What is Pegasus spyware and how does it infect your phone?



The American newspaper "New York Times" reported that the Israeli company "NSO" shut down its "Pegasus" spyware system, which it had developed and which was used to hack the phones of journalists at the Al Jazeera network, in July of this year. The report cited a source within the Israeli company who said that the decision to shut down "Pegasus" came after it was exposed.

Europe Scandal:


The President of the European Commission stated on Monday that the use of spyware to target journalists is completely unacceptable. This statement came in response to reports indicating the use of spyware produced by an Israeli company to infiltrate the mobile phones of a group of journalists, government officials, and human rights activists worldwide.

Ursula von der Leyen added, "If this has happened, it is entirely unacceptable and goes against any rules in the European Union."

An investigation, conducted by 17 media organizations and published last Sunday, revealed that the "Pegasus" spyware program, produced by the Israeli company NSO, was used to breach the phones of journalists, officials, and activists in various parts of the world.

The investigation, carried out by 17 international media outlets, including Le Monde, Süddeutsche Zeitung, The Guardian, and The Washington Post, is based on a list obtained by the organizations Forbidden Stories and Amnesty International.

The list includes the numbers of at least 180 journalists, 600 politicians, 85 human rights activists, and 65 businesspeople, according to the group's analysis. The Israeli group's spyware program was confirmed to have breached or attempted to breach 37 phones.


What is this program?  How dangerous is it?  And, most importantly, what technology does it use to target its victims?

NSO Group:


NSO Group is an Israeli company specializing in the development of cyber espionage tools. It was founded in 2010 and employs approximately 500 people, with its headquarters located near Tel Aviv.

The company has been the subject of significant controversy in recent years. Citizen Lab, a Canadian internet watchdog, has stated that the company's "Pegasus" system, which it markets, is used by countries with questionable human rights records and a history of arbitrary state security behavior.

Pegasus is a high-cost spyware program. According to a 2016 price list published by Fast Company, NSO Group charges customers $650,000 to breach 10 devices, in addition to half a million dollars in installation fees.

Pegasus discovered:


"Pegasus" is considered one of the most dangerous and sophisticated spyware programs, specifically targeting devices running the "iOS" operating system by Apple. However, there is a version of it for Android devices that differs somewhat from the "iOS" version.

Researchers first discovered this program in August 2016 after an unsuccessful attempt to install it on the iPhone of a human rights activist in the United Arab Emirates named Ahmed Mansoor, through a suspicious link in a text message. The investigation revealed details about the program, its capabilities, and the security vulnerabilities it exploits.

What is the extent of the Pegasus program?

Kaspersky, a specialized antivirus software company, explains that Pegasus falls under the category of "modular malware." In other words, it is composed of modules. It starts by "scanning" the targeted device, then installs the necessary module to read user messages and emails, listen to calls, capture screen images, record keystrokes, extract browser history, and access contacts.

Moreover, because it records keystrokes and audio on the device itself, it can listen to encrypted audio and read encrypted messages: it steals outgoing messages before they are encrypted and incoming messages after they are decrypted.

John Scott-Railton, a researcher at Citizen Lab, states that the program can do anything users can do, including reading text messages, operating the camera and microphone, adding and deleting files, and processing data.

How does Pegasus work?


The "phishing" method is the most common way to infect a device with this spyware program. The victim is sent an email containing a suspicious link; when the victim clicks on it, the spyware is installed on the device.

Initially, when the spyware was first discovered, it targeted iOS devices that had not been jailbroken, making it one of the most sophisticated attacks seen. The program relies on three previously unknown vulnerabilities in the iOS operating system, affecting versions 7 through 9.3.4. These vulnerabilities, known as "zero-days," allow it to silently penetrate the operating system and install the spyware.

Pegasus targets:

Since Pegasus is an extremely targeted and expensive spyware program, it is used to attack individuals of "high value," such as political activists or others who have access to important, sensitive, and confidential information.

However, it may also be used to target specific entities for multiple purposes, including corporate espionage. Often, CEOs, CFOs, executives, and financial teams are targeted because they usually have access to sensitive data, especially through their mobile devices.

iOS and Android:

The Android version, discovered in 2017, is not significantly different from the iOS version. However, it does not rely on "zero-day" vulnerabilities to compromise the device but rather uses a well-known method to bypass device protection called "Framaroot."


Another difference is that if the iOS version fails to bypass device protection, the entire attack fails. In contrast, if the Android version fails to gain root access to the phone to install spyware, it will still attempt to request the necessary permissions to collect some data at least.

Protecting your smartphone from Pegasus spyware:


Usually, when a new version of the "Pegasus" program for the "iOS" system is released, Apple acts quickly to address it, and it has issued security updates that patch all of the vulnerabilities mentioned above. Google, on the other hand, takes a different approach: it directly alerts the targeted individuals that they have been attacked.

If you have updated your "iOS" operating system to the latest version and have not received any warning messages from Google, you are likely safe from Pegasus, according to Kaspersky. It's always essential to keep your device updated with the latest security patches and install robust security solutions.

Regrettably, preventing zero-click attacks is an extremely challenging task, even for those with specialized training in cybersecurity. Nevertheless, there are measures you can implement to enhance your smartphone's defenses against Pegasus spyware:

  • Store your device(s) in a Faraday bag or sleeve when not actively using them.
  • Exercise caution when opening links, files, or email attachments, sticking to known and trusted sources.
  • Avoid clicking on suspicious links or those received via SMS.
  • Consider disabling messaging platforms like iMessage and WhatsApp, especially if they aren't essential for your communication.
  • Encrypt all sensitive data and information on your device.
  • Reboot your device on a daily basis and consistently update it with the latest security patches.
  • Install robust antivirus software on your device, including one that monitors for any signs of jailbreaking.
  • Always use a Virtual Private Network (VPN) to encrypt your internet traffic.
  • Refrain from using public Wi-Fi, even when using a VPN, if possible.
  • Utilize strong, difficult-to-guess passwords and implement multi-factor authentication (MFA) for each of your devices.
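The phishing delivery described under "How does Pegasus work?" and the link-caution items in the list above come down to one habit: treat a link in a message as untrusted until you know where it leads. The following script is an added example written for this page (it is not code from the article, from NSO Group, or from any vendor's tooling). It takes a batch of constructed SMS-style messages, extracts the URLs, and reports every link whose host is not on a personal allowlist, with extra reasons for raw IP hosts, link shorteners that hide the destination, plain HTTP, and a trusted brand name buried in the subdomain of some other domain. The allowlist, the shortener list and the sample messages are assumptions, not values from the article.

```python
"""Defensive triage of SMS-style messages for untrusted links.

Added example, not from the article or from any vendor's tooling: scan a
batch of constructed messages, extract URLs, and flag links whose host is
not on a personal allowlist, with extra reasons for disguised destinations.
"""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address
from urllib.parse import urlsplit

# Assumption: domains this user treats as trusted. Anything else is reported.
TRUSTED_DOMAINS = {"apple.com", "google.com"}
# Assumption: link shorteners hide the real destination and deserve scrutiny.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}

# Matches http(s) URLs and bare "www." links; trailing punctuation is trimmed later.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


@dataclass
class Finding:
    url: str
    host: str
    reasons: list = field(default_factory=list)


def extract_urls(text):
    """Return the URLs found in a message body, minus trailing punctuation."""
    return [m.group(0).rstrip(".,;:!?)") for m in URL_RE.finditer(text)]


def _host_of(url):
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url  # bare "www." links carry no scheme
    return (urlsplit(url).hostname or "").lower()


def _is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def _is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def assess_url(url):
    """Explain why a URL is untrusted; an empty reasons list means allowlisted."""
    host = _host_of(url)
    finding = Finding(url, host)
    if not host:
        finding.reasons.append("unparseable host")
        return finding
    if _is_trusted(host):
        return finding
    finding.reasons.append("host not in allowlist")
    bare = host[4:] if host.startswith("www.") else host
    if _is_ip_literal(host):
        finding.reasons.append("raw IP address host")
    if bare in SHORTENERS:
        finding.reasons.append("URL shortener hides destination")
    if url.lower().startswith("http://"):
        finding.reasons.append("plain HTTP")
    # A trusted brand used as a subdomain of some other registrable domain
    # (e.g. apple.com.example.net) is a classic lookalike.
    labels = host.split(".")
    brands = {d.split(".")[0] for d in TRUSTED_DOMAINS}
    if brands & set(labels[:-2]):
        finding.reasons.append("trusted brand name in subdomain")
    return finding


# Constructed sample messages; the phone numbers are fictional.
SAMPLE_MESSAGES = [
    {"sender": "+15550100", "text": "Your package is waiting: http://192.0.2.10/track"},
    {"sender": "Apple", "text": "Release notes: https://www.apple.com/ios/"},
    {"sender": "+15550199", "text": "Account locked. Verify now: http://apple.com.example.net/verify."},
    {"sender": "Sam", "text": "Lunch at 12? www.bit.ly/abc123"},
    {"sender": "Sam", "text": "Running late, see you there."},
]


def triage_messages(messages):
    """Return only the messages that carry at least one untrusted link."""
    flagged = []
    for msg in messages:
        findings = [assess_url(u) for u in extract_urls(msg["text"])]
        suspicious = [f for f in findings if f.reasons]
        if suspicious:
            flagged.append({"sender": msg["sender"], "findings": suspicious})
    return flagged


if __name__ == "__main__":
    for item in triage_messages(SAMPLE_MESSAGES):
        for f in item["findings"]:
            print(f"{item['sender']}: {f.url} -> {', '.join(f.reasons)}")
```

Run it as a script and it prints one line per untrusted link with the reasons it was flagged. The allowlist is deliberately strict: a link that merely looks legitimate still gets reported unless its registrable domain is one the owner has chosen to trust, which is the point of the "stick to known and trusted sources" advice above.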

Pegasus spread:

Over the past two years, the "Citizen Lab" research laboratory has scanned the internet for servers linked to "Pegasus" and found its traces in 45 countries, including 17 Arab countries. These countries include Algeria, Bahrain, Egypt, Iraq, Jordan, Kuwait, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Saudi Arabia, Tunisia, the UAE, and Yemen. Additionally, countries like the United States, the United Kingdom, Canada, France, Israel, and Turkey were also identified.

The lab stated in its report, published on its website last September, that there appears to be significant expansion in the use of Pegasus in the Gulf Cooperation Council (GCC) countries. At least six operators focusing primarily on the UAE, one on Bahrain, and another on Saudi Arabia were identified for critical operations.

The future of Pegasus:

No one can confirm that the Israeli company behind the "Pegasus" program will completely halt its operations. The same tooling can be used to develop new spyware that hides and operates more efficiently than the old version. Unfortunately, the only way to know for sure is when new victims are caught, which restarts the same cycle.
