Is Pegasus spyware a security nightmare for mobile devices?

Pegasus spyware is alleged to have been used against the mobile devices of as many as 50,000 prominent individuals around the world.
22 July 2021

Illustration shows a smartphone with the website of Israel’s NSO Group, which features ‘Pegasus’ spyware.(Photo by JOEL SAGET / AFP)

Spyware remains a major tool for espionage and for monitoring individuals and companies, increasingly through their personal devices. Pegasus, spyware developed by an Israeli company, was reported to have been used to spy on government leaders, journalists, lawyers, and anti-corruption campaigners around the world.

According to investigative reports by The Guardian and several other publications, as many as 50,000 mobile numbers belonging to individuals in more than 50 countries have been targeted for surveillance. Prominent names on the list include Morocco’s King Mohammed VI, French President Emmanuel Macron, Indian opposition leader Rahul Gandhi, members of the Saudi royal family, as well as Pavel Durov, developer of the “unhackable” messaging app Telegram.

Allegations that the Indian government used Pegasus have also led to protests, with opposition parties disrupting parliament to demand an investigation. Pegasus works by gaining privileged access to the infected phone and its storage. It can then read photos, videos, emails, and messages in any application, including those sent over end-to-end encrypted services, because it reads them on the device after they have been decrypted. Operators can record conversations on or near the device, activate its cameras, and track the user’s location.

Simply put, information on an infected device is no longer safe. One documented infection route used WhatsApp: the operator placed video calls from a fake account, and a malicious payload was transmitted the moment the target’s phone rang, installing the spyware without the call ever being answered.

Private Israeli firm NSO Group has denied media reports its Pegasus software is linked to the mass surveillance of journalists and rights defenders, and insisted that all sales of its technology are approved by Israel’s defence ministry. (Photo by Mario GOLDMAN / AFP)

NSO Group, the developer of Pegasus, has also exploited vulnerabilities in Apple’s iMessage. Apple has since released a statement condemning the cyberattacks and also said they have “led the industry in security innovation and, as a result, security researchers agree that iPhone is the safest, most secure consumer mobile device on the market.”

The statement also said that “attacks like the ones described are highly sophisticated, and are used to target specific individuals.” The company added they will continue to work on defending their customers from any cyberattacks and are constantly adding new protections to their devices and data.

Interestingly, NSO has released a statement as well, denying the allegations made against their product. The company said they “do not operate the system, nor do we have access to the data of our customers, yet they are obligated to provide us with such information under investigations.” NSO also said they will investigate misuse of the technology and “will shut down the system where necessary”.

Spyware vs Ransomware

Mark Bowling, Vice President of Security Response Services at ExtraHop, reached out to TechHQ to share his views on the situation. According to Bowling, NSO’s tactics are yet another example of how tools and techniques that were once the sole purview of nation-states have made their way into the private sector.

“We’ve recently seen tactics like zero-day exploits and supply chain compromises used in major ransomware attacks like Colonial Pipeline and Kaseya. Unlike ransomware syndicates like Darkside or REvil, NSO began as a legitimate operation selling commercial software. As this latest reporting makes clear, however, the tactics they employ look a lot like nation-state espionage, and indeed, amount to the privatization of cyber espionage at a scale not previously seen,” he explained.

Attacks on critical infrastructure and supply chains have painted a dire picture of just how far ransomware attackers will go to make money. Yet tracking down the culprits is often less of an obstacle than apprehending them, since acting on that information typically requires international cooperation.

Unlike ransomware, spyware like Pegasus does not lock up data and demand a ransom. Instead, it is deployed quietly against specific individuals, and the same tooling can be turned to espionage against businesses or other high-value targets. In the hands of state operators or well-resourced criminal groups, spyware like Pegasus is a very powerful tool that can easily be put to the wrong purposes.

So can we protect ourselves against spyware? One reason Pegasus has been so successful is that most endpoint protection software does not readily detect it. Worse, it can infect a device without the user tapping anything: these “zero-click” attacks arrive through a message or call the target never has to open, which defeats the standard advice of not clicking on suspicious links.

Cybersecurity firms and app developers need more efficient ways of detecting such malware and blocking it before it infects a device. Until that happens, users also need to stay alert when using their devices.
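Because a zero-click infection leaves nothing for the user to notice, detection in practice falls back on checking a device’s records (network connections, running processes) against published indicators of compromise. The following is an added example written for this page, not code from TechHQ, NSO Group or any forensic tool; every indicator, process name and log record in it is a constructed placeholder, not real Pegasus infrastructure. It shows the one check that is easy to get wrong: matching hostnames against indicator domains on label boundaries, so that a lookalike such as `notupdate-cdn.example` is not reported as a hit for `update-cdn.example`.

```python
"""Indicator-of-compromise (IoC) matching over device network records.

Added example for illustration. The indicator lists and the sample
records below are CONSTRUCTED placeholders (hypothetical domains and
process names), not real spyware infrastructure.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed indicator lists (hypothetical values).
IOC_DOMAINS = {"update-cdn.example", "sync.mail-delivery.example"}
IOC_PROCESSES = {"upd-agent", "syncd-helper"}


@dataclass(frozen=True)
class Record:
    """One network record: when, which process, which destination host."""
    timestamp: str
    process: str
    host: str


@dataclass(frozen=True)
class Finding:
    record: Record
    indicator: str
    kind: str  # "domain" or "process"


def domain_matches(host: str, indicator: str) -> bool:
    """True if host equals the indicator or is a subdomain of it.

    Case-insensitive, tolerates a trailing dot, and respects label
    boundaries: 'notupdate-cdn.example' does NOT match 'update-cdn.example',
    while 'cdn1.update-cdn.example' does.
    """
    host = host.lower().rstrip(".")
    indicator = indicator.lower().rstrip(".")
    return host == indicator or host.endswith("." + indicator)


def parse_record(line: str) -> Optional[Record]:
    """Parse 'timestamp<TAB>process<TAB>host'; None for malformed lines."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 3 or not all(parts):
        return None
    return Record(*parts)


def scan(lines: Iterable[str]) -> List[Finding]:
    """Return every record that matches a process or domain indicator."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue  # skip lines that do not parse rather than crash
        if rec.process.lower() in IOC_PROCESSES:
            findings.append(Finding(rec, rec.process.lower(), "process"))
        for ioc in IOC_DOMAINS:
            if domain_matches(rec.host, ioc):
                findings.append(Finding(rec, ioc, "domain"))
    return findings


# Constructed sample records (not real device data). Includes a lookalike
# domain, a malformed line, and an upper-case host with a trailing dot.
SAMPLE_LOG = """\
2021-07-18T09:12:01Z\tcom.apple.mobilesafari\twww.example.org
2021-07-18T09:12:05Z\tupd-agent\tcdn1.update-cdn.example
2021-07-18T09:12:06Z\tcom.apple.Preferences\tnotupdate-cdn.example
2021-07-18T09:13:40Z\tsyncd-helper\tapi.example.net
malformed line without tabs
2021-07-18T09:15:00Z\tcom.apple.mail\tSYNC.MAIL-DELIVERY.EXAMPLE.
""".splitlines(keepends=True)


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.record.timestamp} {f.kind:<7} {f.indicator:<28} "
              f"proc={f.record.process} host={f.record.host}")
```

Run as-is, the scan reports four findings from the six constructed lines: a process and a domain hit on the second record, a process hit on the fourth, and a domain hit on the last despite its capitalisation and trailing dot; the lookalike domain on the third record and the malformed line produce nothing. Indicator matching of this kind only catches infrastructure that has already been published, so it is a retrospective check, not a substitute for the platform-level defences the article calls for.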