Everything you need to know about the Pegasus spyware infecting smartphones


Pegasus spyware FAQ
And how to tell if your iPhone is infected.

NSO Group’s Pegasus spyware is making headlines again after it was reported that a number of governments around the world have been using it to hack the smartphones of activists, politicians, journalists and other individuals.

A list of potential surveillance targets, which includes more than 50,000 phone numbers, was leaked and obtained by a number of news outlets over the weekend, reigniting concerns over government surveillance.

So, what exactly is Pegasus? Who might be a target of an attack? And how can you tell if your iPhone has already fallen victim to the spyware? We rounded up everything you need to know about Pegasus.

What is Pegasus?

Pegasus is sophisticated spyware developed by Israeli firm NSO Group, also known as Q Cyber Technologies. It was first discovered on iOS in 2016, when Emirati human rights defender Ahmed Mansoor received a text message promising “secrets” about prisons in the United Arab Emirates. Rather than tapping the link, Mansoor forwarded the message to researchers, which is how the exploit chain came to light.

However, cybersecurity firm Lookout, which analyzed the spyware together with Citizen Lab, concluded that Pegasus had been around for a lot longer than that. “We believe that this spyware has been in the wild for a significant amount of time based on some of the indicators within the code,” said Lookout’s report at the time.

A kernel-mapping table discovered in the spyware included values that dated back to iOS 7, which Apple rolled out in late 2013. And a number of reports, including one from The New York Times, claim leaked emails confirm the United Arab Emirates has been using Pegasus since 2013.

Apple has, of course, rolled out iOS updates that fix the vulnerabilities exploited by each version of Pegasus that has been caught since then. However, NSO Group keeps finding new routes into iOS. It says it sells the tool only to governments, to help them investigate crime and fight terrorism.

But that’s not strictly how Pegasus has been used so far. In its 2016 report, Lookout called Pegasus the “most sophisticated attack we’ve seen on any endpoint.” Lookout also said the spyware was being used to “attack high-value targets for multiple purposes, including high-level corporate espionage.”

How is Pegasus distributed?

What makes Pegasus particularly dangerous, and unlike most of the spyware we typically see on iPhones and other smartphones, is that its more recent versions use “zero-click” attacks. That means the target does not have to install a malicious app or tap a nefarious link. No user interaction at all is required. (The 2016 attack on Mansoor still depended on the target tapping a link; the shift to zero-click exploits came later.)

Instead, Pegasus can be injected over the smartphone’s network, either by using a rogue cell tower or with access to real network infrastructure. NSO Group demonstrated this in November 2019 when it exhibited a portable Base Transceiver Station (a rogue cell tower) at the Milipol trade show in Paris.

Placed in the back of a van, the BTS impersonated a legitimate cell tower, forcing handsets within a certain radius to connect to it automatically. Once a connection was made, cell tower traffic could be intercepted and manipulated, allowing Pegasus to be injected into those devices.

iPhones have also been targeted with Pegasus through iMessage and Apple’s Push Notification Service (APNs) protocol. According to Amnesty International’s forensic findings, the spyware can impersonate an app that is already installed on the phone and deliver itself as push notifications routed through Apple’s own servers, so the malicious traffic blends in with legitimate Apple traffic.

So, it’s incredibly difficult to avoid being infected by the Pegasus spyware. Keeping the phone off cellular networks would defeat a rogue cell tower, but the iMessage vector works over any data connection, including Wi-Fi, so there is little a target can do to avoid a possible infection. And once the software makes its way onto your device, it can wreak havoc.

What can Pegasus do?

Pegasus can send all kinds of sensitive data back to an attacker’s servers. This includes contacts, text messages, calendar events and passwords. It can even capture live voice calls and chats in apps that use end-to-end encryption. That encryption still works as designed; it protects data in transit between devices, but Pegasus runs on the device itself, so it reads messages before they are encrypted and after they are decrypted, and listens to calls at the microphone and speaker.

Pegasus also allows an attacker to take control of a smartphone’s camera and microphone. Plus, it can use a smartphone’s GPS to track a target, all without the owner’s knowledge. It is designed to evade detection by antivirus software. And an attacker can remotely remove Pegasus if necessary, for instance to avoid leaving evidence for a forensic examiner.

Who is at risk?

As explained in the Lookout report, Pegasus attacks seem to be primarily aimed at “high-value targets” such as activists, CEOs, journalists, lawyers and politicians. The attacks are said to be distributed by governments that pay for the spyware, rather than by the NSO Group itself.

In late 2019, it was reported that at least 121 people in India, including more than 40 journalists, had been targeted by a Pegasus attack. Indian technology minister Ravi Shankar Prasad said approximately 1,400 people around the world had been targeted in the same campaign.

Although it’s possible that the average user might fall victim to a Pegasus attack, it is considered highly unlikely. Apple security chief Ivan Krstić told The Washington Post this week that attacks like Pegasus “are not a threat to the overwhelming majority of our users.”

How you can protect yourself from Pegasus spyware

Despite being incredibly sophisticated, and in most cases needing nothing more than the target’s phone number, Pegasus isn’t 100% effective. In certain scenarios it fails. That means you can take certain steps to reduce the chance of falling prey to a Pegasus attack.

The simplest step you can take is to ensure you keep your iPhone up to date. Apple patches the vulnerabilities used by Pegasus and other threats as they are discovered, so a simple software update removes the exploits NSO Group is known to be using at that moment. Another thing you can do is avoid using Apple’s own Safari browser on iPhone.

According to a brochure on Pegasus from NSO Group, “installation from browsers other than the device default (and also Chrome for Android based devices) is not supported by the system.” When the link-based installer comes up against a third-party browser, installation is aborted and a harmless webpage is displayed. Note the limit of this advice: the brochure describes the older vector in which the target taps a link, and a zero-click iMessage exploit never involves the browser at all, so switching browsers does nothing against those attacks.

How to tell if your iPhone is infected

Detecting a Pegasus infection used to be nearly impossible. Most targeted individuals never knew they were a target, or that their device was infected. But now you can use a tool developed by researchers at Amnesty International’s Security Lab that can detect traces of a potential Pegasus infection.

The Mobile Verification Toolkit (MVT) works on both iPhone and Android devices, but runs on a Mac or Linux computer rather than on the phone. For an iPhone, you make an encrypted iTunes or Finder backup (an encrypted backup contains more artifacts than an unencrypted one), then use MVT’s commands to decrypt the backup and extract artifacts such as Safari history, SMS attachments and process records. MVT then compares those artifacts against a list of indicators of compromise (IOCs) that Amnesty publishes, such as domain names and process names seen in known Pegasus infections, and reports any matches.

You can download the Mobile Verification Toolkit from GitHub, where you also will find detailed installation and usage instructions, along with Amnesty’s published indicators.
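To make the comparison step concrete, here is an added example, written for this page rather than taken from MVT or Amnesty, of how backup artifacts are checked against STIX2-style indicators. The pattern syntax ([domain-name:value = '...'], [process:name = '...']) follows the form MVT’s indicator files use; every indicator value, process name and artifact row below is constructed for illustration, and none of them are real Pegasus indicators. The module names are chosen to resemble MVT’s output but are assumptions of this example.

```python
"""Minimal STIX2-style IOC matcher over iOS backup artifacts.

Added example, not MVT's own code. All indicators and artifact rows
are CONSTRUCTED samples; none are real Pegasus IOCs.
"""
import re
from urllib.parse import urlparse

# STIX2 pattern shape used by indicator files, e.g.
#   [domain-name:value = 'host.example']   [process:name = 'somed']
PATTERN_RE = re.compile(
    r"\[(?P<type>[\w-]+):(?P<field>\w+)\s*=\s*'(?P<value>[^']*)'\]"
)

# Constructed indicator bundle (reserved .example/.test domains, made-up process name).
CONSTRUCTED_IOCS = {
    "type": "bundle",
    "objects": [
        {"type": "indicator", "pattern": "[domain-name:value = 'updates-cdn.example']"},
        {"type": "indicator", "pattern": "[domain-name:value = 'sync.telemetry-box.test']"},
        {"type": "indicator", "pattern": "[process:name = 'samplehelperd']"},
        {"type": "indicator", "pattern": "[email-addr:value = 'sender@example.net']"},
    ],
}


def parse_iocs(bundle):
    """Group indicator values by STIX object type, lowercased for matching."""
    iocs = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = PATTERN_RE.fullmatch(obj["pattern"].strip())
        if not m:
            continue  # unsupported pattern shape: skip rather than guess
        iocs.setdefault(m["type"], set()).add(m["value"].lower())
    return iocs


def domain_matches(host, domains):
    """True if host equals an IOC domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


# Constructed artifacts shaped like rows extracted from a decrypted backup.
CONSTRUCTED_ARTIFACTS = {
    "safari_history": [
        {"ts": "2021-07-18 09:12:01", "url": "https://www.apple.com/"},
        {"ts": "2021-07-18 09:12:05", "url": "https://x7.updates-cdn.example/p?c=1"},
    ],
    "datausage_processes": [
        {"ts": "2021-07-18 09:12:06", "proc_name": "com.apple.WebKit.Networking"},
        {"ts": "2021-07-18 09:12:07", "proc_name": "samplehelperd"},
    ],
    "sms": [
        {"ts": "2021-07-17 22:00:00", "text": "hey, see https://www.example.org/news"},
        {"ts": "2021-07-18 09:11:59", "text": "urgent: https://sync.telemetry-box.test/go"},
    ],
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def scan_artifacts(artifacts, iocs):
    """Return a list of (module, timestamp, matched_value) detections."""
    domains = iocs.get("domain-name", set())
    procs = iocs.get("process", set())
    hits = []
    for row in artifacts.get("safari_history", []):
        host = urlparse(row["url"]).hostname or ""
        if domain_matches(host, domains):          # subdomains of an IOC also count
            hits.append(("safari_history", row["ts"], host))
    for row in artifacts.get("datausage_processes", []):
        if row["proc_name"].lower() in procs:      # exact process-name match
            hits.append(("datausage_processes", row["ts"], row["proc_name"]))
    for row in artifacts.get("sms", []):
        for url in URL_RE.findall(row["text"]):    # links inside message bodies
            host = urlparse(url).hostname or ""
            if domain_matches(host, domains):
                hits.append(("sms", row["ts"], host))
    return hits


def run_check():
    """Scan the constructed artifacts with the constructed indicators."""
    return scan_artifacts(CONSTRUCTED_ARTIFACTS, parse_iocs(CONSTRUCTED_IOCS))


if __name__ == "__main__":
    for module, ts, value in run_check():
        print(f"{module:22} {ts}  matched {value}")
```

With the real tool the equivalent is running mvt-ios decrypt-backup on the encrypted backup and then mvt-ios check-backup with Amnesty’s published STIX2 indicator file; the subdomain rule above matters because exploit delivery hosts typically sit under a registered IOC domain rather than matching it exactly.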
