochure, simply manually installed if an agent can steal the 
target’s phone.

Once installed on a phone, Pegasus can harvest more or less any information or 
extract any file. SMS messages, address books, call history, calendars, emails 
and internet browsing histories can all be exfiltrated.

“When an iPhone is compromised, it’s done in such a way that allows the 
attacker to obtain so-called root privileges, or administrative privileges, on 
the device,” said Guarnieri. “Pegasus can do more than what the owner of the 
device can do.”

Lawyers for NSO claimed that Amnesty International’s technical report was 
conjecture, describing it as “a compilation of speculative and baseless 
assumptions”. However, they did not dispute any of its specific findings or 
conclusions.

NSO has invested substantial effort in making its software difficult to detect 
and Pegasus infections are now very hard to identify. Security researchers 
suspect more recent versions of Pegasus only ever inhabit the phone’s temporary 
memory, rather than its hard drive, meaning that once the phone is powered down 
virtually all trace of the software vanishes.

One of the most significant challenges that Pegasus presents to journalists and 
human rights defenders is the fact that the software exploits undiscovered 
vulnerabilities, meaning even the most security-conscious mobile phone user 
cannot prevent an attack.

“This is a question that gets asked to me pretty much every time we do 
forensics with somebody: ‘What can I do to stop this happening again?’” said 
Guarnieri. “The real honest answer is nothing.”