Pegasus Spyware
Pegasus is a remote access tool (RAT) with spyware capabilities. Its Android variants are capable of extracting data from popular messengers such as WhatsApp, Facebook, and Viber as well as email clients and browsers. The spyware is capable of remote surveillance through the phone’s microphone and camera as well as taking screenshots and keylogging the user’s inputs.
Pegasus is apparently deployed against only a small number of individuals for surveillance purposes. Its limited spread does not make it less dangerous: for each individual under surveillance, the scope of the privacy damage is very high. Pegasus can monitor a variety of popular messengers and email providers such as Facebook, WhatsApp, Gmail, Telegram, and others.
Israel-based “Cyber Warfare” vendor NSO Group produces and sells a mobile phone spyware suite called Pegasus. To monitor a target, a government operator of Pegasus must convince the target to click on a specially crafted exploit link, which, when clicked, delivers a chain of zero-day exploits to penetrate security features on the phone and installs Pegasus without the user’s knowledge or permission. Once the phone is exploited and Pegasus is installed, it begins contacting the operator’s command and control (C&C) servers to receive and execute operators’ commands, and send back the target’s private data, including passwords, contact lists, calendar events, text messages, and live voice calls from popular mobile messaging apps. The operator can even turn on the phone’s camera and microphone to capture activity in the phone’s vicinity.
Pegasus exploit links and C&C servers use HTTPS, which requires operators to register and maintain domain names. Domain names for exploit links sometimes impersonate mobile providers, online services, banks, and government services, which may make the links appear to be benign at first glance. An operator may have several domain names that they use in exploit links they send, and also have several domain names they use for C&C. The domain names often resolve to cloud-based virtual private servers (we call these front-end servers) rented either by NSO Group or the operator. The front-end servers appear to forward traffic (via a chain of other servers) to servers located on the operator’s premises (we call these the back-end Pegasus servers).
Who were the targets?
According to the Guardian, Pegasus targeted the mobile phone numbers of the French president, Emmanuel Macron, the South African president, Cyril Ramaphosa, and the Pakistani prime minister, Imran Khan, along with 11 other heads of state and a number of Mexican targets. This does not mean that particular mobile numbers were selected for actual surveillance using Pegasus, but it is somewhat disturbing. Forensic examinations of a sample of 67 phones found 34 iPhones and three Android phones had contained traces of Pegasus infection or attempted infection. Out of this population, 23 Apple devices were successfully hacked, one of which was running the most current version of iOS.
As I mentioned earlier, politicians weren’t the only targets. Journalists in different countries were targeted, including relatives and associates of Jamal Khashoggi.
To see an updated list of targets, follow:
Who’s on the List — The Pegasus Project | OCCRP
Project Pegasus — Individuals listed, targeted, or compromised — Google Sheets
How was Pegasus detected?
While the NSO Group was good at covering its tracks, it wasn’t perfect. As the Guardian’s research found, “On Android devices, the relative openness of the platform seems to have allowed the company to successfully erase all its traces, meaning that we have very little idea which of the Android users who were targeted by Pegasus were successfully affected. There is a file, DataUsage.SQLite, which records what software has run on an iPhone. It’s not accessible to the user of the device, but if you back up the iPhone to a computer and search through the backup, you can find the file. The records of Pegasus had been removed from that file, of course — but only once. What the NSO Group didn’t know, or perhaps didn’t spot, is that every time some software is run, it is listed twice in that file. And so by comparing the two lists and looking for inconsistencies, Amnesty’s researchers were able to spot when the infection landed.”
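To illustrate the comparison technique the Guardian describes, the following script (an added example, not code from the article, Amnesty, or any forensic toolkit) builds a constructed two-table SQLite database that stands in for the DataUsage.SQLite file mentioned above and flags records that appear in one list but have been wiped from the other. The table names, columns and sample rows are assumptions for the demonstration, not Apple's real schema.

```python
import sqlite3

# Constructed, simplified stand-in for the two lists in DataUsage.SQLite
# (NOT Apple's real schema): each program run normally leaves one row in
# process_list and one matching row in usage_list.
SCHEMA = """
CREATE TABLE process_list (id INTEGER PRIMARY KEY, bundle_name TEXT, first_seen REAL);
CREATE TABLE usage_list (id INTEGER PRIMARY KEY, process_id INTEGER, timestamp REAL, bytes_in INTEGER);
"""
# Constructed sample rows; timestamps are arbitrary Unix times, names are placeholders.
PROCESSES = [
    (1, "com.apple.MobileSMS", 1620000000.0),
    (2, "com.apple.mobilesafari", 1620000100.0),
    (3, "placeholder_implant_helper", 1620000200.0),  # not a real indicator
    (4, "com.apple.mobilemail", 1620000300.0),
]
USAGE = [
    (10, 1, 1620000000.0, 1024),
    (11, 2, 1620000100.0, 4096),
    (12, 3, 1620000200.0, 8192),
    (13, 4, 1620000300.0, 2048),
]


def build_sample_db():
    """In-memory database where a clean-up removed the implant's process row
    but left its usage row behind: the one-sided deletion described above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO process_list VALUES (?, ?, ?)", PROCESSES)
    conn.executemany("INSERT INTO usage_list VALUES (?, ?, ?, ?)", USAGE)
    conn.execute("DELETE FROM process_list WHERE id = 3")
    conn.commit()
    return conn


def find_inconsistencies(conn):
    """Compare the two lists both ways: return (orphaned usage rows, process
    rows with no usage). A non-empty first element means a run was logged
    but its process entry was wiped, and the timestamp dates the activity."""
    orphaned = conn.execute(
        "SELECT u.id, u.process_id, u.timestamp FROM usage_list u "
        "LEFT JOIN process_list p ON p.id = u.process_id WHERE p.id IS NULL"
    ).fetchall()
    unused = conn.execute(
        "SELECT p.id, p.bundle_name FROM process_list p "
        "LEFT JOIN usage_list u ON u.process_id = p.id WHERE u.id IS NULL"
    ).fetchall()
    return orphaned, unused
```

On a real backup the same LEFT JOIN idea applies to whichever two tables actually record the runs; the surviving row's timestamp is what dates the infection.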
Pegasus spyware seller: Blame our customers, not us, for hacking
The maker of powerful spy software allegedly used to hack the phones of innocent people says blaming the company is like “criticizing a car manufacturer when a drunk driver crashes”.
The Israeli company says its software is intended for use against criminals and terrorists and made available to only military, law enforcement and intelligence agencies from countries with good human-rights records.
NSO Group said it had been told the list had been hacked from its Cyprus servers.
But a company spokesman told BBC News: “Firstly, we don’t have servers in Cyprus.
“And secondly, we don’t have any data of our customers in our possession.
“And more than that, the customers are not related to each other, as each customer is separate.
“So there should not be a list like this at all anywhere.”
And the number of potential targets did not reflect the way Pegasus worked.
“It’s an insane number,” the spokesman said.
“Our customers have an average of 100 targets a year.
“Since the beginning of the company, we didn’t have 50,000 targets total.”
Security services
Many times in recent years, the company has been accused of allowing repressive governments to hack innocent people, including those close to murdered Washington Post columnist Jamal Khashoggi.
But it denies this and all other allegations.
It does not routinely investigate who is targeted but has systems in place to vet security services it sells to, it says.
Earlier this month, NSO Group launched its Transparency Report, saying: “We must hold ourselves to a higher standard and act with stewardship and transparency… to ensure public safety and concern for human rights and privacy.”
But on Wednesday, the spokesman said: “If I am the manufacturer of a car and now you take the car and you are driving drunken and you hit somebody, you do not go to the car manufacturer, you go to the driver.
“We are sending the system to governments, we get all the correct accreditation and do it all legally.
“You know, if a customer decides to misuse the system, he will not be a customer anymore.
“But all the allegations and all the finger-pointing should be at the customer.”
What can you do to protect your phone?
I want to emphasize that the chances of being struck by Pegasus are lower than those of being hit by lightning. But you should still practice safe computing on your phone, including doing the following:
- Only open links from known and trusted contacts and sources when using your device. This is especially relevant if you receive links as text messages.
- Make sure your device is updated with any relevant patches and upgrades.
- Limit physical access to your phone by enabling a PIN code as well as fingerprint or face locking on your device.
- Use a VPN and a mobile anti-malware tool.
Sources:
What is Pegasus, the Israeli mobile phone spyware used by governments around the world? | Euronews
Pegasus (spyware) — Wikipedia
Pegasus spyware seller: Blame our customers, not us, for hacking — BBC News
Pegasus And Spyware | Avast
HIDE AND SEEK: Tracking NSO Group’s Pegasus Spyware to Operations in 45 Countries — The Citizen Lab