A new tool, more powerful than ever, has emerged in the field of political and industrial espionage: Pegasus. It has caused a furore among nation states and organizations all around the world, with everyone scrambling to secure their people, assets, and data.
Numerous high-ranking government officials, politicians, journalists, activists, and other influential individuals across the globe have been infected with the spyware. This has had far-reaching implications for the political landscape of numerous nations, with widespread protests and demonstrations against its usage witnessed in several countries.
What is Pegasus?
Is Pegasus hacking software or spyware? It is billed as the best of both worlds: a tool developed, marketed, and licensed to governments around the world by the Israeli company NSO Group. Its intrusive nature allows it to infect, and silently surveil, billions of phones running either the iOS or Android operating systems.
Pegasus was first discovered in 2016 on a group of mobile devices which were infected via a spear-phishing campaign that tricked users into clicking on malicious links which would install the spying software. However, recent versions of the spyware are much more sophisticated and require zero interaction from the victim for delivery and execution.
How does it work?
The spyware executes via a zero-click exploit. This means that a victim does not need to interact with the initial delivery vector of the spyware for the malicious code to be executed. The victim receives a message on SMS, WhatsApp, iMessage or any other messaging application. As soon as the message is received the spyware is executed and all traces of the message are deleted. This implies that the user’s device will be infected with the spyware, without the user being aware of even receiving any suspicious message.
As soon as the malicious software is executed it connects back to the Command & Control (C&C) server, from where it receives further instructions.
Below is a concise attack flow of how Pegasus infects mobile devices.
Why is it dangerous?
Once infected, the spyware has complete access to a victim's device. This means that everything from the user's chat history and internet usage to their mobile banking passwords can be leaked.
Some of the activities that can be performed by Pegasus are:
Activating the victim's microphone to record their conversations, which can be sent back to the C&C server.
Monitoring the user's activities via the device's camera.
Tracking the user's whereabouts via their GPS hardware and software.
Exfiltrating sensitive files and information stored on the victim's device.
Continuous observation of the victim's screen.
Downloading additional malicious software onto the device.
Viewing all conversations in chat apps such as WhatsApp, SMS, iMessage and other applications.
Sending messages from the victim's device to other numbers.
How do I know if I am infected?
It is nearly impossible to detect the Pegasus spyware. Its complex, highly developed, and adaptive mechanism makes it very difficult to detect. Infected devices will not even show any lag or other visible signs.
There may be some tell-tale signs that suggest that the device has been compromised; however, they cannot be relied upon.
Some of them are:
Unrecognized software installed on the device.
Abnormal overheating of the device in low to moderate usage.
Messages sent to contacts which the victim may not recognize as having sent.
Suspicious redirects in web browsing history.
A forensic analysis of the mobile device is the best way to determine whether a device may be infected. Although the analysis will not definitively prove or disprove an infection, it can identify the presence of Indicators of Compromise (IoCs) on the device, which helps to ascertain whether the device is infected.
Amnesty International has published a detailed document listing the Indicators of Compromise. Additionally, they have released a tool, along with the methodology, to conduct a forensic analysis on both Android and iOS devices.
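The core of such an IoC check is matching domain indicators against link-bearing records pulled from the device (browser history, SMS, chat messages), including subdomains of an indicator. The script below is an added illustration and is not Amnesty International's tool; the indicator domains and the records are constructed placeholders, not real Pegasus infrastructure.

```python
"""Match domain indicators against records extracted from a phone.

Added example for illustration only, not Amnesty International's code.
IOC_DOMAINS and SAMPLE_RECORDS are constructed placeholders; a real check
would load the published indicator list and a real forensic extraction.
"""
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed placeholder indicators (NOT real indicators).
IOC_DOMAINS = {"example-bad.test", "cdn.example-malicious.test"}

# Constructed sample records: (source, url) pairs of the kind a forensic
# extraction yields from browser history and link-bearing messages.
SAMPLE_RECORDS = [
    ("safari_history", "https://news.example.org/article/1"),
    ("safari_history", "https://login.example-bad.test/x?id=7"),  # subdomain hit
    ("sms", "http://cdn.example-malicious.test/p.php"),          # exact hit
    ("sms", "https://notexample-bad.test/"),                      # lookalike, no hit
    ("whatsapp", "https://EXAMPLE-BAD.TEST/"),                    # case-insensitive hit
]


def hostname_of(url: str) -> Optional[str]:
    """Return the lower-cased host of a URL, or None if it has none."""
    host = urlparse(url.strip()).hostname
    return host.lower().rstrip(".") if host else None


def matches_ioc(host: str, iocs: Iterable[str]) -> Optional[str]:
    """Return the indicator that host equals or is a subdomain of, else None.

    The leading dot in the suffix test prevents 'notexample-bad.test' from
    matching the indicator 'example-bad.test'.
    """
    host = host.lower().rstrip(".")
    for ioc in iocs:
        ioc = ioc.lower()
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan(records: Iterable[Tuple[str, str]], iocs: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (source, url, matched_indicator) for every record that hits an IoC."""
    iocs = set(iocs)
    hits = []
    for source, url in records:
        host = hostname_of(url)
        if host is None:
            continue
        ioc = matches_ioc(host, iocs)
        if ioc:
            hits.append((source, url, ioc))
    return hits
```

A hit is only an indicator, not proof; as the text above notes, the result informs a fuller forensic assessment rather than settling it.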
What can I do to stay protected?
Although there is no foolproof way to protect yourself from Pegasus, as it requires no interaction from the user to infect a device, basic mobile hygiene can reduce the risk to a certain degree.
One way is to avoid the use of smartphones altogether. However, this is highly impractical for most, if not all, users. Instead, it may be prudent to keep separate devices, to limit the damage that a potential infection may cause. The more sensitive the data on a device, the less it should be exposed to possible attack surfaces. The device on which you receive confidential calls or messages should be separate from the device with which you browse the internet, use WhatsApp, and perform other non-sensitive activity.
Additionally, one should keep their Android or iOS device updated with the latest security patches. Apple and Google have both released security patches specifically addressing Pegasus to mitigate its risk on iOS and Android.
Another important aspect of protection from Pegasus is situational awareness. While Pegasus and other sophisticated malicious software may use zero-click attacks, it is still sensible to exercise caution when receiving any suspicious message. The user should ensure that the person or source from which a link originates is a trusted one. Users should be particularly aware that a determined adversary will very carefully craft a message to make it appear as though it is from someone the user trusts and/or concerns a topic of interest to the user.
While seemingly obvious, physical access to one's device should be restricted using a password, PIN, biometric, or a combination of the three. Furthermore, the use of public and free Wi-Fi services should be avoided, as they are usually the breeding grounds of attackers and adversaries.
Last but not least, vigilance and awareness may be the only way to defeat, or at least limit the damage of, Pegasus or any other spyware. If an infection is suspected, immediately reach out to a cyber-security or forensic expert to have the device inspected, cleaned, and, if required, disposed of appropriately.